Analysis Report otiiahj64_mediasvc.png

Overview

General Information

Sample Name: otiiahj64_mediasvc.png (renamed file extension from png to dll)
Analysis ID: 370720
MD5: aa6bf98c9120b0539c0270a3e453ddf6
SHA1: 982bae56ad251639d34412d40bd7c0f2c2f4ff7a
SHA256: 7ca008588561777420954419f28471ffc53dded26af0c640991ecf80de490d99
Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Adds a new user with administrator rights
Hides user accounts
Modifies security policies related information
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • loaddll64.exe (PID: 5824 cmdline: loaddll64.exe 'C:\Users\user\Desktop\otiiahj64_mediasvc.dll' MD5: 8E81A09C7B4484341759E793AC330CB2)
    • rundll32.exe (PID: 2996 cmdline: rundll32.exe C:\Users\user\Desktop\otiiahj64_mediasvc.dll,TMethodImplementationIntercept MD5: 73C519F050C20580F8A62C849D49215A)
      • cmd.exe (PID: 2796 cmdline: cmd /C net.exe user WgaUtilAcc 000000 /del MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • net.exe (PID: 6244 cmdline: net.exe user WgaUtilAcc 000000 /del MD5: 15534275EDAABC58159DD0F8607A71E5)
          • net1.exe (PID: 6272 cmdline: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del MD5: AF569DE92AB6C1B9C681AF1E799F9983)
      • WerFault.exe (PID: 6188 cmdline: C:\Windows\system32\WerFault.exe -u -p 2996 -s 552 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
      • cmd.exe (PID: 6808 cmdline: cmd /C net.exe user WgaUtilAcc NCWWqygs /add MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • net.exe (PID: 6892 cmdline: net.exe user WgaUtilAcc NCWWqygs /add MD5: 15534275EDAABC58159DD0F8607A71E5)
          • net1.exe (PID: 6928 cmdline: C:\Windows\system32\net1 user WgaUtilAcc NCWWqygs /add MD5: AF569DE92AB6C1B9C681AF1E799F9983)
    • cmd.exe (PID: 988 cmdline: cmd /C net.exe user WgaUtilAcc 000000 /del MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • net.exe (PID: 6168 cmdline: net.exe user WgaUtilAcc 000000 /del MD5: 15534275EDAABC58159DD0F8607A71E5)
        • net1.exe (PID: 6204 cmdline: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del MD5: AF569DE92AB6C1B9C681AF1E799F9983)
    • cmd.exe (PID: 6296 cmdline: cmd /C net.exe user WgaUtilAcc 4iEPp7DW /add MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • net.exe (PID: 6332 cmdline: net.exe user WgaUtilAcc 4iEPp7DW /add MD5: 15534275EDAABC58159DD0F8607A71E5)
        • net1.exe (PID: 6444 cmdline: C:\Windows\system32\net1 user WgaUtilAcc 4iEPp7DW /add MD5: AF569DE92AB6C1B9C681AF1E799F9983)
    • rundll32.exe (PID: 6320 cmdline: rundll32.exe C:\Users\user\Desktop\otiiahj64_mediasvc.dll,__dbk_fcall_wrapper MD5: 73C519F050C20580F8A62C849D49215A)
    • cmd.exe (PID: 6524 cmdline: cmd /C net.exe LOCALGROUP 'Remote Desktop Users' WgaUtilAcc /ADD MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • net.exe (PID: 6544 cmdline: net.exe LOCALGROUP 'Remote Desktop Users' WgaUtilAcc /ADD MD5: 15534275EDAABC58159DD0F8607A71E5)
        • net1.exe (PID: 6576 cmdline: C:\Windows\system32\net1 LOCALGROUP 'Remote Desktop Users' WgaUtilAcc /ADD MD5: AF569DE92AB6C1B9C681AF1E799F9983)
    • rundll32.exe (PID: 6556 cmdline: rundll32.exe C:\Users\user\Desktop\otiiahj64_mediasvc.dll,dbkFCallWrapperAddr MD5: 73C519F050C20580F8A62C849D49215A)
      • cmd.exe (PID: 6672 cmdline: cmd /C net.exe user WgaUtilAcc 000000 /del MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • net.exe (PID: 6752 cmdline: net.exe user WgaUtilAcc 000000 /del MD5: 15534275EDAABC58159DD0F8607A71E5)
          • net1.exe (PID: 6796 cmdline: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del MD5: AF569DE92AB6C1B9C681AF1E799F9983)
      • WerFault.exe (PID: 6680 cmdline: C:\Windows\system32\WerFault.exe -u -p 6556 -s 624 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • cmd.exe (PID: 6688 cmdline: cmd /C net.exe LOCALGROUP 'Remote Desktop Users' user /ADD MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • net.exe (PID: 6708 cmdline: net.exe LOCALGROUP 'Remote Desktop Users' user /ADD MD5: 15534275EDAABC58159DD0F8607A71E5)
        • net1.exe (PID: 6776 cmdline: C:\Windows\system32\net1 LOCALGROUP 'Remote Desktop Users' user /ADD MD5: AF569DE92AB6C1B9C681AF1E799F9983)
    • rundll32.exe (PID: 6872 cmdline: rundll32.exe C:\Users\user\Desktop\otiiahj64_mediasvc.dll,euefnaiw MD5: 73C519F050C20580F8A62C849D49215A)
    • cmd.exe (PID: 6948 cmdline: cmd /C net.exe LOCALGROUP 'Administrators' WgaUtilAcc /ADD MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • net.exe (PID: 6964 cmdline: net.exe LOCALGROUP 'Administrators' WgaUtilAcc /ADD MD5: 15534275EDAABC58159DD0F8607A71E5)
        • net1.exe (PID: 6984 cmdline: C:\Windows\system32\net1 LOCALGROUP 'Administrators' WgaUtilAcc /ADD MD5: AF569DE92AB6C1B9C681AF1E799F9983)
    • rundll32.exe (PID: 7016 cmdline: rundll32.exe C:\Users\user\Desktop\otiiahj64_mediasvc.dll,gusiezo3 MD5: 73C519F050C20580F8A62C849D49215A)
    • cmd.exe (PID: 7092 cmdline: cmd /C net.exe user WgaUtilAcc 4iEPp7DW MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000003.373759681.00000240DB1F1000.00000004.00000001.sdmp
  Rule: JoeSecurity_PowershellDownloadAndExecute
  Description: Yara detected Powershell download and execute
  Author: Joe Security

Source: 00000013.00000002.387399333.000001D49CD41000.00000004.00000001.sdmp
  Rule: JoeSecurity_PowershellDownloadAndExecute
  Description: Yara detected Powershell download and execute
  Author: Joe Security

Source: Process Memory Space: rundll32.exe PID: 6556
  Rule: JoeSecurity_PowershellDownloadAndExecute
  Description: Yara detected Powershell download and execute
  Author: Joe Security

Source: Process Memory Space: loaddll64.exe PID: 5824
  Rule: PowerShell_Susp_Parameter_Combo
  Description: Detects PowerShell invocation with suspicious parameters
  Author: Florian Roth
  Strings:
  • 0x435b8:$sa1: -enc
  • 0x4ac47:$sa1: -enc
  • 0x100ea2:$sa1: -enc
  • 0x43581:$sc2: -NoProfile
  • 0x100e6b:$sc2: -NoProfile
  • 0x435a8:$sd2: -noninteractive
  • 0x4ac37:$sd2: -noninteractive
  • 0x100e92:$sd2: -noninteractive
  • 0x43576:$se1: -ep bypass
  • 0x100e60:$se1: -ep bypass

Source: Process Memory Space: loaddll64.exe PID: 5824
  Rule: JoeSecurity_PowershellDownloadAndExecute
  Description: Yara detected Powershell download and execute
  Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Group Modification Logging
Source: Event Logs; Author: Alexandr Yampolskyi, SOC Prime; Data: EventID: 4728, Source: Microsoft-Windows-Security-Auditing, data 0: -, data 1: S-1-5-21-3853321935-2125563209-4053062332-1003, data 2: None, data 3: computer, data 4: S-1-5-21-3853321935-2125563209-4053062332-513, data 5: S-1-5-21-3853321935-2125563209-4053062332-1002, data 6: user, data 7: computer, data 8: 0x202b4, data 9: -
Sigma detected: Local User Creation
Source: Event Logs; Author: Patrick Bareiss; Data: EventID: 4720, Source: Microsoft-Windows-Security-Auditing, data 0: WgaUtilAcc, data 1: computer, data 10: -, data 11: %%1793, data 12: %%1793, data 13: %%1793, data 14: %%1793, data 15: %%1793, data 16: %%1794, data 17: %%1794, data 18: 513, data 19: -, data 2: S-1-5-21-3853321935-2125563209-4053062332-1003, data 20: 0x0, data 21: 0x15, data 22: %%2080 %%2082 %%2084, data 23: %%1793, data 24: -, data 25: %%1797, data 3: S-1-5-21-3853321935-2125563209-4053062332-1002, data 4: user, data 5: computer, data 6: 0x202b4, data 7: -, data 8: WgaUtilAcc, data 9: %%1793
Sigma detected: Net.exe Execution
Source: Process started; Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements); Data: Command: net.exe user WgaUtilAcc 000000 /del, CommandLine: net.exe user WgaUtilAcc 000000 /del, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /C net.exe user WgaUtilAcc 000000 /del, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 988, ProcessCommandLine: net.exe user WgaUtilAcc 000000 /del, ProcessId: 6168

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: otiiahj64_mediasvc.dll; Virustotal: Detection: 42%
Source: otiiahj64_mediasvc.dll; Metadefender: Detection: 32%
Source: otiiahj64_mediasvc.dll; ReversingLabs: Detection: 72%
Source: otiiahj64_mediasvc.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
          Source: Binary string: nsi.pdbf source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: gdi32full.pdb source: WerFault.exe, 00000008.00000003.343778680.00000242973D0000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357324789.00000229FF1B0000.00000004.00000040.sdmp
          Source: Binary string: mswsock.pdb< source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: gdi32.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdbc source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
          Source: Binary string: rundll32.pdb0 source: WerFault.exe, 00000008.00000003.337951904.00000242967DB000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.351848765.00000229FE5AB000.00000004.00000001.sdmp
          Source: Binary string: ws2_32.pdb] source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
          Source: Binary string: fastprox.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: msctf.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: fastprox.pdb* source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: .pdbd source: WerFault.exe, 00000017.00000002.372514679.00000229FC8A3000.00000004.00000020.sdmp
          Source: Binary string: version.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: netapi32.pdb{y source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: msctf.pdb8 source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
          Source: Binary string: user32.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000008.00000003.343778680.00000242973D0000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357324789.00000229FF1B0000.00000004.00000040.sdmp
          Source: Binary string: rundll32.pdb8 source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
          Source: Binary string: netapi32.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
          Source: Binary string: iphlpapi.pdb! source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: ntdll.pdb source: WerFault.exe, 00000008.00000003.343635964.00000242973D1000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357008583.00000229FF1B1000.00000004.00000040.sdmp
          Source: Binary string: wtsapi32.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: wtsapi32.pdb{ source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp
          Source: Binary string: shell32.pdb\y5 source: WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000008.00000003.343744226.00000242973DA000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.357031699.00000229FF1BA000.00000004.00000040.sdmp
          Source: C:\Windows\System32\rundll32.exe Code function: 1_2_67355D80 FindFirstFileW,FindClose,1_2_67355D80
          Source: C:\Windows\System32\rundll32.exe Code function: 19_2_67355D80 FindFirstFileW,FindClose,19_2_67355D80
          Source: C:\Windows\System32\rundll32.exe Code function: 38_2_67355D80 FindFirstFileW,FindClose,38_2_67355D80
          Source: Joe Sandbox View ASN Name: MIVOCLOUDMD MIVOCLOUDMD
          Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
          Source: unknown DNS traffic detected: queries for: raw.githubusercontent.com
          Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386735555.000001D49B370000.00000004.00000020.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
          Source: loaddll64.exe, 00000000.00000003.376076962.00000240DB28A000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000002.361906155.000002273170A000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000003.339540768.000001F32CB7A000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.387715264.000001D49CDDA000.00000004.00000001.sdmp, rundll32.exe, 00000020.00000003.353508971.0000021AF199A000.00000004.00000001.sdmp String found in binary or memory: http://bromide.xyz/ssh.zip
          Source: loaddll64.exe, 00000000.00000003.374051580.00000240DB28A000.00000004.00000001.sdmp String found in binary or memory: http://bromide.xyz/ssh.zipQ
          Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386735555.000001D49B370000.00000004.00000020.sdmp, rundll32.exe, 00000026.00000003.496943072.000001E66F2F2000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
          Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386735555.000001D49B370000.00000004.00000020.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
          Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386735555.000001D49B370000.00000004.00000020.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
          Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386735555.000001D49B370000.00000004.00000020.sdmp, rundll32.exe, 00000026.00000003.496943072.000001E66F2F2000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0E
          Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386735555.000001D49B370000.00000004.00000020.sdmp, rundll32.exe, 00000026.00000003.496943072.000001E66F2F2000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
          Source: loaddll64.exe, 00000000.00000003.374051580.00000240DB28A000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000002.361906155.000002273170A000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.387715264.000001D49CDDA000.00000004.00000001.sdmp String found in binary or memory: http://sdsddgu.xyz/khkhkt
          Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386700844.000001D49B34E000.00000004.00000020.sdmp String found in binary or memory: https://jfuag3.cn/
          Source: loaddll64.exe, 00000000.00000002.376819370.00000240D9698000.00000004.00000020.sdmp, loaddll64.exe, 00000000.00000002.376933565.00000240D970D000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386594753.000001D49B2FB000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000002.386735555.000001D49B370000.00000004.00000020.sdmp String found in binary or memory: https://jfuag3.cn/fjfuev/b.php
          Source: rundll32.exe, 00000013.00000002.387699553.000001D49CDD3000.00000004.00000001.sdmp String found in binary or memory: https://jfuag3.cn/fjfuev/b.php03
          Source: loaddll64.exe, 00000000.00000003.374043886.00000240DB283000.00000004.00000001.sdmp String found in binary or memory: https://jfuag3.cn/fjfuev/b.php03(
          Source: rundll32.exe, 00000013.00000002.386594753.000001D49B2FB000.00000004.00000020.sdmp String found in binary or memory: https://jfuag3.cn/fjfuev/b.php4V
          Source: loaddll64.exe, 00000000.00000002.376819370.00000240D9698000.00000004.00000020.sdmp String found in binary or memory: https://jfuag3.cn/fjfuev/b.phpce
          Source: loaddll64.exe, 00000000.00000003.376076962.00000240DB28A000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000002.361906155.000002273170A000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000003.339540768.000001F32CB7A000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.387715264.000001D49CDDA000.00000004.00000001.sdmp, rundll32.exe, 00000020.00000003.353508971.0000021AF199A000.00000004.00000001.sdmp String found in binary or memory: https://jfuag3.cndfdlhldfh
          Source: loaddll64.exe, 00000000.00000003.373759681.00000240DB1F1000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.387399333.000001D49CD41000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubuser
          Source: loaddll64.exe, 00000000.00000002.376863992.00000240D96D7000.00000004.00000020.sdmp String found in binary or memory: https://wauag3.cn/
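The memory strings above mix two very different things: certificate-chain URLs (IdenTrust, Let's Encrypt, lencr.org) that any TLS client leaves in memory after validating a chain, and the attacker-controlled URLs (bromide.xyz, sdsddgu.xyz, jfuag3.cn, wauag3.cn) that are the actual indicators. Several of the latter also appear with one to three bytes of memory residue glued to the end (b.php03, b.php4V, ssh.zipQ), which inflates an IOC list if taken verbatim. The following script is an added example, not part of the report or of Joe Sandbox; it parses a handful of lines copied from this page (the constructed SAMPLE_REPORT), strips the residue, separates PKI noise from C2 candidates, and folds the JA3 fingerprint, DNS query and the per-port HTTPS lines later in this section into one deduplicated indicator set. The PKI suffix list and the "at most three trailing bytes, no slash" residue rule are assumptions made for the example.

```python
"""Indicator triage for the URL, DNS, JA3 and HTTPS lines of a Joe Sandbox
style report. Added example, not code from the report or from Joe Sandbox;
PKI_SUFFIXES and the residue heuristic in collapse_variants are assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: lines copied from the report, with a space restored between
# the "Source: ..." cell and the finding. The regexes use search(), so the fused
# form seen in the extracted page ("unknownHTTPS traffic ...") parses the same.
SAMPLE_REPORT = """\
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown DNS traffic detected: queries for: raw.githubusercontent.com
Source: loaddll64.exe String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: loaddll64.exe String found in binary or memory: http://bromide.xyz/ssh.zip
Source: loaddll64.exe String found in binary or memory: http://bromide.xyz/ssh.zipQ
Source: loaddll64.exe String found in binary or memory: http://cps.letsencrypt.org0
Source: loaddll64.exe String found in binary or memory: http://r3.o.lencr.org0
Source: loaddll64.exe String found in binary or memory: http://sdsddgu.xyz/khkhkt
Source: loaddll64.exe String found in binary or memory: https://jfuag3.cn/
Source: loaddll64.exe String found in binary or memory: https://jfuag3.cn/fjfuev/b.php
Source: rundll32.exe String found in binary or memory: https://jfuag3.cn/fjfuev/b.php03
Source: rundll32.exe String found in binary or memory: https://jfuag3.cn/fjfuev/b.php4V
Source: loaddll64.exe String found in binary or memory: https://wauag3.cn/
Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49728 version: TLS 1.2
"""

URL_RE = re.compile(r"String found in binary or memory: (\S+)")
DNS_RE = re.compile(r"DNS traffic detected: queries for: (\S+)")
JA3_RE = re.compile(r"JA3 fingerprint: ([0-9a-f]{32})")
TLS_RE = re.compile(r"HTTPS traffic detected: (\d+\.\d+\.\d+\.\d+):(\d+) -> "
                    r"(\d+\.\d+\.\d+\.\d+):(\d+) version: (TLS [\d.]+)")
# Longest leading run of dotted labels ending in an alphabetic TLD: this drops
# the DER residue glued to hostnames such as "cps.letsencrypt.org0".
HOST_RE = re.compile(r"^((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
# Assumption: certificate-chain URLs from these CAs are noise, not C2.
PKI_SUFFIXES = ("identrust.com", "letsencrypt.org", "lencr.org")


def clean_host(raw_host):
    """Hostname with trailing non-domain bytes removed, or None if unparsable."""
    m = HOST_RE.match(raw_host)
    return m.group(1).lower() if m else None


def collapse_variants(urls):
    """Fold 'https://x/b.php03' into 'https://x/b.php': a shorter URL that is a
    strict prefix wins when the leftover is <= 3 chars and contains no '/'
    (so 'https://x/' never swallows 'https://x/a/b.php')."""
    kept = []
    for url in sorted(set(urls), key=len):
        if any(url.startswith(k) and len(url) - len(k) <= 3 and "/" not in url[len(k):]
               for k in kept):
            continue
        kept.append(url)
    return kept


def classify_url(url):
    """Bucket a URL as CA infrastructure ('pki', keyed by host) or a C2 candidate."""
    host = clean_host(urlsplit(url).hostname or "")
    if host is None:
        return "unparsed", url
    if any(host == s or host.endswith("." + s) for s in PKI_SUFFIXES):
        return "pki", host
    return "candidate_c2", url


def triage(report_text):
    """Parse report lines into sorted, deduplicated indicator buckets."""
    urls, dns, ja3, conns = [], set(), set(), []
    for line in report_text.splitlines():
        if m := URL_RE.search(line):
            urls.append(m.group(1))
        elif m := DNS_RE.search(line):
            dns.add(m.group(1))
        elif m := JA3_RE.search(line):
            ja3.add(m.group(1))
        elif m := TLS_RE.search(line):
            conns.append((m.group(1), int(m.group(2)), int(m.group(4)), m.group(5)))
    buckets = defaultdict(set)
    for url in collapse_variants(urls):
        kind, value = classify_url(url)
        buckets[kind].add(value)
    buckets["dns"], buckets["ja3"] = dns, ja3
    # One entry per TLS server; each distinct client port is one connection.
    per_server = defaultdict(set)
    for server_ip, server_port, client_port, version in conns:
        per_server[(server_ip, server_port, version)].add(client_port)
    buckets["tls_servers"] = {f"{ip}:{port} {ver} ({len(ports)} connections)"
                              for (ip, port, ver), ports in per_server.items()}
    return {kind: sorted(values) for kind, values in buckets.items()}


if __name__ == "__main__":
    for kind, values in triage(SAMPLE_REPORT).items():
        print(kind, values)
```

Run against the full report text, the candidate_c2 bucket is what goes into a blocklist or hunt query; the pki bucket is discarded, and the tls_servers entry ties the 5.181.156.3 endpoint (MIVOCLOUD per the ASN line above) to the number of distinct TLS sessions the sample opened. The residue rule is deliberately conservative: a trailing fragment longer than three characters, or one containing a slash, is kept as its own indicator rather than silently merged.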
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
          Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
          Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
          Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
          Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
          Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
          Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
          Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
          Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
          Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
          Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
          Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
          Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
          Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
          Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
          Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
          Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
          Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
          Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
          Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
          Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
          Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
          Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
          Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
          Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
          Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
          Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
          Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
          Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
          Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49726 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49728 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49729 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49734 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49739 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49740 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49741 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49742 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49743 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49745 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49748 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49752 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49755 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49757 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49760 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49761 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49762 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49763 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49764 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49765 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49767 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49768 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49769 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49770 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49771 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49772 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49773 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49774 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49775 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49776 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49777 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49782 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49788 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49789 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49790 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49791 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49792 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49793 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49794 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49795 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49796 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49797 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49798 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49799 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49800 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49801 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49802 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49803 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49804 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49805 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49806 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49807 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.2.6:49808 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 5.181.156.3:443 -> 192.168.