Play interactive tour

Edit tour

Analysis Report otiiahj64_mediasvc.png

Overview

General Information

Sample Name:	otiiahj64_mediasvc.png (renamed file extension from png to dll)
Analysis ID:	370720
MD5:	aa6bf98c9120b0539c0270a3e453ddf6
SHA1:	982bae56ad251639d34412d40bd7c0f2c2f4ff7a
SHA256:	7ca008588561777420954419f28471ffc53dded26af0c640991ecf80de490d99
Infos:
Most interesting Screenshot:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected Powershell download and execute

Adds a new user with administrator rights

Hides user accounts

Modifies security policies related information

Checks if the current process is being debugged

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

loaddll64.exe (PID: 5824 cmdline: loaddll64.exe 'C:\Users\user\Desktop\otiiahj64_mediasvc.dll' MD5: 8E81A09C7B4484341759E793AC330CB2)

rundll32.exe (PID: 2996 cmdline: rundll32.exe C:\Users\user\Desktop\otiiahj64_mediasvc.dll,TMethodImplementationIntercept MD5: 73C519F050C20580F8A62C849D49215A)

cmd.exe (PID: 2796 cmdline: cmd /C net.exe user WgaUtilAcc 000000 /del MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

net.exe (PID: 6244 cmdline: net.exe user WgaUtilAcc 000000 /del MD5: 15534275EDAABC58159DD0F8607A71E5)

net1.exe (PID: 6272 cmdline: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del MD5: AF569DE92AB6C1B9C681AF1E799F9983)

WerFault.exe (PID: 6188 cmdline: C:\Windows\system32\WerFault.exe -u -p 2996 -s 552 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cmd.exe (PID: 6808 cmdline: cmd /C net.exe user WgaUtilAcc NCWWqygs /add MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

net.exe (PID: 6892 cmdline: net.exe user WgaUtilAcc NCWWqygs /add MD5: 15534275EDAABC58159DD0F8607A71E5)

net1.exe (PID: 6928 cmdline: C:\Windows\system32\net1 user WgaUtilAcc NCWWqygs /add MD5: AF569DE92AB6C1B9C681AF1E799F9983)

cmd.exe (PID: 988 cmdline: cmd /C net.exe user WgaUtilAcc 000000 /del MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

net.exe (PID: 6168 cmdline: net.exe user WgaUtilAcc 000000 /del MD5: 15534275EDAABC58159DD0F8607A71E5)

net1.exe (PID: 6204 cmdline: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del MD5: AF569DE92AB6C1B9C681AF1E799F9983)

cmd.exe (PID: 6296 cmdline: cmd /C net.exe user WgaUtilAcc 4iEPp7DW /add MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

net.exe (PID: 6332 cmdline: net.exe user WgaUtilAcc 4iEPp7DW /add MD5: 15534275EDAABC58159DD0F8607A71E5)

net1.exe (PID: 6444 cmdline: C:\Windows\system32\net1 user WgaUtilAcc 4iEPp7DW /add MD5: AF569DE92AB6C1B9C681AF1E799F9983)

rundll32.exe (PID: 6320 cmdline: rundll32.exe C:\Users\user\Desktop\otiiahj64_mediasvc.dll,__dbk_fcall_wrapper MD5: 73C519F050C20580F8A62C849D49215A)

cmd.exe (PID: 6524 cmdline: cmd /C net.exe LOCALGROUP 'Remote Desktop Users' WgaUtilAcc /ADD MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

net.exe (PID: 6544 cmdline: net.exe LOCALGROUP 'Remote Desktop Users' WgaUtilAcc /ADD MD5: 15534275EDAABC58159DD0F8607A71E5)

net1.exe (PID: 6576 cmdline: C:\Windows\system32\net1 LOCALGROUP 'Remote Desktop Users' WgaUtilAcc /ADD MD5: AF569DE92AB6C1B9C681AF1E799F9983)

rundll32.exe (PID: 6556 cmdline: rundll32.exe C:\Users\user\Desktop\otiiahj64_mediasvc.dll,dbkFCallWrapperAddr MD5: 73C519F050C20580F8A62C849D49215A)

cmd.exe (PID: 6672 cmdline: cmd /C net.exe user WgaUtilAcc 000000 /del MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

net.exe (PID: 6752 cmdline: net.exe user WgaUtilAcc 000000 /del MD5: 15534275EDAABC58159DD0F8607A71E5)

net1.exe (PID: 6796 cmdline: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del MD5: AF569DE92AB6C1B9C681AF1E799F9983)

WerFault.exe (PID: 6680 cmdline: C:\Windows\system32\WerFault.exe -u -p 6556 -s 624 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cmd.exe (PID: 6688 cmdline: cmd /C net.exe LOCALGROUP 'Remote Desktop Users' user /ADD MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

net.exe (PID: 6708 cmdline: net.exe LOCALGROUP 'Remote Desktop Users' user /ADD MD5: 15534275EDAABC58159DD0F8607A71E5)

net1.exe (PID: 6776 cmdline: C:\Windows\system32\net1 LOCALGROUP 'Remote Desktop Users' user /ADD MD5: AF569DE92AB6C1B9C681AF1E799F9983)

rundll32.exe (PID: 6872 cmdline: rundll32.exe C:\Users\user\Desktop\otiiahj64_mediasvc.dll,euefnaiw MD5: 73C519F050C20580F8A62C849D49215A)

cmd.exe (PID: 6948 cmdline: cmd /C net.exe LOCALGROUP 'Administrators' WgaUtilAcc /ADD MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

net.exe (PID: 6964 cmdline: net.exe LOCALGROUP 'Administrators' WgaUtilAcc /ADD MD5: 15534275EDAABC58159DD0F8607A71E5)

net1.exe (PID: 6984 cmdline: C:\Windows\system32\net1 LOCALGROUP 'Administrators' WgaUtilAcc /ADD MD5: AF569DE92AB6C1B9C681AF1E799F9983)

rundll32.exe (PID: 7016 cmdline: rundll32.exe C:\Users\user\Desktop\otiiahj64_mediasvc.dll,gusiezo3 MD5: 73C519F050C20580F8A62C849D49215A)

cmd.exe (PID: 7092 cmdline: cmd /C net.exe user WgaUtilAcc 4iEPp7DW MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.373759681.00000240DB1F1000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
00000013.00000002.387399333.000001D49CD41000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: rundll32.exe PID: 6556	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: loaddll64.exe PID: 5824	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x435b8:$sa1: -enc 0x4ac47:$sa1: -enc 0x100ea2:$sa1: -enc 0x43581:$sc2: -NoProfile 0x100e6b:$sc2: -NoProfile 0x435a8:$sd2: -noninteractive 0x4ac37:$sd2: -noninteractive 0x100e92:$sd2: -noninteractive 0x43576:$se1: -ep bypass 0x100e60:$se1: -ep bypass
Process Memory Space: loaddll64.exe PID: 5824	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Overview

System Summary:

Sigma detected: Group Modification Logging

Show sources

Source: Event Logs

Author: Alexandr Yampolskyi, SOC Prime: Data: EventID: 4728, Source: Microsoft-Windows-Security-Auditing, data 0: -, data 1: S-1-5-21-3853321935-2125563209-4053062332-1003, data 2: None, data 3: computer, data 4: S-1-5-21-3853321935-2125563209-4053062332-513, data 5: S-1-5-21-3853321935-2125563209-4053062332-1002, data 6: user, data 7: computer, data 8: 0x202b4, data 9: -

Sigma detected: Local User Creation

Show sources

Source: Event Logs

Author: Patrick Bareiss: Data: EventID: 4720, Source: Microsoft-Windows-Security-Auditing, data 0: WgaUtilAcc, data 1: computer, data 10: -, data 11: %%1793, data 12: %%1793, data 13: %%1793, data 14: %%1793, data 15: %%1793, data 16: %%1794, data 17: %%1794, data 18: 513, data 19: -, data 2: S-1-5-21-3853321935-2125563209-4053062332-1003, data 20: 0x0, data 21: 0x15, data 22: %%2080 %%2082 %%2084, data 23: %%1793, data 24: -, data 25: %%1797, data 3: S-1-5-21-3853321935-2125563209-4053062332-1002, data 4: user, data 5: computer, data 6: 0x202b4, data 7: -, data 8: WgaUtilAcc, data 9: %%1793

Sigma detected: Net.exe Execution

Show sources

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net.exe user WgaUtilAcc 000000 /del, CommandLine: net.exe user WgaUtilAcc 000000 /del, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /C net.exe user WgaUtilAcc 000000 /del, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 988, ProcessCommandLine: net.exe user WgaUtilAcc 000000 /del, ProcessId: 6168

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: otiiahj64_mediasvc.dll	Virustotal: Detection: 42%	Perma Link
Source: otiiahj64_mediasvc.dll	Metadefender: Detection: 32%	Perma Link
Source: otiiahj64_mediasvc.dll	ReversingLabs: Detection: 72%

Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49857 version: TLS 1.2

Source: otiiahj64_mediasvc.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: UxTheme.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbDy source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdb? source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb> source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: wbemdisp.pdb_y: source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: gdi32.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbPy source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: kernel32.pdb source: WerFault.exe, 00000008.00000003.337970170.00000242967E7000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: sxs.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: win32u.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: sxs.pdb$ source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdbGy source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdb0 source: WerFault.exe, 00000008.00000003.337958928.00000242967E1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.354135432.00000229FE5B1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdbI source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
Source:	Binary string: imm32.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: kernelbase.pdb0 source: WerFault.exe, 00000008.00000003.338884564.00000242967ED000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.353099034.00000229FE5BD000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbn source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
Source:	Binary string: mswsock.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: version.pdb= source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
Source:	Binary string: wbemdisp.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: kernelbase.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows.pdb source: WerFault.exe, 00000008.00000003.343526295.00000242949A0000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000008.00000003.343778680.00000242973D0000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357324789.00000229FF1B0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000008.00000003.336850963.0000024296E07000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: netutils.pdb3 source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdbd source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
Source:	Binary string: kernel32.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: win32u.pdbMy source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: sxs.pdb^ source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbYy0 source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: netutils.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: kernelbase.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbAy source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: kernel32.pdb0 source: WerFault.exe, 00000008.00000003.337970170.00000242967E7000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.351894336.00000229FE5B7000.00000004.00000001.sdmp
Source:	Binary string: UxTheme.pdbJy source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: wbemprox.pdbO source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
Source:	Binary string: rpcrt4.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: imm32.pdbSy source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdbVy3 source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbX source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.343778680.00000242973D0000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357324789.00000229FF1B0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: rpcrt4.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: user32.pdb~y source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdbf source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: gdi32full.pdb source: WerFault.exe, 00000008.00000003.343778680.00000242973D0000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357324789.00000229FF1B0000.00000004.00000040.sdmp
Source:	Binary string: mswsock.pdb< source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: gdi32.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbc source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb0 source: WerFault.exe, 00000008.00000003.337951904.00000242967DB000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.351848765.00000229FE5AB000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb] source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: fastprox.pdb* source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: .pdbd source: WerFault.exe, 00000017.00000002.372514679.00000229FC8A3000.00000004.00000020.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: netapi32.pdb{y source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb8 source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
Source:	Binary string: user32.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000008.00000003.343778680.00000242973D0000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357324789.00000229FF1B0000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: netapi32.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb! source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdb{ source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb\y5 source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp

Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_67355D80 FindFirstFileW,FindClose,	1_2_67355D80
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_67355D80 FindFirstFileW,FindClose,	19_2_67355D80
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_67355D80 FindFirstFileW,FindClose,	38_2_67355D80

Source: Joe Sandbox View

ASN Name: MIVOCLOUDMD MIVOCLOUDMD

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown

DNS traffic detected: queries for: raw.githubusercontent.com

Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386735555.000001D49B370000.00000004.00000020.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: loaddll64.exe, 00000000.00000003.376076962.00000240DB28A000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000002.361906155.000002273170A000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000003.339540768.000001F32CB7A000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.387715264.000001D49CDDA000.00000004.00000001.sdmp, rundll32.exe, 00000020.00000003.353508971.0000021AF199A000.00000004.00000001.sdmp	String found in binary or memory: http://bromide.xyz/ssh.zip
Source: loaddll64.exe, 00000000.00000003.374051580.00000240DB28A000.00000004.00000001.sdmp	String found in binary or memory: http://bromide.xyz/ssh.zipQ
Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386735555.000001D49B370000.00000004.00000020.sdmp, rundll32.exe, 00000026.00000003.496943072.000001E66F2F2000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386735555.000001D49B370000.00000004.00000020.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386735555.000001D49B370000.00000004.00000020.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386735555.000001D49B370000.00000004.00000020.sdmp, rundll32.exe, 00000026.00000003.496943072.000001E66F2F2000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0E
Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386735555.000001D49B370000.00000004.00000020.sdmp, rundll32.exe, 00000026.00000003.496943072.000001E66F2F2000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: loaddll64.exe, 00000000.00000003.374051580.00000240DB28A000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000002.361906155.000002273170A000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.387715264.000001D49CDDA000.00000004.00000001.sdmp	String found in binary or memory: http://sdsddgu.xyz/khkhkt
Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386700844.000001D49B34E000.00000004.00000020.sdmp	String found in binary or memory: https://jfuag3.cn/
Source: loaddll64.exe, 00000000.00000002.376819370.00000240D9698000.00000004.00000020.sdmp, loaddll64.exe, 00000000.00000002.376933565.00000240D970D000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386594753.000001D49B2FB000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386735555.000001D49B370000.00000004.00000020.sdmp	String found in binary or memory: https://jfuag3.cn/fjfuev/b.php
Source: rundll32.exe, 00000013.00000002.387699553.000001D49CDD3000.00000004.00000001.sdmp	String found in binary or memory: https://jfuag3.cn/fjfuev/b.php03
Source: loaddll64.exe, 00000000.00000003.374043886.00000240DB283000.00000004.00000001.sdmp	String found in binary or memory: https://jfuag3.cn/fjfuev/b.php03(
Source: rundll32.exe, 00000013.00000002.386594753.000001D49B2FB000.00000004.00000020.sdmp	String found in binary or memory: https://jfuag3.cn/fjfuev/b.php4V
Source: loaddll64.exe, 00000000.00000002.376819370.00000240D9698000.00000004.00000020.sdmp	String found in binary or memory: https://jfuag3.cn/fjfuev/b.phpce
Source: loaddll64.exe, 00000000.00000003.376076962.00000240DB28A000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000002.361906155.000002273170A000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000003.339540768.000001F32CB7A000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.387715264.000001D49CDDA000.00000004.00000001.sdmp, rundll32.exe, 00000020.00000003.353508971.0000021AF199A000.00000004.00000001.sdmp	String found in binary or memory: https://jfuag3.cndfdlhldfh
Source: loaddll64.exe, 00000000.00000003.373759681.00000240DB1F1000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.387399333.000001D49CD41000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubuser
Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp	String found in binary or memory: https://wauag3.cn/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443

Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.181.156.3:443 -> 192.168.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report otiiahj64_mediasvc.png

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking: