Edit tour

Windows Analysis Report
SaLY22oLht.exe

Overview

General Information

Sample name:	SaLY22oLht.exe renamed because original name is a hash value
Original sample name:	39d11a7c0c4286ab2fa318d37cb3c3f3.exe
Analysis ID:	1362903
MD5:	39d11a7c0c4286ab2fa318d37cb3c3f3
SHA1:	c18444d8d82b628100ac6d7b33c873884be99897
SHA256:	48ee5e003fdd3d8c6b50ffb7931e5562ef3d04b7b411d8cf89118655da5c0e03
Tags:	exe
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Contains functionality to inject code into remote processes

Drops PE files with benign system names

Found Tor onion address

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May use the Tor software to hide its network traffic

Connects to several IPs in different countries

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SaLY22oLht.exe (PID: 7088 cmdline: C:\Users\user\Desktop\SaLY22oLht.exe MD5: 39D11A7C0C4286AB2FA318D37CB3C3F3)

SaLY22oLht.exe (PID: 6204 cmdline: C:\Users\user\Desktop\SaLY22oLht.exe MD5: 39D11A7C0C4286AB2FA318D37CB3C3F3)

csrss.exe (PID: 6320 cmdline: "C:\ProgramData\Drivers\csrss.exe" MD5: 39D11A7C0C4286AB2FA318D37CB3C3F3)

csrss.exe (PID: 1856 cmdline: "C:\ProgramData\Drivers\csrss.exe" MD5: 39D11A7C0C4286AB2FA318D37CB3C3F3)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1742071924.0000000002C00000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1650243292.0000000002917000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SaLY22oLht.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\Drivers\csrss.exe

Avira: detection malicious, Label: HEUR/AGEN.1357748

Machine Learning detection for dropped file

Source: C:\ProgramData\Drivers\csrss.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SaLY22oLht.exe

Joe Sandbox ML: detected

Source: SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_40e2a35e-8

Source: SaLY22oLht.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 199.249.230.155:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 139.162.210.252:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 178.20.55.16:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.15.246.170:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.211.136.23:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.118.242.103:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.158.147.25:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.213.233.138:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.154.106.60:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 85.10.240.250:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 62.210.123.24:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49822 version: TLS 1.2

Networking

Found Tor onion address

Source: SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000824000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Referer: X-Requested-With: XMLHttpRequest Content-Type: application/json;127.0.0.1:--ignore-missing-torrcect[] = --SOCKSPort--DataDirectory--bridgehttp://x5outc76j5k4qrzaqdj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onionT/reg.php?upd.php?/task.php?/rep.phperr.php?&n=v=b=p=repsf=e=nocache=SEH exceptionSEHSTD: C++.dll4kPv6aJG8e\!update!sleep !regcheckcreateObjectwp-login.phpwp-admin/name="loginform"ionW[] = id="loginform"name="log"id="user_login"name="pwd"id="user_pass"administrator/administrator/index.php ] = id="form-login"action="/administrator= = id="mod-login-username"nd[] = name="username"id="mod-login-password" name="passwd"admin.phpDataLifesubactionusernamepasswordOK{
Source: csrss.exe, 00000003.00000002.4085920493.0000000000824000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Referer: X-Requested-With: XMLHttpRequest Content-Type: application/json;127.0.0.1:--ignore-missing-torrcect[] = --SOCKSPort--DataDirectory--bridgehttp://x5outc76j5k4qrzaqdj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onionT/reg.php?upd.php?/task.php?/rep.phperr.php?&n=v=b=p=repsf=e=nocache=SEH exceptionSEHSTD: C++.dll4kPv6aJG8e\!update!sleep !regcheckcreateObjectwp-login.phpwp-admin/name="loginform"ionW[] = id="loginform"name="log"id="user_login"name="pwd"id="user_pass"administrator/administrator/index.php ] = id="form-login"action="/administrator= = id="mod-login-username"nd[] = name="username"id="mod-login-password" name="passwd"admin.phpDataLifesubactionusernamepasswordOK{

Source: unknown

Network traffic detected: IP country count 20

Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 82.145.59.127:9001
Source: global traffic	TCP traffic: 192.168.2.4:49732 -> 46.19.141.85:8100
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 116.203.140.74:9001
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 95.84.140.36:9090
Source: global traffic	TCP traffic: 192.168.2.4:49751 -> 188.26.207.181:19001
Source: global traffic	TCP traffic: 192.168.2.4:49752 -> 128.31.0.39:9101
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 185.220.101.1:30001
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 185.198.26.149:9001
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 195.201.29.252:9001
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 163.172.68.222:9001
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 212.8.243.229:9001
Source: global traffic	TCP traffic: 192.168.2.4:49764 -> 45.15.16.116:9001
Source: global traffic	TCP traffic: 192.168.2.4:49765 -> 45.151.167.10:8443
Source: global traffic	TCP traffic: 192.168.2.4:49766 -> 147.92.88.67:9001
Source: global traffic	TCP traffic: 192.168.2.4:49772 -> 140.186.205.68:9001
Source: global traffic	TCP traffic: 192.168.2.4:49773 -> 185.244.192.247:9001
Source: global traffic	TCP traffic: 192.168.2.4:49774 -> 205.185.127.35:9100
Source: global traffic	TCP traffic: 192.168.2.4:49775 -> 94.142.241.226:9443
Source: global traffic	TCP traffic: 192.168.2.4:49779 -> 37.139.22.180:9001
Source: global traffic	TCP traffic: 192.168.2.4:49783 -> 167.114.144.152:9002
Source: global traffic	TCP traffic: 192.168.2.4:49785 -> 51.38.65.160:9001
Source: global traffic	TCP traffic: 192.168.2.4:49786 -> 37.120.167.200:12312
Source: global traffic	TCP traffic: 192.168.2.4:49788 -> 116.12.180.234:9443
Source: global traffic	TCP traffic: 192.168.2.4:49789 -> 213.158.31.231:22711
Source: global traffic	TCP traffic: 192.168.2.4:49790 -> 149.56.98.216:9001
Source: global traffic	TCP traffic: 192.168.2.4:49791 -> 78.94.253.253:9001
Source: global traffic	TCP traffic: 192.168.2.4:49793 -> 2.233.91.176:19001
Source: global traffic	TCP traffic: 192.168.2.4:49795 -> 121.200.26.46:300
Source: global traffic	TCP traffic: 192.168.2.4:49797 -> 24.150.204.225:9003
Source: global traffic	TCP traffic: 192.168.2.4:49798 -> 5.2.78.69:9001
Source: global traffic	TCP traffic: 192.168.2.4:49799 -> 77.250.227.202:7002
Source: global traffic	TCP traffic: 192.168.2.4:49802 -> 62.210.83.207:8080
Source: global traffic	TCP traffic: 192.168.2.4:49803 -> 88.198.112.25:9001
Source: global traffic	TCP traffic: 192.168.2.4:49805 -> 185.220.101.22:30022
Source: global traffic	TCP traffic: 192.168.2.4:49806 -> 85.195.208.154:9001
Source: global traffic	TCP traffic: 192.168.2.4:49808 -> 103.253.41.98:9001
Source: global traffic	TCP traffic: 192.168.2.4:49810 -> 51.91.121.255:9001
Source: global traffic	TCP traffic: 192.168.2.4:49812 -> 47.56.94.99:9001
Source: global traffic	TCP traffic: 192.168.2.4:49814 -> 107.189.31.181:9001
Source: global traffic	TCP traffic: 192.168.2.4:49817 -> 153.126.128.94:9001
Source: global traffic	TCP traffic: 192.168.2.4:49819 -> 91.121.160.6:9001
Source: global traffic	TCP traffic: 192.168.2.4:49820 -> 176.123.3.222:9001
Source: global traffic	TCP traffic: 192.168.2.4:49821 -> 94.154.159.96:9001

Source: global traffic

TCP traffic: 192.168.2.4:49749 -> 62.102.148.68:53

Source: Joe Sandbox View	IP Address: 171.25.193.9 171.25.193.9
Source: Joe Sandbox View	IP Address: 171.25.193.9 171.25.193.9

Source: Joe Sandbox View

JA3 fingerprint: 83d60721ecc423892660e275acc4dffd

Source: unknown	TCP traffic detected without corresponding DNS query: 82.145.59.127
Source: unknown	TCP traffic detected without corresponding DNS query: 82.145.59.127
Source: unknown	TCP traffic detected without corresponding DNS query: 46.19.141.85
Source: unknown	TCP traffic detected without corresponding DNS query: 82.145.59.127
Source: unknown	TCP traffic detected without corresponding DNS query: 199.249.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 199.249.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 199.249.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 46.19.141.85
Source: unknown	TCP traffic detected without corresponding DNS query: 82.145.59.127
Source: unknown	TCP traffic detected without corresponding DNS query: 199.249.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 199.249.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 199.249.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 82.145.59.127
Source: unknown	TCP traffic detected without corresponding DNS query: 46.19.141.85
Source: unknown	TCP traffic detected without corresponding DNS query: 46.19.141.85
Source: unknown	TCP traffic detected without corresponding DNS query: 46.19.141.85
Source: unknown	TCP traffic detected without corresponding DNS query: 154.35.175.225
Source: unknown	TCP traffic detected without corresponding DNS query: 154.35.175.225
Source: unknown	TCP traffic detected without corresponding DNS query: 154.35.175.225
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.140.74
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.140.74
Source: unknown	TCP traffic detected without corresponding DNS query: 95.84.140.36
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.140.74
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 95.84.140.36
Source: unknown	TCP traffic detected without corresponding DNS query: 95.84.140.36
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.140.74
Source: unknown	TCP traffic detected without corresponding DNS query: 95.84.140.36
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 154.35.175.225
Source: unknown	TCP traffic detected without corresponding DNS query: 199.249.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 199.249.230.155
Source: unknown	TCP traffic detected without corresponding DNS query: 62.102.148.68
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 188.26.207.181
Source: unknown	TCP traffic detected without corresponding DNS query: 128.31.0.39
Source: unknown	TCP traffic detected without corresponding DNS query: 85.209.158.115
Source: unknown	TCP traffic detected without corresponding DNS query: 85.209.158.115
Source: unknown	TCP traffic detected without corresponding DNS query: 85.209.158.115
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 85.209.158.115
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9

Source: SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4086802509.000000000281C000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: SaLY22oLht.exe, 00000001.00000002.4086834034.00000000025D5000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4086802509.0000000002812000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: SaLY22oLht.exe, 00000001.00000002.4086834034.00000000025D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.yahoo.com$y equals www.yahoo.com (Yahoo)
Source: SaLY22oLht.exe, 00000001.00000002.4086834034.00000000025D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.yahoo.com~y equals www.yahoo.com (Yahoo)

Source: SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.htmlTYPE=2OpenSSL
Source: SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000824000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000824000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://x5outc76j5k4qrzaqdj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onionT/reg.php?upd.php?/task.php?/re
Source: SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https:///phpMyAdmin//PhpMyAdmin//pma/rootmysqlimapssmtpspop3sscp://your_IP_is_greylisted_README.txt2
Source: SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://trac.torproject.org/projects/tor/ticket/14917.
Source: SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.torproject.org/
Source: csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.torproject.org/documentation.html

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

Source: unknown	HTTPS traffic detected: 199.249.230.155:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 139.162.210.252:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 178.20.55.16:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.15.246.170:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.211.136.23:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.118.242.103:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.158.147.25:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.213.233.138:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.154.106.60:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 85.10.240.250:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 62.210.123.24:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49822 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000002.00000002.1742071924.0000000002C00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1650243292.0000000002917000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Users\user\Desktop\SaLY22oLht.exe	Code function: 0_2_02AD0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,		0_2_02AD0110
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02E00110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,		2_2_02E00110

Source: Joe Sandbox View

Dropped File: C:\ProgramData\Drivers\csrss.exe 48EE5E003FDD3D8C6B50FFB7931E5562EF3D04B7B411D8CF89118655DA5C0E03

Source: SaLY22oLht.exe	Binary or memory string: OriginalFilename vs SaLY22oLht.exe
Source: SaLY22oLht.exe, 00000000.00000002.1650054900.0000000000A8D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFamebob.exe2 vs SaLY22oLht.exe
Source: SaLY22oLht.exe, 00000001.00000000.1647063660.0000000000A8D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFamebob.exe2 vs SaLY22oLht.exe
Source: SaLY22oLht.exe, 00000001.00000003.1651519469.0000000002BFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFamebob.exe2 vs SaLY22oLht.exe
Source: SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000843000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCSRSS.Exej% vs SaLY22oLht.exe
Source: SaLY22oLht.exe	Binary or memory string: OriginalFilenameFamebob.exe2 vs SaLY22oLht.exe

Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: csunsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: csunsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: aep.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: atasi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: nuronssl.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: ubsec.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: aep.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: atasi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: nuronssl.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: ubsec.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: csunsapi.dll	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: mswsock.dll	Jump to behavior

Source: SaLY22oLht.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000002.00000002.1742071924.0000000002C00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1650243292.0000000002917000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: classification engine

Classification label: mal92.evad.winEXE@6/3@0/73

Source: C:\Users\user\Desktop\SaLY22oLht.exe

Code function: 0_2_029177C6 CreateToolhelp32Snapshot,Module32First,

0_2_029177C6

Source: C:\Users\user\Desktop\SaLY22oLht.exe

File created: C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\

Jump to behavior

Source: SaLY22oLht.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SaLY22oLht.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SaLY22oLht.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SaLY22oLht.exe

File read: C:\Users\user\Desktop\SaLY22oLht.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SaLY22oLht.exe C:\Users\user\Desktop\SaLY22oLht.exe
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Process created: C:\Users\user\Desktop\SaLY22oLht.exe C:\Users\user\Desktop\SaLY22oLht.exe
Source: unknown	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
Source: C:\ProgramData\Drivers\csrss.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Process created: C:\Users\user\Desktop\SaLY22oLht.exe C:\Users\user\Desktop\SaLY22oLht.exe	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SaLY22oLht.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: SaLY22oLht.exe

Static file information: File size 1990656 > 1048576

Source: SaLY22oLht.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1bce00

Source: C:\Users\user\Desktop\SaLY22oLht.exe

Code function: 1_2_0069D030 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

1_2_0069D030

Source: C:\Users\user\Desktop\SaLY22oLht.exe	Code function: 0_2_02AC74BD push cs; ret	0_2_02AC74BE
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Code function: 0_2_02A8F7ED push ebp; retf	0_2_02A8F7EE
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Code function: 0_2_02AC77F8 push edx; retf	0_2_02AC77F9
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Code function: 0_2_029D52EF push ebx; iretd	0_2_029D52F7
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Code function: 0_2_02A8F80A push 5A36841Dh; retf	0_2_02A8F825
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Code function: 0_2_02A2970A pushad ; ret	0_2_02A2970C
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Code function: 1_2_00696299 push ecx; ret	1_2_006962AC
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02DB07D8 push edx; retf	2_2_02DB07D9
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02CBE2CF push ebx; iretd	2_2_02CBE2D7
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02D787CD push ebp; retf	2_2_02D787CE
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02D126EA pushad ; ret	2_2_02D126EC
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02D787EA push 5A36841Dh; retf	2_2_02D78805
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02DB049D push cs; ret	2_2_02DB049E
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 3_2_00696299 push ecx; ret	3_2_006962AC

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\SaLY22oLht.exe

File created: C:\ProgramData\Drivers\csrss.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SaLY22oLht.exe

File created: C:\ProgramData\Drivers\csrss.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SaLY22oLht.exe

File created: C:\ProgramData\Drivers\csrss.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SaLY22oLht.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run CSRSS			Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run CSRSS			Jump to behavior

Hooking and other Techniques for Hiding and Protection

May use the Tor software to hide its network traffic

Source: SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: onion-port

Source: C:\Users\user\Desktop\SaLY22oLht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SaLY22oLht.exe	Window / User API: threadDelayed 2275	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Window / User API: threadDelayed 7622	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Window / User API: threadDelayed 5072	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Window / User API: threadDelayed 4918	Jump to behavior

Source: C:\Users\user\Desktop\SaLY22oLht.exe TID: 3484	Thread sleep count: 2275 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe TID: 3484	Thread sleep time: -227500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe TID: 3484	Thread sleep count: 7622 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SaLY22oLht.exe TID: 3484	Thread sleep time: -762200s >= -30000s	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe TID: 4588	Thread sleep count: 5072 > 30	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe TID: 4588	Thread sleep time: -507200s >= -30000s	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe TID: 4588	Thread sleep count: 4918 > 30	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe TID: 4588	Thread sleep time: -491800s >= -30000s	Jump to behavior

Source: C:\ProgramData\Drivers\csrss.exe	Last function: Thread delayed
Source: C:\ProgramData\Drivers\csrss.exe	Last function: Thread delayed

Source: SaLY22oLht.exe, 00000001.00000002.4086433374.0000000000978000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: csrss.exe, 00000003.00000002.4086508451.0000000000C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)

Source: C:\Users\user\Desktop\SaLY22oLht.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SaLY22oLht.exe

Code function: 1_2_006943E0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_006943E0

Source: C:\Users\user\Desktop\SaLY22oLht.exe

1_2_0069D030

Source: C:\Users\user\Desktop\SaLY22oLht.exe	Code function: 0_2_029170A3 push dword ptr fs:[00000030h]	0_2_029170A3
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Code function: 0_2_02AD0042 push dword ptr fs:[00000030h]	0_2_02AD0042
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02C00083 push dword ptr fs:[00000030h]	2_2_02C00083
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02E00042 push dword ptr fs:[00000030h]	2_2_02E00042

Source: C:\Users\user\Desktop\SaLY22oLht.exe	Code function: 1_2_006943E0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_006943E0
Source: C:\Users\user\Desktop\SaLY22oLht.exe	Code function: 1_2_00694A78 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00694A78
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 3_2_006943E0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_006943E0
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 3_2_00694A78 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00694A78

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\SaLY22oLht.exe

Code function: 0_2_02AD0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,

0_2_02AD0110

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SaLY22oLht.exe	Memory written: C:\Users\user\Desktop\SaLY22oLht.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Memory written: C:\ProgramData\Drivers\csrss.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\SaLY22oLht.exe	Process created: C:\Users\user\Desktop\SaLY22oLht.exe C:\Users\user\Desktop\SaLY22oLht.exe			Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SaLY22oLht.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SaLY22oLht.exe

Code function: 0_2_00411D03 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00411D03

Source: C:\Users\user\Desktop\SaLY22oLht.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	211 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	211 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Multi-hop Proxy			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Scheduled Transfer	2 Proxy			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SaLY22oLht.exe	100%	Avira	HEUR/AGEN.1357748
SaLY22oLht.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Drivers\csrss.exe	100%	Avira	HEUR/AGEN.1357748
C:\ProgramData\Drivers\csrss.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https:///phpMyAdmin//PhpMyAdmin//pma/rootmysqlimapssmtpspop3sscp://your_IP_is_greylisted_README.txt2	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html	0%	Avira URL Cloud	safe
https://curl.se/docs/alt-svc.html	0%	Avira URL Cloud	safe
https://curl.se/docs/http-cookies.html	0%	Avira URL Cloud	safe
http://x5outc76j5k4qrzaqdj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onionT/reg.php?upd.php?/task.php?/re	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.htmlTYPE=2OpenSSL	SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://www.torproject.org/	SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://curl.se/docs/alt-svc.html	SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https:///phpMyAdmin//PhpMyAdmin//pma/rootmysqlimapssmtpspop3sscp://your_IP_is_greylisted_README.txt2	SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://curl.se/docs/http-cookies.html	SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x5outc76j5k4qrzaqdj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onionT/reg.php?upd.php?/task.php?/re	SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000824000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000824000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.torproject.org/documentation.html	csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://trac.torproject.org/projects/tor/ticket/14917.	SaLY22oLht.exe, 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
171.25.193.9	unknown	Sweden	198093	DFRI-ASForeningenfordigitalafri-ochrattigheterSE	false
85.10.240.250	unknown	Germany	24940	HETZNER-ASDE	false
45.66.33.45	unknown	Netherlands	47482	SPECTRENL	false
144.76.170.20	unknown	Germany	24940	HETZNER-ASDE	false
205.185.127.35	unknown	United States	53667	PONYNETUS	false
94.142.241.226	unknown	Netherlands	8283	COLOCLUE-ASNetwerkverenigingColoclueAmsterdamNetherlan	false
51.158.147.25	unknown	France	12876	OnlineSASFR	false
78.94.253.253	unknown	Germany	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
86.59.21.38	unknown	Austria	8437	UTA-ASAT	false
107.189.31.181	unknown	United States	53667	PONYNETUS	false
62.102.148.68	unknown	Sweden	51815	TEKNIKBYRANSE	false
163.172.68.222	unknown	United Kingdom	12876	OnlineSASFR	false
178.33.183.251	unknown	France	16276	OVHFR	false
154.35.175.225	unknown	United States	14987	RETHEMHOSTINGUS	false
153.126.128.94	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	false
2.233.91.176	unknown	Italy	12874	FASTWEBIT	false
128.31.0.39	unknown	United States	3	MIT-GATEWAYSUS	false
88.198.112.25	unknown	Germany	24940	HETZNER-ASDE	false
163.172.29.34	unknown	United Kingdom	12876	OnlineSASFR	false
91.213.233.138	unknown	Kyrgyzstan	39819	PROHOSTKG	false
62.210.83.207	unknown	France	12876	OnlineSASFR	false
51.91.121.255	unknown	France	16276	OVHFR	false
195.154.106.60	unknown	France	12876	OnlineSASFR	false
47.56.94.99	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
185.198.26.149	unknown	Germany	63473	HOSTHATCHUS	false
204.13.164.118	unknown	United States	25700	25700US	false
46.19.141.85	unknown	Switzerland	51852	PLI-ASCH	false
121.200.26.46	unknown	Australia	4764	WIDEBAND-AS-APAussieBroadbandAU	false
192.46.225.58	unknown	United States	5501	FRAUNHOFER-CLUSTER-BWResearchInstitutesspreadalloverGe	false
46.105.227.109	unknown	France	16276	OVHFR	false
198.100.149.77	unknown	Canada	16276	OVHFR	false
167.114.144.152	unknown	Canada	16276	OVHFR	false
95.211.136.23	unknown	Netherlands	60781	LEASEWEB-NL-AMS-01NetherlandsNL	false
37.187.23.232	unknown	France	16276	OVHFR	false
140.186.205.68	unknown	United States	11232	MIDCO-NETUS	false
94.154.159.96	unknown	United Kingdom	62240	CLOUVIDERClouvider-GlobalASNGB	false
178.20.55.16	unknown	France	50618	LIAZOFR	false
45.151.167.10	unknown	Germany	207871	FFDDORFDE	false
82.118.242.103	unknown	Bulgaria	201133	VERDINABZ	false
185.244.192.247	unknown	Germany	197540	NETCUP-ASnetcupGmbHDE	false
149.56.98.216	unknown	Canada	16276	OVHFR	false
116.203.140.74	unknown	Germany	24940	HETZNER-ASDE	false
193.23.244.244	unknown	Germany	50472	CHAOS-ASDE	false
62.210.123.24	unknown	France	12876	OnlineSASFR	false
5.2.78.69	unknown	Netherlands	60404	LITESERVERNL	false
147.92.88.67	unknown	United States	396097	SAIL-INETUS	false
77.250.227.202	unknown	Netherlands	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
45.15.16.116	unknown	Sweden	197595	OBE-EUROPEObenetworkEuropeSE	false
37.139.22.180	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	false
116.12.180.234	unknown	Singapore	3758	SINGNETSingNetSG	false
212.8.243.229	unknown	Netherlands	49981	WORLDSTREAMNL	false
82.145.59.127	unknown	United Kingdom	20860	IOMART-ASGB	false
37.120.167.200	unknown	Germany	197540	NETCUP-ASnetcupGmbHDE	false
85.195.208.154	unknown	Switzerland	13030	INIT7CH	false
131.188.40.189	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false
185.220.101.22	unknown	Germany	208294	ASMKNL	false
95.84.140.36	unknown	Russian Federation	42610	NCNET-ASRU	false
24.150.204.225	unknown	Canada	7992	COGECOWAVECA	false
176.123.3.222	unknown	Moldova Republic of	200019	ALEXHOSTMD	false
188.26.207.181	unknown	Romania	57269	DIGISPAINTELECOMES	false
199.249.230.155	unknown	United States	62744	QUINTEXUS	false
199.58.81.140	unknown	Canada	7765	KOUMBITCA	false
85.25.213.211	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	false
103.253.41.98	unknown	Hong Kong	133398	TELE-ASTeleAsiaLimitedHK	false
91.121.160.6	unknown	France	16276	OVHFR	false
195.201.29.252	unknown	Germany	24940	HETZNER-ASDE	false
185.220.101.1	unknown	Germany	208294	ASMKNL	false
51.15.246.170	unknown	France	12876	OnlineSASFR	false
139.162.210.252	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	false
85.209.158.115	unknown	Netherlands	18978	ENZUINC-US	false
51.38.65.160	unknown	France	16276	OVHFR	false
213.158.31.231	unknown	Russian Federation	31496	ATNET-ASArkhangelskbranchRU	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1362903
Start date and time:	2023-12-15 19:28:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SaLY22oLht.exe renamed because original name is a hash value
Original Sample Name:	39d11a7c0c4286ab2fa318d37cb3c3f3.exe
Detection:	MAL
Classification:	mal92.evad.winEXE@6/3@0/73
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SaLY22oLht.exe

Simulations

Behavior and APIs

Time	Type	Description
18:29:12	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run CSRSS "C:\ProgramData\Drivers\csrss.exe"
19:29:48	API Interceptor	7598559x Sleep call for process: SaLY22oLht.exe modified
19:29:58	API Interceptor	7073561x Sleep call for process: csrss.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
171.25.193.9	R53a3ZJHBQ.exe	Get hash	malicious	SystemBC	Browse	171.25.193.9/tor/status-vote/current/consensus
	x3WX1kHqcx.exe	Get hash	malicious	SystemBC	Browse	171.25.193.9/tor/status-vote/current/consensus
	oGO7Hy4YCH.exe	Get hash	malicious	SystemBC	Browse	171.25.193.9/tor/status-vote/current/consensus
	SPXp2YHDFz.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	ILI1MGzcig.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	lwRhzjuYIg.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	OVrJ9mtD6Y.exe	Get hash	malicious	TinyNuke	Browse	171.25.193.9/tor/status-vote/current/consensus
	F75rJPKdGb.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
	ozJy5Zf5cf.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
	zfpLjnr5P9.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
	kecFPnbu5K.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
	SecuriteInfo.com.Trojan.Kronos.21.31435.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	530000.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	6d0000.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
	6729001591617.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
	NNrUb9Avaw.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	taugif.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	9WajXSHVwg.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	bill4759.doc	Get hash	malicious		Browse	171.25.193.9/tor/status-vote/current/consensus
	bill notice 05.2019.xls	Get hash	malicious		Browse	171.25.193.9/tor/status-vote/current/consensus

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	qeCs6MR23P.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	7XD2TB6dZa.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	Ji7udNcOt2.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	M55cMerudm.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	Y2yATpEiec.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	WmmCieY6PG.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	Mj5ya4f2as.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	sWCFCHY7EN.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	tplzQKxY1P.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	PbPOdRfeO4.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	cYZ1srzEIF.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	jWhy7l5zLW.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	vjvbFvLuy7.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	YITdaTtsD2.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	ljEgZmwShb.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	nZkPfty6fI.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	c2Wh4peoeL.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	62px5bE7iO.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	i3uKp2gIYb.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
	SrZ2YdNfM3.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	95.216.227.177
SPECTRENL	SyD1FiOG1p.exe	Get hash	malicious	LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	45.66.35.11
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	45.66.35.11
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	45.66.33.45
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	45.66.33.45
	Bznx8G6dMz.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	45.66.33.45
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	45.66.33.45
	oB4fbQkz71.exe	Get hash	malicious	Djvu, RedLine, SmokeLoader	Browse	45.66.33.45
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	45.66.33.45
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	45.66.33.45
	klWGq3yDcQ.exe	Get hash	malicious	Unknown	Browse	45.66.35.11
	file.exe	Get hash	malicious	Unknown	Browse	45.66.33.45
	file.exe	Get hash	malicious	Unknown	Browse	45.66.33.45
	g5oo6DQ4pd.exe	Get hash	malicious	Unknown	Browse	45.66.33.45
	http--vx.zedz.net-vir-Exploit.HTML.Mht.exe	Get hash	malicious	Unknown	Browse	45.66.35.236
	cjx1l7SFuN.exe	Get hash	malicious	Amadey, RedLine, SmokeLoader, Vidar	Browse	45.66.33.45
	pe74v7n41M.exe	Get hash	malicious	Unknown	Browse	45.66.33.45
	sloa2.exe	Get hash	malicious	Unknown	Browse	45.66.33.45
	SecuriteInfo.com.BackDoor.Rat.281.18292.exe	Get hash	malicious	Kronos	Browse	45.66.35.35
	FickerStealer.exe	Get hash	malicious	Ficker Stealer	Browse	45.66.35.35
	RApTor.exe	Get hash	malicious	Unknown	Browse	45.66.33.45
DFRI-ASForeningenfordigitalafri-ochrattigheterSE	SyD1FiOG1p.exe	Get hash	malicious	LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	171.25.193.9
	http://171.25.193.25	Get hash	malicious	Unknown	Browse	171.25.193.25
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	171.25.193.9
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	171.25.193.9
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	171.25.193.9
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	171.25.193.9
	Ma0hVedIX4.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	171.25.193.9
	Bznx8G6dMz.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	171.25.193.9
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	171.25.193.9
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	171.25.193.9
	file.exe	Get hash	malicious	BitCoin Miner, RedLine, SmokeLoader	Browse	171.25.193.9
	rgTRPlTmIt.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	171.25.193.9
	klWGq3yDcQ.exe	Get hash	malicious	Unknown	Browse	171.25.193.9
	file.exe	Get hash	malicious	Unknown	Browse	171.25.193.9
	file.exe	Get hash	malicious	Unknown	Browse	171.25.193.9
	RO67OsrIWi.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	171.25.193.9
	NxrkCS4fDD.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	171.25.193.9
	Rgi3BxJNQJ.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Xmrig, zgRAT	Browse	171.25.193.9
	g5oo6DQ4pd.exe	Get hash	malicious	Unknown	Browse	171.25.193.9
	OIWw4LXu2F.elf	Get hash	malicious	Mirai	Browse	171.25.193.44

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
83d60721ecc423892660e275acc4dffd	SyD1FiOG1p.exe	Get hash	malicious	LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	K6DjJpNlzI.exe	Get hash	malicious	LummaC Stealer, RedLine, SmokeLoader	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	8as7BA35XQ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	82YWwkVfIS.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc, Vidar	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc, Vidar	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	BRvptajioG.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	Ma0hVedIX4.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	Bznx8G6dMz.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	qG2cUr0x4A.exe	Get hash	malicious	BitCoin Miner, RedLine, SmokeLoader	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	85.10.240.250 62.210.123.24 199.249.230.155 199.58.81.140 204.13.164.118 51.158.147.25 86.59.21.38 51.15.246.170 95.211.136.23 139.162.210.252 178.20.55.16 131.188.40.189 82.118.242.103 91.213.233.138 193.23.244.244 195.154.106.60

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\ProgramData\Drivers\csrss.exe	K6DjJpNlzI.exe	Get hash	malicious	LummaC Stealer, RedLine, SmokeLoader	Browse

Created / dropped Files

C:\ProgramData\Drivers\csrss.exe

Download File

Process:	C:\Users\user\Desktop\SaLY22oLht.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1990656
Entropy (8bit):	7.92923314547243
Encrypted:	false
SSDEEP:	49152:CeZz2gwNjPDGrcflSdRwwlM2oTPHUcmdfgL:hQg0iyqwwlJyLmB
MD5:	39D11A7C0C4286AB2FA318D37CB3C3F3
SHA1:	C18444D8D82B628100AC6D7B33C873884BE99897
SHA-256:	48EE5E003FDD3D8C6B50FFB7931E5562EF3D04B7B411D8CF89118655DA5C0E03
SHA-512:	3B24266CFDA84AF111551BB35111B1816739FFB971EE9ED26F20D3463ABB7E7CC7F301BD29B0FED9F68B40A2E43E8B8FBB3C3776F3EA78EB875E0327F52D5A10
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: K6DjJpNlzI.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L...5O.b......................g.....).............@..........................pi.....&8......................................\|.........h..............................................................C..@............................................text............................... ..`.data...D.f.........................@....rsrc.........h.....................@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4KPV6A~1\state (copy)

Download File

Process:	C:\Users\user\Desktop\SaLY22oLht.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	4.777856418432524
Encrypted:	false
SSDEEP:	6:SbdWwxXz2GznXr87+QVe2vwR/Ep5fM8BaQz:bwxXlzXr87HVBvwNCzz
MD5:	8CE848D150D3810A38F3A13161A60D1B
SHA1:	0FD834E5DF9F864B4BB45CE227A33495DC961CE5
SHA-256:	BC43A2558AC34CED3A2828DEF4DEC5488E013D84B3EFD31917A729900CB8FB33
SHA-512:	02FF5372E75E002BA69BB2876CB19E6C2F7373405F3FB90E75327AAEE2A743C9174E26DD21EA577151C0A5C346CA44DBF7A281824C8289E4C761925412DBDE18
Malicious:	false
Reputation:	low
Preview:	# Tor state file last generated on 2023-12-15 19:29:12 local time..# Other times below are in UTC..# You do not need to edit this file.....Dormant 0..LastWritten 2023-12-15 18:29:12..TorVersion Tor 0.4.4.9..

C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\state.tmp

Download File

Process:	C:\Users\user\Desktop\SaLY22oLht.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	209
Entropy (8bit):	4.777856418432524
Encrypted:	false
SSDEEP:	6:SbdWwxXz2GznXr87+QVe2vwR/Ep5fM8BaQz:bwxXlzXr87HVBvwNCzz
MD5:	8CE848D150D3810A38F3A13161A60D1B
SHA1:	0FD834E5DF9F864B4BB45CE227A33495DC961CE5
SHA-256:	BC43A2558AC34CED3A2828DEF4DEC5488E013D84B3EFD31917A729900CB8FB33
SHA-512:	02FF5372E75E002BA69BB2876CB19E6C2F7373405F3FB90E75327AAEE2A743C9174E26DD21EA577151C0A5C346CA44DBF7A281824C8289E4C761925412DBDE18
Malicious:	false
Reputation:	low
Preview:	# Tor state file last generated on 2023-12-15 19:29:12 local time..# Other times below are in UTC..# You do not need to edit this file.....Dormant 0..LastWritten 2023-12-15 18:29:12..TorVersion Tor 0.4.4.9..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.92923314547243
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	SaLY22oLht.exe
File size:	1'990'656 bytes
MD5:	39d11a7c0c4286ab2fa318d37cb3c3f3
SHA1:	c18444d8d82b628100ac6d7b33c873884be99897
SHA256:	48ee5e003fdd3d8c6b50ffb7931e5562ef3d04b7b411d8cf89118655da5c0e03
SHA512:	3b24266cfda84af111551bb35111b1816739ffb971ee9ed26f20d3463abb7e7cc7f301bd29b0fed9f68b40a2e43e8b8fbb3c3776f3ea78eb875e0327f52d5a10
SSDEEP:	49152:CeZz2gwNjPDGrcflSdRwwlM2oTPHUcmdfgL:hQg0iyqwwlJyLmB
TLSH:	BD952352BA914433E15727395971C6F0BB2AFCB18B15A9C737A17B6EAD302D1CA70703
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L...5O.b...........

File Icon


Icon Hash:	2f4f730507131b31

Static PE Info

General

Entrypoint:	0x40aa29
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x62DB4F35 [Sat Jul 23 01:30:29 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	a010ada1aa352a4971def9619d728b6a

Entrypoint Preview

Instruction
call 00007F97D4E7823Ah
jmp 00007F97D4E70DEEh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [00421250h+ecx*8]
je 00007F97D4E70F75h
inc ecx
cmp ecx, 2Dh
jc 00007F97D4E70F53h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007F97D4E70F70h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [00421254h+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007F97D4E773A9h
test eax, eax
jne 00007F97D4E70F68h
mov eax, 004213B8h
ret
add eax, 08h
ret
call 00007F97D4E77396h
test eax, eax
jne 00007F97D4E70F68h
mov eax, 004213BCh
ret
add eax, 0Ch
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007F97D4E70F47h
mov ecx, dword ptr [ebp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007F97D4E70EE7h
pop ecx
mov esi, eax
call 00007F97D4E70F21h
mov dword ptr [eax], esi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 4Ch
mov eax, dword ptr [004213ECh]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
xor ebx, ebx
push esi
mov esi, dword ptr [ebp+08h]
push edi
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-1Ch], ebx
mov dword ptr [ebp-20h], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-24h], ebx
mov dword ptr [ebp-4Ch], esi
mov dword ptr [ebp-48h], ebx
cmp dword ptr [esi+14h], ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f67c	0x8c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x68d000	0x9b00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x43c0	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1e4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1f1cc	0x1f200	False	0.524386608935743	data	6.43576990630947	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x21000	0x66b844	0x1bce00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x68d000	0x9b00	0x9c00	False	0.3239182692307692	data	3.9463609412429705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_CURSOR	0x692c18	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.7598684210526315
RT_CURSOR	0x692d60	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.4276315789473684
RT_CURSOR	0x692e90	0xf0	Device independent bitmap graphic, 24 x 48 x 1, image size 0	0.4625
RT_CURSOR	0x692f80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.0877110694183865
RT_CURSOR	0x694058	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.4473684210526316
RT_CURSOR	0x694188	0xf0	Device independent bitmap graphic, 24 x 48 x 1, image size 0	0.4625
RT_CURSOR	0x694278	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.08583489681050657
RT_CURSOR	0x695350	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.3407039711191336
RT_ICON	0x68d660	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5201612903225806
RT_ICON	0x68dd28	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.546242774566474
RT_ICON	0x68e290	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.41909005628517826
RT_ICON	0x68f338	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.4778368794326241
RT_ICON	0x68f7e0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.37906137184115524
RT_ICON	0x690088	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.4176267281105991
RT_ICON	0x690750	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.38222543352601157
RT_ICON	0x690cb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.2718105065666041
RT_ICON	0x691d60	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.2815573770491803
RT_ICON	0x6926e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.3129432624113475
RT_STRING	0x695e80	0x446	data	0.44789762340036565
RT_STRING	0x6962c8	0x2e4	data	0.4891891891891892
RT_STRING	0x6965b0	0x358	data	0.47079439252336447
RT_STRING	0x696908	0x1f4	data	0.498
RT_ACCELERATOR	0x692bb0	0x68	data	0.7211538461538461
RT_GROUP_CURSOR	0x692d48	0x14	data	1.15
RT_GROUP_CURSOR	0x695bf8	0x14	data	1.25
RT_GROUP_CURSOR	0x694028	0x30	data	1.0
RT_GROUP_CURSOR	0x695320	0x30	data	1.0
RT_GROUP_ICON	0x68f7a0	0x3e	data	0.8387096774193549
RT_GROUP_ICON	0x692b50	0x5a	data	0.7222222222222222
RT_VERSION	0x695c10	0x270	data	0.5352564102564102

Imports

DLL	Import
KERNEL32.dll	PeekNamedPipe, GetLocaleInfoA, CommConfigDialogA, ConvertThreadToFiber, UpdateResourceA, InterlockedIncrement, InterlockedDecrement, GetNamedPipeHandleStateA, WriteConsoleInputA, SetVolumeMountPointW, GetModuleHandleW, LocalFlags, GetWindowsDirectoryA, GetCompressedFileSizeW, GetVolumePathNameW, GlobalAlloc, LoadLibraryW, GetVersionExW, GetConsoleAliasW, WriteConsoleW, WritePrivateProfileSectionW, ReadFile, GetStartupInfoW, FindFirstFileW, GetShortPathNameA, GetCPInfoExW, GetLastError, GetProcAddress, HeapSize, PeekConsoleInputW, IsValidCodePage, OpenWaitableTimerA, WriteConsoleA, LocalAlloc, BuildCommDCBAndTimeoutsW, FindFirstVolumeMountPointW, UpdateResourceW, FreeEnvironmentStringsW, FindNextFileW, GetCurrentDirectoryA, WaitForDebugEvent, GetVolumeNameForVolumeMountPointW, GlobalAddAtomW, GetProfileSectionW, CreateFileW, FlushFileBuffers, SetStdHandle, GetConsoleMode, GetCommandLineW, LocalUnlock, VirtualUnlock, DebugActiveProcess, GetConsoleCP, SetFilePointer, IsValidLocale, WideCharToMultiByte, InterlockedExchange, MultiByteToWideChar, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, DeleteFileA, HeapReAlloc, GetCommandLineA, HeapSetInformation, GetCPInfo, RaiseException, RtlUnwind, HeapAlloc, LCMapStringW, IsProcessorFeaturePresent, ExitProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, GetACP, GetOEMCP, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, GetModuleFileNameW, GetModuleFileNameA, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetStringTypeW, GetLocaleInfoW, GetUserDefaultLCID, EnumSystemLocalesA, CloseHandle
USER32.dll	GetDlgCtrlID, CharToOemBuffA, CharUpperBuffW
GDI32.dll	GetCharWidthW
ADVAPI32.dll	DuplicateToken
WINHTTP.dll	WinHttpCloseHandle
MSIMG32.dll	AlphaBlend

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2023 19:29:15.252096891 CET	49731	9001	192.168.2.4	82.145.59.127
Dec 15, 2023 19:29:15.481213093 CET	9001	49731	82.145.59.127	192.168.2.4
Dec 15, 2023 19:29:15.988176107 CET	49731	9001	192.168.2.4	82.145.59.127
Dec 15, 2023 19:29:16.051316023 CET	49732	8100	192.168.2.4	46.19.141.85
Dec 15, 2023 19:29:16.216665030 CET	9001	49731	82.145.59.127	192.168.2.4
Dec 15, 2023 19:29:16.722583055 CET	49731	9001	192.168.2.4	82.145.59.127
Dec 15, 2023 19:29:16.953865051 CET	9001	49731	82.145.59.127	192.168.2.4
Dec 15, 2023 19:29:17.051601887 CET	49733	443	192.168.2.4	199.249.230.155
Dec 15, 2023 19:29:17.051650047 CET	443	49733	199.249.230.155	192.168.2.4
Dec 15, 2023 19:29:17.051749945 CET	49733	443	192.168.2.4	199.249.230.155
Dec 15, 2023 19:29:17.060096025 CET	49733	443	192.168.2.4	199.249.230.155
Dec 15, 2023 19:29:17.060112000 CET	443	49733	199.249.230.155	192.168.2.4
Dec 15, 2023 19:29:17.066284895 CET	49732	8100	192.168.2.4	46.19.141.85
Dec 15, 2023 19:29:17.456964970 CET	49731	9001	192.168.2.4	82.145.59.127
Dec 15, 2023 19:29:17.555588961 CET	443	49733	199.249.230.155	192.168.2.4
Dec 15, 2023 19:29:17.555780888 CET	49733	443	192.168.2.4	199.249.230.155
Dec 15, 2023 19:29:17.559701920 CET	49733	443	192.168.2.4	199.249.230.155
Dec 15, 2023 19:29:17.559715033 CET	443	49733	199.249.230.155	192.168.2.4
Dec 15, 2023 19:29:17.560034037 CET	443	49733	199.249.230.155	192.168.2.4
Dec 15, 2023 19:29:17.560291052 CET	49733	443	192.168.2.4	199.249.230.155
Dec 15, 2023 19:29:17.604748964 CET	443	49733	199.249.230.155	192.168.2.4
Dec 15, 2023 19:29:17.685694933 CET	9001	49731	82.145.59.127	192.168.2.4
Dec 15, 2023 19:29:18.191450119 CET	49731	9001	192.168.2.4	82.145.59.127
Dec 15, 2023 19:29:18.420424938 CET	9001	49731	82.145.59.127	192.168.2.4
Dec 15, 2023 19:29:18.421423912 CET	49734	443	192.168.2.4	139.162.210.252
Dec 15, 2023 19:29:18.421463966 CET	443	49734	139.162.210.252	192.168.2.4
Dec 15, 2023 19:29:18.421531916 CET	49734	443	192.168.2.4	139.162.210.252
Dec 15, 2023 19:29:18.421818018 CET	49734	443	192.168.2.4	139.162.210.252
Dec 15, 2023 19:29:18.421827078 CET	443	49734	139.162.210.252	192.168.2.4
Dec 15, 2023 19:29:19.082007885 CET	49732	8100	192.168.2.4	46.19.141.85
Dec 15, 2023 19:29:19.127019882 CET	443	49734	139.162.210.252	192.168.2.4
Dec 15, 2023 19:29:19.127269983 CET	49734	443	192.168.2.4	139.162.210.252
Dec 15, 2023 19:29:19.131587982 CET	49734	443	192.168.2.4	139.162.210.252
Dec 15, 2023 19:29:19.131606102 CET	443	49734	139.162.210.252	192.168.2.4
Dec 15, 2023 19:29:19.131912947 CET	443	49734	139.162.210.252	192.168.2.4
Dec 15, 2023 19:29:19.132183075 CET	49734	443	192.168.2.4	139.162.210.252
Dec 15, 2023 19:29:19.176742077 CET	443	49734	139.162.210.252	192.168.2.4
Dec 15, 2023 19:29:23.081949949 CET	49732	8100	192.168.2.4	46.19.141.85
Dec 15, 2023 19:29:31.081926107 CET	49732	8100	192.168.2.4	46.19.141.85
Dec 15, 2023 19:29:37.083198071 CET	49743	443	192.168.2.4	163.172.29.34
Dec 15, 2023 19:29:37.083302021 CET	443	49743	163.172.29.34	192.168.2.4
Dec 15, 2023 19:29:37.083400011 CET	49743	443	192.168.2.4	163.172.29.34
Dec 15, 2023 19:29:37.083745956 CET	49744	443	192.168.2.4	154.35.175.225
Dec 15, 2023 19:29:37.083801031 CET	443	49744	154.35.175.225	192.168.2.4
Dec 15, 2023 19:29:37.083849907 CET	49744	443	192.168.2.4	154.35.175.225
Dec 15, 2023 19:29:37.084244013 CET	49743	443	192.168.2.4	163.172.29.34
Dec 15, 2023 19:29:37.084295988 CET	443	49743	163.172.29.34	192.168.2.4
Dec 15, 2023 19:29:37.084639072 CET	49744	443	192.168.2.4	154.35.175.225
Dec 15, 2023 19:29:37.084662914 CET	443	49744	154.35.175.225	192.168.2.4
Dec 15, 2023 19:29:37.330667973 CET	443	49743	163.172.29.34	192.168.2.4
Dec 15, 2023 19:30:25.879529953 CET	49746	9001	192.168.2.4	116.203.140.74
Dec 15, 2023 19:30:26.894556046 CET	49746	9001	192.168.2.4	116.203.140.74
Dec 15, 2023 19:30:28.582918882 CET	49747	9090	192.168.2.4	95.84.140.36
Dec 15, 2023 19:30:28.583189964 CET	49748	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:28.583233118 CET	443	49748	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:28.583332062 CET	49748	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:28.597985029 CET	49748	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:28.598001003 CET	443	49748	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:28.910058975 CET	49746	9001	192.168.2.4	116.203.140.74
Dec 15, 2023 19:30:29.385483980 CET	443	49748	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:29.385637999 CET	49748	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:29.394169092 CET	49748	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:29.394184113 CET	443	49748	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:29.394498110 CET	443	49748	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:29.394767046 CET	49748	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:29.436743021 CET	443	49748	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:29.597558975 CET	49747	9090	192.168.2.4	95.84.140.36
Dec 15, 2023 19:30:31.613243103 CET	49747	9090	192.168.2.4	95.84.140.36
Dec 15, 2023 19:30:32.910134077 CET	49746	9001	192.168.2.4	116.203.140.74
Dec 15, 2023 19:30:35.613197088 CET	49747	9090	192.168.2.4	95.84.140.36
Dec 15, 2023 19:30:39.597997904 CET	49748	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:39.598125935 CET	443	49748	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:39.598202944 CET	49748	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:39.598396063 CET	49744	443	192.168.2.4	154.35.175.225
Dec 15, 2023 19:30:39.613225937 CET	49734	443	192.168.2.4	139.162.210.252
Dec 15, 2023 19:30:39.613363028 CET	443	49734	139.162.210.252	192.168.2.4
Dec 15, 2023 19:30:39.613416910 CET	49734	443	192.168.2.4	139.162.210.252
Dec 15, 2023 19:30:39.613473892 CET	49733	443	192.168.2.4	199.249.230.155
Dec 15, 2023 19:30:39.613562107 CET	443	49733	199.249.230.155	192.168.2.4
Dec 15, 2023 19:30:39.613609076 CET	49733	443	192.168.2.4	199.249.230.155
Dec 15, 2023 19:30:39.623311996 CET	49749	53	192.168.2.4	62.102.148.68
Dec 15, 2023 19:30:39.623856068 CET	49750	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:39.640770912 CET	443	49744	154.35.175.225	192.168.2.4
Dec 15, 2023 19:30:39.886292934 CET	80	49750	171.25.193.9	192.168.2.4
Dec 15, 2023 19:30:39.886372089 CET	49750	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:39.887212992 CET	49750	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:39.888525009 CET	49751	19001	192.168.2.4	188.26.207.181
Dec 15, 2023 19:30:39.888974905 CET	49752	9101	192.168.2.4	128.31.0.39
Dec 15, 2023 19:30:39.889589071 CET	49753	443	192.168.2.4	85.209.158.115
Dec 15, 2023 19:30:39.889620066 CET	443	49753	85.209.158.115	192.168.2.4
Dec 15, 2023 19:30:39.889669895 CET	49753	443	192.168.2.4	85.209.158.115
Dec 15, 2023 19:30:39.890165091 CET	49753	443	192.168.2.4	85.209.158.115
Dec 15, 2023 19:30:39.890181065 CET	443	49753	85.209.158.115	192.168.2.4
Dec 15, 2023 19:30:40.053903103 CET	9101	49752	128.31.0.39	192.168.2.4
Dec 15, 2023 19:30:40.151262999 CET	80	49750	171.25.193.9	192.168.2.4
Dec 15, 2023 19:30:40.154722929 CET	49750	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:40.154968977 CET	49753	443	192.168.2.4	85.209.158.115
Dec 15, 2023 19:30:40.171333075 CET	49750	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:40.181055069 CET	49754	30001	192.168.2.4	185.220.101.1
Dec 15, 2023 19:30:40.181339979 CET	49755	9101	192.168.2.4	128.31.0.39
Dec 15, 2023 19:30:40.200745106 CET	443	49753	85.209.158.115	192.168.2.4
Dec 15, 2023 19:30:40.208688021 CET	49756	9001	192.168.2.4	185.198.26.149
Dec 15, 2023 19:30:40.229876041 CET	49757	9001	192.168.2.4	195.201.29.252
Dec 15, 2023 19:30:40.230498075 CET	49758	9001	192.168.2.4	163.172.68.222
Dec 15, 2023 19:30:40.346287012 CET	9101	49755	128.31.0.39	192.168.2.4
Dec 15, 2023 19:30:40.396300077 CET	9001	49756	185.198.26.149	192.168.2.4
Dec 15, 2023 19:30:40.396425009 CET	49756	9001	192.168.2.4	185.198.26.149
Dec 15, 2023 19:30:40.396761894 CET	49756	9001	192.168.2.4	185.198.26.149
Dec 15, 2023 19:30:40.397655010 CET	49759	443	192.168.2.4	178.20.55.16
Dec 15, 2023 19:30:40.397716999 CET	443	49759	178.20.55.16	192.168.2.4
Dec 15, 2023 19:30:40.397768974 CET	49759	443	192.168.2.4	178.20.55.16
Dec 15, 2023 19:30:40.398237944 CET	49760	443	192.168.2.4	199.58.81.140
Dec 15, 2023 19:30:40.398247004 CET	443	49760	199.58.81.140	192.168.2.4
Dec 15, 2023 19:30:40.398289919 CET	49760	443	192.168.2.4	199.58.81.140
Dec 15, 2023 19:30:40.398675919 CET	49761	80	192.168.2.4	37.187.23.232
Dec 15, 2023 19:30:40.398962975 CET	49759	443	192.168.2.4	178.20.55.16
Dec 15, 2023 19:30:40.398979902 CET	443	49759	178.20.55.16	192.168.2.4
Dec 15, 2023 19:30:40.399298906 CET	49760	443	192.168.2.4	199.58.81.140
Dec 15, 2023 19:30:40.399307013 CET	443	49760	199.58.81.140	192.168.2.4
Dec 15, 2023 19:30:40.417881012 CET	80	49750	171.25.193.9	192.168.2.4
Dec 15, 2023 19:30:40.418025017 CET	49750	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:40.426604986 CET	30001	49754	185.220.101.1	192.168.2.4
Dec 15, 2023 19:30:40.434035063 CET	80	49750	171.25.193.9	192.168.2.4
Dec 15, 2023 19:30:40.434149981 CET	49750	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:40.434746027 CET	80	49750	171.25.193.9	192.168.2.4
Dec 15, 2023 19:30:40.434808016 CET	49750	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:40.587588072 CET	9001	49756	185.198.26.149	192.168.2.4
Dec 15, 2023 19:30:40.587759018 CET	9001	49756	185.198.26.149	192.168.2.4
Dec 15, 2023 19:30:40.591708899 CET	49756	9001	192.168.2.4	185.198.26.149
Dec 15, 2023 19:30:40.592216969 CET	49759	443	192.168.2.4	178.20.55.16
Dec 15, 2023 19:30:40.592216969 CET	49760	443	192.168.2.4	199.58.81.140
Dec 15, 2023 19:30:40.599090099 CET	49756	9001	192.168.2.4	185.198.26.149
Dec 15, 2023 19:30:40.610063076 CET	49762	9001	192.168.2.4	212.8.243.229
Dec 15, 2023 19:30:40.610452890 CET	49763	443	192.168.2.4	51.15.246.170
Dec 15, 2023 19:30:40.610541105 CET	443	49763	51.15.246.170	192.168.2.4
Dec 15, 2023 19:30:40.610606909 CET	49763	443	192.168.2.4	51.15.246.170
Dec 15, 2023 19:30:40.611005068 CET	49763	443	192.168.2.4	51.15.246.170
Dec 15, 2023 19:30:40.611023903 CET	443	49763	51.15.246.170	192.168.2.4
Dec 15, 2023 19:30:40.611498117 CET	49764	9001	192.168.2.4	45.15.16.116
Dec 15, 2023 19:30:40.632778883 CET	443	49760	199.58.81.140	192.168.2.4
Dec 15, 2023 19:30:40.632817984 CET	443	49759	178.20.55.16	192.168.2.4
Dec 15, 2023 19:30:40.634984970 CET	80	49761	37.187.23.232	192.168.2.4
Dec 15, 2023 19:30:40.635040045 CET	49761	80	192.168.2.4	37.187.23.232
Dec 15, 2023 19:30:40.780628920 CET	9001	49756	185.198.26.149	192.168.2.4
Dec 15, 2023 19:30:40.780711889 CET	49756	9001	192.168.2.4	185.198.26.149
Dec 15, 2023 19:30:40.786777020 CET	9001	49756	185.198.26.149	192.168.2.4
Dec 15, 2023 19:30:40.786839008 CET	49756	9001	192.168.2.4	185.198.26.149
Dec 15, 2023 19:30:40.842341900 CET	9001	49762	212.8.243.229	192.168.2.4
Dec 15, 2023 19:30:40.927681923 CET	443	49760	199.58.81.140	192.168.2.4
Dec 15, 2023 19:30:40.927791119 CET	49760	443	192.168.2.4	199.58.81.140
Dec 15, 2023 19:30:40.927817106 CET	49760	443	192.168.2.4	199.58.81.140
Dec 15, 2023 19:30:41.121085882 CET	443	49759	178.20.55.16	192.168.2.4
Dec 15, 2023 19:30:41.121270895 CET	443	49759	178.20.55.16	192.168.2.4
Dec 15, 2023 19:30:41.121365070 CET	49759	443	192.168.2.4	178.20.55.16
Dec 15, 2023 19:30:41.121365070 CET	49759	443	192.168.2.4	178.20.55.16
Dec 15, 2023 19:30:41.124138117 CET	49759	443	192.168.2.4	178.20.55.16
Dec 15, 2023 19:30:41.321446896 CET	443	49763	51.15.246.170	192.168.2.4
Dec 15, 2023 19:30:41.321654081 CET	49763	443	192.168.2.4	51.15.246.170
Dec 15, 2023 19:30:41.325668097 CET	49763	443	192.168.2.4	51.15.246.170
Dec 15, 2023 19:30:41.325686932 CET	443	49763	51.15.246.170	192.168.2.4
Dec 15, 2023 19:30:41.325987101 CET	443	49763	51.15.246.170	192.168.2.4
Dec 15, 2023 19:30:41.344907999 CET	49763	443	192.168.2.4	51.15.246.170
Dec 15, 2023 19:30:41.347532034 CET	49762	9001	192.168.2.4	212.8.243.229
Dec 15, 2023 19:30:41.376923084 CET	49765	8443	192.168.2.4	45.151.167.10
Dec 15, 2023 19:30:41.377945900 CET	49766	9001	192.168.2.4	147.92.88.67
Dec 15, 2023 19:30:41.378599882 CET	49767	443	192.168.2.4	46.105.227.109
Dec 15, 2023 19:30:41.378635883 CET	443	49767	46.105.227.109	192.168.2.4
Dec 15, 2023 19:30:41.378694057 CET	49767	443	192.168.2.4	46.105.227.109
Dec 15, 2023 19:30:41.379195929 CET	49768	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:30:41.379247904 CET	443	49768	193.23.244.244	192.168.2.4
Dec 15, 2023 19:30:41.379293919 CET	49768	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:30:41.379736900 CET	49768	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:30:41.379749060 CET	443	49768	193.23.244.244	192.168.2.4
Dec 15, 2023 19:30:41.379997969 CET	49767	443	192.168.2.4	46.105.227.109
Dec 15, 2023 19:30:41.380023956 CET	443	49767	46.105.227.109	192.168.2.4
Dec 15, 2023 19:30:41.579565048 CET	9001	49762	212.8.243.229	192.168.2.4
Dec 15, 2023 19:30:41.611706018 CET	8443	49765	45.151.167.10	192.168.2.4
Dec 15, 2023 19:30:42.113214016 CET	49765	8443	192.168.2.4	45.151.167.10
Dec 15, 2023 19:30:42.347908974 CET	8443	49765	45.151.167.10	192.168.2.4
Dec 15, 2023 19:30:42.355695963 CET	443	49768	193.23.244.244	192.168.2.4
Dec 15, 2023 19:30:42.355829000 CET	49768	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:30:42.359874010 CET	49768	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:30:42.359886885 CET	443	49768	193.23.244.244	192.168.2.4
Dec 15, 2023 19:30:42.360204935 CET	443	49768	193.23.244.244	192.168.2.4
Dec 15, 2023 19:30:42.378770113 CET	49766	9001	192.168.2.4	147.92.88.67
Dec 15, 2023 19:30:42.379614115 CET	49768	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:30:42.386204004 CET	49767	443	192.168.2.4	46.105.227.109
Dec 15, 2023 19:30:42.388483047 CET	49769	443	192.168.2.4	95.211.136.23
Dec 15, 2023 19:30:42.388518095 CET	443	49769	95.211.136.23	192.168.2.4
Dec 15, 2023 19:30:42.388575077 CET	49769	443	192.168.2.4	95.211.136.23
Dec 15, 2023 19:30:42.388973951 CET	49770	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:30:42.388998985 CET	443	49770	193.23.244.244	192.168.2.4
Dec 15, 2023 19:30:42.389049053 CET	49770	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:30:42.389420986 CET	49769	443	192.168.2.4	95.211.136.23
Dec 15, 2023 19:30:42.389439106 CET	443	49769	95.211.136.23	192.168.2.4
Dec 15, 2023 19:30:42.389707088 CET	49770	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:30:42.389718056 CET	443	49770	193.23.244.244	192.168.2.4
Dec 15, 2023 19:30:42.390516996 CET	49771	443	192.168.2.4	82.118.242.103
Dec 15, 2023 19:30:42.390549898 CET	443	49771	82.118.242.103	192.168.2.4
Dec 15, 2023 19:30:42.390599012 CET	49771	443	192.168.2.4	82.118.242.103
Dec 15, 2023 19:30:42.390947104 CET	49771	443	192.168.2.4	82.118.242.103
Dec 15, 2023 19:30:42.390955925 CET	443	49771	82.118.242.103	192.168.2.4
Dec 15, 2023 19:30:42.432744980 CET	443	49767	46.105.227.109	192.168.2.4
Dec 15, 2023 19:30:43.127870083 CET	49771	443	192.168.2.4	82.118.242.103
Dec 15, 2023 19:30:43.128040075 CET	49770	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:30:43.136845112 CET	443	49769	95.211.136.23	192.168.2.4
Dec 15, 2023 19:30:43.136910915 CET	49769	443	192.168.2.4	95.211.136.23
Dec 15, 2023 19:30:43.142821074 CET	49769	443	192.168.2.4	95.211.136.23
Dec 15, 2023 19:30:43.163166046 CET	49772	9001	192.168.2.4	140.186.205.68
Dec 15, 2023 19:30:43.163902044 CET	49773	9001	192.168.2.4	185.244.192.247
Dec 15, 2023 19:30:43.168756962 CET	443	49771	82.118.242.103	192.168.2.4
Dec 15, 2023 19:30:43.172740936 CET	443	49770	193.23.244.244	192.168.2.4
Dec 15, 2023 19:30:43.360610962 CET	443	49770	193.23.244.244	192.168.2.4
Dec 15, 2023 19:30:43.360763073 CET	49770	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:30:43.360788107 CET	49770	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:30:43.504507065 CET	443	49771	82.118.242.103	192.168.2.4
Dec 15, 2023 19:30:43.504726887 CET	49771	443	192.168.2.4	82.118.242.103
Dec 15, 2023 19:30:43.508219004 CET	49771	443	192.168.2.4	82.118.242.103
Dec 15, 2023 19:30:44.175671101 CET	49772	9001	192.168.2.4	140.186.205.68
Dec 15, 2023 19:30:44.175702095 CET	49773	9001	192.168.2.4	185.244.192.247
Dec 15, 2023 19:30:44.190792084 CET	49774	9100	192.168.2.4	205.185.127.35
Dec 15, 2023 19:30:44.192097902 CET	49775	9443	192.168.2.4	94.142.241.226
Dec 15, 2023 19:30:44.192682981 CET	49776	443	192.168.2.4	91.213.233.138
Dec 15, 2023 19:30:44.192744017 CET	443	49776	91.213.233.138	192.168.2.4
Dec 15, 2023 19:30:44.192867994 CET	49776	443	192.168.2.4	91.213.233.138
Dec 15, 2023 19:30:44.193280935 CET	49777	443	192.168.2.4	144.76.170.20
Dec 15, 2023 19:30:44.193315983 CET	443	49777	144.76.170.20	192.168.2.4
Dec 15, 2023 19:30:44.193377018 CET	49777	443	192.168.2.4	144.76.170.20
Dec 15, 2023 19:30:44.193645954 CET	49776	443	192.168.2.4	91.213.233.138
Dec 15, 2023 19:30:44.193665981 CET	443	49776	91.213.233.138	192.168.2.4
Dec 15, 2023 19:30:44.193864107 CET	49777	443	192.168.2.4	144.76.170.20
Dec 15, 2023 19:30:44.193881035 CET	443	49777	144.76.170.20	192.168.2.4
Dec 15, 2023 19:30:44.301028013 CET	49777	443	192.168.2.4	144.76.170.20
Dec 15, 2023 19:30:44.306845903 CET	49776	443	192.168.2.4	91.213.233.138
Dec 15, 2023 19:30:44.307670116 CET	49778	9101	192.168.2.4	128.31.0.39
Dec 15, 2023 19:30:44.308199883 CET	49779	9001	192.168.2.4	37.139.22.180
Dec 15, 2023 19:30:44.308711052 CET	49780	443	192.168.2.4	51.158.147.25
Dec 15, 2023 19:30:44.308748007 CET	443	49780	51.158.147.25	192.168.2.4
Dec 15, 2023 19:30:44.308816910 CET	49780	443	192.168.2.4	51.158.147.25
Dec 15, 2023 19:30:44.309134960 CET	49780	443	192.168.2.4	51.158.147.25
Dec 15, 2023 19:30:44.309150934 CET	443	49780	51.158.147.25	192.168.2.4
Dec 15, 2023 19:30:44.344732046 CET	443	49777	144.76.170.20	192.168.2.4
Dec 15, 2023 19:30:44.352739096 CET	443	49776	91.213.233.138	192.168.2.4
Dec 15, 2023 19:30:44.472753048 CET	9101	49778	128.31.0.39	192.168.2.4
Dec 15, 2023 19:30:44.548980951 CET	9001	49779	37.139.22.180	192.168.2.4
Dec 15, 2023 19:30:44.823389053 CET	443	49780	51.158.147.25	192.168.2.4
Dec 15, 2023 19:30:44.823668003 CET	49780	443	192.168.2.4	51.158.147.25
Dec 15, 2023 19:30:44.829206944 CET	49780	443	192.168.2.4	51.158.147.25
Dec 15, 2023 19:30:44.829206944 CET	49780	443	192.168.2.4	51.158.147.25
Dec 15, 2023 19:30:44.829221964 CET	443	49780	51.158.147.25	192.168.2.4
Dec 15, 2023 19:30:44.829581022 CET	443	49780	51.158.147.25	192.168.2.4
Dec 15, 2023 19:30:44.829652071 CET	49780	443	192.168.2.4	51.158.147.25
Dec 15, 2023 19:30:44.838577032 CET	49781	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:44.838987112 CET	49782	443	192.168.2.4	198.100.149.77
Dec 15, 2023 19:30:44.839018106 CET	443	49782	198.100.149.77	192.168.2.4
Dec 15, 2023 19:30:44.839087963 CET	49782	443	192.168.2.4	198.100.149.77
Dec 15, 2023 19:30:44.839416027 CET	49783	9002	192.168.2.4	167.114.144.152
Dec 15, 2023 19:30:44.839751959 CET	49782	443	192.168.2.4	198.100.149.77
Dec 15, 2023 19:30:44.839766026 CET	443	49782	198.100.149.77	192.168.2.4
Dec 15, 2023 19:30:45.096441984 CET	80	49781	171.25.193.9	192.168.2.4
Dec 15, 2023 19:30:45.096597910 CET	49781	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:45.097017050 CET	49781	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:45.121134996 CET	49782	443	192.168.2.4	198.100.149.77
Dec 15, 2023 19:30:45.131671906 CET	49784	443	192.168.2.4	45.66.33.45
Dec 15, 2023 19:30:45.131725073 CET	443	49784	45.66.33.45	192.168.2.4
Dec 15, 2023 19:30:45.131791115 CET	49784	443	192.168.2.4	45.66.33.45
Dec 15, 2023 19:30:45.132340908 CET	49785	9001	192.168.2.4	51.38.65.160
Dec 15, 2023 19:30:45.132843018 CET	49784	443	192.168.2.4	45.66.33.45
Dec 15, 2023 19:30:45.132853985 CET	443	49784	45.66.33.45	192.168.2.4
Dec 15, 2023 19:30:45.133635998 CET	49786	12312	192.168.2.4	37.120.167.200
Dec 15, 2023 19:30:45.168760061 CET	443	49782	198.100.149.77	192.168.2.4
Dec 15, 2023 19:30:45.272789001 CET	443	49776	91.213.233.138	192.168.2.4
Dec 15, 2023 19:30:45.272994041 CET	443	49776	91.213.233.138	192.168.2.4
Dec 15, 2023 19:30:45.273068905 CET	49776	443	192.168.2.4	91.213.233.138
Dec 15, 2023 19:30:45.273149014 CET	49776	443	192.168.2.4	91.213.233.138
Dec 15, 2023 19:30:45.273149014 CET	49776	443	192.168.2.4	91.213.233.138
Dec 15, 2023 19:30:45.356405020 CET	80	49781	171.25.193.9	192.168.2.4
Dec 15, 2023 19:30:45.361381054 CET	9001	49785	51.38.65.160	192.168.2.4
Dec 15, 2023 19:30:45.361396074 CET	49781	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:45.361490965 CET	49785	9001	192.168.2.4	51.38.65.160
Dec 15, 2023 19:30:45.362008095 CET	49784	443	192.168.2.4	45.66.33.45
Dec 15, 2023 19:30:45.369159937 CET	49781	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:45.375453949 CET	12312	49786	37.120.167.200	192.168.2.4
Dec 15, 2023 19:30:45.375511885 CET	49786	12312	192.168.2.4	37.120.167.200
Dec 15, 2023 19:30:45.376770020 CET	49785	9001	192.168.2.4	51.38.65.160
Dec 15, 2023 19:30:45.377211094 CET	49787	443	192.168.2.4	195.154.106.60
Dec 15, 2023 19:30:45.377276897 CET	443	49787	195.154.106.60	192.168.2.4
Dec 15, 2023 19:30:45.377362013 CET	49787	443	192.168.2.4	195.154.106.60
Dec 15, 2023 19:30:45.377662897 CET	49788	9443	192.168.2.4	116.12.180.234
Dec 15, 2023 19:30:45.378081083 CET	49787	443	192.168.2.4	195.154.106.60
Dec 15, 2023 19:30:45.378098011 CET	443	49787	195.154.106.60	192.168.2.4
Dec 15, 2023 19:30:45.378937960 CET	49789	22711	192.168.2.4	213.158.31.231
Dec 15, 2023 19:30:45.408746958 CET	443	49784	45.66.33.45	192.168.2.4
Dec 15, 2023 19:30:45.605089903 CET	9001	49785	51.38.65.160	192.168.2.4
Dec 15, 2023 19:30:45.605365038 CET	49785	9001	192.168.2.4	51.38.65.160
Dec 15, 2023 19:30:45.619992971 CET	80	49781	171.25.193.9	192.168.2.4
Dec 15, 2023 19:30:45.620162010 CET	49781	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:45.626938105 CET	80	49781	171.25.193.9	192.168.2.4
Dec 15, 2023 19:30:45.626964092 CET	80	49781	171.25.193.9	192.168.2.4
Dec 15, 2023 19:30:45.627068043 CET	49781	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:45.627068043 CET	49781	80	192.168.2.4	171.25.193.9
Dec 15, 2023 19:30:45.867204905 CET	443	49787	195.154.106.60	192.168.2.4
Dec 15, 2023 19:30:45.867372990 CET	49787	443	192.168.2.4	195.154.106.60
Dec 15, 2023 19:30:45.872914076 CET	49787	443	192.168.2.4	195.154.106.60
Dec 15, 2023 19:30:45.872940063 CET	443	49787	195.154.106.60	192.168.2.4
Dec 15, 2023 19:30:45.873270035 CET	443	49787	195.154.106.60	192.168.2.4
Dec 15, 2023 19:30:45.904237986 CET	49787	443	192.168.2.4	195.154.106.60
Dec 15, 2023 19:30:45.926263094 CET	49790	9001	192.168.2.4	149.56.98.216
Dec 15, 2023 19:30:45.934099913 CET	49791	9001	192.168.2.4	78.94.253.253
Dec 15, 2023 19:30:45.934643984 CET	49792	443	192.168.2.4	85.10.240.250
Dec 15, 2023 19:30:45.934685946 CET	443	49792	85.10.240.250	192.168.2.4
Dec 15, 2023 19:30:45.934771061 CET	49792	443	192.168.2.4	85.10.240.250
Dec 15, 2023 19:30:45.935277939 CET	49792	443	192.168.2.4	85.10.240.250
Dec 15, 2023 19:30:45.935292006 CET	443	49792	85.10.240.250	192.168.2.4
Dec 15, 2023 19:30:46.035444021 CET	49792	443	192.168.2.4	85.10.240.250
Dec 15, 2023 19:30:46.040370941 CET	49793	19001	192.168.2.4	2.233.91.176
Dec 15, 2023 19:30:46.041119099 CET	49794	443	192.168.2.4	178.33.183.251
Dec 15, 2023 19:30:46.041166067 CET	443	49794	178.33.183.251	192.168.2.4
Dec 15, 2023 19:30:46.041224957 CET	49794	443	192.168.2.4	178.33.183.251
Dec 15, 2023 19:30:46.041686058 CET	49794	443	192.168.2.4	178.33.183.251
Dec 15, 2023 19:30:46.041702032 CET	443	49794	178.33.183.251	192.168.2.4
Dec 15, 2023 19:30:46.076738119 CET	443	49792	85.10.240.250	192.168.2.4
Dec 15, 2023 19:30:46.192872047 CET	9001	49791	78.94.253.253	192.168.2.4
Dec 15, 2023 19:30:46.347893953 CET	49794	443	192.168.2.4	178.33.183.251
Dec 15, 2023 19:30:46.352113962 CET	49795	300	192.168.2.4	121.200.26.46
Dec 15, 2023 19:30:46.392736912 CET	443	49794	178.33.183.251	192.168.2.4
Dec 15, 2023 19:30:46.705883980 CET	443	49792	85.10.240.250	192.168.2.4
Dec 15, 2023 19:30:46.705950975 CET	49792	443	192.168.2.4	85.10.240.250
Dec 15, 2023 19:30:46.705974102 CET	49792	443	192.168.2.4	85.10.240.250
Dec 15, 2023 19:30:46.751576900 CET	443	49777	144.76.170.20	192.168.2.4
Dec 15, 2023 19:30:47.363168955 CET	49795	300	192.168.2.4	121.200.26.46
Dec 15, 2023 19:30:47.393450975 CET	49796	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:47.393491030 CET	443	49796	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:47.393548965 CET	49796	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:47.394052982 CET	49797	9003	192.168.2.4	24.150.204.225
Dec 15, 2023 19:30:47.394553900 CET	49798	9001	192.168.2.4	5.2.78.69
Dec 15, 2023 19:30:47.394891977 CET	49796	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:47.394903898 CET	443	49796	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:47.707567930 CET	49796	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:47.710666895 CET	49799	7002	192.168.2.4	77.250.227.202
Dec 15, 2023 19:30:47.748747110 CET	443	49796	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:48.171828032 CET	443	49796	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:48.172012091 CET	443	49796	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:48.172106028 CET	49796	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:48.172180891 CET	49796	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:48.172180891 CET	49796	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:48.722524881 CET	49799	7002	192.168.2.4	77.250.227.202
Dec 15, 2023 19:30:48.756093025 CET	49800	9001	192.168.2.4	192.46.225.58
Dec 15, 2023 19:30:49.769407988 CET	49800	9001	192.168.2.4	192.46.225.58
Dec 15, 2023 19:30:49.811333895 CET	49801	80	192.168.2.4	85.25.213.211
Dec 15, 2023 19:30:50.055999041 CET	80	49801	85.25.213.211	192.168.2.4
Dec 15, 2023 19:30:50.056109905 CET	49801	80	192.168.2.4	85.25.213.211
Dec 15, 2023 19:30:50.056408882 CET	49801	80	192.168.2.4	85.25.213.211
Dec 15, 2023 19:30:50.056969881 CET	49802	8080	192.168.2.4	62.210.83.207
Dec 15, 2023 19:30:50.300915003 CET	80	49801	85.25.213.211	192.168.2.4
Dec 15, 2023 19:30:50.301321030 CET	80	49801	85.25.213.211	192.168.2.4
Dec 15, 2023 19:30:50.301367044 CET	80	49801	85.25.213.211	192.168.2.4
Dec 15, 2023 19:30:50.301661015 CET	49801	80	192.168.2.4	85.25.213.211
Dec 15, 2023 19:30:50.301714897 CET	49801	80	192.168.2.4	85.25.213.211
Dec 15, 2023 19:30:50.304760933 CET	49803	9001	192.168.2.4	88.198.112.25
Dec 15, 2023 19:30:51.331892014 CET	49803	9001	192.168.2.4	88.198.112.25
Dec 15, 2023 19:30:51.338982105 CET	49804	443	192.168.2.4	86.59.21.38
Dec 15, 2023 19:30:51.339023113 CET	443	49804	86.59.21.38	192.168.2.4
Dec 15, 2023 19:30:51.339088917 CET	49804	443	192.168.2.4	86.59.21.38
Dec 15, 2023 19:30:51.339624882 CET	49805	30022	192.168.2.4	185.220.101.22
Dec 15, 2023 19:30:51.340012074 CET	49804	443	192.168.2.4	86.59.21.38
Dec 15, 2023 19:30:51.340024948 CET	443	49804	86.59.21.38	192.168.2.4
Dec 15, 2023 19:30:51.584116936 CET	30022	49805	185.220.101.22	192.168.2.4
Dec 15, 2023 19:30:51.644916058 CET	49804	443	192.168.2.4	86.59.21.38
Dec 15, 2023 19:30:51.688738108 CET	443	49804	86.59.21.38	192.168.2.4
Dec 15, 2023 19:30:52.117341042 CET	443	49804	86.59.21.38	192.168.2.4
Dec 15, 2023 19:30:52.117424011 CET	49804	443	192.168.2.4	86.59.21.38
Dec 15, 2023 19:30:52.117449045 CET	49804	443	192.168.2.4	86.59.21.38
Dec 15, 2023 19:30:53.710700035 CET	49806	9001	192.168.2.4	85.195.208.154
Dec 15, 2023 19:30:53.711143970 CET	49807	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:53.711194038 CET	443	49807	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:53.711253881 CET	49807	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:53.711602926 CET	49807	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:53.711618900 CET	443	49807	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:54.113410950 CET	49807	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:54.156754971 CET	443	49807	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:54.482842922 CET	443	49807	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:54.482995987 CET	443	49807	131.188.40.189	192.168.2.4
Dec 15, 2023 19:30:54.483113050 CET	49807	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:54.483113050 CET	49807	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:54.483113050 CET	49807	443	192.168.2.4	131.188.40.189
Dec 15, 2023 19:30:56.147090912 CET	49808	9001	192.168.2.4	103.253.41.98
Dec 15, 2023 19:30:56.147483110 CET	49809	9101	192.168.2.4	128.31.0.39
Dec 15, 2023 19:30:56.312361956 CET	9101	49809	128.31.0.39	192.168.2.4
Dec 15, 2023 19:30:56.831923962 CET	49809	9101	192.168.2.4	128.31.0.39
Dec 15, 2023 19:30:56.996783972 CET	9101	49809	128.31.0.39	192.168.2.4
Dec 15, 2023 19:31:01.291203022 CET	49810	9001	192.168.2.4	51.91.121.255
Dec 15, 2023 19:31:01.291726112 CET	49811	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:31:01.291779041 CET	443	49811	193.23.244.244	192.168.2.4
Dec 15, 2023 19:31:01.291841984 CET	49811	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:31:01.292140961 CET	49811	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:31:01.292164087 CET	443	49811	193.23.244.244	192.168.2.4
Dec 15, 2023 19:31:02.210573912 CET	49811	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:31:02.231604099 CET	443	49811	193.23.244.244	192.168.2.4
Dec 15, 2023 19:31:02.231712103 CET	49811	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:31:02.232404947 CET	49811	443	192.168.2.4	193.23.244.244
Dec 15, 2023 19:31:03.243848085 CET	49812	9001	192.168.2.4	47.56.94.99
Dec 15, 2023 19:31:03.244122028 CET	49813	443	192.168.2.4	86.59.21.38
Dec 15, 2023 19:31:03.244163036 CET	443	49813	86.59.21.38	192.168.2.4
Dec 15, 2023 19:31:03.244245052 CET	49813	443	192.168.2.4	86.59.21.38
Dec 15, 2023 19:31:03.244590998 CET	49813	443	192.168.2.4	86.59.21.38
Dec 15, 2023 19:31:03.244601011 CET	443	49813	86.59.21.38	192.168.2.4
Dec 15, 2023 19:31:03.738434076 CET	49813	443	192.168.2.4	86.59.21.38
Dec 15, 2023 19:31:03.784732103 CET	443	49813	86.59.21.38	192.168.2.4
Dec 15, 2023 19:31:04.030925035 CET	443	49813	86.59.21.38	192.168.2.4
Dec 15, 2023 19:31:04.031035900 CET	49813	443	192.168.2.4	86.59.21.38
Dec 15, 2023 19:31:04.032459021 CET	49813	443	192.168.2.4	86.59.21.38
Dec 15, 2023 19:31:28.648561954 CET	49814	9001	192.168.2.4	107.189.31.181
Dec 15, 2023 19:31:28.885410070 CET	9001	49814	107.189.31.181	192.168.2.4
Dec 15, 2023 19:31:29.519421101 CET	49814	9001	192.168.2.4	107.189.31.181
Dec 15, 2023 19:31:29.756433010 CET	9001	49814	107.189.31.181	192.168.2.4
Dec 15, 2023 19:31:34.576322079 CET	49815	443	192.168.2.4	204.13.164.118
Dec 15, 2023 19:31:34.576366901 CET	443	49815	204.13.164.118	192.168.2.4
Dec 15, 2023 19:31:34.576440096 CET	49815	443	192.168.2.4	204.13.164.118
Dec 15, 2023 19:31:34.576834917 CET	49815	443	192.168.2.4	204.13.164.118
Dec 15, 2023 19:31:34.576852083 CET	443	49815	204.13.164.118	192.168.2.4
Dec 15, 2023 19:31:34.879026890 CET	49815	443	192.168.2.4	204.13.164.118
Dec 15, 2023 19:31:34.920736074 CET	443	49815	204.13.164.118	192.168.2.4
Dec 15, 2023 19:31:35.223325014 CET	443	49815	204.13.164.118	192.168.2.4
Dec 15, 2023 19:31:35.223488092 CET	49815	443	192.168.2.4	204.13.164.118
Dec 15, 2023 19:31:35.224714994 CET	49815	443	192.168.2.4	204.13.164.118
Dec 15, 2023 19:31:43.187190056 CET	49816	443	192.168.2.4	62.210.123.24
Dec 15, 2023 19:31:43.187242031 CET	443	49816	62.210.123.24	192.168.2.4
Dec 15, 2023 19:31:43.187335014 CET	49816	443	192.168.2.4	62.210.123.24
Dec 15, 2023 19:31:43.191457033 CET	49816	443	192.168.2.4	62.210.123.24
Dec 15, 2023 19:31:43.191468000 CET	443	49816	62.210.123.24	192.168.2.4
Dec 15, 2023 19:31:44.122399092 CET	49816	443	192.168.2.4	62.210.123.24
Dec 15, 2023 19:31:44.168742895 CET	443	49816	62.210.123.24	192.168.2.4
Dec 15, 2023 19:31:47.699646950 CET	443	49816	62.210.123.24	192.168.2.4
Dec 15, 2023 19:31:47.699762106 CET	49816	443	192.168.2.4	62.210.123.24
Dec 15, 2023 19:31:47.699785948 CET	49816	443	192.168.2.4	62.210.123.24
Dec 15, 2023 19:32:05.607745886 CET	49817	9001	192.168.2.4	153.126.128.94
Dec 15, 2023 19:32:05.951776028 CET	9001	49817	153.126.128.94	192.168.2.4
Dec 15, 2023 19:32:05.951905966 CET	49817	9001	192.168.2.4	153.126.128.94
Dec 15, 2023 19:32:05.952224016 CET	49817	9001	192.168.2.4	153.126.128.94
Dec 15, 2023 19:32:06.299813986 CET	9001	49817	153.126.128.94	192.168.2.4
Dec 15, 2023 19:32:06.300757885 CET	9001	49817	153.126.128.94	192.168.2.4
Dec 15, 2023 19:32:06.304296017 CET	49817	9001	192.168.2.4	153.126.128.94
Dec 15, 2023 19:32:06.304382086 CET	49817	9001	192.168.2.4	153.126.128.94
Dec 15, 2023 19:32:06.648658037 CET	9001	49817	153.126.128.94	192.168.2.4
Dec 15, 2023 19:32:06.648698092 CET	9001	49817	153.126.128.94	192.168.2.4
Dec 15, 2023 19:32:06.648819923 CET	49817	9001	192.168.2.4	153.126.128.94
Dec 15, 2023 19:32:06.652555943 CET	49817	9001	192.168.2.4	153.126.128.94
Dec 15, 2023 19:32:08.357508898 CET	49818	443	192.168.2.4	45.66.33.45
Dec 15, 2023 19:32:08.357562065 CET	443	49818	45.66.33.45	192.168.2.4
Dec 15, 2023 19:32:08.357630968 CET	49818	443	192.168.2.4	45.66.33.45
Dec 15, 2023 19:32:08.357940912 CET	49818	443	192.168.2.4	45.66.33.45
Dec 15, 2023 19:32:08.357952118 CET	443	49818	45.66.33.45	192.168.2.4
Dec 15, 2023 19:32:09.401238918 CET	49818	443	192.168.2.4	45.66.33.45
Dec 15, 2023 19:32:09.407252073 CET	49819	9001	192.168.2.4	91.121.160.6
Dec 15, 2023 19:32:09.448740005 CET	443	49818	45.66.33.45	192.168.2.4
Dec 15, 2023 19:32:09.642659903 CET	9001	49819	91.121.160.6	192.168.2.4
Dec 15, 2023 19:32:10.191267967 CET	49819	9001	192.168.2.4	91.121.160.6
Dec 15, 2023 19:32:10.427495003 CET	9001	49819	91.121.160.6	192.168.2.4
Dec 15, 2023 19:32:39.831873894 CET	49744	443	192.168.2.4	154.35.175.225
Dec 15, 2023 19:32:40.331909895 CET	49753	443	192.168.2.4	85.209.158.115
Dec 15, 2023 19:32:42.597573042 CET	49767	443	192.168.2.4	46.105.227.109
Dec 15, 2023 19:32:45.191298008 CET	49782	443	192.168.2.4	198.100.149.77
Dec 15, 2023 19:32:45.519511938 CET	49784	443	192.168.2.4	45.66.33.45
Dec 15, 2023 19:32:46.394434929 CET	49794	443	192.168.2.4	178.33.183.251
Dec 15, 2023 19:32:49.131957054 CET	49820	9001	192.168.2.4	176.123.3.222
Dec 15, 2023 19:32:50.128761053 CET	49820	9001	192.168.2.4	176.123.3.222
Dec 15, 2023 19:33:12.283726931 CET	49821	9001	192.168.2.4	94.154.159.96
Dec 15, 2023 19:33:12.284058094 CET	49822	443	192.168.2.4	199.58.81.140
Dec 15, 2023 19:33:12.284090996 CET	443	49822	199.58.81.140	192.168.2.4
Dec 15, 2023 19:33:12.284158945 CET	49822	443	192.168.2.4	199.58.81.140
Dec 15, 2023 19:33:12.284522057 CET	49822	443	192.168.2.4	199.58.81.140
Dec 15, 2023 19:33:12.284540892 CET	443	49822	199.58.81.140	192.168.2.4
Dec 15, 2023 19:33:12.444592953 CET	9001	49821	94.154.159.96	192.168.2.4
Dec 15, 2023 19:33:12.444679976 CET	49821	9001	192.168.2.4	94.154.159.96
Dec 15, 2023 19:33:12.444994926 CET	49821	9001	192.168.2.4	94.154.159.96
Dec 15, 2023 19:33:12.445127964 CET	49822	443	192.168.2.4	199.58.81.140
Dec 15, 2023 19:33:12.492741108 CET	443	49822	199.58.81.140	192.168.2.4
Dec 15, 2023 19:33:12.602977991 CET	9001	49821	94.154.159.96	192.168.2.4
Dec 15, 2023 19:33:12.611356020 CET	9001	49821	94.154.159.96	192.168.2.4
Dec 15, 2023 19:33:12.614918947 CET	49821	9001	192.168.2.4	94.154.159.96
Dec 15, 2023 19:33:12.615031004 CET	49821	9001	192.168.2.4	94.154.159.96
Dec 15, 2023 19:33:12.815006971 CET	9001	49821	94.154.159.96	192.168.2.4
Dec 15, 2023 19:33:12.816478968 CET	443	49822	199.58.81.140	192.168.2.4
Dec 15, 2023 19:33:12.816598892 CET	49822	443	192.168.2.4	199.58.81.140
Dec 15, 2023 19:33:12.816616058 CET	443	49822	199.58.81.140	192.168.2.4
Dec 15, 2023 19:33:12.816684008 CET	49822	443	192.168.2.4	199.58.81.140
Dec 15, 2023 19:33:12.816684008 CET	49822	443	192.168.2.4	199.58.81.140
Dec 15, 2023 19:33:12.884268045 CET	9001	49821	94.154.159.96	192.168.2.4
Dec 15, 2023 19:33:12.884372950 CET	49821	9001	192.168.2.4	94.154.159.96
Dec 15, 2023 19:33:12.946584940 CET	9001	49821	94.154.159.96	192.168.2.4
Dec 15, 2023 19:33:12.946702957 CET	49821	9001	192.168.2.4	94.154.159.96

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 15, 2023 19:30:43.406773090 CET	185.244.192.247	192.168.2.4	3ab5	(Unknown)	Destination Unreachable
Dec 15, 2023 19:30:44.418675900 CET	185.244.192.247	192.168.2.4	3ab5	(Unknown)	Destination Unreachable

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49750	171.25.193.9	80	6204	C:\Users\user\Desktop\SaLY22oLht.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2023 19:30:39.887212992 CET	188	OUT	Data Raw: 16 03 01 00 b7 01 00 00 b3 03 03 90 65 3b 29 4a 3b 87 28 b1 8b c9 22 e7 8e c8 12 02 09 a5 d0 a2 02 1f 85 3a 61 b8 de d5 b5 11 4c 00 00 1c c0 2b c0 2f c0 2c c0 30 c0 0a c0 09 c0 13 c0 14 00 33 00 39 00 2f 00 35 00 0a 00 ff 01 00 00 6e 00 00 00 15 Data Ascii: e;)J;(":aL+/,039/5nwww.57uq5ez4.com#
Dec 15, 2023 19:30:40.151262999 CET	1000	IN	Data Raw: 16 03 03 00 39 02 00 00 35 03 03 37 a0 87 58 84 67 18 6d 4b a4 c3 ab df 8d 22 be fc 58 e3 8b d6 c5 fa 34 44 4f 57 4e 47 52 44 01 00 c0 30 00 00 0d ff 01 00 01 00 00 0b 00 04 03 00 01 02 16 03 03 02 4a 0b 00 02 46 00 02 43 00 02 40 30 82 02 3c 30 Data Ascii: 957XgmK"X4DOWNGRD0JFC@0<0b)0H0"1 0Uwww.my2jc3tjqlxsnyy.com0231210000000Z231217235959Z010Uwww.kpz3tm66.net0"0H0
Dec 15, 2023 19:30:40.154722929 CET	126	OUT	Data Raw: 16 03 03 00 46 10 00 00 42 41 04 6b 70 83 42 0f 6e dd 9d 0c e0 88 cb d3 c4 cd f1 93 2d c3 23 ff 8b 15 5f 0d 06 d6 3b 34 43 7c 9f 50 6b 5d 57 a6 9a bd 3a d9 ce 25 f7 67 a0 97 13 37 87 9d 34 63 e6 16 bd 7f 8c d1 63 2a 67 e7 49 14 03 03 00 01 01 16 Data Ascii: FBAkpBn-#_;4C\|Pk]W:%g74cc*gI(^ELTE+cL/F^X1ZYM
Dec 15, 2023 19:30:40.417881012 CET	51	IN	Data Raw: 14 03 03 00 01 01 16 03 03 00 28 e8 5d 92 e5 81 8e 91 09 94 f0 5a c1 26 ad 75 27 70 d7 fd f9 ed 90 b3 25 ac 37 7f 3a ec 20 2a d0 29 53 ae e2 20 60 99 8b Data Ascii: (]Z&u'p%7: *)S `

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49781	171.25.193.9	80	6204	C:\Users\user\Desktop\SaLY22oLht.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2023 19:30:45.097017050 CET	199	OUT	Data Raw: 16 03 01 00 c2 01 00 00 be 03 03 81 82 f8 0f 44 5b 2b 42 73 c7 97 77 06 47 2a ad ea 2a 4b 89 18 fe 35 13 28 02 da be ea e2 6e ae 00 00 1c c0 2b c0 2f c0 2c c0 30 c0 0a c0 09 c0 13 c0 14 00 33 00 39 00 2f 00 35 00 0a 00 ff 01 00 00 79 00 00 00 20 Data Ascii: D[+BswG**K5(n+/,039/5y www.52l4ssog4mep2upyttj.com#
Dec 15, 2023 19:30:45.356405020 CET	1000	IN	Data Raw: 16 03 03 00 39 02 00 00 35 03 03 c0 c8 0e d5 bd c0 c8 34 08 22 6b b9 36 80 61 7f d6 fa 11 fd d3 28 0c b7 44 4f 57 4e 47 52 44 01 00 c0 30 00 00 0d ff 01 00 01 00 00 0b 00 04 03 00 01 02 16 03 03 02 4a 0b 00 02 46 00 02 43 00 02 40 30 82 02 3c 30 Data Ascii: 954"k6a(DOWNGRD0JFC@0<0b)0H0"1 0Uwww.my2jc3tjqlxsnyy.com0231210000000Z231217235959Z010Uwww.kpz3tm66.net0"0H0
Dec 15, 2023 19:30:45.361396074 CET	126	OUT	Data Raw: 16 03 03 00 46 10 00 00 42 41 04 20 ae ad 66 4f f8 87 fb 5d 13 ac c2 79 5a 25 39 c4 4c c2 ac 4d 39 d2 97 6b 7f 06 91 5a 6a d1 11 e8 cd 47 3e c4 d1 ea 2a 5f a4 ea a5 79 8e eb fe 5a d7 aa 9f af ff 43 34 15 9c fe 60 8f 47 c1 bf 14 03 03 00 01 01 16 Data Ascii: FBA fO]yZ%9LM9kZjG>*_yZC4`G(fm+ckO_e6BAj\maLek
Dec 15, 2023 19:30:45.619992971 CET	51	IN	Data Raw: 14 03 03 00 01 01 16 03 03 00 28 60 ed 7c b2 0e b5 2c 4f 05 05 ff 9f c8 9b eb 60 ae de 0b 45 86 36 c7 01 c1 9b 0b d8 87 0a 8a 9d 56 a4 df 07 70 b0 64 ae Data Ascii: (`\|,O`E6Vpd

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49801	85.25.213.211	80	6204	C:\Users\user\Desktop\SaLY22oLht.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2023 19:30:50.056408882 CET	200	OUT	Data Raw: 16 03 01 00 c3 01 00 00 bf 03 03 2f 32 c7 a4 af cc 21 17 43 e0 60 61 6a ee fd 54 60 4a 50 8b c3 59 52 3a 89 a6 c4 d3 8a 23 c6 1e 00 00 1c c0 2b c0 2f c0 2c c0 30 c0 0a c0 09 c0 13 c0 14 00 33 00 39 00 2f 00 35 00 0a 00 ff 01 00 00 7a 00 00 00 21 Data Ascii: /2!C`ajT`JPYR:#+/,039/5z!www.rhurngfhdlabfvrd7waq.com#
Dec 15, 2023 19:30:50.301321030 CET	392	IN	HTTP/1.1 400 Bad Request Date: Fri, 15 Dec 2023 18:30:50 GMT Server: Apache Content-Length: 226 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 20 72 65 71 75 65 73 74 20 74 68 61 74 20 74 68 69 73 20 73 65 72 76 65 72 20 63 6f 75 6c 64 20 6e 6f 74 20 75 6e 64 65 72 73 74 61 6e 64 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>400 Bad Request</title></head><body><h1>Bad Request</h1><p>Your browser sent a request that this server could not understand.<br /></p></body></html>

Target ID:	0
Start time:	19:29:10
Start date:	15/12/2023
Path:	C:\Users\user\Desktop\SaLY22oLht.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SaLY22oLht.exe
Imagebase:	0x400000
File size:	1'990'656 bytes
MD5 hash:	39D11A7C0C4286AB2FA318D37CB3C3F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1650243292.0000000002917000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:29:11
Start date:	15/12/2023
Path:	C:\Users\user\Desktop\SaLY22oLht.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SaLY22oLht.exe
Imagebase:	0x400000
File size:	1'990'656 bytes
MD5 hash:	39D11A7C0C4286AB2FA318D37CB3C3F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	19:29:20
Start date:	15/12/2023
Path:	C:\ProgramData\Drivers\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Drivers\csrss.exe"
Imagebase:	0x400000
File size:	1'990'656 bytes
MD5 hash:	39D11A7C0C4286AB2FA318D37CB3C3F3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000002.00000002.1742071924.0000000002C00000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:29:21
Start date:	15/12/2023
Path:	C:\ProgramData\Drivers\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Drivers\csrss.exe"
Imagebase:	0x400000
File size:	1'990'656 bytes
MD5 hash:	39D11A7C0C4286AB2FA318D37CB3C3F3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	42.6%
Dynamic/Decrypted Code Coverage:	86.4%
Signature Coverage:	47.7%
Total number of Nodes:	44
Total number of Limit Nodes:	8

Executed Functions

Function 02AD0110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 02AD0156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 02AD016C
CreateProcessA.KERNELBASE(?,00000000), ref: 02AD0255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02AD0270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02AD0283
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 02AD029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 02AD02C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 02AD02E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 02AD0304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 02AD032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 02AD0399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 02AD03BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 02AD03E1
ResumeThread.KERNELBASE(00000000), ref: 02AD03ED
ExitProcess.KERNEL32(00000000), ref: 02AD0412

Memory Dump Source

Source File: 00000000.00000002.1650356050.0000000002AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ad0000_SaLY22oLht.jbxd

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 93872480-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: f774ee626b8cc4861267b4c49568cf263bed367cbeeb4b093439fcdbdb7a68de
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: D3B1C774A00208AFDB44CF98C895F9EBBB5FF88314F248158E909AB395D771AE41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 029177C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 029177EE
Module32First.KERNEL32(00000000,00000224), ref: 0291780E

Memory Dump Source

Source File: 00000000.00000002.1650243292.0000000002917000.00000040.00000020.00020000.00000000.sdmp, Offset: 02917000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2917000_SaLY22oLht.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 9dede7ead46e25afe92f7ffa4aaebbc020a816820aac8a4ad9530dc346b1685a
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: F0F0683160071A6FD7203BF6A88DBBAB6ECAF45729F100568E546910C0DB70E8458651

Uniqueness

Uniqueness Score: -1.00%

Function 02AD0420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 02AD0533

Strings

saodkfnosa9uin, xrefs: 02AD04DA
0, xrefs: 02AD0492
mfoaskdfnoa, xrefs: 02AD0520, 02AD0523
d, xrefs: 02AD0584

Memory Dump Source

Source File: 00000000.00000002.1650356050.0000000002AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ad0000_SaLY22oLht.jbxd

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: 4ff0d82efb415d9390a0db76b1c84572b2069caf0442dcf55fb82ffedc2c9d6a
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: 61512870D08388DEEB11CBE8C849BDDBFB2AF11708F144058D5497F286C7BA5658CB66

Uniqueness

Uniqueness Score: -1.00%

Function 02AD05B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 02AD05EC

Strings

apfHQ, xrefs: 02AD05E2, 02AD05E5
o, xrefs: 02AD0600

Memory Dump Source

Source File: 00000000.00000002.1650356050.0000000002AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ad0000_SaLY22oLht.jbxd

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 5c2481810d22026c9ce69fa6f9a92d1649bdda8b4e010dc6b28578dddc1e4f30
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: 4D012170C0425CEEDF10DBA8C5587AEBFB5AF51308F1480D9C4092B241D7B69B58CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02917485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 029174D6

Memory Dump Source

Source File: 00000000.00000002.1650243292.0000000002917000.00000040.00000020.00020000.00000000.sdmp, Offset: 02917000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2917000_SaLY22oLht.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: a43b95601648353374cf6c9a1fcef50978d01f1617f85edaf4d789075bf89a9a
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: A4113979A00208EFDB01DF99C985E99BBF5AF08351F0580A4F9489B361D371EA90EF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 029170A3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650243292.0000000002917000.00000040.00000020.00020000.00000000.sdmp, Offset: 02917000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2917000_SaLY22oLht.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 81b720f7bcdf5d5a2ff129362b1cbf8d403e61f523b0bd1bf71ff33ec56d4445
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 3E1170723402059FD754DF96DC80EE6B3EAEB89224B2980A5ED08CB316D775E842C760

Uniqueness

Uniqueness Score: -1.00%

Function 02AD0042 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650356050.0000000002AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ad0000_SaLY22oLht.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: bad916304b353e62ff5d45095d27b63224734384297a3ab440c9a4773db4d882
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 85118E72340100AFEB54DF65DCD0FA673EAEB88320B598165ED09CB311DA76EC01CB60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SaLY22oLht.exePID: 6204, Parent PID: 7088COMMON

Execution Graph

Execution Coverage:	15.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.2%
Total number of Nodes:	27
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00694A87 Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___sbh_find_block.LIBCMT ref: 00694AB0
___sbh_free_block.LIBCMT ref: 00694ABF
RtlFreeHeap.NTDLL(00000000,?,0081B8C0,0000000C,00695999,00000000,?,?,006959B0,?,006C5FF8,0081C690,0000000C,006C60AA,?,00000000), ref: 00694AEF
GetLastError.KERNEL32(?,?,006959B0,?,006C5FF8,0081C690,0000000C,006C60AA,?,00000000), ref: 00694B00

Memory Dump Source

Source File: 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4085945568.0000000000824000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.4085945568.000000000083C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.4085945568.0000000000843000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SaLY22oLht.jbxd

Similarity

API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block
String ID:
API String ID: 2661975262-0
Opcode ID: 78909d6c4936e91804b8b1daa8b3149c3f077c8927f69aac5a87e0b9846f729e
Instruction ID: d2f168f1c234fbc1eb0db84b56c896eb6ac808ee96d716f7e41c0537d1ba3495
Opcode Fuzzy Hash: 78909d6c4936e91804b8b1daa8b3149c3f077c8927f69aac5a87e0b9846f729e
Instruction Fuzzy Hash: E501A271945301AADF60BF74AC06F9F3B6EAF00765F10000DF510A6A99CE788A42DA68

Uniqueness

Uniqueness Score: -1.00%

Function 006C5FE7 Relevance: 4.5, APIs: 3, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 006C5FF3

Part of subcall function 006959A8: __getptd_noexit.LIBCMT ref: 006959AB
Part of subcall function 006959A8: __amsg_exit.LIBCMT ref: 006959B8

__endthreadex.LIBCMT ref: 006C6003

Part of subcall function 006C5FAA: __IsNonwritableInCurrentImage.LIBCMT ref: 006C5FBD
Part of subcall function 006C5FAA: __getptd_noexit.LIBCMT ref: 006C5FCD
Part of subcall function 006C5FAA: __freeptd.LIBCMT ref: 006C5FD7
Part of subcall function 006C5FAA: RtlExitUserThread.NTDLL(?,?,006C6008,00000000), ref: 006C5FE0
Part of subcall function 006C5FAA: __XcptFilter.LIBCMT ref: 006C6014

Memory Dump Source

Source File: 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4085945568.0000000000824000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.4085945568.000000000083C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.4085945568.0000000000843000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SaLY22oLht.jbxd

Similarity

API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadUserXcpt__amsg_exit__endthreadex__freeptd__getptd
String ID:
API String ID: 1003287236-0
Opcode ID: a89283c4aba3c99d0b47ffbdad6a7f8d104b49c00d8e382c7f34c9978f4e5ab4
Instruction ID: d5ace2e70bc2d3c52d8088d9385be9d0b72b17dae02ad738aec28fd26f28fbfb
Opcode Fuzzy Hash: a89283c4aba3c99d0b47ffbdad6a7f8d104b49c00d8e382c7f34c9978f4e5ab4
Instruction Fuzzy Hash: 65E0ECB5954605DFEB58ABA0C806E7E776AEF48311F20404CF1029B6A2CA75A984DF25

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00694A78 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 006999D2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006999E7
UnhandledExceptionFilter.KERNEL32(006D9C6C), ref: 006999F2
GetCurrentProcess.KERNEL32(C0000409), ref: 00699A0E
TerminateProcess.KERNEL32(00000000), ref: 00699A15

Memory Dump Source

Source File: 00000001.00000002.4085945568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4085945568.0000000000824000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.4085945568.000000000083C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.4085945568.0000000000843000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SaLY22oLht.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 5e4f057abdc76eb51c15de7ff52c5ade2ab544b117bf26ad20e1fd5a877e97fd
Instruction ID: dcde4617195335d5d3c577808627ec0208f30a12f7e2c262b8b14ad4a69ab474
Opcode Fuzzy Hash: 5e4f057abdc76eb51c15de7ff52c5ade2ab544b117bf26ad20e1fd5a877e97fd
Instruction Fuzzy Hash: F021E0B4902305DFCB91DF69FD856447BA9FB88360F10681AF509833A0EFB059828F35

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: csrss.exePID: 6320, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	43.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	39
Total number of Limit Nodes:	7

Executed Functions

Function 02E00110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 02E00156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 02E0016C
CreateProcessA.KERNELBASE(?,00000000), ref: 02E00255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02E00270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02E00283
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 02E0029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 02E002C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 02E002E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 02E00304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 02E0032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 02E00399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 02E003BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 02E003E1
ResumeThread.KERNELBASE(00000000), ref: 02E003ED
ExitProcess.KERNEL32(00000000), ref: 02E00412

Memory Dump Source

Source File: 00000002.00000002.1742186981.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e00000_csrss.jbxd

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 93872480-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: f3ec474a1b3da366d106007abcf9c85731e8baf6589ee5752e1a40de0612b5f4
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 7CB1C774A00208AFDB44CF98C895F9EBBB5FF88314F248158E509AB395D771AE81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02E00420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 02E00533

Strings

d, xrefs: 02E00584
saodkfnosa9uin, xrefs: 02E004DA
0, xrefs: 02E00492
mfoaskdfnoa, xrefs: 02E00520, 02E00523

Memory Dump Source

Source File: 00000002.00000002.1742186981.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e00000_csrss.jbxd

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: 6de7b5529b993f3b7fbe5ff215f0a0e84dbfa0af8bd8802f7e89b45a9199b93f
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: 2A512870D48388DAEB11CBE8C849BDDBFB2AF11708F148058D5447F2C6C7BA5699CB66

Uniqueness

Uniqueness Score: -1.00%

Function 02E005B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 02E005EC

Strings

apfHQ, xrefs: 02E005E2, 02E005E5
o, xrefs: 02E00600

Memory Dump Source

Source File: 00000002.00000002.1742186981.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e00000_csrss.jbxd

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: f77ce1bc39bc4718defc984e8e0a2485f3c5530f25d5e0fcff6585206d8ef14c
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: 64011E70C0425CEADB10DBD8C5583EEBFB5AF41308F188099C4492B281D7769B99CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C007A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C007CE
Module32First.KERNEL32(00000000,00000224), ref: 02C007EE

Memory Dump Source

Source File: 00000002.00000002.1742071924.0000000002C00000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c00000_csrss.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 1d1d4dae44e4a8b162e9defa3452e9491fd66bf9a200da9cde886310764cdc26
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: CAF090322017156FE7203BF9A8CCB6F77ECAF89669F110528E643910C0DBB8F9458E61

Uniqueness

Uniqueness Score: -1.00%

Function 02C00465 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02C004B6

Memory Dump Source

Source File: 00000002.00000002.1742071924.0000000002C00000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c00000_csrss.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: ff8c20fc5a41ae8860a10b1286c41e14d1ede41510af5fde43b15dfc6e300fb1
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 72113C79A40208EFDB01DF98C985E98BBF5AF08351F058094F9489B361D775EA50EF80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: csrss.exePID: 1856, Parent PID: 6320COMMON

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	27
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 006C5FE7 Relevance: 4.5, APIs: 3, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 006C5FF3

Part of subcall function 006959A8: __getptd_noexit.LIBCMT ref: 006959AB
Part of subcall function 006959A8: __amsg_exit.LIBCMT ref: 006959B8

__endthreadex.LIBCMT ref: 006C6003

Part of subcall function 006C5FAA: __IsNonwritableInCurrentImage.LIBCMT ref: 006C5FBD
Part of subcall function 006C5FAA: __getptd_noexit.LIBCMT ref: 006C5FCD
Part of subcall function 006C5FAA: __freeptd.LIBCMT ref: 006C5FD7
Part of subcall function 006C5FAA: RtlExitUserThread.NTDLL(?,?,006C6008,00000000), ref: 006C5FE0
Part of subcall function 006C5FAA: __XcptFilter.LIBCMT ref: 006C6014

Memory Dump Source

Source File: 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4085920493.0000000000824000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4085920493.000000000083D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4085920493.0000000000843000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_csrss.jbxd

Similarity

API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadUserXcpt__amsg_exit__endthreadex__freeptd__getptd
String ID:
API String ID: 1003287236-0
Opcode ID: a89283c4aba3c99d0b47ffbdad6a7f8d104b49c00d8e382c7f34c9978f4e5ab4
Instruction ID: d5ace2e70bc2d3c52d8088d9385be9d0b72b17dae02ad738aec28fd26f28fbfb
Opcode Fuzzy Hash: a89283c4aba3c99d0b47ffbdad6a7f8d104b49c00d8e382c7f34c9978f4e5ab4
Instruction Fuzzy Hash: 65E0ECB5954605DFEB58ABA0C806E7E776AEF48311F20404CF1029B6A2CA75A984DF25

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00694A78 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 006999D2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006999E7
UnhandledExceptionFilter.KERNEL32(006D9C6C), ref: 006999F2
GetCurrentProcess.KERNEL32(C0000409), ref: 00699A0E
TerminateProcess.KERNEL32(00000000), ref: 00699A15

Memory Dump Source

Source File: 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4085920493.0000000000824000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4085920493.000000000083D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4085920493.0000000000843000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_csrss.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 5e4f057abdc76eb51c15de7ff52c5ade2ab544b117bf26ad20e1fd5a877e97fd
Instruction ID: dcde4617195335d5d3c577808627ec0208f30a12f7e2c262b8b14ad4a69ab474
Opcode Fuzzy Hash: 5e4f057abdc76eb51c15de7ff52c5ade2ab544b117bf26ad20e1fd5a877e97fd
Instruction Fuzzy Hash: F021E0B4902305DFCB91DF69FD856447BA9FB88360F10681AF509833A0EFB059828F35

Uniqueness

Uniqueness Score: -1.00%

Function 00694A87 Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___sbh_find_block.LIBCMT ref: 00694AB0
___sbh_free_block.LIBCMT ref: 00694ABF
HeapFree.KERNEL32(00000000,?,0081B8C0,0000000C,00695999,00000000,?,?,006959B0,?,006C5FF8,0081C690,0000000C,006C60AA,?,00000000), ref: 00694AEF
GetLastError.KERNEL32(?,?,006959B0,?,006C5FF8,0081C690,0000000C,006C60AA,?,00000000), ref: 00694B00

Memory Dump Source

Source File: 00000003.00000002.4085920493.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4085920493.0000000000824000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4085920493.000000000083D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4085920493.0000000000843000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_csrss.jbxd

Similarity

API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block
String ID:
API String ID: 2661975262-0
Opcode ID: 78909d6c4936e91804b8b1daa8b3149c3f077c8927f69aac5a87e0b9846f729e
Instruction ID: d2f168f1c234fbc1eb0db84b56c896eb6ac808ee96d716f7e41c0537d1ba3495
Opcode Fuzzy Hash: 78909d6c4936e91804b8b1daa8b3149c3f077c8927f69aac5a87e0b9846f729e
Instruction Fuzzy Hash: E501A271945301AADF60BF74AC06F9F3B6EAF00765F10000DF510A6A99CE788A42DA68

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SaLY22oLht.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Drivers\csrss.exe

C:\Users\user\AppData\Local\Temp\4KPV6A~1\state (copy)

C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\state.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

ICMP Packets

HTTP Packets

Statistics

CPU Usage

Windows Analysis Report
SaLY22oLht.exe

Function 02AD0110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Function 029177C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02AD0420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Function 02AD05B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Function 02917485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Function 00694A87 Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMONLIBRARYCODE

Function 006C5FE7 Relevance: 4.5, APIs: 3, Instructions: 19
COMMONLIBRARYCODE

Function 00694A78 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Function 02E00110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Function 02E00420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Function 02E005B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Function 02C007A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02C00465 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Function 006C5FE7 Relevance: 4.5, APIs: 3, Instructions: 19
COMMONLIBRARYCODE

Function 00694A78 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE