Edit tour

Windows Analysis Report
Mcb5K3TOWT.exe

Overview

General Information

Sample name:	Mcb5K3TOWT.exe renamed because original name is a hash value
Original sample name:	97e5f2c04baad060d0169b7d76cfa5de.exe
Analysis ID:	1417384
MD5:	97e5f2c04baad060d0169b7d76cfa5de
SHA1:	00d5d0699bf1ccddf28fbd9eeb6ed9aaa8bc320b
SHA256:	bb50ae148cf4986c2ac4c81e75412a91910fe8fb169bd054d130a775af4b5e35
Tags:	32CMSBruteexetrojan
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to inject code into remote processes

Drops PE files with benign system names

Found Tor onion address

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May use the Tor software to hide its network traffic

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Suspicious Process Parents

Sigma detected: System File Execution Location Anomaly

Connects to several IPs in different countries

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Mcb5K3TOWT.exe (PID: 7592 cmdline: "C:\Users\user\Desktop\Mcb5K3TOWT.exe" MD5: 97E5F2C04BAAD060D0169B7D76CFA5DE)

Mcb5K3TOWT.exe (PID: 7608 cmdline: "C:\Users\user\Desktop\Mcb5K3TOWT.exe" MD5: 97E5F2C04BAAD060D0169B7D76CFA5DE)

csrss.exe (PID: 7708 cmdline: "C:\ProgramData\Drivers\csrss.exe" MD5: 97E5F2C04BAAD060D0169B7D76CFA5DE)

csrss.exe (PID: 7724 cmdline: "C:\ProgramData\Drivers\csrss.exe" MD5: 97E5F2C04BAAD060D0169B7D76CFA5DE)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1734753448.0000000002E00000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1631676309.00000000029C8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\Mcb5K3TOWT.exe, ProcessId: 7608, TargetFilename: C:\ProgramData\Drivers\csrss.exe

Sigma detected: Suspicious Process Parents

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\ProgramData\Drivers\csrss.exe" , CommandLine: "C:\ProgramData\Drivers\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\Drivers\csrss.exe, NewProcessName: C:\ProgramData\Drivers\csrss.exe, OriginalFileName: C:\ProgramData\Drivers\csrss.exe, ParentCommandLine: "C:\ProgramData\Drivers\csrss.exe" , ParentImage: C:\ProgramData\Drivers\csrss.exe, ParentProcessId: 7708, ParentProcessName: csrss.exe, ProcessCommandLine: "C:\ProgramData\Drivers\csrss.exe" , ProcessId: 7724, ProcessName: csrss.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\ProgramData\Drivers\csrss.exe" , CommandLine: "C:\ProgramData\Drivers\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\Drivers\csrss.exe, NewProcessName: C:\ProgramData\Drivers\csrss.exe, OriginalFileName: C:\ProgramData\Drivers\csrss.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\ProgramData\Drivers\csrss.exe" , ProcessId: 7708, ProcessName: csrss.exe

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 104.149.139.42, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\Mcb5K3TOWT.exe, Initiated: true, ProcessId: 7608, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49768

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Drivers\csrss.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Mcb5K3TOWT.exe, ProcessId: 7608, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\ProgramData\Drivers\csrss.exe" , CommandLine: "C:\ProgramData\Drivers\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\Drivers\csrss.exe, NewProcessName: C:\ProgramData\Drivers\csrss.exe, OriginalFileName: C:\ProgramData\Drivers\csrss.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\ProgramData\Drivers\csrss.exe" , ProcessId: 7708, ProcessName: csrss.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Mcb5K3TOWT.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\Drivers\csrss.exe

Avira: detection malicious, Label: HEUR/AGEN.1313019

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Drivers\csrss.exe	ReversingLabs: Detection: 38%
Source: C:\ProgramData\Drivers\csrss.exe	Virustotal: Detection: 44%			Perma Link

Multi AV Scanner detection for submitted file

Source: Mcb5K3TOWT.exe	ReversingLabs: Detection: 38%
Source: Mcb5K3TOWT.exe	Virustotal: Detection: 44%			Perma Link

Machine Learning detection for dropped file

Source: C:\ProgramData\Drivers\csrss.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Mcb5K3TOWT.exe

Joe Sandbox ML: detected

Source: Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_86043cfe-e

Source: Mcb5K3TOWT.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.58.180.90:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.50.191.95:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.13.195.248:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.247.74.201:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.154.106.60:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.65.205.10:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.201.94.113:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.213.233.138:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 85.10.240.250:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.12.203.242:443 -> 192.168.2.4:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.42.116.17:443 -> 192.168.2.4:49878 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.36.38.33:443 -> 192.168.2.4:49879 version: TLS 1.2

Source:

Binary string: C:\dukusixurageru32\wabipajomali_fafutaf\bebut\j.pdb source: Mcb5K3TOWT.exe, csrss.exe.1.dr

Networking

Found Tor onion address

Source: Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000824000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Referer: X-Requested-With: XMLHttpRequest Content-Type: application/json;127.0.0.1:--ignore-missing-torrcect[] = --SOCKSPort--DataDirectory--bridgehttp://x5outc76j5k4qrzaqdj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onionT/reg.php?upd.php?/task.php?/rep.phperr.php?&n=v=b=p=repsf=e=nocache=SEH exceptionSEHSTD: C++.dll4kPv6aJG8e\!update!sleep !regcheckcreateObjectwp-login.phpwp-admin/name="loginform"ionW[] = id="loginform"name="log"id="user_login"name="pwd"id="user_pass"administrator/administrator/index.php ] = id="form-login"action="/administrator= = id="mod-login-username"nd[] = name="username"id="mod-login-password" name="passwd"admin.phpDataLifesubactionusernamepasswordOK{
Source: csrss.exe, 00000003.00000002.4085831673.0000000000824000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Referer: X-Requested-With: XMLHttpRequest Content-Type: application/json;127.0.0.1:--ignore-missing-torrcect[] = --SOCKSPort--DataDirectory--bridgehttp://x5outc76j5k4qrzaqdj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onionT/reg.php?upd.php?/task.php?/rep.phperr.php?&n=v=b=p=repsf=e=nocache=SEH exceptionSEHSTD: C++.dll4kPv6aJG8e\!update!sleep !regcheckcreateObjectwp-login.phpwp-admin/name="loginform"ionW[] = id="loginform"name="log"id="user_login"name="pwd"id="user_pass"administrator/administrator/index.php ] = id="form-login"action="/administrator= = id="mod-login-username"nd[] = name="username"id="mod-login-password" name="passwd"admin.phpDataLifesubactionusernamepasswordOK{

Source: unknown

Network traffic detected: IP country count 24

Source: global traffic	TCP traffic: 192.168.2.4:49733 -> 31.127.34.9:9001
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 128.31.0.39:9101
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 198.98.52.143:9001
Source: global traffic	TCP traffic: 192.168.2.4:49749 -> 176.31.116.155:8443
Source: global traffic	TCP traffic: 192.168.2.4:49751 -> 37.191.206.197:8443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 185.220.100.251:9000
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 45.14.150.182:9001
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 213.144.142.24:9001
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 195.123.209.91:5092
Source: global traffic	TCP traffic: 192.168.2.4:49763 -> 91.121.181.6:9001
Source: global traffic	TCP traffic: 192.168.2.4:49765 -> 185.220.101.205:10205
Source: global traffic	TCP traffic: 192.168.2.4:49767 -> 62.78.194.4:9001
Source: global traffic	TCP traffic: 192.168.2.4:49768 -> 104.149.139.42:8080
Source: global traffic	TCP traffic: 192.168.2.4:49770 -> 185.251.165.74:9001
Source: global traffic	TCP traffic: 192.168.2.4:49779 -> 5.2.78.69:9001
Source: global traffic	TCP traffic: 192.168.2.4:49785 -> 91.121.86.59:993
Source: global traffic	TCP traffic: 192.168.2.4:49789 -> 173.249.63.227:9001
Source: global traffic	TCP traffic: 192.168.2.4:49795 -> 47.254.134.152:9001
Source: global traffic	TCP traffic: 192.168.2.4:49796 -> 47.56.94.99:9001
Source: global traffic	TCP traffic: 192.168.2.4:49801 -> 149.56.98.216:9001
Source: global traffic	TCP traffic: 192.168.2.4:49802 -> 103.253.41.98:9001
Source: global traffic	TCP traffic: 192.168.2.4:49806 -> 54.36.112.239:9001
Source: global traffic	TCP traffic: 192.168.2.4:49811 -> 91.121.160.6:9001
Source: global traffic	TCP traffic: 192.168.2.4:49819 -> 37.139.22.180:9001
Source: global traffic	TCP traffic: 192.168.2.4:49824 -> 140.186.205.68:9001
Source: global traffic	TCP traffic: 192.168.2.4:49836 -> 162.212.158.82:9001
Source: global traffic	TCP traffic: 192.168.2.4:49838 -> 184.105.220.24:9001
Source: global traffic	TCP traffic: 192.168.2.4:49839 -> 185.220.101.1:30001
Source: global traffic	TCP traffic: 192.168.2.4:49840 -> 176.67.170.192:9001
Source: global traffic	TCP traffic: 192.168.2.4:49841 -> 149.34.27.137:9001
Source: global traffic	TCP traffic: 192.168.2.4:49842 -> 51.195.124.251:9001
Source: global traffic	TCP traffic: 192.168.2.4:49843 -> 185.220.101.143:10143
Source: global traffic	TCP traffic: 192.168.2.4:49844 -> 185.233.252.14:9001
Source: global traffic	TCP traffic: 192.168.2.4:49845 -> 62.216.85.110:34049
Source: global traffic	TCP traffic: 192.168.2.4:49846 -> 185.213.155.169:5753
Source: global traffic	TCP traffic: 192.168.2.4:49847 -> 185.220.101.20:10020
Source: global traffic	TCP traffic: 192.168.2.4:49849 -> 94.142.241.226:9443
Source: global traffic	TCP traffic: 192.168.2.4:49851 -> 145.239.158.234:9001
Source: global traffic	TCP traffic: 192.168.2.4:49852 -> 194.55.13.50:9001
Source: global traffic	TCP traffic: 192.168.2.4:49853 -> 78.46.174.72:9001
Source: global traffic	TCP traffic: 192.168.2.4:49854 -> 212.47.227.71:9001
Source: global traffic	TCP traffic: 192.168.2.4:49856 -> 8.209.79.125:9001
Source: global traffic	TCP traffic: 192.168.2.4:49857 -> 212.8.243.229:9001
Source: global traffic	TCP traffic: 192.168.2.4:49858 -> 45.125.65.112:9001
Source: global traffic	TCP traffic: 192.168.2.4:49859 -> 185.220.101.198:10198
Source: global traffic	TCP traffic: 192.168.2.4:49862 -> 45.151.167.10:8443
Source: global traffic	TCP traffic: 192.168.2.4:49863 -> 143.107.229.210:42256
Source: global traffic	TCP traffic: 192.168.2.4:49865 -> 62.210.105.46:9001
Source: global traffic	TCP traffic: 192.168.2.4:49866 -> 185.220.101.23:30023
Source: global traffic	TCP traffic: 192.168.2.4:49867 -> 116.12.180.234:9443
Source: global traffic	TCP traffic: 192.168.2.4:49869 -> 185.220.101.206:30206
Source: global traffic	TCP traffic: 192.168.2.4:49871 -> 198.58.107.53:9001
Source: global traffic	TCP traffic: 192.168.2.4:49872 -> 5.181.51.52:9001
Source: global traffic	TCP traffic: 192.168.2.4:49875 -> 88.198.112.25:9001
Source: global traffic	TCP traffic: 192.168.2.4:49880 -> 143.107.229.120:40233
Source: global traffic	TCP traffic: 192.168.2.4:49882 -> 71.200.64.77:9001
Source: global traffic	TCP traffic: 192.168.2.4:49883 -> 185.82.217.49:9001
Source: global traffic	TCP traffic: 192.168.2.4:49884 -> 80.66.135.13:9001
Source: global traffic	TCP traffic: 192.168.2.4:49885 -> 147.92.88.67:9001
Source: global traffic	TCP traffic: 192.168.2.4:49886 -> 176.123.3.222:9001
Source: global traffic	TCP traffic: 192.168.2.4:49887 -> 194.140.117.58:993

Source: Joe Sandbox View	IP Address: 171.25.193.9 171.25.193.9
Source: Joe Sandbox View	IP Address: 171.25.193.9 171.25.193.9
Source: Joe Sandbox View	IP Address: 198.50.191.95 198.50.191.95
Source: Joe Sandbox View	IP Address: 178.20.55.18 178.20.55.18

Source: Joe Sandbox View

JA3 fingerprint: 83d60721ecc423892660e275acc4dffd

Source: unknown	TCP traffic detected without corresponding DNS query: 178.17.174.10
Source: unknown	TCP traffic detected without corresponding DNS query: 178.17.174.10
Source: unknown	TCP traffic detected without corresponding DNS query: 178.17.174.10
Source: unknown	TCP traffic detected without corresponding DNS query: 31.127.34.9
Source: unknown	TCP traffic detected without corresponding DNS query: 31.127.34.9
Source: unknown	TCP traffic detected without corresponding DNS query: 204.13.164.118
Source: unknown	TCP traffic detected without corresponding DNS query: 204.13.164.118
Source: unknown	TCP traffic detected without corresponding DNS query: 204.13.164.118
Source: unknown	TCP traffic detected without corresponding DNS query: 204.13.164.118
Source: unknown	TCP traffic detected without corresponding DNS query: 204.13.164.118
Source: unknown	TCP traffic detected without corresponding DNS query: 204.13.164.118
Source: unknown	TCP traffic detected without corresponding DNS query: 31.127.34.9
Source: unknown	TCP traffic detected without corresponding DNS query: 31.127.34.9
Source: unknown	TCP traffic detected without corresponding DNS query: 31.127.34.9
Source: unknown	TCP traffic detected without corresponding DNS query: 192.0.128.86
Source: unknown	TCP traffic detected without corresponding DNS query: 128.31.0.39
Source: unknown	TCP traffic detected without corresponding DNS query: 128.31.0.39
Source: unknown	TCP traffic detected without corresponding DNS query: 192.0.128.86
Source: unknown	TCP traffic detected without corresponding DNS query: 128.31.0.39
Source: unknown	TCP traffic detected without corresponding DNS query: 128.31.0.39
Source: unknown	TCP traffic detected without corresponding DNS query: 128.31.0.39
Source: unknown	TCP traffic detected without corresponding DNS query: 192.0.128.86
Source: unknown	TCP traffic detected without corresponding DNS query: 192.0.128.86
Source: unknown	TCP traffic detected without corresponding DNS query: 192.0.128.86
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.52.143
Source: unknown	TCP traffic detected without corresponding DNS query: 154.35.175.225
Source: unknown	TCP traffic detected without corresponding DNS query: 154.35.175.225
Source: unknown	TCP traffic detected without corresponding DNS query: 154.35.175.225
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.52.143
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.52.143
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.52.143
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.52.143
Source: unknown	TCP traffic detected without corresponding DNS query: 209.58.180.90
Source: unknown	TCP traffic detected without corresponding DNS query: 209.58.180.90
Source: unknown	TCP traffic detected without corresponding DNS query: 209.58.180.90
Source: unknown	TCP traffic detected without corresponding DNS query: 209.58.180.90
Source: unknown	TCP traffic detected without corresponding DNS query: 209.58.180.90
Source: unknown	TCP traffic detected without corresponding DNS query: 209.58.180.90
Source: unknown	TCP traffic detected without corresponding DNS query: 176.31.116.155
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 176.31.116.155
Source: unknown	TCP traffic detected without corresponding DNS query: 176.31.116.155
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 131.188.40.189
Source: unknown	TCP traffic detected without corresponding DNS query: 154.35.175.225

Source: Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: Mcb5K3TOWT.exe, 00000001.00000002.4087569548.00000000025A5000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4087672879.0000000002812000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: Mcb5K3TOWT.exe, 00000001.00000002.4087569548.00000000025A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.yahoo.com}P equals www.yahoo.com (Yahoo)

Source: Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.htmlTYPE=2OpenSSL
Source: Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000824000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000824000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://x5outc76j5k4qrzaqdj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onionT/reg.php?upd.php?/task.php?/re
Source: Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https:///phpMyAdmin//PhpMyAdmin//pma/rootmysqlimapssmtpspop3sscp://your_IP_is_greylisted_README.txt2
Source: Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://trac.torproject.org/projects/tor/ticket/14917.
Source: Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.torproject.org/
Source: csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.torproject.org/documentation.html

Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.58.180.90:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.50.191.95:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.13.195.248:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.247.74.201:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.154.106.60:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.65.205.10:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.201.94.113:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.213.233.138:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.58.81.140:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 85.10.240.250:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.12.203.242:443 -> 192.168.2.4:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.42.116.17:443 -> 192.168.2.4:49878 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.36.38.33:443 -> 192.168.2.4:49879 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000002.00000002.1734753448.0000000002E00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1631676309.00000000029C8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Code function: 0_2_02B90110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,		0_2_02B90110
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_03000110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,		2_2_03000110

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

Code function: 0_2_00406FA0

0_2_00406FA0

Source: Mcb5K3TOWT.exe	Binary or memory string: OriginalFilename vs Mcb5K3TOWT.exe
Source: Mcb5K3TOWT.exe, 00000000.00000002.1631393059.0000000000C85000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWell2 vs Mcb5K3TOWT.exe
Source: Mcb5K3TOWT.exe, 00000001.00000003.1632887221.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWell2 vs Mcb5K3TOWT.exe
Source: Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000843000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCSRSS.Exej% vs Mcb5K3TOWT.exe
Source: Mcb5K3TOWT.exe, 00000001.00000000.1630209987.0000000000C85000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWell2 vs Mcb5K3TOWT.exe
Source: Mcb5K3TOWT.exe	Binary or memory string: OriginalFilenameWell2 vs Mcb5K3TOWT.exe

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: csunsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: csunsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: aep.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: atasi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: nuronssl.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: ubsec.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: aep.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: atasi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: nuronssl.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: ubsec.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Section loaded: srvcli.dll	Jump to behavior

Source: Mcb5K3TOWT.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000002.00000002.1734753448.0000000002E00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1631676309.00000000029C8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: classification engine

Classification label: mal100.evad.winEXE@6/3@0/100

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

Code function: 0_2_029C87C6 CreateToolhelp32Snapshot,Module32First,

0_2_029C87C6

Source: C:\ProgramData\Drivers\csrss.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

File created: C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\

Jump to behavior

Source: Mcb5K3TOWT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Mcb5K3TOWT.exe	ReversingLabs: Detection: 38%
Source: Mcb5K3TOWT.exe	Virustotal: Detection: 44%

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

File read: C:\Users\user\Desktop\Mcb5K3TOWT.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Mcb5K3TOWT.exe "C:\Users\user\Desktop\Mcb5K3TOWT.exe"
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Process created: C:\Users\user\Desktop\Mcb5K3TOWT.exe "C:\Users\user\Desktop\Mcb5K3TOWT.exe"
Source: unknown	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
Source: C:\ProgramData\Drivers\csrss.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Process created: C:\Users\user\Desktop\Mcb5K3TOWT.exe "C:\Users\user\Desktop\Mcb5K3TOWT.exe"	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Mcb5K3TOWT.exe

Static file information: File size 1981440 > 1048576

Source: Mcb5K3TOWT.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1c6c00

Source: Mcb5K3TOWT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\dukusixurageru32\wabipajomali_fafutaf\bebut\j.pdb source: Mcb5K3TOWT.exe, csrss.exe.1.dr

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

Code function: 1_2_0069D030 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

1_2_0069D030

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Code function: 0_2_00406CD5 push ecx; ret	0_2_00406CE8
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Code function: 0_2_02B22AB0 push A7EF5AB4h; ret	0_2_02B22AB7
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Code function: 0_2_02B16AE0 push esi; iretd	0_2_02B16AEB
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Code function: 0_2_02A3B2C0 push eax; iretd	0_2_02A3B2C9
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Code function: 0_2_02A6FA35 push ds; ret	0_2_02A6FA36
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Code function: 0_2_02B22A51 push eax; retf	0_2_02B22A53
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Code function: 0_2_02A533F1 push edx; ret	0_2_02A533F3
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Code function: 1_2_00696299 push ecx; ret	1_2_006962AC
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02F4EAC0 push esi; iretd	2_2_02F4EACB
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02E732A0 push eax; iretd	2_2_02E732A9
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02F5AA90 push A7EF5AB4h; ret	2_2_02F5AA97
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02F5AA31 push eax; retf	2_2_02F5AA33
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02EA7A15 push ds; ret	2_2_02EA7A16
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02E8B3D1 push edx; ret	2_2_02E8B3D3
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 3_2_00696299 push ecx; ret	3_2_006962AC

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

File created: C:\ProgramData\Drivers\csrss.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

File created: C:\ProgramData\Drivers\csrss.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

File created: C:\ProgramData\Drivers\csrss.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run CSRSS			Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run CSRSS			Jump to behavior

Hooking and other Techniques for Hiding and Protection

May use the Tor software to hide its network traffic

Source: Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: onion-port

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

Code function: 0_2_00406FA0 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00406FA0

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Window / User API: threadDelayed 1927	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Window / User API: threadDelayed 7959	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Window / User API: threadDelayed 9925	Jump to behavior

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe TID: 7612	Thread sleep count: 1927 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe TID: 7612	Thread sleep time: -192700s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe TID: 7612	Thread sleep count: 7959 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe TID: 7612	Thread sleep time: -795900s >= -30000s	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe TID: 7728	Thread sleep count: 9925 > 30	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe TID: 7728	Thread sleep time: -992500s >= -30000s	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe TID: 7728	Thread sleep count: 66 > 30	Jump to behavior

Source: C:\ProgramData\Drivers\csrss.exe	Last function: Thread delayed
Source: C:\ProgramData\Drivers\csrss.exe	Last function: Thread delayed

Source: csrss.exe, 00000003.00000002.4087488823.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: csrss.exe, 00000003.00000002.4087488823.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: csrss.exe, 00000003.00000002.4087277129.0000000000C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMJ
Source: Mcb5K3TOWT.exe, 00000001.00000002.4086757848.0000000000958000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

Code function: 0_2_00408C01 IsDebuggerPresent,

0_2_00408C01

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

1_2_0069D030

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Code function: 0_2_029C80A3 push dword ptr fs:[00000030h]	0_2_029C80A3
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Code function: 0_2_02B90042 push dword ptr fs:[00000030h]	0_2_02B90042
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_02E00083 push dword ptr fs:[00000030h]	2_2_02E00083
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 2_2_03000042 push dword ptr fs:[00000030h]	2_2_03000042

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

Code function: 0_2_004080CC GetProcessHeap,

0_2_004080CC

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Code function: 0_2_00408B8C SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00408B8C
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Code function: 1_2_006943E0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_006943E0
Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Code function: 1_2_00694A78 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00694A78

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

Code function: 0_2_02B90110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,

0_2_02B90110

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Memory written: C:\Users\user\Desktop\Mcb5K3TOWT.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Memory written: C:\ProgramData\Drivers\csrss.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe	Process created: C:\Users\user\Desktop\Mcb5K3TOWT.exe "C:\Users\user\Desktop\Mcb5K3TOWT.exe"			Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

Code function: 0_2_00408658 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00408658

Source: C:\Users\user\Desktop\Mcb5K3TOWT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	211 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	211 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Multi-hop Proxy	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	2 Proxy	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Mcb5K3TOWT.exe	39%	ReversingLabs
Mcb5K3TOWT.exe	44%	Virustotal		Browse
Mcb5K3TOWT.exe	100%	Avira	HEUR/AGEN.1313019
Mcb5K3TOWT.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Drivers\csrss.exe	100%	Avira	HEUR/AGEN.1313019
C:\ProgramData\Drivers\csrss.exe	100%	Joe Sandbox ML
C:\ProgramData\Drivers\csrss.exe	39%	ReversingLabs
C:\ProgramData\Drivers\csrss.exe	44%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https:///phpMyAdmin//PhpMyAdmin//pma/rootmysqlimapssmtpspop3sscp://your_IP_is_greylisted_README.txt2	0%	Avira URL Cloud	safe
https://curl.se/docs/http-cookies.html	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html	0%	Avira URL Cloud	safe
https://curl.se/docs/alt-svc.html	0%	Avira URL Cloud	safe
http://x5outc76j5k4qrzaqdj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onionT/reg.php?upd.php?/task.php?/re	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html	0%	Virustotal		Browse
https://curl.se/docs/alt-svc.html	0%	Virustotal		Browse
https://curl.se/docs/http-cookies.html	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.htmlTYPE=2OpenSSL	Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://www.torproject.org/	Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://curl.se/docs/alt-svc.html	Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https:///phpMyAdmin//PhpMyAdmin//pma/rootmysqlimapssmtpspop3sscp://your_IP_is_greylisted_README.txt2	Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://curl.se/docs/http-cookies.html	Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://x5outc76j5k4qrzaqdj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onionT/reg.php?upd.php?/task.php?/re	Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000824000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000824000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.torproject.org/documentation.html	csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://trac.torproject.org/projects/tor/ticket/14917.	Mcb5K3TOWT.exe, 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csrss.exe, 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
171.25.193.9	unknown	Sweden	198093	DFRI-ASForeningenfordigitalafri-ochrattigheterSE	false
85.10.240.250	unknown	Germany	24940	HETZNER-ASDE	false
198.50.191.95	unknown	Canada	16276	OVHFR	false
178.20.55.18	unknown	France	50618	LIAZOFR	false
143.107.229.120	unknown	Brazil	28571	UNIVERSIDADEDESAOPAULOBR	false
94.142.241.226	unknown	Netherlands	8283	COLOCLUE-ASNetwerkverenigingColoclueAmsterdamNetherlan	false
194.55.13.50	unknown	Germany	197540	NETCUP-ASnetcupGmbHDE	false
198.98.52.143	unknown	United States	53667	PONYNETUS	false
47.254.134.152	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
154.35.175.225	unknown	United States	14987	RETHEMHOSTINGUS	false
128.31.0.39	unknown	United States	3	MIT-GATEWAYSUS	false
88.198.112.25	unknown	Germany	24940	HETZNER-ASDE	false
213.144.142.24	unknown	Switzerland	13030	INIT7CH	false
176.31.116.155	unknown	France	16276	OVHFR	false
62.141.38.69	unknown	Germany	24961	MYLOC-ASIPBackboneofmyLocmanagedITAGDE	false
47.56.94.99	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
199.249.230.174	unknown	United States	62744	QUINTEXUS	false
185.220.101.206	unknown	Germany	208294	ASMKNL	false
185.220.101.205	unknown	Germany	208294	ASMKNL	false
185.82.217.49	unknown	Bulgaria	59729	ITL-BG	false
109.70.100.14	unknown	Austria	208323	APPLIEDPRIVACY-ASAT	false
31.13.195.248	unknown	Bulgaria	34224	NETERRA-ASBG	false
192.46.225.58	unknown	United States	5501	FRAUNHOFER-CLUSTER-BWResearchInstitutesspreadalloverGe	false
185.227.82.7	unknown	Netherlands	208258	ACCESS2ITNL	false
198.100.149.77	unknown	Canada	16276	OVHFR	false
185.65.205.10	unknown	Turkey	59895	CITYNETHOST-ASTR	false
109.150.12.235	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
23.129.64.239	unknown	United States	396507	EMERALD-ONIONUS	false
104.149.129.210	unknown	United States	40676	AS40676US	false
37.187.23.232	unknown	France	16276	OVHFR	false
140.186.205.68	unknown	United States	11232	MIDCO-NETUS	false
45.151.167.10	unknown	Germany	207871	FFDDORFDE	false
54.36.112.239	unknown	France	16276	OVHFR	false
149.56.98.216	unknown	Canada	16276	OVHFR	false
31.127.34.9	unknown	United Kingdom	12576	EELtdGB	false
185.220.100.251	unknown	Germany	205100	F3NETZEDE	false
5.2.78.69	unknown	Netherlands	60404	LITESERVERNL	false
62.216.85.110	unknown	Romania	9009	M247GB	false
163.44.174.129	unknown	Japan	7506	INTERQGMOInternetIncJP	false
91.121.86.59	unknown	France	16276	OVHFR	false
185.213.155.169	unknown	Sweden	39351	ESAB-ASSE	false
176.123.3.222	unknown	Moldova Republic of	200019	ALEXHOSTMD	false
194.140.117.58	unknown	Germany	41998	NETCOMBW-ASDE	false
192.0.128.86	unknown	Canada	5645	TEKSAVVYCA	false
91.121.181.6	unknown	France	16276	OVHFR	false
45.14.150.182	unknown	Romania	44220	PARFUMURI-FEMEI-ASRO	false
162.247.74.201	unknown	United States	4224	CALYX-ASUS	false
154.59.112.72	unknown	United States	174	COGENT-174US	false
62.210.105.46	unknown	France	12876	OnlineSASFR	false
173.249.63.227	unknown	Germany	51167	CONTABODE	false
85.209.157.3	unknown	Netherlands	18978	ENZUINC-US	false
178.254.31.125	unknown	Germany	42730	EVANZOASDE	false
45.66.33.45	unknown	Netherlands	47482	SPECTRENL	false
195.201.94.113	unknown	Germany	24940	HETZNER-ASDE	false
8.209.79.125	unknown	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
144.76.170.20	unknown	Germany	24940	HETZNER-ASDE	false
185.220.101.198	unknown	Germany	208294	ASMKNL	false
38.145.200.61	unknown	United States	18978	ENZUINC-US	false
86.59.21.38	unknown	Austria	8437	UTA-ASAT	false
149.34.27.137	unknown	United States	35699	ADAMOEU-ASAdamoTelecomIberiaSAES	false
178.33.183.251	unknown	France	16276	OVHFR	false
62.78.194.4	unknown	Finland	16086	DNAFI	false
91.213.233.138	unknown	Kyrgyzstan	39819	PROHOSTKG	false
163.172.29.34	unknown	United Kingdom	12876	OnlineSASFR	false
195.154.106.60	unknown	France	12876	OnlineSASFR	false
143.107.229.210	unknown	Brazil	28571	UNIVERSIDADEDESAOPAULOBR	false
192.42.116.17	unknown	Netherlands	1101	IP-EEND-ASIP-EENDBVNL	false
145.239.158.234	unknown	France	16276	OVHFR	false
198.58.107.53	unknown	United States	63949	LINODE-APLinodeLLCUS	false
204.13.164.118	unknown	United States	25700	25700US	false
95.211.136.23	unknown	Netherlands	60781	LEASEWEB-NL-AMS-01NetherlandsNL	false
71.200.64.77	unknown	United States	7922	COMCAST-7922US	false
37.191.206.197	unknown	Norway	57963	LYNET-INTERNETT-ASNO	false
104.149.139.42	unknown	United States	40676	AS40676US	false
217.160.255.217	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
193.23.244.244	unknown	Germany	50472	CHAOS-ASDE	false
162.212.158.82	unknown	United States	11878	TZULOUS	false
147.92.88.67	unknown	United States	396097	SAIL-INETUS	false
192.36.38.33	unknown	Sweden	57169	EDIS-AS-EUAT	false
5.181.51.52	unknown	Germany	197540	NETCUP-ASnetcupGmbHDE	false
37.139.22.180	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	false
184.105.220.24	unknown	United States	46841	FORKNETWORKINGUS	false
217.12.203.242	unknown	Ukraine	59729	ITL-BG	false
116.12.180.234	unknown	Singapore	3758	SINGNETSingNetSG	false
212.8.243.229	unknown	Netherlands	49981	WORLDSTREAMNL	false
80.66.135.13	unknown	Belgium	1239	SPRINTLINKUS	false
131.188.40.189	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false
199.249.230.115	unknown	United States	62744	QUINTEXUS	false
185.220.101.23	unknown	Germany	208294	ASMKNL	false
185.220.101.20	unknown	Germany	208294	ASMKNL	false
185.251.165.74	unknown	Liechtenstein	204342	VESTRAvestraICTLICHLI	false
195.123.209.91	unknown	Bulgaria	50979	ITL-LV	false
51.195.124.251	unknown	France	16276	OVHFR	false
199.58.81.140	unknown	Canada	7765	KOUMBITCA	false
178.17.174.10	unknown	Moldova Republic of	43289	TRABIAMD	false
212.47.227.71	unknown	France	12876	OnlineSASFR	false
45.125.65.112	unknown	Hong Kong	133398	TELE-ASTeleAsiaLimitedHK	false
103.253.41.98	unknown	Hong Kong	133398	TELE-ASTeleAsiaLimitedHK	false
91.121.160.6	unknown	France	16276	OVHFR	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417384
Start date and time:	2024-03-29 07:20:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Mcb5K3TOWT.exe renamed because original name is a hash value
Original Sample Name:	97e5f2c04baad060d0169b7d76cfa5de.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@6/3@0/100
EGA Information:	Successful, ratio: 75%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target csrss.exe, PID 7724 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:20:57	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run CSRSS "C:\ProgramData\Drivers\csrss.exe"
07:21:32	API Interceptor	7584232x Sleep call for process: Mcb5K3TOWT.exe modified
07:21:42	API Interceptor	6937474x Sleep call for process: csrss.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
171.25.193.9	R53a3ZJHBQ.exe	Get hash	malicious	SystemBC	Browse	171.25.193.9/tor/status-vote/current/consensus
	x3WX1kHqcx.exe	Get hash	malicious	SystemBC	Browse	171.25.193.9/tor/status-vote/current/consensus
	oGO7Hy4YCH.exe	Get hash	malicious	SystemBC	Browse	171.25.193.9/tor/status-vote/current/consensus
	SPXp2YHDFz.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	ILI1MGzcig.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	lwRhzjuYIg.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	OVrJ9mtD6Y.exe	Get hash	malicious	TinyNuke	Browse	171.25.193.9/tor/status-vote/current/consensus
	F75rJPKdGb.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
	ozJy5Zf5cf.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
	zfpLjnr5P9.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
85.10.240.250	file.exe	Get hash	malicious	Glupteba, SmokeLoader, Socks5Systemz, Stealc, Vidar	Browse
	SaLY22oLht.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
198.50.191.95	m5EyzJ7S8S.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Gurcu Stealer	Browse
	xqz8sQ4mZB.exe	Get hash	malicious	Glupteba, SmokeLoader	Browse
	HVqTxn73uD.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader	Browse
	NBHEkIKDCr.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	malware.exe	Get hash	malicious	Unknown	Browse
	VCJQWUG1iY.exe	Get hash	malicious	Unknown	Browse
	sHUNuVyssu.exe	Get hash	malicious	RedLine	Browse
178.20.55.18	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SmokeLoader, zgRAT	Browse
	6JrdNYGEPZ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, SmokeLoader, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	g5oo6DQ4pd.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	getscreen-728974364.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	getscreen-728974364.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	file.exe	Get hash	malicious	Vidar	Browse	78.46.229.36
	BuThoFHNNK.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	78.46.229.36
	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	78.46.229.36
	file.exe	Get hash	malicious	Vidar	Browse	78.46.229.36
	JAJL2EYBPH.exe	Get hash	malicious	DCRat	Browse	138.201.79.103
	https://mnrdtfqrcyfqiou.s3.amazonaws.com/mnrdtfqrcyfqiou.html#4HHHnO7279bGJq492fumheqtoju1686NCUIKVMPNMDQVMT689230/736882Y21#qgow23ahs76jjbq8j26ouc8n3ucpjfst25g85oeaei03mafty5n389r	Get hash	malicious	HTMLPhisher	Browse	49.12.134.254
	cvdLNZXNPZ.elf	Get hash	malicious	Mirai	Browse	188.42.90.189
	VJy4TgKlVo.elf	Get hash	malicious	Mirai	Browse	94.130.143.171
LIAZOFR	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SmokeLoader, zgRAT	Browse	178.20.55.18
	ENEDGCErLu.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, SystemBC	Browse	178.20.55.16
	e6sLDuysz9.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	178.20.55.16
	kCJQaJf3Vs.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	178.20.55.16
	file.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader	Browse	178.20.55.16
	6JrdNYGEPZ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, SmokeLoader, Stealc	Browse	178.20.55.18
	01b9T4tDdG.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	178.20.55.16
	SaLY22oLht.exe	Get hash	malicious	Unknown	Browse	178.20.55.16
	file.exe	Get hash	malicious	Unknown	Browse	178.20.55.16
	file.exe	Get hash	malicious	Unknown	Browse	178.20.55.18
OVHFR	SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe	Get hash	malicious	Unknown	Browse	198.50.129.180
	Facture_160087511.html	Get hash	malicious	ScreenConnect Tool	Browse	158.69.9.165
	SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe	Get hash	malicious	Unknown	Browse	51.38.43.18
	assento 555 pro-Model-2.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	144.217.159.195
	awb_shipping_doc_23642.vbs	Get hash	malicious	FormBook, GuLoader	Browse	188.165.61.82
	https://www.rewardgateway.com/	Get hash	malicious	HTMLPhisher	Browse	51.222.241.100
	http://www.rewardgateway.com	Get hash	malicious	HTMLPhisher	Browse	51.222.241.145
	https://www.rewardgateway.com/	Get hash	malicious	HTMLPhisher	Browse	51.222.241.100
	f699.js	Get hash	malicious	Unknown	Browse	51.91.79.17
	66yaYNheLa.elf	Get hash	malicious	Unknown	Browse	139.99.9.172
DFRI-ASForeningenfordigitalafri-ochrattigheterSE	7VzdKNO227.exe	Get hash	malicious	Unknown	Browse	171.25.193.9
	LIRR4A0xzv.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	171.25.193.9
	m5EyzJ7S8S.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse	171.25.193.9
	906o5yr1NE.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	171.25.193.9
	PjgTyZiVh0.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc, Xmrig	Browse	171.25.193.9
	xZnG1FFx7L.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	171.25.193.9
	KWwpSm0Cec.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse	171.25.193.9
	y9o3Fy6gL2.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	171.25.193.9
	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	171.25.193.9
	TsfYchEAeZ.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, Vidar	Browse	171.25.193.9

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
83d60721ecc423892660e275acc4dffd	7VzdKNO227.exe	Get hash	malicious	Unknown	Browse	85.10.240.250 192.42.116.17 198.50.191.95 204.13.164.118 199.58.81.140 192.36.38.33 195.201.94.113 31.13.195.248 209.58.180.90 217.12.203.242 162.247.74.201 86.59.21.38 185.65.205.10 131.188.40.189 91.213.233.138 193.23.244.244 195.154.106.60
	fonts-util	Get hash	malicious	Unknown	Browse	85.10.240.250 192.42.116.17 198.50.191.95 204.13.164.118 199.58.81.140 192.36.38.33 195.201.94.113 31.13.195.248 209.58.180.90 217.12.203.242 162.247.74.201 86.59.21.38 185.65.205.10 131.188.40.189 91.213.233.138 193.23.244.244 195.154.106.60
	cups-utils-helper	Get hash	malicious	Unknown	Browse	85.10.240.250 192.42.116.17 198.50.191.95 204.13.164.118 199.58.81.140 192.36.38.33 195.201.94.113 31.13.195.248 209.58.180.90 217.12.203.242 162.247.74.201 86.59.21.38 185.65.205.10 131.188.40.189 91.213.233.138 193.23.244.244 195.154.106.60
	LIRR4A0xzv.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	85.10.240.250 192.42.116.17 198.50.191.95 204.13.164.118 199.58.81.140 192.36.38.33 195.201.94.113 31.13.195.248 209.58.180.90 217.12.203.242 162.247.74.201 86.59.21.38 185.65.205.10 131.188.40.189 91.213.233.138 193.23.244.244 195.154.106.60
	SecuriteInfo.com.Win32.RansomX-gen.4067.126.exe	Get hash	malicious	LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader	Browse	85.10.240.250 192.42.116.17 198.50.191.95 204.13.164.118 199.58.81.140 192.36.38.33 195.201.94.113 31.13.195.248 209.58.180.90 217.12.203.242 162.247.74.201 86.59.21.38 185.65.205.10 131.188.40.189 91.213.233.138 193.23.244.244 195.154.106.60
	m5EyzJ7S8S.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse	85.10.240.250 192.42.116.17 198.50.191.95 204.13.164.118 199.58.81.140 192.36.38.33 195.201.94.113 31.13.195.248 209.58.180.90 217.12.203.242 162.247.74.201 86.59.21.38 185.65.205.10 131.188.40.189 91.213.233.138 193.23.244.244 195.154.106.60
	7vMi37TpMO.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	85.10.240.250 192.42.116.17 198.50.191.95 204.13.164.118 199.58.81.140 192.36.38.33 195.201.94.113 31.13.195.248 209.58.180.90 217.12.203.242 162.247.74.201 86.59.21.38 185.65.205.10 131.188.40.189 91.213.233.138 193.23.244.244 195.154.106.60
	906o5yr1NE.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	85.10.240.250 192.42.116.17 198.50.191.95 204.13.164.118 199.58.81.140 192.36.38.33 195.201.94.113 31.13.195.248 209.58.180.90 217.12.203.242 162.247.74.201 86.59.21.38 185.65.205.10 131.188.40.189 91.213.233.138 193.23.244.244 195.154.106.60
	lxGAurRKvR.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	85.10.240.250 192.42.116.17 198.50.191.95 204.13.164.118 199.58.81.140 192.36.38.33 195.201.94.113 31.13.195.248 209.58.180.90 217.12.203.242 162.247.74.201 86.59.21.38 185.65.205.10 131.188.40.189 91.213.233.138 193.23.244.244 195.154.106.60
	PjgTyZiVh0.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc, Xmrig	Browse	85.10.240.250 192.42.116.17 198.50.191.95 204.13.164.118 199.58.81.140 192.36.38.33 195.201.94.113 31.13.195.248 209.58.180.90 217.12.203.242 162.247.74.201 86.59.21.38 185.65.205.10 131.188.40.189 91.213.233.138 193.23.244.244 195.154.106.60

Process:	C:\Users\user\Desktop\Mcb5K3TOWT.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1981440
Entropy (8bit):	7.876740928280371
Encrypted:	false
SSDEEP:	49152:gFnov1UndgBEDJnUJFLIzBAxmOcgSp/QDsYiX:MnovedqGoWFAxP2QHi
MD5:	97E5F2C04BAAD060D0169B7D76CFA5DE
SHA1:	00D5D0699BF1CCDDF28FBD9EEB6ED9AAA8BC320B
SHA-256:	BB50AE148CF4986C2AC4C81E75412A91910FE8FB169BD054D130A775AF4B5E35
SHA-512:	56FABB8EC6BE3CDB582214C9519A3AE59D4B4D0E97262C646CDBC6AC54D0F0FDDB692E5FBEBB6589CE2E63CAE4F4567812AA911765431D95D412D4A86DE82E9F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39% Antivirus: Virustotal, Detection: 44%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......d...........................&<............@.........................................................................a..P....P...y..............................8............................V..@............................................text...`........................... ..`.rdata..2j.......l..................@..@.data...,...p...l...V..............@....rsrc....y...P...z..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4KPV6A~1\state (copy)

Download File

Process:	C:\Users\user\Desktop\Mcb5K3TOWT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	4.780201992574502
Encrypted:	false
SSDEEP:	6:SbdWwxXKfXMnXr87+QVe2vwR/Ep5fM8CpHQz:bwxXE8Xr87HVBvwNCgpwz
MD5:	55805AB7EDFF754A70894FB1351C5C63
SHA1:	FD951F80E9097AA4169790F225E0FC0A0F905480
SHA-256:	2EFA88EC3A0888C440DE583C45EDCCFB0859B296E58DAD2486D24C69EC6A32BB
SHA-512:	F85450045CF65F5F1A05A3714A794FE6FFE8AE558D2E137260967B1F06E1DA3BE2B3E0BD2BD587B96D2481B9FA24DF5BF8C498E4F3BEA1A3454D3BF50774FFA1
Malicious:	false
Reputation:	low
Preview:	# Tor state file last generated on 2024-03-29 07:20:56 local time..# Other times below are in UTC..# You do not need to edit this file.....Dormant 0..LastWritten 2024-03-29 06:20:56..TorVersion Tor 0.4.4.9..

C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\state.tmp

Download File

Process:	C:\Users\user\Desktop\Mcb5K3TOWT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	209
Entropy (8bit):	4.780201992574502
Encrypted:	false
SSDEEP:	6:SbdWwxXKfXMnXr87+QVe2vwR/Ep5fM8CpHQz:bwxXE8Xr87HVBvwNCgpwz
MD5:	55805AB7EDFF754A70894FB1351C5C63
SHA1:	FD951F80E9097AA4169790F225E0FC0A0F905480
SHA-256:	2EFA88EC3A0888C440DE583C45EDCCFB0859B296E58DAD2486D24C69EC6A32BB
SHA-512:	F85450045CF65F5F1A05A3714A794FE6FFE8AE558D2E137260967B1F06E1DA3BE2B3E0BD2BD587B96D2481B9FA24DF5BF8C498E4F3BEA1A3454D3BF50774FFA1
Malicious:	false
Reputation:	low
Preview:	# Tor state file last generated on 2024-03-29 07:20:56 local time..# Other times below are in UTC..# You do not need to edit this file.....Dormant 0..LastWritten 2024-03-29 06:20:56..TorVersion Tor 0.4.4.9..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.876740928280371
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	Mcb5K3TOWT.exe
File size:	1'981'440 bytes
MD5:	97e5f2c04baad060d0169b7d76cfa5de
SHA1:	00d5d0699bf1ccddf28fbd9eeb6ed9aaa8bc320b
SHA256:	bb50ae148cf4986c2ac4c81e75412a91910fe8fb169bd054d130a775af4b5e35
SHA512:	56fabb8ec6be3cdb582214c9519a3ae59d4b4d0e97262c646cdbc6ac54d0f0fddb692e5fbebb6589ce2e63cae4f4567812aa911765431d95d412d4a86de82e9f
SSDEEP:	49152:gFnov1UndgBEDJnUJFLIzBAxmOcgSp/QDsYiX:MnovedqGoWFAxP2QHi
TLSH:	3C95230172E2D8B1F6F70A33497D561416BFFC719D7A464737B823CD59A0180CAA9BA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......d...................

File Icon


Icon Hash:	63796de971436e0f

Static PE Info

General

Entrypoint:	0x403c26
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6402F5C0 [Sat Mar 4 07:39:44 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	1b67119179f8385f294929b38dacfd5b

Entrypoint Preview

Instruction
call 00007F9F28B04BB2h
jmp 00007F9F28B00185h
push 00000014h
push 00415CF8h
call 00007F9F28B031D9h
call 00007F9F28B04D83h
movzx esi, ax
push 00000002h
call 00007F9F28B04B45h
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007F9F28B00186h
xor ebx, ebx
jmp 00007F9F28B001B5h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F9F28B0016Dh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F9F28B0015Fh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007F9F28B0018Bh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007F9F28B045B8h
test eax, eax
jne 00007F9F28B0018Ah
push 0000001Ch
call 00007F9F28B00261h
pop ecx
call 00007F9F28B02322h
test eax, eax
jne 00007F9F28B0018Ah
push 00000010h
call 00007F9F28B00250h
pop ecx
call 00007F9F28B04BBEh
and dword ptr [ebp-04h], 00000000h
call 00007F9F28B03BECh
test eax, eax
jns 00007F9F28B0018Ah
push 0000001Bh
call 00007F9F28B00236h
pop ecx
call dword ptr [004100BCh]
mov dword ptr [00C84328h], eax
call 00007F9F28B04BD9h
mov dword ptr [005DDB8Ch], eax
call 00007F9F28B0457Ch
test eax, eax
jns 00007F9F28B0018Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x16104	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x885000	0x79c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x101f0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x15600	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x10000	0x190	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe560	0xe600	d94e062be62c3482ce6d40b870c6aad4	False	0.6032948369565218	data	6.687370112637777	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x10000	0x6a32	0x6c00	ef6194d9a0735bfc39c4b209dea051f5	False	0.3853443287037037	data	4.707277193995784	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x86d32c	0x1c6c00	218bbb30a5543836510ba9b913a56cef	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x885000	0x79c8	0x7a00	8ff40ad40071ea0a51508ee6d7bb6a70	False	0.41944159836065575	data	4.444395829059353	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
BIMEPEJIHUCAFUYAJIYEWUJORE	0x888588	0x9e7	ASCII text, with very long lines (2535), with no line terminators	Romanian	Romania	0.6055226824457594
RT_CURSOR	0x888f70	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2953091684434968
RT_CURSOR	0x889e18	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46705776173285196
RT_CURSOR	0x88a6c0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5361271676300579
RT_CURSOR	0x88ac58	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0x88ad88	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_ICON	0x885480	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Romanian	Romania	0.533410138248848
RT_ICON	0x885b48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.4130705394190871
RT_ICON	0x8880f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.44592198581560283
RT_STRING	0x88b048	0x446	data	Romanian	Romania	0.4424131627056673
RT_STRING	0x88b490	0x2c4	data	Romanian	Romania	0.4858757062146893
RT_STRING	0x88b758	0x4e0	data	Romanian	Romania	0.45592948717948717
RT_STRING	0x88bc38	0x5e0	data	Romanian	Romania	0.42819148936170215
RT_STRING	0x88c218	0x58c	data	Romanian	Romania	0.44366197183098594
RT_STRING	0x88c7a8	0x220	data	Romanian	Romania	0.4944852941176471
RT_GROUP_CURSOR	0x88ac28	0x30	data			0.9375
RT_GROUP_CURSOR	0x88ae38	0x22	data			1.0588235294117647
RT_GROUP_ICON	0x888558	0x30	data	Romanian	Romania	0.9375
RT_VERSION	0x88ae60	0x1e8	data			0.5532786885245902

Imports

DLL	Import
KERNEL32.dll	ReadConsoleA, GetCurrentProcess, GetTickCount, GetConsoleAliasesLengthA, GetWindowsDirectoryA, GlobalAlloc, SetCommConfig, GetLocaleInfoW, GetSystemPowerStatus, GetConsoleAliasExesLengthW, GetVersionExW, FindNextVolumeW, GetConsoleAliasW, WriteConsoleW, CreateFileW, GetEnvironmentVariableA, ExitThread, GetHandleInformation, GetLastError, GetProcAddress, InterlockedIncrement, PeekConsoleInputW, RemoveDirectoryA, LoadLibraryA, SetConsoleCtrlHandler, GetNumberFormatW, SetFileApisToANSI, QueryDosDeviceW, GlobalFindAtomW, GetModuleFileNameA, FindFirstVolumeMountPointA, VirtualProtect, GetCurrentDirectoryA, _lopen, GetCurrentProcessId, ResetWriteWatch, GetVolumeInformationW, OutputDebugStringW, HeapReAlloc, LoadLibraryExW, FindResourceW, MultiByteToWideChar, EncodePointer, DecodePointer, ReadFile, GetCommandLineA, RaiseException, RtlUnwind, IsProcessorFeaturePresent, IsDebuggerPresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, FlushFileBuffers, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, DeleteCriticalSection, ExitProcess, GetModuleHandleExW, HeapSize, HeapFree, SetFilePointerEx, GetStdHandle, GetFileType, GetStartupInfoW, HeapAlloc, GetProcessHeap, GetModuleFileNameW, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, GetStringTypeW, LCMapStringW, SetStdHandle, CloseHandle
USER32.dll	ChangeMenuA, DrawFrameControl, CharUpperBuffW
ADVAPI32.dll	ReadEventLogA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Romanian	Romania

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 07:20:58.658199072 CET	49732	443	192.168.2.4	178.17.174.10
Mar 29, 2024 07:20:58.658237934 CET	443	49732	178.17.174.10	192.168.2.4
Mar 29, 2024 07:20:58.658312082 CET	49732	443	192.168.2.4	178.17.174.10
Mar 29, 2024 07:20:58.663104057 CET	49732	443	192.168.2.4	178.17.174.10
Mar 29, 2024 07:20:58.663120985 CET	443	49732	178.17.174.10	192.168.2.4
Mar 29, 2024 07:20:59.487518072 CET	49733	9001	192.168.2.4	31.127.34.9
Mar 29, 2024 07:21:00.502625942 CET	49733	9001	192.168.2.4	31.127.34.9
Mar 29, 2024 07:21:00.503237963 CET	49734	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:21:00.503262043 CET	443	49734	204.13.164.118	192.168.2.4
Mar 29, 2024 07:21:00.503351927 CET	49734	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:21:00.504251003 CET	49734	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:21:00.504265070 CET	443	49734	204.13.164.118	192.168.2.4
Mar 29, 2024 07:21:01.019666910 CET	443	49734	204.13.164.118	192.168.2.4
Mar 29, 2024 07:21:01.019746065 CET	49734	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:21:01.035609961 CET	49734	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:21:01.035624981 CET	443	49734	204.13.164.118	192.168.2.4
Mar 29, 2024 07:21:01.035897970 CET	443	49734	204.13.164.118	192.168.2.4
Mar 29, 2024 07:21:01.036078930 CET	49734	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:21:01.076236010 CET	443	49734	204.13.164.118	192.168.2.4
Mar 29, 2024 07:21:02.518203974 CET	49733	9001	192.168.2.4	31.127.34.9
Mar 29, 2024 07:21:06.518264055 CET	49733	9001	192.168.2.4	31.127.34.9
Mar 29, 2024 07:21:14.533946037 CET	49733	9001	192.168.2.4	31.127.34.9
Mar 29, 2024 07:21:20.534430981 CET	49743	9001	192.168.2.4	192.0.128.86
Mar 29, 2024 07:21:20.534596920 CET	49744	9101	192.168.2.4	128.31.0.39
Mar 29, 2024 07:21:20.639614105 CET	9101	49744	128.31.0.39	192.168.2.4
Mar 29, 2024 07:21:21.143213987 CET	49744	9101	192.168.2.4	128.31.0.39
Mar 29, 2024 07:21:21.248159885 CET	9101	49744	128.31.0.39	192.168.2.4
Mar 29, 2024 07:21:21.533932924 CET	49743	9001	192.168.2.4	192.0.128.86
Mar 29, 2024 07:21:21.752603054 CET	49744	9101	192.168.2.4	128.31.0.39
Mar 29, 2024 07:21:21.857152939 CET	9101	49744	128.31.0.39	192.168.2.4
Mar 29, 2024 07:21:22.361995935 CET	49744	9101	192.168.2.4	128.31.0.39
Mar 29, 2024 07:21:22.466515064 CET	9101	49744	128.31.0.39	192.168.2.4
Mar 29, 2024 07:21:22.971324921 CET	49744	9101	192.168.2.4	128.31.0.39
Mar 29, 2024 07:21:23.077208996 CET	9101	49744	128.31.0.39	192.168.2.4
Mar 29, 2024 07:21:23.549524069 CET	49743	9001	192.168.2.4	192.0.128.86
Mar 29, 2024 07:21:27.549474955 CET	49743	9001	192.168.2.4	192.0.128.86
Mar 29, 2024 07:21:35.549490929 CET	49743	9001	192.168.2.4	192.0.128.86
Mar 29, 2024 07:21:41.550035000 CET	49745	9001	192.168.2.4	198.98.52.143
Mar 29, 2024 07:21:41.550152063 CET	49746	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:21:41.550168037 CET	443	49746	154.35.175.225	192.168.2.4
Mar 29, 2024 07:21:41.550245047 CET	49746	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:21:41.565282106 CET	49746	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:21:41.565299988 CET	443	49746	154.35.175.225	192.168.2.4
Mar 29, 2024 07:21:42.565126896 CET	49745	9001	192.168.2.4	198.98.52.143
Mar 29, 2024 07:21:42.664819002 CET	9001	49745	198.98.52.143	192.168.2.4
Mar 29, 2024 07:21:43.174508095 CET	49745	9001	192.168.2.4	198.98.52.143
Mar 29, 2024 07:21:43.274478912 CET	9001	49745	198.98.52.143	192.168.2.4
Mar 29, 2024 07:21:43.783870935 CET	49745	9001	192.168.2.4	198.98.52.143
Mar 29, 2024 07:21:43.886080027 CET	9001	49745	198.98.52.143	192.168.2.4
Mar 29, 2024 07:21:44.393261909 CET	49745	9001	192.168.2.4	198.98.52.143
Mar 29, 2024 07:21:44.493041039 CET	9001	49745	198.98.52.143	192.168.2.4
Mar 29, 2024 07:22:09.473773956 CET	49748	443	192.168.2.4	209.58.180.90
Mar 29, 2024 07:22:09.473798037 CET	443	49748	209.58.180.90	192.168.2.4
Mar 29, 2024 07:22:09.473929882 CET	49748	443	192.168.2.4	209.58.180.90
Mar 29, 2024 07:22:09.474139929 CET	49748	443	192.168.2.4	209.58.180.90
Mar 29, 2024 07:22:09.474152088 CET	443	49748	209.58.180.90	192.168.2.4
Mar 29, 2024 07:22:10.492836952 CET	443	49748	209.58.180.90	192.168.2.4
Mar 29, 2024 07:22:10.492955923 CET	49748	443	192.168.2.4	209.58.180.90
Mar 29, 2024 07:22:10.496608973 CET	49748	443	192.168.2.4	209.58.180.90
Mar 29, 2024 07:22:10.496619940 CET	443	49748	209.58.180.90	192.168.2.4
Mar 29, 2024 07:22:10.496889114 CET	443	49748	209.58.180.90	192.168.2.4
Mar 29, 2024 07:22:10.497061014 CET	49748	443	192.168.2.4	209.58.180.90
Mar 29, 2024 07:22:10.540241003 CET	443	49748	209.58.180.90	192.168.2.4
Mar 29, 2024 07:22:16.518862963 CET	49749	8443	192.168.2.4	176.31.116.155
Mar 29, 2024 07:22:16.519025087 CET	49750	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:16.519062996 CET	443	49750	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:16.519129038 CET	49750	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:16.519268036 CET	49750	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:16.519284010 CET	443	49750	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:17.126072884 CET	443	49750	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:17.126178026 CET	49750	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:17.130146980 CET	49750	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:17.130167961 CET	443	49750	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:17.130414963 CET	443	49750	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:17.130597115 CET	49750	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:17.176234007 CET	443	49750	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:17.518273115 CET	49749	8443	192.168.2.4	176.31.116.155
Mar 29, 2024 07:22:19.533880949 CET	49749	8443	192.168.2.4	176.31.116.155
Mar 29, 2024 07:22:21.924949884 CET	49750	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:21.925057888 CET	443	49750	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:21.925112009 CET	49750	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:21.925231934 CET	49746	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:22:21.938734055 CET	49748	443	192.168.2.4	209.58.180.90
Mar 29, 2024 07:22:21.938807964 CET	443	49748	209.58.180.90	192.168.2.4
Mar 29, 2024 07:22:21.938848972 CET	49734	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:21.938874960 CET	49748	443	192.168.2.4	209.58.180.90
Mar 29, 2024 07:22:21.938955069 CET	443	49734	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:21.939003944 CET	49734	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:21.968240976 CET	443	49746	154.35.175.225	192.168.2.4
Mar 29, 2024 07:22:21.972934008 CET	49732	443	192.168.2.4	178.17.174.10
Mar 29, 2024 07:22:21.987116098 CET	49751	8443	192.168.2.4	37.191.206.197
Mar 29, 2024 07:22:21.987366915 CET	49752	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:21.987389088 CET	443	49752	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:21.987437963 CET	49752	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:21.987752914 CET	49752	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:21.987767935 CET	443	49752	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:21.988116980 CET	49753	9000	192.168.2.4	185.220.100.251
Mar 29, 2024 07:22:22.016252995 CET	443	49732	178.17.174.10	192.168.2.4
Mar 29, 2024 07:22:22.173508883 CET	9000	49753	185.220.100.251	192.168.2.4
Mar 29, 2024 07:22:22.173594952 CET	49753	9000	192.168.2.4	185.220.100.251
Mar 29, 2024 07:22:22.174062967 CET	49753	9000	192.168.2.4	185.220.100.251
Mar 29, 2024 07:22:22.174400091 CET	49752	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:22.201119900 CET	49754	9001	192.168.2.4	45.14.150.182
Mar 29, 2024 07:22:22.201253891 CET	49755	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:22.201284885 CET	443	49755	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:22.201348066 CET	49755	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:22.205915928 CET	49755	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:22.205926895 CET	443	49755	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:22.220232964 CET	443	49752	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:22.329018116 CET	443	49752	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:22.329134941 CET	49752	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:22.329149008 CET	443	49752	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:22.329180956 CET	49752	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:22.329193115 CET	49752	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:22.359222889 CET	9000	49753	185.220.100.251	192.168.2.4
Mar 29, 2024 07:22:22.360321045 CET	9000	49753	185.220.100.251	192.168.2.4
Mar 29, 2024 07:22:22.365168095 CET	49753	9000	192.168.2.4	185.220.100.251
Mar 29, 2024 07:22:22.365246058 CET	49755	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:22.365407944 CET	49753	9000	192.168.2.4	185.220.100.251
Mar 29, 2024 07:22:22.374325991 CET	49756	443	192.168.2.4	109.70.100.14
Mar 29, 2024 07:22:22.374347925 CET	443	49756	109.70.100.14	192.168.2.4
Mar 29, 2024 07:22:22.374403954 CET	49756	443	192.168.2.4	109.70.100.14
Mar 29, 2024 07:22:22.374537945 CET	49757	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:22.374545097 CET	443	49757	45.66.33.45	192.168.2.4
Mar 29, 2024 07:22:22.374593973 CET	49757	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:22.374700069 CET	49756	443	192.168.2.4	109.70.100.14
Mar 29, 2024 07:22:22.374711037 CET	443	49756	109.70.100.14	192.168.2.4
Mar 29, 2024 07:22:22.412234068 CET	443	49755	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:22.444349051 CET	49757	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:22.444369078 CET	443	49757	45.66.33.45	192.168.2.4
Mar 29, 2024 07:22:22.550210953 CET	9000	49753	185.220.100.251	192.168.2.4
Mar 29, 2024 07:22:22.550226927 CET	9000	49753	185.220.100.251	192.168.2.4
Mar 29, 2024 07:22:22.550276041 CET	49753	9000	192.168.2.4	185.220.100.251
Mar 29, 2024 07:22:22.550304890 CET	49753	9000	192.168.2.4	185.220.100.251
Mar 29, 2024 07:22:22.565726042 CET	443	49756	109.70.100.14	192.168.2.4
Mar 29, 2024 07:22:22.566226006 CET	49757	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:22.578378916 CET	49758	9001	192.168.2.4	213.144.142.24
Mar 29, 2024 07:22:22.578553915 CET	49759	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:22.578593969 CET	443	49759	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:22.578665018 CET	49759	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:22.578766108 CET	49760	443	192.168.2.4	31.13.195.248
Mar 29, 2024 07:22:22.578773022 CET	443	49760	31.13.195.248	192.168.2.4
Mar 29, 2024 07:22:22.578834057 CET	49760	443	192.168.2.4	31.13.195.248
Mar 29, 2024 07:22:22.578954935 CET	49759	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:22.578970909 CET	443	49759	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:22.579142094 CET	49760	443	192.168.2.4	31.13.195.248
Mar 29, 2024 07:22:22.579154968 CET	443	49760	31.13.195.248	192.168.2.4
Mar 29, 2024 07:22:22.612242937 CET	443	49757	45.66.33.45	192.168.2.4
Mar 29, 2024 07:22:22.768496990 CET	9001	49758	213.144.142.24	192.168.2.4
Mar 29, 2024 07:22:22.768686056 CET	49758	9001	192.168.2.4	213.144.142.24
Mar 29, 2024 07:22:22.787023067 CET	49758	9001	192.168.2.4	213.144.142.24
Mar 29, 2024 07:22:22.787221909 CET	49760	443	192.168.2.4	31.13.195.248
Mar 29, 2024 07:22:22.787271976 CET	49759	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:22.796649933 CET	49761	5092	192.168.2.4	195.123.209.91
Mar 29, 2024 07:22:22.796817064 CET	49762	443	192.168.2.4	198.50.191.95
Mar 29, 2024 07:22:22.796864033 CET	443	49762	198.50.191.95	192.168.2.4
Mar 29, 2024 07:22:22.796936989 CET	49762	443	192.168.2.4	198.50.191.95
Mar 29, 2024 07:22:22.797079086 CET	49762	443	192.168.2.4	198.50.191.95
Mar 29, 2024 07:22:22.797091961 CET	443	49762	198.50.191.95	192.168.2.4
Mar 29, 2024 07:22:22.828248024 CET	443	49760	31.13.195.248	192.168.2.4
Mar 29, 2024 07:22:22.832247019 CET	443	49759	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:22.972199917 CET	443	49755	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:22.972289085 CET	49755	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:22.976248026 CET	49755	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:22.977880955 CET	9001	49758	213.144.142.24	192.168.2.4
Mar 29, 2024 07:22:22.977950096 CET	49758	9001	192.168.2.4	213.144.142.24
Mar 29, 2024 07:22:22.978104115 CET	49758	9001	192.168.2.4	213.144.142.24
Mar 29, 2024 07:22:22.978424072 CET	49762	443	192.168.2.4	198.50.191.95
Mar 29, 2024 07:22:22.987714052 CET	49763	9001	192.168.2.4	91.121.181.6
Mar 29, 2024 07:22:22.987854004 CET	49764	9101	192.168.2.4	128.31.0.39
Mar 29, 2024 07:22:23.024231911 CET	443	49762	198.50.191.95	192.168.2.4
Mar 29, 2024 07:22:23.093779087 CET	9101	49764	128.31.0.39	192.168.2.4
Mar 29, 2024 07:22:23.169104099 CET	9001	49758	213.144.142.24	192.168.2.4
Mar 29, 2024 07:22:23.183394909 CET	443	49759	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:23.183479071 CET	49759	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:23.186078072 CET	49759	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:23.202380896 CET	443	49762	198.50.191.95	192.168.2.4
Mar 29, 2024 07:22:23.202476025 CET	49762	443	192.168.2.4	198.50.191.95
Mar 29, 2024 07:22:23.204317093 CET	49762	443	192.168.2.4	198.50.191.95
Mar 29, 2024 07:22:23.350966930 CET	443	49760	31.13.195.248	192.168.2.4
Mar 29, 2024 07:22:23.351083994 CET	49760	443	192.168.2.4	31.13.195.248
Mar 29, 2024 07:22:23.352253914 CET	49760	443	192.168.2.4	31.13.195.248
Mar 29, 2024 07:22:23.612050056 CET	49764	9101	192.168.2.4	128.31.0.39
Mar 29, 2024 07:22:23.718400955 CET	9101	49764	128.31.0.39	192.168.2.4
Mar 29, 2024 07:22:23.987025976 CET	49763	9001	192.168.2.4	91.121.181.6
Mar 29, 2024 07:22:24.237051010 CET	49764	9101	192.168.2.4	128.31.0.39
Mar 29, 2024 07:22:24.341708899 CET	9101	49764	128.31.0.39	192.168.2.4
Mar 29, 2024 07:22:24.846440077 CET	49764	9101	192.168.2.4	128.31.0.39
Mar 29, 2024 07:22:24.951355934 CET	9101	49764	128.31.0.39	192.168.2.4
Mar 29, 2024 07:22:25.195544958 CET	49765	10205	192.168.2.4	185.220.101.205
Mar 29, 2024 07:22:25.195792913 CET	49766	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:25.195828915 CET	443	49766	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:25.195888996 CET	49766	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:25.195964098 CET	49767	9001	192.168.2.4	62.78.194.4
Mar 29, 2024 07:22:25.196264029 CET	49766	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:25.196275949 CET	443	49766	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:25.380657911 CET	10205	49765	185.220.101.205	192.168.2.4
Mar 29, 2024 07:22:25.785037041 CET	443	49766	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:25.785125017 CET	49766	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:25.789737940 CET	49766	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:25.789751053 CET	443	49766	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:25.790021896 CET	49766	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:25.790035963 CET	443	49766	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:25.790090084 CET	49766	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:25.809593916 CET	49768	8080	192.168.2.4	104.149.139.42
Mar 29, 2024 07:22:25.809818983 CET	49769	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:25.809842110 CET	443	49769	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:25.809890985 CET	49769	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:25.810070992 CET	49769	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:25.810080051 CET	443	49769	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:25.829356909 CET	49770	9001	192.168.2.4	185.251.165.74
Mar 29, 2024 07:22:25.829596043 CET	49771	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:25.829622030 CET	443	49771	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:25.829996109 CET	49772	443	192.168.2.4	144.76.170.20
Mar 29, 2024 07:22:25.830018044 CET	49771	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:25.830033064 CET	443	49772	144.76.170.20	192.168.2.4
Mar 29, 2024 07:22:25.830046892 CET	49771	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:25.830051899 CET	443	49771	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:25.830094099 CET	49772	443	192.168.2.4	144.76.170.20
Mar 29, 2024 07:22:25.830280066 CET	49772	443	192.168.2.4	144.76.170.20
Mar 29, 2024 07:22:25.830291986 CET	443	49772	144.76.170.20	192.168.2.4
Mar 29, 2024 07:22:26.415610075 CET	443	49769	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:26.415734053 CET	49769	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:26.423397064 CET	49769	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:26.423413038 CET	443	49769	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:26.423682928 CET	443	49769	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:26.423701048 CET	49772	443	192.168.2.4	144.76.170.20
Mar 29, 2024 07:22:26.423912048 CET	49771	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:26.468235970 CET	443	49772	144.76.170.20	192.168.2.4
Mar 29, 2024 07:22:26.468244076 CET	443	49771	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:26.471098900 CET	49769	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:26.494843006 CET	49773	443	192.168.2.4	104.149.129.210
Mar 29, 2024 07:22:26.494843960 CET	49774	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:26.494874954 CET	443	49774	45.66.33.45	192.168.2.4
Mar 29, 2024 07:22:26.494874954 CET	443	49773	104.149.129.210	192.168.2.4
Mar 29, 2024 07:22:26.494951963 CET	49774	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:26.494959116 CET	49773	443	192.168.2.4	104.149.129.210
Mar 29, 2024 07:22:26.572699070 CET	49773	443	192.168.2.4	104.149.129.210
Mar 29, 2024 07:22:26.572737932 CET	443	49773	104.149.129.210	192.168.2.4
Mar 29, 2024 07:22:26.572900057 CET	49774	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:26.572917938 CET	443	49774	45.66.33.45	192.168.2.4
Mar 29, 2024 07:22:26.573307037 CET	49775	443	192.168.2.4	62.141.38.69
Mar 29, 2024 07:22:26.573359013 CET	443	49775	62.141.38.69	192.168.2.4
Mar 29, 2024 07:22:26.573474884 CET	49775	443	192.168.2.4	62.141.38.69
Mar 29, 2024 07:22:26.573642969 CET	49776	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:22:26.573679924 CET	443	49776	154.35.175.225	192.168.2.4
Mar 29, 2024 07:22:26.573798895 CET	49776	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:22:26.573887110 CET	49775	443	192.168.2.4	62.141.38.69
Mar 29, 2024 07:22:26.573899984 CET	443	49775	62.141.38.69	192.168.2.4
Mar 29, 2024 07:22:26.574069977 CET	49776	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:22:26.574084044 CET	443	49776	154.35.175.225	192.168.2.4
Mar 29, 2024 07:22:26.620345116 CET	443	49771	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:26.620454073 CET	49771	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:26.620454073 CET	49771	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:26.790915966 CET	443	49775	62.141.38.69	192.168.2.4
Mar 29, 2024 07:22:26.791702032 CET	49776	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:22:26.832241058 CET	443	49776	154.35.175.225	192.168.2.4
Mar 29, 2024 07:22:26.836755991 CET	49774	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:26.836873055 CET	49773	443	192.168.2.4	104.149.129.210
Mar 29, 2024 07:22:26.849940062 CET	49777	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:26.849977970 CET	443	49777	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:26.850228071 CET	49778	80	192.168.2.4	163.44.174.129
Mar 29, 2024 07:22:26.850255013 CET	49777	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:26.850541115 CET	49777	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:26.850554943 CET	443	49777	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:26.880238056 CET	443	49773	104.149.129.210	192.168.2.4
Mar 29, 2024 07:22:26.884232998 CET	443	49774	45.66.33.45	192.168.2.4
Mar 29, 2024 07:22:26.956418991 CET	49777	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:26.956661940 CET	49779	9001	192.168.2.4	5.2.78.69
Mar 29, 2024 07:22:26.956840038 CET	49780	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:26.956876040 CET	443	49780	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:26.957014084 CET	49780	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:26.957220078 CET	49780	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:26.957236052 CET	443	49780	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:27.004232883 CET	443	49777	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:27.360815048 CET	443	49777	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:27.360902071 CET	49777	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:27.360902071 CET	49777	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:27.564701080 CET	443	49780	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:27.564791918 CET	49780	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:27.569184065 CET	49780	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:27.569200993 CET	443	49780	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:27.569453001 CET	443	49780	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:27.589330912 CET	49780	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:27.605859995 CET	49781	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:27.605892897 CET	443	49781	45.66.33.45	192.168.2.4
Mar 29, 2024 07:22:27.605963945 CET	49781	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:27.606115103 CET	49782	443	192.168.2.4	162.247.74.201
Mar 29, 2024 07:22:27.606149912 CET	443	49782	162.247.74.201	192.168.2.4
Mar 29, 2024 07:22:27.606225014 CET	49782	443	192.168.2.4	162.247.74.201
Mar 29, 2024 07:22:27.606399059 CET	49781	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:27.606410980 CET	443	49781	45.66.33.45	192.168.2.4
Mar 29, 2024 07:22:27.606626034 CET	49782	443	192.168.2.4	162.247.74.201
Mar 29, 2024 07:22:27.606640100 CET	443	49782	162.247.74.201	192.168.2.4
Mar 29, 2024 07:22:27.935102940 CET	443	49782	162.247.74.201	192.168.2.4
Mar 29, 2024 07:22:27.935179949 CET	49782	443	192.168.2.4	162.247.74.201
Mar 29, 2024 07:22:27.939152956 CET	49782	443	192.168.2.4	162.247.74.201
Mar 29, 2024 07:22:27.939162016 CET	443	49782	162.247.74.201	192.168.2.4
Mar 29, 2024 07:22:27.939389944 CET	49782	443	192.168.2.4	162.247.74.201
Mar 29, 2024 07:22:27.939526081 CET	49781	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:27.939532995 CET	443	49782	162.247.74.201	192.168.2.4
Mar 29, 2024 07:22:27.939588070 CET	49782	443	192.168.2.4	162.247.74.201
Mar 29, 2024 07:22:27.961230993 CET	49783	443	192.168.2.4	217.160.255.217
Mar 29, 2024 07:22:27.961266994 CET	443	49783	217.160.255.217	192.168.2.4
Mar 29, 2024 07:22:27.961323977 CET	49783	443	192.168.2.4	217.160.255.217
Mar 29, 2024 07:22:27.961735964 CET	49784	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:27.961743116 CET	443	49784	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:27.961790085 CET	49784	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:27.962069988 CET	49783	443	192.168.2.4	217.160.255.217
Mar 29, 2024 07:22:27.962080002 CET	443	49783	217.160.255.217	192.168.2.4
Mar 29, 2024 07:22:27.962213993 CET	49784	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:27.962220907 CET	443	49784	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:27.962557077 CET	49785	993	192.168.2.4	91.121.86.59
Mar 29, 2024 07:22:27.962846041 CET	49786	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:22:27.984235048 CET	443	49781	45.66.33.45	192.168.2.4
Mar 29, 2024 07:22:28.139441967 CET	993	49785	91.121.86.59	192.168.2.4
Mar 29, 2024 07:22:28.139581919 CET	49785	993	192.168.2.4	91.121.86.59
Mar 29, 2024 07:22:28.140197039 CET	49785	993	192.168.2.4	91.121.86.59
Mar 29, 2024 07:22:28.166624069 CET	80	49786	171.25.193.9	192.168.2.4
Mar 29, 2024 07:22:28.166793108 CET	49786	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:22:28.231616974 CET	49786	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:22:28.231926918 CET	49784	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:28.231926918 CET	49783	443	192.168.2.4	217.160.255.217
Mar 29, 2024 07:22:28.256724119 CET	49787	443	192.168.2.4	195.154.106.60
Mar 29, 2024 07:22:28.256726980 CET	49788	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:28.256772041 CET	443	49788	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:28.256772041 CET	443	49787	195.154.106.60	192.168.2.4
Mar 29, 2024 07:22:28.256882906 CET	49787	443	192.168.2.4	195.154.106.60
Mar 29, 2024 07:22:28.256885052 CET	49788	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:28.257366896 CET	49785	993	192.168.2.4	91.121.86.59
Mar 29, 2024 07:22:28.262669086 CET	49789	9001	192.168.2.4	173.249.63.227
Mar 29, 2024 07:22:28.262670994 CET	49787	443	192.168.2.4	195.154.106.60
Mar 29, 2024 07:22:28.262691975 CET	443	49787	195.154.106.60	192.168.2.4
Mar 29, 2024 07:22:28.262861967 CET	49788	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:28.262880087 CET	443	49788	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:28.276236057 CET	443	49783	217.160.255.217	192.168.2.4
Mar 29, 2024 07:22:28.276273012 CET	443	49784	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:28.314770937 CET	993	49785	91.121.86.59	192.168.2.4
Mar 29, 2024 07:22:28.317270994 CET	993	49785	91.121.86.59	192.168.2.4
Mar 29, 2024 07:22:28.324733973 CET	49785	993	192.168.2.4	91.121.86.59
Mar 29, 2024 07:22:28.434161901 CET	993	49785	91.121.86.59	192.168.2.4
Mar 29, 2024 07:22:28.434185028 CET	80	49786	171.25.193.9	192.168.2.4
Mar 29, 2024 07:22:28.434196949 CET	80	49786	171.25.193.9	192.168.2.4
Mar 29, 2024 07:22:28.434386969 CET	49786	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:22:28.434495926 CET	49785	993	192.168.2.4	91.121.86.59
Mar 29, 2024 07:22:28.458117962 CET	9001	49789	173.249.63.227	192.168.2.4
Mar 29, 2024 07:22:28.612122059 CET	443	49788	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:28.612297058 CET	49788	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:28.616061926 CET	49788	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:28.616069078 CET	443	49788	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:28.616405010 CET	443	49788	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:28.616417885 CET	49787	443	192.168.2.4	195.154.106.60
Mar 29, 2024 07:22:28.616580963 CET	49788	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:28.644226074 CET	443	49787	195.154.106.60	192.168.2.4
Mar 29, 2024 07:22:28.644326925 CET	49787	443	192.168.2.4	195.154.106.60
Mar 29, 2024 07:22:28.644328117 CET	49787	443	192.168.2.4	195.154.106.60
Mar 29, 2024 07:22:28.738529921 CET	443	49784	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:28.738631010 CET	49784	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:28.738631010 CET	49784	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:28.788733959 CET	49790	443	192.168.2.4	185.65.205.10
Mar 29, 2024 07:22:28.788770914 CET	443	49790	185.65.205.10	192.168.2.4
Mar 29, 2024 07:22:28.788861990 CET	49790	443	192.168.2.4	185.65.205.10
Mar 29, 2024 07:22:28.789031982 CET	49791	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:28.789055109 CET	443	49791	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:28.789407969 CET	49791	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:28.844976902 CET	49790	443	192.168.2.4	185.65.205.10
Mar 29, 2024 07:22:28.844979048 CET	49791	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:28.844993114 CET	443	49791	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:28.845001936 CET	443	49790	185.65.205.10	192.168.2.4
Mar 29, 2024 07:22:28.845423937 CET	49792	443	192.168.2.4	85.209.157.3
Mar 29, 2024 07:22:28.845453024 CET	443	49792	85.209.157.3	192.168.2.4
Mar 29, 2024 07:22:28.846199989 CET	49792	443	192.168.2.4	85.209.157.3
Mar 29, 2024 07:22:28.850168943 CET	49792	443	192.168.2.4	85.209.157.3
Mar 29, 2024 07:22:28.850176096 CET	443	49792	85.209.157.3	192.168.2.4
Mar 29, 2024 07:22:29.080130100 CET	443	49772	144.76.170.20	192.168.2.4
Mar 29, 2024 07:22:29.379437923 CET	443	49791	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:29.379499912 CET	49791	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:29.384710073 CET	49791	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:29.384721041 CET	443	49791	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:29.384964943 CET	443	49791	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:29.421405077 CET	443	49790	185.65.205.10	192.168.2.4
Mar 29, 2024 07:22:29.421478987 CET	49790	443	192.168.2.4	185.65.205.10
Mar 29, 2024 07:22:29.434305906 CET	49790	443	192.168.2.4	185.65.205.10
Mar 29, 2024 07:22:29.434433937 CET	49791	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:29.448283911 CET	49792	443	192.168.2.4	85.209.157.3
Mar 29, 2024 07:22:29.450728893 CET	49793	9101	192.168.2.4	128.31.0.39
Mar 29, 2024 07:22:29.451076031 CET	49794	443	192.168.2.4	195.201.94.113
Mar 29, 2024 07:22:29.451122046 CET	443	49794	195.201.94.113	192.168.2.4
Mar 29, 2024 07:22:29.451185942 CET	49794	443	192.168.2.4	195.201.94.113
Mar 29, 2024 07:22:29.451512098 CET	49794	443	192.168.2.4	195.201.94.113
Mar 29, 2024 07:22:29.451527119 CET	443	49794	195.201.94.113	192.168.2.4
Mar 29, 2024 07:22:29.451987028 CET	49795	9001	192.168.2.4	47.254.134.152
Mar 29, 2024 07:22:29.496244907 CET	443	49792	85.209.157.3	192.168.2.4
Mar 29, 2024 07:22:29.555496931 CET	9101	49793	128.31.0.39	192.168.2.4
Mar 29, 2024 07:22:30.030450106 CET	443	49794	195.201.94.113	192.168.2.4
Mar 29, 2024 07:22:30.030584097 CET	49794	443	192.168.2.4	195.201.94.113
Mar 29, 2024 07:22:30.051027060 CET	49794	443	192.168.2.4	195.201.94.113
Mar 29, 2024 07:22:30.051062107 CET	443	49794	195.201.94.113	192.168.2.4
Mar 29, 2024 07:22:30.051403046 CET	443	49794	195.201.94.113	192.168.2.4
Mar 29, 2024 07:22:30.080282927 CET	49794	443	192.168.2.4	195.201.94.113
Mar 29, 2024 07:22:30.100270033 CET	49796	9001	192.168.2.4	47.56.94.99
Mar 29, 2024 07:22:30.100760937 CET	49797	80	192.168.2.4	37.187.23.232
Mar 29, 2024 07:22:30.272371054 CET	80	49797	37.187.23.232	192.168.2.4
Mar 29, 2024 07:22:30.274230003 CET	49797	80	192.168.2.4	37.187.23.232
Mar 29, 2024 07:22:30.274970055 CET	49797	80	192.168.2.4	37.187.23.232
Mar 29, 2024 07:22:30.274970055 CET	49798	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:22:30.275007010 CET	443	49798	154.35.175.225	192.168.2.4
Mar 29, 2024 07:22:30.275145054 CET	49799	443	192.168.2.4	199.249.230.174
Mar 29, 2024 07:22:30.275193930 CET	443	49799	199.249.230.174	192.168.2.4
Mar 29, 2024 07:22:30.275264978 CET	49799	443	192.168.2.4	199.249.230.174
Mar 29, 2024 07:22:30.275265932 CET	49798	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:22:30.275393009 CET	49798	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:22:30.275401115 CET	443	49798	154.35.175.225	192.168.2.4
Mar 29, 2024 07:22:30.278078079 CET	49799	443	192.168.2.4	199.249.230.174
Mar 29, 2024 07:22:30.278109074 CET	443	49799	199.249.230.174	192.168.2.4
Mar 29, 2024 07:22:30.447159052 CET	80	49797	37.187.23.232	192.168.2.4
Mar 29, 2024 07:22:30.460635900 CET	80	49797	37.187.23.232	192.168.2.4
Mar 29, 2024 07:22:30.465219975 CET	49797	80	192.168.2.4	37.187.23.232
Mar 29, 2024 07:22:30.465482950 CET	49798	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:22:30.465481997 CET	49799	443	192.168.2.4	199.249.230.174
Mar 29, 2024 07:22:30.508239985 CET	443	49799	199.249.230.174	192.168.2.4
Mar 29, 2024 07:22:30.512233973 CET	443	49798	154.35.175.225	192.168.2.4
Mar 29, 2024 07:22:30.570638895 CET	49797	80	192.168.2.4	37.187.23.232
Mar 29, 2024 07:22:30.571290970 CET	49800	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:30.571321011 CET	443	49800	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:30.571444035 CET	49800	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:30.571639061 CET	49801	9001	192.168.2.4	149.56.98.216
Mar 29, 2024 07:22:30.574079990 CET	49800	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:30.574099064 CET	443	49800	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:30.603852034 CET	49802	9001	192.168.2.4	103.253.41.98
Mar 29, 2024 07:22:30.604072094 CET	49803	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:22:30.639997005 CET	80	49797	37.187.23.232	192.168.2.4
Mar 29, 2024 07:22:30.640146971 CET	49797	80	192.168.2.4	37.187.23.232
Mar 29, 2024 07:22:30.742796898 CET	80	49797	37.187.23.232	192.168.2.4
Mar 29, 2024 07:22:30.742912054 CET	49797	80	192.168.2.4	37.187.23.232
Mar 29, 2024 07:22:31.091962099 CET	80	49803	171.25.193.9	192.168.2.4
Mar 29, 2024 07:22:31.092091084 CET	49803	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:22:31.094077110 CET	49803	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:22:31.119318962 CET	49800	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:31.119628906 CET	49804	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:31.119658947 CET	443	49804	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:31.119848967 CET	49804	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:31.119889021 CET	49804	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:31.119896889 CET	443	49804	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:31.163145065 CET	443	49800	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:31.163199902 CET	49800	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:31.163213968 CET	49800	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:31.298589945 CET	80	49803	171.25.193.9	192.168.2.4
Mar 29, 2024 07:22:31.302618027 CET	49803	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:22:31.302850962 CET	49804	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:31.302944899 CET	49803	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:22:31.345273972 CET	49805	9101	192.168.2.4	128.31.0.39
Mar 29, 2024 07:22:31.348229885 CET	443	49804	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:31.449805021 CET	9101	49805	128.31.0.39	192.168.2.4
Mar 29, 2024 07:22:31.460704088 CET	443	49804	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:31.460767984 CET	49804	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:31.460782051 CET	49804	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:31.504848003 CET	80	49803	171.25.193.9	192.168.2.4
Mar 29, 2024 07:22:31.505060911 CET	80	49803	171.25.193.9	192.168.2.4
Mar 29, 2024 07:22:31.505073071 CET	80	49803	171.25.193.9	192.168.2.4
Mar 29, 2024 07:22:31.505115032 CET	49803	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:22:31.505146027 CET	49803	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:22:32.018290997 CET	49805	9101	192.168.2.4	128.31.0.39
Mar 29, 2024 07:22:32.123373985 CET	9101	49805	128.31.0.39	192.168.2.4
Mar 29, 2024 07:22:32.327917099 CET	49806	9001	192.168.2.4	54.36.112.239
Mar 29, 2024 07:22:32.328723907 CET	49807	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:32.328756094 CET	443	49807	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:32.329996109 CET	49807	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:32.378972054 CET	49807	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:32.378989935 CET	443	49807	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:32.379271030 CET	49808	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:32.379309893 CET	443	49808	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:32.379484892 CET	49808	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:32.379632950 CET	49808	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:32.379647970 CET	443	49808	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:32.508232117 CET	9001	49806	54.36.112.239	192.168.2.4
Mar 29, 2024 07:22:32.833843946 CET	49807	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:32.833992004 CET	49808	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:32.864959002 CET	49809	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:32.864983082 CET	443	49809	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:32.865168095 CET	49809	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:32.866079092 CET	49809	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:32.866089106 CET	443	49809	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:32.880225897 CET	443	49808	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:32.880229950 CET	443	49807	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:32.986726046 CET	443	49807	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:32.986815929 CET	49807	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:32.986815929 CET	49807	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:33.371067047 CET	443	49809	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:33.371138096 CET	49809	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:33.376176119 CET	49809	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:33.376182079 CET	443	49809	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:33.376410007 CET	443	49809	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:33.395868063 CET	49809	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:33.717833996 CET	443	49808	193.23.244.244	192.168.2.4
Mar 29, 2024 07:22:33.717901945 CET	49808	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:33.717926025 CET	49808	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:22:34.018680096 CET	49810	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:34.018711090 CET	443	49810	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:34.018764973 CET	49810	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:34.018966913 CET	49810	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:34.018981934 CET	443	49810	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:34.617199898 CET	443	49810	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:34.617429018 CET	49810	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:34.624083996 CET	49810	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:34.624098063 CET	443	49810	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:34.624411106 CET	443	49810	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:34.675255060 CET	49810	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:34.723735094 CET	49810	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:35.608247042 CET	49811	9001	192.168.2.4	91.121.160.6
Mar 29, 2024 07:22:35.608665943 CET	49812	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:35.608685970 CET	443	49812	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:35.608740091 CET	49812	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:35.608967066 CET	49812	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:35.608973980 CET	443	49812	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:35.782896996 CET	9001	49811	91.121.160.6	192.168.2.4
Mar 29, 2024 07:22:35.942867041 CET	443	49812	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:35.942939043 CET	49812	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:35.947841883 CET	49812	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:35.947848082 CET	443	49812	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:35.948082924 CET	443	49812	199.58.81.140	192.168.2.4
Mar 29, 2024 07:22:35.948093891 CET	49812	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:35.948131084 CET	49812	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:22:38.858094931 CET	49813	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:38.858113050 CET	443	49813	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:38.858325958 CET	49813	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:38.858402967 CET	49813	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:38.858411074 CET	443	49813	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:39.449167013 CET	443	49813	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:39.449264050 CET	49813	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:39.454235077 CET	49813	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:39.454241991 CET	443	49813	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:39.454503059 CET	443	49813	86.59.21.38	192.168.2.4
Mar 29, 2024 07:22:39.483783007 CET	49813	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:22:39.490180016 CET	49814	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:39.490216970 CET	443	49814	45.66.33.45	192.168.2.4
Mar 29, 2024 07:22:39.490278006 CET	49814	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:39.490624905 CET	49814	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:39.490643024 CET	443	49814	45.66.33.45	192.168.2.4
Mar 29, 2024 07:22:40.983211994 CET	49814	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:22:41.024249077 CET	443	49814	45.66.33.45	192.168.2.4
Mar 29, 2024 07:22:44.258766890 CET	49815	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:44.258806944 CET	443	49815	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:44.258918047 CET	49815	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:44.259078026 CET	49815	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:44.259089947 CET	443	49815	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:44.766227961 CET	443	49815	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:44.766304016 CET	49815	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:44.771245003 CET	49815	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:44.771255970 CET	443	49815	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:44.771369934 CET	49815	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:44.771522999 CET	443	49815	204.13.164.118	192.168.2.4
Mar 29, 2024 07:22:44.771574974 CET	49815	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:22:49.762605906 CET	49816	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:49.762645006 CET	443	49816	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:49.766164064 CET	49816	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:49.766396999 CET	49816	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:49.766411066 CET	443	49816	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:50.428042889 CET	443	49816	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:50.428106070 CET	49816	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:50.434137106 CET	49816	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:50.434149027 CET	443	49816	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:50.434278965 CET	49816	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:50.434412003 CET	443	49816	131.188.40.189	192.168.2.4
Mar 29, 2024 07:22:50.434470892 CET	49816	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:22:50.440850019 CET	49817	443	192.168.2.4	91.213.233.138
Mar 29, 2024 07:22:50.440888882 CET	443	49817	91.213.233.138	192.168.2.4
Mar 29, 2024 07:22:50.440944910 CET	49817	443	192.168.2.4	91.213.233.138
Mar 29, 2024 07:22:50.441242933 CET	49817	443	192.168.2.4	91.213.233.138
Mar 29, 2024 07:22:50.441255093 CET	443	49817	91.213.233.138	192.168.2.4
Mar 29, 2024 07:22:51.514939070 CET	49817	443	192.168.2.4	91.213.233.138
Mar 29, 2024 07:22:51.560241938 CET	443	49817	91.213.233.138	192.168.2.4
Mar 29, 2024 07:22:52.595781088 CET	443	49817	91.213.233.138	192.168.2.4
Mar 29, 2024 07:22:52.595849037 CET	49817	443	192.168.2.4	91.213.233.138
Mar 29, 2024 07:22:52.595875025 CET	49817	443	192.168.2.4	91.213.233.138
Mar 29, 2024 07:22:54.679079056 CET	49818	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:22:54.679121017 CET	443	49818	154.35.175.225	192.168.2.4
Mar 29, 2024 07:22:54.679178953 CET	49818	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:22:54.679476976 CET	49818	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:22:54.679487944 CET	443	49818	154.35.175.225	192.168.2.4
Mar 29, 2024 07:22:55.177125931 CET	49818	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:22:55.224246025 CET	443	49818	154.35.175.225	192.168.2.4
Mar 29, 2024 07:23:02.042216063 CET	443	49818	154.35.175.225	192.168.2.4
Mar 29, 2024 07:23:03.383184910 CET	49819	9001	192.168.2.4	37.139.22.180
Mar 29, 2024 07:23:03.562400103 CET	9001	49819	37.139.22.180	192.168.2.4
Mar 29, 2024 07:23:04.157097101 CET	49819	9001	192.168.2.4	37.139.22.180
Mar 29, 2024 07:23:04.335572004 CET	9001	49819	37.139.22.180	192.168.2.4
Mar 29, 2024 07:23:08.352479935 CET	443	49732	178.17.174.10	192.168.2.4
Mar 29, 2024 07:23:15.603638887 CET	49820	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:23:15.603679895 CET	443	49820	193.23.244.244	192.168.2.4
Mar 29, 2024 07:23:15.603746891 CET	49820	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:23:15.604000092 CET	49820	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:23:15.604012012 CET	443	49820	193.23.244.244	192.168.2.4
Mar 29, 2024 07:23:16.299729109 CET	49820	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:23:16.344247103 CET	443	49820	193.23.244.244	192.168.2.4
Mar 29, 2024 07:23:16.367707968 CET	443	49820	193.23.244.244	192.168.2.4
Mar 29, 2024 07:23:16.367791891 CET	49820	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:23:16.367791891 CET	49820	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:23:29.562169075 CET	49821	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:23:29.562210083 CET	443	49821	199.58.81.140	192.168.2.4
Mar 29, 2024 07:23:29.562268972 CET	49821	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:23:29.562711000 CET	49821	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:23:29.562716961 CET	443	49821	199.58.81.140	192.168.2.4
Mar 29, 2024 07:23:29.898825884 CET	443	49821	199.58.81.140	192.168.2.4
Mar 29, 2024 07:23:29.898895025 CET	49821	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:23:29.904007912 CET	49821	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:23:29.904014111 CET	443	49821	199.58.81.140	192.168.2.4
Mar 29, 2024 07:23:29.904221058 CET	49821	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:23:29.904407978 CET	443	49821	199.58.81.140	192.168.2.4
Mar 29, 2024 07:23:29.904464960 CET	49821	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:23:37.553966999 CET	49822	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:23:37.554013014 CET	443	49822	45.66.33.45	192.168.2.4
Mar 29, 2024 07:23:37.554076910 CET	49822	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:23:37.554296970 CET	49822	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:23:37.554313898 CET	443	49822	45.66.33.45	192.168.2.4
Mar 29, 2024 07:23:38.494112015 CET	49822	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:23:38.540245056 CET	443	49822	45.66.33.45	192.168.2.4
Mar 29, 2024 07:23:45.881431103 CET	49823	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:23:45.881467104 CET	443	49823	204.13.164.118	192.168.2.4
Mar 29, 2024 07:23:45.881515980 CET	49823	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:23:45.881748915 CET	49823	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:23:45.881759882 CET	443	49823	204.13.164.118	192.168.2.4
Mar 29, 2024 07:23:46.387986898 CET	443	49823	204.13.164.118	192.168.2.4
Mar 29, 2024 07:23:46.390108109 CET	49823	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:23:46.392157078 CET	49823	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:23:46.392157078 CET	49823	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:23:46.392170906 CET	443	49823	204.13.164.118	192.168.2.4
Mar 29, 2024 07:23:46.392461061 CET	443	49823	204.13.164.118	192.168.2.4
Mar 29, 2024 07:23:46.392617941 CET	443	49823	204.13.164.118	192.168.2.4
Mar 29, 2024 07:23:46.393215895 CET	49823	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:23:46.393215895 CET	49823	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:23:51.841815948 CET	49824	9001	192.168.2.4	140.186.205.68
Mar 29, 2024 07:23:51.842123985 CET	49825	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:23:51.842163086 CET	443	49825	86.59.21.38	192.168.2.4
Mar 29, 2024 07:23:51.842274904 CET	49825	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:23:51.842523098 CET	49825	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:23:51.842535973 CET	443	49825	86.59.21.38	192.168.2.4
Mar 29, 2024 07:23:52.430795908 CET	443	49825	86.59.21.38	192.168.2.4
Mar 29, 2024 07:23:52.430931091 CET	49825	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:23:52.434576988 CET	49825	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:23:52.434587955 CET	443	49825	86.59.21.38	192.168.2.4
Mar 29, 2024 07:23:52.434696913 CET	49825	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:23:52.434822083 CET	443	49825	86.59.21.38	192.168.2.4
Mar 29, 2024 07:23:52.434977055 CET	443	49825	86.59.21.38	192.168.2.4
Mar 29, 2024 07:23:52.435122013 CET	49825	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:23:52.435122013 CET	49825	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:23:55.288477898 CET	49826	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:23:55.288536072 CET	443	49826	193.23.244.244	192.168.2.4
Mar 29, 2024 07:23:55.288594961 CET	49826	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:23:55.299778938 CET	49826	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:23:55.299794912 CET	443	49826	193.23.244.244	192.168.2.4
Mar 29, 2024 07:23:55.706099033 CET	49826	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:23:55.706443071 CET	49827	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:23:55.706468105 CET	443	49827	86.59.21.38	192.168.2.4
Mar 29, 2024 07:23:55.706521034 CET	49827	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:23:55.706654072 CET	49827	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:23:55.706660986 CET	443	49827	86.59.21.38	192.168.2.4
Mar 29, 2024 07:23:55.748244047 CET	443	49826	193.23.244.244	192.168.2.4
Mar 29, 2024 07:23:56.058648109 CET	443	49826	193.23.244.244	192.168.2.4
Mar 29, 2024 07:23:56.058717012 CET	49826	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:23:56.058734894 CET	49826	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:23:56.309393883 CET	443	49827	86.59.21.38	192.168.2.4
Mar 29, 2024 07:23:56.313121080 CET	49827	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:23:56.316138983 CET	49827	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:23:56.316150904 CET	443	49827	86.59.21.38	192.168.2.4
Mar 29, 2024 07:23:56.316412926 CET	443	49827	86.59.21.38	192.168.2.4
Mar 29, 2024 07:23:56.360867023 CET	49827	443	192.168.2.4	86.59.21.38
Mar 29, 2024 07:23:57.419899940 CET	49828	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:23:57.419987917 CET	443	49828	154.35.175.225	192.168.2.4
Mar 29, 2024 07:23:57.420077085 CET	49828	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:23:57.424791098 CET	49828	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:23:57.424839020 CET	443	49828	154.35.175.225	192.168.2.4
Mar 29, 2024 07:23:58.034173965 CET	49828	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:23:58.080234051 CET	443	49828	154.35.175.225	192.168.2.4
Mar 29, 2024 07:23:59.789800882 CET	49829	443	192.168.2.4	163.172.29.34
Mar 29, 2024 07:23:59.789849997 CET	443	49829	163.172.29.34	192.168.2.4
Mar 29, 2024 07:23:59.789900064 CET	49829	443	192.168.2.4	163.172.29.34
Mar 29, 2024 07:23:59.790100098 CET	49829	443	192.168.2.4	163.172.29.34
Mar 29, 2024 07:23:59.790115118 CET	443	49829	163.172.29.34	192.168.2.4
Mar 29, 2024 07:23:59.964051962 CET	443	49829	163.172.29.34	192.168.2.4
Mar 29, 2024 07:24:01.539393902 CET	49830	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:24:01.539432049 CET	443	49830	204.13.164.118	192.168.2.4
Mar 29, 2024 07:24:01.539488077 CET	49830	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:24:01.539787054 CET	49830	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:24:01.539798021 CET	443	49830	204.13.164.118	192.168.2.4
Mar 29, 2024 07:24:02.049956083 CET	49830	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:24:02.055334091 CET	443	49830	204.13.164.118	192.168.2.4
Mar 29, 2024 07:24:02.055397987 CET	49830	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:24:02.055413008 CET	49830	443	192.168.2.4	204.13.164.118
Mar 29, 2024 07:24:07.940903902 CET	49831	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:24:07.940953016 CET	443	49831	131.188.40.189	192.168.2.4
Mar 29, 2024 07:24:07.941023111 CET	49831	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:24:07.941246986 CET	49831	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:24:07.941260099 CET	443	49831	131.188.40.189	192.168.2.4
Mar 29, 2024 07:24:08.542881012 CET	443	49831	131.188.40.189	192.168.2.4
Mar 29, 2024 07:24:08.542959929 CET	49831	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:24:08.547450066 CET	49831	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:24:08.547457933 CET	443	49831	131.188.40.189	192.168.2.4
Mar 29, 2024 07:24:08.547585964 CET	49831	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:24:08.547779083 CET	443	49831	131.188.40.189	192.168.2.4
Mar 29, 2024 07:24:08.547832966 CET	49831	443	192.168.2.4	131.188.40.189
Mar 29, 2024 07:24:14.604984999 CET	49832	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:24:14.605024099 CET	443	49832	199.58.81.140	192.168.2.4
Mar 29, 2024 07:24:14.605082035 CET	49832	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:24:14.605243921 CET	49832	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:24:14.605253935 CET	443	49832	199.58.81.140	192.168.2.4
Mar 29, 2024 07:24:14.938111067 CET	443	49832	199.58.81.140	192.168.2.4
Mar 29, 2024 07:24:14.938189030 CET	49832	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:24:14.943170071 CET	49832	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:24:14.943178892 CET	443	49832	199.58.81.140	192.168.2.4
Mar 29, 2024 07:24:14.943378925 CET	443	49832	199.58.81.140	192.168.2.4
Mar 29, 2024 07:24:14.943404913 CET	49832	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:24:14.943428993 CET	49832	443	192.168.2.4	199.58.81.140
Mar 29, 2024 07:24:19.022967100 CET	49833	443	192.168.2.4	85.10.240.250
Mar 29, 2024 07:24:19.023009062 CET	443	49833	85.10.240.250	192.168.2.4
Mar 29, 2024 07:24:19.023066044 CET	49833	443	192.168.2.4	85.10.240.250
Mar 29, 2024 07:24:19.023190975 CET	49834	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:24:19.023197889 CET	443	49834	193.23.244.244	192.168.2.4
Mar 29, 2024 07:24:19.023303986 CET	49834	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:24:19.023477077 CET	49833	443	192.168.2.4	85.10.240.250
Mar 29, 2024 07:24:19.023490906 CET	443	49833	85.10.240.250	192.168.2.4
Mar 29, 2024 07:24:19.023644924 CET	49834	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:24:19.023653984 CET	443	49834	193.23.244.244	192.168.2.4
Mar 29, 2024 07:24:19.609879017 CET	443	49833	85.10.240.250	192.168.2.4
Mar 29, 2024 07:24:19.610007048 CET	49833	443	192.168.2.4	85.10.240.250
Mar 29, 2024 07:24:19.613913059 CET	49833	443	192.168.2.4	85.10.240.250
Mar 29, 2024 07:24:19.613913059 CET	49834	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:24:19.613923073 CET	443	49833	85.10.240.250	192.168.2.4
Mar 29, 2024 07:24:19.614084005 CET	49833	443	192.168.2.4	85.10.240.250
Mar 29, 2024 07:24:19.614264965 CET	443	49833	85.10.240.250	192.168.2.4
Mar 29, 2024 07:24:19.614440918 CET	443	49833	85.10.240.250	192.168.2.4
Mar 29, 2024 07:24:19.614522934 CET	49833	443	192.168.2.4	85.10.240.250
Mar 29, 2024 07:24:19.614522934 CET	49833	443	192.168.2.4	85.10.240.250
Mar 29, 2024 07:24:19.660223961 CET	443	49834	193.23.244.244	192.168.2.4
Mar 29, 2024 07:24:19.786573887 CET	443	49834	193.23.244.244	192.168.2.4
Mar 29, 2024 07:24:19.786705971 CET	443	49834	193.23.244.244	192.168.2.4
Mar 29, 2024 07:24:19.786705971 CET	49834	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:24:19.786705971 CET	49834	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:24:19.786813021 CET	49834	443	192.168.2.4	193.23.244.244
Mar 29, 2024 07:24:22.112107992 CET	49746	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:24:22.632992983 CET	49835	443	192.168.2.4	217.12.203.242
Mar 29, 2024 07:24:22.633038998 CET	443	49835	217.12.203.242	192.168.2.4
Mar 29, 2024 07:24:22.633096933 CET	49835	443	192.168.2.4	217.12.203.242
Mar 29, 2024 07:24:22.633347988 CET	49835	443	192.168.2.4	217.12.203.242
Mar 29, 2024 07:24:22.633363008 CET	443	49835	217.12.203.242	192.168.2.4
Mar 29, 2024 07:24:22.643352985 CET	49757	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:24:23.267935038 CET	443	49835	217.12.203.242	192.168.2.4
Mar 29, 2024 07:24:23.267998934 CET	49835	443	192.168.2.4	217.12.203.242
Mar 29, 2024 07:24:23.287669897 CET	49835	443	192.168.2.4	217.12.203.242
Mar 29, 2024 07:24:23.287688971 CET	443	49835	217.12.203.242	192.168.2.4
Mar 29, 2024 07:24:23.287929058 CET	443	49835	217.12.203.242	192.168.2.4
Mar 29, 2024 07:24:23.288008928 CET	49835	443	192.168.2.4	217.12.203.242
Mar 29, 2024 07:24:23.296205044 CET	49836	9001	192.168.2.4	162.212.158.82
Mar 29, 2024 07:24:24.066128969 CET	49837	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:24:24.066131115 CET	49838	9001	192.168.2.4	184.105.220.24
Mar 29, 2024 07:24:24.274128914 CET	80	49837	171.25.193.9	192.168.2.4
Mar 29, 2024 07:24:24.280251980 CET	49837	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:24:25.143374920 CET	49838	9001	192.168.2.4	184.105.220.24
Mar 29, 2024 07:24:25.457978010 CET	49837	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:24:25.665013075 CET	80	49837	171.25.193.9	192.168.2.4
Mar 29, 2024 07:24:25.669730902 CET	49837	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:24:25.874599934 CET	80	49837	171.25.193.9	192.168.2.4
Mar 29, 2024 07:24:25.875241995 CET	49837	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:24:25.875603914 CET	49839	30001	192.168.2.4	185.220.101.1
Mar 29, 2024 07:24:25.875971079 CET	49840	9001	192.168.2.4	176.67.170.192
Mar 29, 2024 07:24:26.060297966 CET	30001	49839	185.220.101.1	192.168.2.4
Mar 29, 2024 07:24:26.079171896 CET	80	49837	171.25.193.9	192.168.2.4
Mar 29, 2024 07:24:26.079183102 CET	80	49837	171.25.193.9	192.168.2.4
Mar 29, 2024 07:24:26.079240084 CET	49837	80	192.168.2.4	171.25.193.9
Mar 29, 2024 07:24:26.269236088 CET	49841	9001	192.168.2.4	149.34.27.137
Mar 29, 2024 07:24:26.924614906 CET	49774	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:24:26.955858946 CET	49776	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:24:26.955936909 CET	49773	443	192.168.2.4	104.149.129.210
Mar 29, 2024 07:24:27.362915993 CET	49842	9001	192.168.2.4	51.195.124.251
Mar 29, 2024 07:24:27.363353014 CET	49843	10143	192.168.2.4	185.220.101.143
Mar 29, 2024 07:24:27.548480988 CET	10143	49843	185.220.101.143	192.168.2.4
Mar 29, 2024 07:24:27.548576117 CET	49843	10143	192.168.2.4	185.220.101.143
Mar 29, 2024 07:24:27.548890114 CET	49843	10143	192.168.2.4	185.220.101.143
Mar 29, 2024 07:24:27.549343109 CET	49844	9001	192.168.2.4	185.233.252.14
Mar 29, 2024 07:24:27.734616995 CET	10143	49843	185.220.101.143	192.168.2.4
Mar 29, 2024 07:24:27.734910011 CET	10143	49843	185.220.101.143	192.168.2.4
Mar 29, 2024 07:24:27.740223885 CET	49843	10143	192.168.2.4	185.220.101.143
Mar 29, 2024 07:24:27.740595102 CET	49843	10143	192.168.2.4	185.220.101.143
Mar 29, 2024 07:24:27.741050959 CET	49845	34049	192.168.2.4	62.216.85.110
Mar 29, 2024 07:24:27.927181959 CET	10143	49843	185.220.101.143	192.168.2.4
Mar 29, 2024 07:24:27.927232027 CET	49843	10143	192.168.2.4	185.220.101.143
Mar 29, 2024 07:24:27.927795887 CET	10143	49843	185.220.101.143	192.168.2.4
Mar 29, 2024 07:24:27.927835941 CET	49843	10143	192.168.2.4	185.220.101.143
Mar 29, 2024 07:24:28.144531965 CET	49781	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:24:28.456177950 CET	49783	443	192.168.2.4	217.160.255.217
Mar 29, 2024 07:24:28.752836943 CET	49845	34049	192.168.2.4	62.216.85.110
Mar 29, 2024 07:24:28.787348986 CET	49846	5753	192.168.2.4	185.213.155.169
Mar 29, 2024 07:24:29.658983946 CET	49792	443	192.168.2.4	85.209.157.3
Mar 29, 2024 07:24:29.684797049 CET	49847	10020	192.168.2.4	185.220.101.20
Mar 29, 2024 07:24:29.871937990 CET	10020	49847	185.220.101.20	192.168.2.4
Mar 29, 2024 07:24:30.456341982 CET	49847	10020	192.168.2.4	185.220.101.20
Mar 29, 2024 07:24:30.521070004 CET	49799	443	192.168.2.4	199.249.230.174
Mar 29, 2024 07:24:30.641735077 CET	10020	49847	185.220.101.20	192.168.2.4
Mar 29, 2024 07:24:30.643577099 CET	49798	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:24:30.652807951 CET	49848	443	192.168.2.4	95.211.136.23
Mar 29, 2024 07:24:30.652844906 CET	443	49848	95.211.136.23	192.168.2.4
Mar 29, 2024 07:24:30.655103922 CET	49848	443	192.168.2.4	95.211.136.23
Mar 29, 2024 07:24:30.656157970 CET	49848	443	192.168.2.4	95.211.136.23
Mar 29, 2024 07:24:30.656171083 CET	443	49848	95.211.136.23	192.168.2.4
Mar 29, 2024 07:24:31.314021111 CET	443	49848	95.211.136.23	192.168.2.4
Mar 29, 2024 07:24:31.371681929 CET	49849	9443	192.168.2.4	94.142.241.226
Mar 29, 2024 07:24:32.420208931 CET	49850	443	192.168.2.4	178.254.31.125
Mar 29, 2024 07:24:32.420254946 CET	443	49850	178.254.31.125	192.168.2.4
Mar 29, 2024 07:24:32.424753904 CET	49850	443	192.168.2.4	178.254.31.125
Mar 29, 2024 07:24:32.425297022 CET	49850	443	192.168.2.4	178.254.31.125
Mar 29, 2024 07:24:32.425311089 CET	443	49850	178.254.31.125	192.168.2.4
Mar 29, 2024 07:24:32.425350904 CET	49851	9001	192.168.2.4	145.239.158.234
Mar 29, 2024 07:24:32.536314011 CET	49850	443	192.168.2.4	178.254.31.125
Mar 29, 2024 07:24:32.536314964 CET	49852	9001	192.168.2.4	194.55.13.50
Mar 29, 2024 07:24:32.584239006 CET	443	49850	178.254.31.125	192.168.2.4
Mar 29, 2024 07:24:32.720824957 CET	9001	49852	194.55.13.50	192.168.2.4
Mar 29, 2024 07:24:32.725212097 CET	49852	9001	192.168.2.4	194.55.13.50
Mar 29, 2024 07:24:32.725212097 CET	49852	9001	192.168.2.4	194.55.13.50
Mar 29, 2024 07:24:32.728291988 CET	49853	9001	192.168.2.4	78.46.174.72
Mar 29, 2024 07:24:32.909554005 CET	9001	49852	194.55.13.50	192.168.2.4
Mar 29, 2024 07:24:32.913405895 CET	9001	49852	194.55.13.50	192.168.2.4
Mar 29, 2024 07:24:32.920312881 CET	49852	9001	192.168.2.4	194.55.13.50
Mar 29, 2024 07:24:32.967641115 CET	49852	9001	192.168.2.4	194.55.13.50
Mar 29, 2024 07:24:33.048712015 CET	49854	9001	192.168.2.4	212.47.227.71
Mar 29, 2024 07:24:33.107161045 CET	9001	49852	194.55.13.50	192.168.2.4
Mar 29, 2024 07:24:33.112406015 CET	49852	9001	192.168.2.4	194.55.13.50
Mar 29, 2024 07:24:33.154495001 CET	9001	49852	194.55.13.50	192.168.2.4
Mar 29, 2024 07:24:33.160393953 CET	49852	9001	192.168.2.4	194.55.13.50
Mar 29, 2024 07:24:33.218818903 CET	9001	49854	212.47.227.71	192.168.2.4
Mar 29, 2024 07:24:33.752746105 CET	49854	9001	192.168.2.4	212.47.227.71
Mar 29, 2024 07:24:33.774841070 CET	49855	443	192.168.2.4	185.227.82.7
Mar 29, 2024 07:24:33.774873972 CET	443	49855	185.227.82.7	192.168.2.4
Mar 29, 2024 07:24:33.774930954 CET	49855	443	192.168.2.4	185.227.82.7
Mar 29, 2024 07:24:33.784259081 CET	49855	443	192.168.2.4	185.227.82.7
Mar 29, 2024 07:24:33.784274101 CET	443	49855	185.227.82.7	192.168.2.4
Mar 29, 2024 07:24:33.922734022 CET	9001	49854	212.47.227.71	192.168.2.4
Mar 29, 2024 07:24:34.712529898 CET	49855	443	192.168.2.4	185.227.82.7
Mar 29, 2024 07:24:34.748950958 CET	49856	9001	192.168.2.4	8.209.79.125
Mar 29, 2024 07:24:34.756246090 CET	443	49855	185.227.82.7	192.168.2.4
Mar 29, 2024 07:24:35.467876911 CET	49857	9001	192.168.2.4	212.8.243.229
Mar 29, 2024 07:24:35.468255997 CET	49858	9001	192.168.2.4	45.125.65.112
Mar 29, 2024 07:24:35.641618013 CET	9001	49857	212.8.243.229	192.168.2.4
Mar 29, 2024 07:24:35.676306963 CET	9001	49858	45.125.65.112	192.168.2.4
Mar 29, 2024 07:24:35.676376104 CET	49858	9001	192.168.2.4	45.125.65.112
Mar 29, 2024 07:24:35.676760912 CET	49858	9001	192.168.2.4	45.125.65.112
Mar 29, 2024 07:24:35.677428961 CET	49859	10198	192.168.2.4	185.220.101.198
Mar 29, 2024 07:24:35.862534046 CET	10198	49859	185.220.101.198	192.168.2.4
Mar 29, 2024 07:24:35.884713888 CET	9001	49858	45.125.65.112	192.168.2.4
Mar 29, 2024 07:24:35.885533094 CET	9001	49858	45.125.65.112	192.168.2.4
Mar 29, 2024 07:24:35.889717102 CET	49858	9001	192.168.2.4	45.125.65.112
Mar 29, 2024 07:24:35.890028954 CET	49858	9001	192.168.2.4	45.125.65.112
Mar 29, 2024 07:24:35.890393972 CET	49860	9001	192.168.2.4	192.46.225.58
Mar 29, 2024 07:24:36.098004103 CET	9001	49858	45.125.65.112	192.168.2.4
Mar 29, 2024 07:24:36.098018885 CET	9001	49858	45.125.65.112	192.168.2.4
Mar 29, 2024 07:24:36.098057985 CET	49858	9001	192.168.2.4	45.125.65.112
Mar 29, 2024 07:24:36.098090887 CET	49858	9001	192.168.2.4	45.125.65.112
Mar 29, 2024 07:24:36.524256945 CET	49861	443	192.168.2.4	199.249.230.115
Mar 29, 2024 07:24:36.524315119 CET	443	49861	199.249.230.115	192.168.2.4
Mar 29, 2024 07:24:36.524900913 CET	49861	443	192.168.2.4	199.249.230.115
Mar 29, 2024 07:24:36.525104046 CET	49861	443	192.168.2.4	199.249.230.115
Mar 29, 2024 07:24:36.525124073 CET	443	49861	199.249.230.115	192.168.2.4
Mar 29, 2024 07:24:37.546643019 CET	49861	443	192.168.2.4	199.249.230.115
Mar 29, 2024 07:24:37.553098917 CET	49862	8443	192.168.2.4	45.151.167.10
Mar 29, 2024 07:24:37.553493023 CET	49863	42256	192.168.2.4	143.107.229.210
Mar 29, 2024 07:24:37.592232943 CET	443	49861	199.249.230.115	192.168.2.4
Mar 29, 2024 07:24:37.659940004 CET	49864	443	192.168.2.4	178.20.55.18
Mar 29, 2024 07:24:37.659990072 CET	443	49864	178.20.55.18	192.168.2.4
Mar 29, 2024 07:24:37.660036087 CET	49864	443	192.168.2.4	178.20.55.18
Mar 29, 2024 07:24:37.660357952 CET	49864	443	192.168.2.4	178.20.55.18
Mar 29, 2024 07:24:37.660372019 CET	443	49864	178.20.55.18	192.168.2.4
Mar 29, 2024 07:24:37.731853962 CET	8443	49862	45.151.167.10	192.168.2.4
Mar 29, 2024 07:24:37.793373108 CET	42256	49863	143.107.229.210	192.168.2.4
Mar 29, 2024 07:24:37.832201958 CET	443	49864	178.20.55.18	192.168.2.4
Mar 29, 2024 07:24:37.832861900 CET	49865	9001	192.168.2.4	62.210.105.46
Mar 29, 2024 07:24:38.002804995 CET	9001	49865	62.210.105.46	192.168.2.4
Mar 29, 2024 07:24:38.002867937 CET	49865	9001	192.168.2.4	62.210.105.46
Mar 29, 2024 07:24:38.003158092 CET	49865	9001	192.168.2.4	62.210.105.46
Mar 29, 2024 07:24:38.003676891 CET	49866	30023	192.168.2.4	185.220.101.23
Mar 29, 2024 07:24:38.173059940 CET	9001	49865	62.210.105.46	192.168.2.4
Mar 29, 2024 07:24:38.178956032 CET	9001	49865	62.210.105.46	192.168.2.4
Mar 29, 2024 07:24:38.182904959 CET	49865	9001	192.168.2.4	62.210.105.46
Mar 29, 2024 07:24:38.183116913 CET	49865	9001	192.168.2.4	62.210.105.46
Mar 29, 2024 07:24:38.183434010 CET	49867	9443	192.168.2.4	116.12.180.234
Mar 29, 2024 07:24:38.188527107 CET	30023	49866	185.220.101.23	192.168.2.4
Mar 29, 2024 07:24:38.353323936 CET	9001	49865	62.210.105.46	192.168.2.4
Mar 29, 2024 07:24:38.393274069 CET	9001	49865	62.210.105.46	192.168.2.4
Mar 29, 2024 07:24:38.399382114 CET	9001	49865	62.210.105.46	192.168.2.4
Mar 29, 2024 07:24:38.399497032 CET	49865	9001	192.168.2.4	62.210.105.46
Mar 29, 2024 07:24:38.407377005 CET	9001	49865	62.210.105.46	192.168.2.4
Mar 29, 2024 07:24:38.410235882 CET	49865	9001	192.168.2.4	62.210.105.46
Mar 29, 2024 07:24:39.222125053 CET	49867	9443	192.168.2.4	116.12.180.234
Mar 29, 2024 07:24:39.364240885 CET	49868	443	192.168.2.4	154.59.112.72
Mar 29, 2024 07:24:39.364269018 CET	443	49868	154.59.112.72	192.168.2.4
Mar 29, 2024 07:24:39.368772984 CET	49868	443	192.168.2.4	154.59.112.72
Mar 29, 2024 07:24:39.368984938 CET	49868	443	192.168.2.4	154.59.112.72
Mar 29, 2024 07:24:39.368997097 CET	443	49868	154.59.112.72	192.168.2.4
Mar 29, 2024 07:24:39.568387032 CET	443	49868	154.59.112.72	192.168.2.4
Mar 29, 2024 07:24:39.569264889 CET	49869	30206	192.168.2.4	185.220.101.206
Mar 29, 2024 07:24:39.754637957 CET	30206	49869	185.220.101.206	192.168.2.4
Mar 29, 2024 07:24:39.769009113 CET	49870	443	192.168.2.4	38.145.200.61
Mar 29, 2024 07:24:39.769052029 CET	443	49870	38.145.200.61	192.168.2.4
Mar 29, 2024 07:24:39.769109964 CET	49870	443	192.168.2.4	38.145.200.61
Mar 29, 2024 07:24:39.769330025 CET	49870	443	192.168.2.4	38.145.200.61
Mar 29, 2024 07:24:39.769342899 CET	443	49870	38.145.200.61	192.168.2.4
Mar 29, 2024 07:24:40.795875072 CET	49870	443	192.168.2.4	38.145.200.61
Mar 29, 2024 07:24:40.836232901 CET	443	49870	38.145.200.61	192.168.2.4
Mar 29, 2024 07:24:41.112263918 CET	49814	443	192.168.2.4	45.66.33.45
Mar 29, 2024 07:24:41.815732002 CET	49871	9001	192.168.2.4	198.58.107.53
Mar 29, 2024 07:24:41.946254015 CET	9001	49871	198.58.107.53	192.168.2.4
Mar 29, 2024 07:24:41.946331024 CET	49871	9001	192.168.2.4	198.58.107.53
Mar 29, 2024 07:24:43.105377913 CET	49871	9001	192.168.2.4	198.58.107.53
Mar 29, 2024 07:24:43.235753059 CET	9001	49871	198.58.107.53	192.168.2.4
Mar 29, 2024 07:24:43.237560987 CET	9001	49871	198.58.107.53	192.168.2.4
Mar 29, 2024 07:24:43.247248888 CET	49871	9001	192.168.2.4	198.58.107.53
Mar 29, 2024 07:24:43.379431009 CET	9001	49871	198.58.107.53	192.168.2.4
Mar 29, 2024 07:24:43.379731894 CET	49871	9001	192.168.2.4	198.58.107.53
Mar 29, 2024 07:24:43.511265039 CET	9001	49871	198.58.107.53	192.168.2.4
Mar 29, 2024 07:24:43.511326075 CET	49871	9001	192.168.2.4	198.58.107.53
Mar 29, 2024 07:24:45.283343077 CET	49872	9001	192.168.2.4	5.181.51.52
Mar 29, 2024 07:24:45.283526897 CET	49873	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:24:45.283565044 CET	443	49873	154.35.175.225	192.168.2.4
Mar 29, 2024 07:24:45.283718109 CET	49873	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:24:45.283880949 CET	49873	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:24:45.283894062 CET	443	49873	154.35.175.225	192.168.2.4
Mar 29, 2024 07:24:45.467825890 CET	9001	49872	5.181.51.52	192.168.2.4
Mar 29, 2024 07:24:45.467896938 CET	49872	9001	192.168.2.4	5.181.51.52
Mar 29, 2024 07:24:45.468233109 CET	49872	9001	192.168.2.4	5.181.51.52
Mar 29, 2024 07:24:45.468384027 CET	49873	443	192.168.2.4	154.35.175.225
Mar 29, 2024 07:24:45.512244940 CET	443	49873	154.35.175.225	192.168.2.4
Mar 29, 2024 07:24:45.652550936 CET	9001	49872	5.181.51.52	192.168.2.4
Mar 29, 2024 07:24:45.654562950 CET	9001	49872	5.181.51.52	192.168.2.4
Mar 29, 2024 07:24:45.658706903 CET	49872	9001	192.168.2.4	5.181.51.52
Mar 29, 2024 07:24:45.658828020 CET	49872	9001	192.168.2.4	5.181.51.52
Mar 29, 2024 07:24:45.843607903 CET	9001	49872	5.181.51.52	192.168.2.4
Mar 29, 2024 07:24:45.843628883 CET	9001	49872	5.181.51.52	192.168.2.4
Mar 29, 2024 07:24:45.843662024 CET	49872	9001	192.168.2.4	5.181.51.52
Mar 29, 2024 07:24:45.843689919 CET	49872	9001	192.168.2.4	5.181.51.52
Mar 29, 2024 07:24:46.764756918 CET	49874	443	192.168.2.4	109.150.12.235
Mar 29, 2024 07:24:46.764797926 CET	443	49874	109.150.12.235	192.168.2.4
Mar 29, 2024 07:24:46.765125036 CET	49874	443	192.168.2.4	109.150.12.235
Mar 29, 2024 07:24:46.765125036 CET	49874	443	192.168.2.4	109.150.12.235
Mar 29, 2024 07:24:46.765156984 CET	443	49874	109.150.12.235	192.168.2.4
Mar 29, 2024 07:24:47.768249035 CET	49874	443	192.168.2.4	109.150.12.235
Mar 29, 2024 07:24:47.768712044 CET	49875	9001	192.168.2.4	88.198.112.25
Mar 29, 2024 07:24:47.769004107 CET	49876	443	192.168.2.4	198.100.149.77
Mar 29, 2024 07:24:47.769037008 CET	443	49876	198.100.149.77	192.168.2.4
Mar 29, 2024 07:24:47.769089937 CET	49876	443	192.168.2.4	198.100.149.77
Mar 29, 2024 07:24:47.769272089 CET	49876	443	192.168.2.4	198.100.149.77
Mar 29, 2024 07:24:47.769283056 CET	443	49876	198.100.149.77	192.168.2.4
Mar 29, 2024 07:24:47.816232920 CET	443	49874	109.150.12.235	192.168.2.4
Mar 29, 2024 07:24:48.848726988 CET	49876	443	192.168.2.4	198.100.149.77
Mar 29, 2024 07:24:48.881124020 CET	49877	443	192.168.2.4	178.33.183.251
Mar 29, 2024 07:24:48.881170034 CET	443	49877	178.33.183.251	192.168.2.4
Mar 29, 2024 07:24:48.884701967 CET	49877	443	192.168.2.4	178.33.183.251
Mar 29, 2024 07:24:48.884702921 CET	49877	443	192.168.2.4	178.33.183.251
Mar 29, 2024 07:24:48.884730101 CET	443	49877	178.33.183.251	192.168.2.4
Mar 29, 2024 07:24:48.888938904 CET	49878	443	192.168.2.4	192.42.116.17
Mar 29, 2024 07:24:48.888983965 CET	443	49878	192.42.116.17	192.168.2.4
Mar 29, 2024 07:24:48.892245054 CET	443	49876	198.100.149.77	192.168.2.4
Mar 29, 2024 07:24:48.892379999 CET	49878	443	192.168.2.4	192.42.116.17
Mar 29, 2024 07:24:48.893520117 CET	49878	443	192.168.2.4	192.42.116.17
Mar 29, 2024 07:24:48.893532991 CET	443	49878	192.42.116.17	192.168.2.4
Mar 29, 2024 07:24:49.456537008 CET	443	49878	192.42.116.17	192.168.2.4
Mar 29, 2024 07:24:49.456609011 CET	49878	443	192.168.2.4	192.42.116.17
Mar 29, 2024 07:24:49.461174011 CET	49878	443	192.168.2.4	192.42.116.17
Mar 29, 2024 07:24:49.461184978 CET	443	49878	192.42.116.17	192.168.2.4
Mar 29, 2024 07:24:49.461381912 CET	49878	443	192.168.2.4	192.42.116.17
Mar 29, 2024 07:24:49.461468935 CET	443	49878	192.42.116.17	192.168.2.4
Mar 29, 2024 07:24:49.461523056 CET	49877	443	192.168.2.4	178.33.183.251
Mar 29, 2024 07:24:49.461524963 CET	49878	443	192.168.2.4	192.42.116.17
Mar 29, 2024 07:24:49.469933033 CET	49879	443	192.168.2.4	192.36.38.33
Mar 29, 2024 07:24:49.469973087 CET	443	49879	192.36.38.33	192.168.2.4
Mar 29, 2024 07:24:49.470032930 CET	49879	443	192.168.2.4	192.36.38.33
Mar 29, 2024 07:24:49.470299959 CET	49879	443	192.168.2.4	192.36.38.33
Mar 29, 2024 07:24:49.470319033 CET	443	49879	192.36.38.33	192.168.2.4
Mar 29, 2024 07:24:49.508238077 CET	443	49877	178.33.183.251	192.168.2.4
Mar 29, 2024 07:24:49.807552099 CET	49879	443	192.168.2.4	192.36.38.33
Mar 29, 2024 07:24:49.808073044 CET	49880	40233	192.168.2.4	143.107.229.120
Mar 29, 2024 07:24:49.848237038 CET	443	49879	192.36.38.33	192.168.2.4
Mar 29, 2024 07:24:50.051390886 CET	40233	49880	143.107.229.120	192.168.2.4
Mar 29, 2024 07:24:50.064546108 CET	443	49879	192.36.38.33	192.168.2.4
Mar 29, 2024 07:24:50.064618111 CET	49879	443	192.168.2.4	192.36.38.33
Mar 29, 2024 07:24:50.064618111 CET	49879	443	192.168.2.4	192.36.38.33
Mar 29, 2024 07:24:50.612134933 CET	49880	40233	192.168.2.4	143.107.229.120
Mar 29, 2024 07:24:50.857692003 CET	40233	49880	143.107.229.120	192.168.2.4
Mar 29, 2024 07:24:51.608206034 CET	49881	443	192.168.2.4	23.129.64.239
Mar 29, 2024 07:24:51.608248949 CET	443	49881	23.129.64.239	192.168.2.4
Mar 29, 2024 07:24:51.608328104 CET	49881	443	192.168.2.4	23.129.64.239
Mar 29, 2024 07:24:51.608550072 CET	49881	443	192.168.2.4	23.129.64.239
Mar 29, 2024 07:24:51.608562946 CET	443	49881	23.129.64.239	192.168.2.4
Mar 29, 2024 07:24:51.859863043 CET	443	49881	23.129.64.239	192.168.2.4
Mar 29, 2024 07:24:53.572491884 CET	49882	9001	192.168.2.4	71.200.64.77
Mar 29, 2024 07:24:54.612194061 CET	49882	9001	192.168.2.4	71.200.64.77
Mar 29, 2024 07:24:55.554730892 CET	49883	9001	192.168.2.4	185.82.217.49
Mar 29, 2024 07:24:55.761575937 CET	9001	49883	185.82.217.49	192.168.2.4
Mar 29, 2024 07:24:55.761660099 CET	49883	9001	192.168.2.4	185.82.217.49
Mar 29, 2024 07:24:55.762021065 CET	49883	9001	192.168.2.4	185.82.217.49
Mar 29, 2024 07:24:55.762622118 CET	49884	9001	192.168.2.4	80.66.135.13
Mar 29, 2024 07:24:55.968167067 CET	9001	49883	185.82.217.49	192.168.2.4
Mar 29, 2024 07:24:55.970242023 CET	9001	49883	185.82.217.49	192.168.2.4
Mar 29, 2024 07:24:55.974720001 CET	49883	9001	192.168.2.4	185.82.217.49
Mar 29, 2024 07:24:55.975050926 CET	49883	9001	192.168.2.4	185.82.217.49
Mar 29, 2024 07:24:55.975450993 CET	49885	9001	192.168.2.4	147.92.88.67
Mar 29, 2024 07:24:56.181308985 CET	9001	49883	185.82.217.49	192.168.2.4
Mar 29, 2024 07:24:56.181773901 CET	9001	49883	185.82.217.49	192.168.2.4
Mar 29, 2024 07:24:56.181813955 CET	9001	49883	185.82.217.49	192.168.2.4
Mar 29, 2024 07:24:56.181824923 CET	49883	9001	192.168.2.4	185.82.217.49
Mar 29, 2024 07:24:56.181852102 CET	49883	9001	192.168.2.4	185.82.217.49
Mar 29, 2024 07:24:57.922420979 CET	49886	9001	192.168.2.4	176.123.3.222
Mar 29, 2024 07:24:58.924655914 CET	49886	9001	192.168.2.4	176.123.3.222
Mar 29, 2024 07:25:00.436255932 CET	49887	993	192.168.2.4	194.140.117.58

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Mar 29, 2024 07:24:23.407975912 CET	162.212.158.82	192.168.2.4	f0	(Unknown)	Destination Unreachable
Mar 29, 2024 07:25:00.644568920 CET	194.140.117.58	192.168.2.4	f930	(Unknown)	Destination Unreachable

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49797	37.187.23.232	80	7608	C:\Users\user\Desktop\Mcb5K3TOWT.exe

Timestamp	Bytes transferred	Direction	Data
Mar 29, 2024 07:22:30.274970055 CET	198	OUT	Data Raw: 16 03 01 00 c1 01 00 00 bd 03 03 f1 1d a0 fb 51 78 1b 8f 83 92 8e b3 d9 b5 4c 27 e4 8e ee 90 a7 9e 20 5e 46 0b 79 79 31 b6 47 3c 00 00 1c c0 2b c0 2f c0 2c c0 30 c0 0a c0 09 c0 13 c0 14 00 33 00 39 00 2f 00 35 00 0a 00 ff 01 00 00 78 00 00 00 1f Data Ascii: QxL' ^Fyy1G<+/,039/5xwww.ni4uxeeu74g62hibb4.com#
Mar 29, 2024 07:22:30.460635900 CET	1016	IN	Data Raw: 16 03 03 00 39 02 00 00 35 03 03 80 23 de ab 63 b9 a5 ab 4b b5 9c bb cf b6 f6 cd 07 85 9f 02 71 c1 34 bc 44 4f 57 4e 47 52 44 01 00 c0 30 00 00 0d ff 01 00 01 00 00 0b 00 04 03 00 01 02 16 03 03 02 5a 0b 00 02 56 00 02 53 00 02 50 30 82 02 4c 30 Data Ascii: 95#cKq4DOWNGRD0ZVSP0L0F"x0H0'1%0#Uwww.y6ohuswrnh5wnccrnewf.com0240130000000Z240517235959Z0&1$0"Uwww.6zmotagjwt5hschnqx3.net0"0H
Mar 29, 2024 07:22:30.465219975 CET	126	OUT	Data Raw: 16 03 03 00 46 10 00 00 42 41 04 75 7f e5 8b 8e 87 0a 42 25 9d ef 4d 7c b3 f6 c2 13 b1 1c 8e e9 b3 17 07 e6 d5 7c 97 bb 6c e8 f4 83 8c 4d 04 0d da 9c 9d 83 75 ca 5c d0 21 61 f7 31 18 38 b2 df 15 01 e6 8e c6 90 ce 66 1a 22 58 14 03 03 00 01 01 16 Data Ascii: FBAuB%M\|\|lMu\!a18f"X(}8m@;SmGr{'Fq(AU//
Mar 29, 2024 07:22:30.639997005 CET	51	IN	Data Raw: 14 03 03 00 01 01 16 03 03 00 28 ae eb 53 67 1f 70 87 7e c7 33 ee fd 19 d0 22 9e aa ec 5c 5a d1 ab 35 19 ce eb c5 29 c6 59 cb 68 c6 f6 20 0e d1 68 48 a8 Data Ascii: (Sgp~3"\Z5)Yh hH
Mar 29, 2024 07:22:30.742796898 CET	31	IN	Data Raw: 15 03 03 00 1a ae eb 53 67 1f 70 87 7f ae d0 68 75 7e 1b 25 3e d8 52 ff c1 9d b3 06 55 05 b4 Data Ascii: Sgphu~%>RU

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49803	171.25.193.9	80	7608	C:\Users\user\Desktop\Mcb5K3TOWT.exe

Timestamp	Bytes transferred	Direction	Data
Mar 29, 2024 07:22:31.094077110 CET	187	OUT	Data Raw: 16 03 01 00 b6 01 00 00 b2 03 03 61 1f b8 2f 2d 24 ae d7 f3 1d b6 8c 34 70 1f 15 d0 4a f2 e4 66 9e b7 2e 94 8b 52 b2 1c a2 2b 67 00 00 1c c0 2b c0 2f c0 2c c0 30 c0 0a c0 09 c0 13 c0 14 00 33 00 39 00 2f 00 35 00 0a 00 ff 01 00 00 6d 00 00 00 14 Data Ascii: a/-$4pJf.R+g+/,039/5mwww.rdhdnif.com#
Mar 29, 2024 07:22:31.298589945 CET	1003	IN	Data Raw: 16 03 03 00 39 02 00 00 35 03 03 0e bc 29 f3 27 e4 b9 b3 54 a5 36 1d a9 b0 5e 06 49 c8 92 16 39 95 9e e9 44 4f 57 4e 47 52 44 01 00 c0 30 00 00 0d ff 01 00 01 00 00 0b 00 04 03 00 01 02 16 03 03 02 4d 0b 00 02 49 00 02 46 00 02 43 30 82 02 3f 30 Data Ascii: 95)'T6^I9DOWNGRD0MIFC0?0utth0H010Uwww.xzowmjc2o.com0231024000000Z241009000000Z0#1!0Uwww.ljfd3fwwyjrmvlgk.net0"0H0
Mar 29, 2024 07:22:31.302618027 CET	126	OUT	Data Raw: 16 03 03 00 46 10 00 00 42 41 04 76 34 93 30 8e 05 c9 98 0b 88 59 68 b5 a5 72 3f 0b 4c 47 3f cd bb 71 70 be ac f0 59 bb 44 ed 2a 87 ff e7 f8 d1 22 9c f0 d9 8f d5 80 cd 2d 5f f1 f9 35 bc 12 d5 59 a1 4c 10 32 86 28 68 82 bb 4e 14 03 03 00 01 01 16 Data Ascii: FBAv40Yhr?LG?qpYD*"-_5YL2(hN(sP^I&,`!L~DMg@9
Mar 29, 2024 07:22:31.505060911 CET	51	IN	Data Raw: 14 03 03 00 01 01 16 03 03 00 28 41 e8 1e fb 83 68 0f e6 c8 e2 1b 31 6d b1 69 94 23 76 e5 94 95 f8 c1 bf 22 38 fb 20 c6 57 7a 89 8a 9d f3 3b a1 c0 95 d7 Data Ascii: (Ah1mi#v"8 Wz;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49837	171.25.193.9	80	7608	C:\Users\user\Desktop\Mcb5K3TOWT.exe

Timestamp	Bytes transferred	Direction	Data
Mar 29, 2024 07:24:25.457978010 CET	198	OUT	Data Raw: 16 03 01 00 c1 01 00 00 bd 03 03 b0 c1 68 e3 8a d4 6b 10 56 18 fb 92 36 0e 92 55 45 ae b1 db 28 80 52 41 09 51 dd 13 c9 87 4e cb 00 00 1c c0 2b c0 2f c0 2c c0 30 c0 0a c0 09 c0 13 c0 14 00 33 00 39 00 2f 00 35 00 0a 00 ff 01 00 00 78 00 00 00 1f Data Ascii: hkV6UE(RAQN+/,039/5xwww.3dojexpyv2h6ehabxd.com#
Mar 29, 2024 07:24:25.665013075 CET	1003	IN	Data Raw: 16 03 03 00 39 02 00 00 35 03 03 fd a2 9e f4 7c 41 bb dd 96 e6 b5 a3 fa 71 ff 26 f8 4f 83 ba 78 bd 58 e6 44 4f 57 4e 47 52 44 01 00 c0 30 00 00 0d ff 01 00 01 00 00 0b 00 04 03 00 01 02 16 03 03 02 4d 0b 00 02 49 00 02 46 00 02 43 30 82 02 3f 30 Data Ascii: 95\|Aq&OxXDOWNGRD0MIFC0?0utth0H010Uwww.xzowmjc2o.com0231024000000Z241009000000Z0#1!0Uwww.ljfd3fwwyjrmvlgk.net0"0H0
Mar 29, 2024 07:24:25.669730902 CET	126	OUT	Data Raw: 16 03 03 00 46 10 00 00 42 41 04 22 28 cd 66 80 32 49 38 21 9e a1 19 cf 9a 9b 3a d4 b9 af d6 05 1e 46 89 15 1c 81 b9 11 b2 c7 d9 22 29 a3 43 18 78 17 e2 5e 7c ed 6a 40 a3 c1 f2 39 7c a0 94 37 10 db 87 bd 87 0a 36 99 4d 9c f4 14 03 03 00 01 01 16 Data Ascii: FBA"(f2I8!:F")Cx^\|j@9\|76M(Dqmz@z#PM1]97E
Mar 29, 2024 07:24:25.874599934 CET	51	IN	Data Raw: 14 03 03 00 01 01 16 03 03 00 28 61 c9 92 66 71 af 5e 7b 7c a7 21 a0 29 c5 4e 16 d8 16 2d be c2 b2 10 58 b3 a0 c5 0e 03 55 19 5a ad d7 75 24 44 02 07 09 Data Ascii: (afq^{\|!)N-XUZu$D

Target ID:	0
Start time:	07:20:55
Start date:	29/03/2024
Path:	C:\Users\user\Desktop\Mcb5K3TOWT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Mcb5K3TOWT.exe"
Imagebase:	0x400000
File size:	1'981'440 bytes
MD5 hash:	97E5F2C04BAAD060D0169B7D76CFA5DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1631676309.00000000029C8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:20:56
Start date:	29/03/2024
Path:	C:\Users\user\Desktop\Mcb5K3TOWT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Mcb5K3TOWT.exe"
Imagebase:	0x400000
File size:	1'981'440 bytes
MD5 hash:	97E5F2C04BAAD060D0169B7D76CFA5DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:21:06
Start date:	29/03/2024
Path:	C:\ProgramData\Drivers\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Drivers\csrss.exe"
Imagebase:	0x400000
File size:	1'981'440 bytes
MD5 hash:	97E5F2C04BAAD060D0169B7D76CFA5DE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000002.00000002.1734753448.0000000002E00000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs Detection: 44%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:21:06
Start date:	29/03/2024
Path:	C:\ProgramData\Drivers\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Drivers\csrss.exe"
Imagebase:	0x400000
File size:	1'981'440 bytes
MD5 hash:	97E5F2C04BAAD060D0169B7D76CFA5DE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	29.5%
Dynamic/Decrypted Code Coverage:	32.8%
Signature Coverage:	27.6%
Total number of Nodes:	116
Total number of Limit Nodes:	8

Executed Functions

Function 02B90110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 02B90156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 02B9016C
CreateProcessA.KERNELBASE(?,00000000), ref: 02B90255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02B90270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02B90283
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 02B9029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 02B902C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 02B902E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 02B90304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 02B9032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 02B90399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 02B903BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 02B903E1
ResumeThread.KERNELBASE(00000000), ref: 02B903ED
ExitProcess.KERNEL32(00000000), ref: 02B90412

Memory Dump Source

Source File: 00000000.00000002.1631878963.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_Mcb5K3TOWT.jbxd

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 93872480-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: 5d9a7c1e9877f6e4b26ca8327a7f15a9ea5102d9c0d2b7c5ecb6c65281ddd86b
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: BDB1C774A00208AFDB44CF98C895F9EBBB5FF88314F248158E949AB391D771AE41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 029C87C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 029C87EE
Module32First.KERNEL32(00000000,00000224), ref: 029C880E

Memory Dump Source

Source File: 00000000.00000002.1631676309.00000000029C8000.00000040.00000020.00020000.00000000.sdmp, Offset: 029C8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c8000_Mcb5K3TOWT.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 9ff92901d49a3994afedac7e247e70c762ea10b27d1222426a298864b5d25c10
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: A0F096312007116FD7213BF5A88DB6E76ECBF89669F20053CE656E14C0DB70E8454A62

Uniqueness

Uniqueness Score: -1.00%

Function 02B90420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 02B90533

Strings

saodkfnosa9uin, xrefs: 02B904DA
0, xrefs: 02B90492
mfoaskdfnoa, xrefs: 02B90520, 02B90523
d, xrefs: 02B90584

Memory Dump Source

Source File: 00000000.00000002.1631878963.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_Mcb5K3TOWT.jbxd

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: d4f5f4290167dc1e1a042ee580d56e90570a350e9e3aaffe69906b129a111e59
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: 2D511870D08388DAEF11DBE8C849BDDBFB2AF11708F144099D5447F286C3BA5658CB66

Uniqueness

Uniqueness Score: -1.00%

Function 02B905B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 02B905EC

Strings

apfHQ, xrefs: 02B905E2, 02B905E5
o, xrefs: 02B90600

Memory Dump Source

Source File: 00000000.00000002.1631878963.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_Mcb5K3TOWT.jbxd

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 4d4cbf5eac75d55d895bd54d99981dd4afbf4750f5f77d251e3d72cda70cf71e
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: E1011E70C0425CEADF10EB98C5583AEBFB5AF41308F1484EDC4492B242D7769B58CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 029C8485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 029C84D6

Memory Dump Source

Source File: 00000000.00000002.1631676309.00000000029C8000.00000040.00000020.00020000.00000000.sdmp, Offset: 029C8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c8000_Mcb5K3TOWT.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: aa787997646e6918743ab39499fe07a6c366d0f1086e9154c1211f4367acc7df
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 43113C79A00208EFDB01DF98C985E99BBF5AF08351F1580A4F9489B361D371EA90DF81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408B8C Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00408C1E,00412378,00000001,?,00408D35,00412378,00000017), ref: 00408B91
UnhandledExceptionFilter.KERNEL32(00412378,?,00408C1E,00412378,00000001,?,00408D35,00412378,00000017), ref: 00408B9A

Memory Dump Source

Source File: 00000000.00000002.1630767382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1630748792.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630781485.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630889446.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630949393.0000000000418000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630949393.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631196231.00000000005DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631196231.0000000000C83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631393059.0000000000C85000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mcb5K3TOWT.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4f6bf54deb8ceaeae4aff51af1cb8250d22e34f1a483baa8fc3972d3a1b88e1a
Instruction ID: e52052bfb3cb61cf75e2bddbb0a1e6d6fcf4c2d3658885ae81a692bca33f4cad
Opcode Fuzzy Hash: 4f6bf54deb8ceaeae4aff51af1cb8250d22e34f1a483baa8fc3972d3a1b88e1a
Instruction Fuzzy Hash: EBB09231084208BBCB402F91EC09BCC3F28EB04752F008020FA0D84070CBB754908A99

Uniqueness

Uniqueness Score: -1.00%

Function 004080CC Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00403C99,00415CF8,00000014), ref: 004080CC

Memory Dump Source

Source File: 00000000.00000002.1630767382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1630748792.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630781485.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630889446.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630949393.0000000000418000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630949393.000000000041C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631196231.00000000005DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631196231.0000000000C83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631393059.0000000000C85000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mcb5K3TOWT.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 3d1555dcc6185ba67351b9e25629ef51310d6c7d4bb7f57b8f8e41bf3758f2b7
Instruction ID: 33325b281f4a055e15f9279f33d7c1754b98b79ed80d7265be70cd26c338bd62
Opcode Fuzzy Hash: 3d1555dcc6185ba67351b9e25629ef51310d6c7d4bb7f57b8f8e41bf3758f2b7
Instruction Fuzzy Hash: 7EB012B03061024787080B397C140493BE8971C301310C03FB003C6160DF71C450FF04

Uniqueness

Uniqueness Score: -1.00%

Function 029C80A3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1631676309.00000000029C8000.00000040.00000020.00020000.00000000.sdmp, Offset: 029C8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c8000_Mcb5K3TOWT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 2cdca17698a18aee3c747e7446ac7d8df66b61bf5ebfd335f7ffe3b638db122b
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: AF117CB2340100AFD754DE55DC80EA673EAFB89264B298169ED08CB312D676E842CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02B90042 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1631878963.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_Mcb5K3TOWT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 2241e444824a3cdbc3e05b7e1b7cd7c2b7eb50c8c3f067c697478a93873ba0b8
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 6D118E72340104AFEB54EF65DC91FA673EAEB88320B1985A5ED08CB311D676E841CB60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Mcb5K3TOWT.exePID: 7608, Parent PID: 7592COMMON

Execution Graph

Execution Coverage:	15.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	27
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00694A87 Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___sbh_find_block.LIBCMT ref: 00694AB0
___sbh_free_block.LIBCMT ref: 00694ABF
RtlFreeHeap.NTDLL(00000000,?,0081B8C0,0000000C,00695999,00000000,?,?,006959B0,?,006C5FF8,0081C690,0000000C,006C60AA,?,00000000), ref: 00694AEF
GetLastError.KERNEL32(?,?,006959B0,?,006C5FF8,0081C690,0000000C,006C60AA,?,00000000), ref: 00694B00

Memory Dump Source

Source File: 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4085798664.0000000000824000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.4085798664.000000000083C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.4085798664.0000000000843000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcb5K3TOWT.jbxd

Similarity

API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block
String ID:
API String ID: 2661975262-0
Opcode ID: 78909d6c4936e91804b8b1daa8b3149c3f077c8927f69aac5a87e0b9846f729e
Instruction ID: d2f168f1c234fbc1eb0db84b56c896eb6ac808ee96d716f7e41c0537d1ba3495
Opcode Fuzzy Hash: 78909d6c4936e91804b8b1daa8b3149c3f077c8927f69aac5a87e0b9846f729e
Instruction Fuzzy Hash: E501A271945301AADF60BF74AC06F9F3B6EAF00765F10000DF510A6A99CE788A42DA68

Uniqueness

Uniqueness Score: -1.00%

Function 006C5FE7 Relevance: 4.5, APIs: 3, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 006C5FF3

Part of subcall function 006959A8: __getptd_noexit.LIBCMT ref: 006959AB
Part of subcall function 006959A8: __amsg_exit.LIBCMT ref: 006959B8

__endthreadex.LIBCMT ref: 006C6003

Part of subcall function 006C5FAA: __IsNonwritableInCurrentImage.LIBCMT ref: 006C5FBD
Part of subcall function 006C5FAA: __getptd_noexit.LIBCMT ref: 006C5FCD
Part of subcall function 006C5FAA: __freeptd.LIBCMT ref: 006C5FD7
Part of subcall function 006C5FAA: RtlExitUserThread.NTDLL(?,?,006C6008,00000000), ref: 006C5FE0
Part of subcall function 006C5FAA: __XcptFilter.LIBCMT ref: 006C6014

Memory Dump Source

Source File: 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4085798664.0000000000824000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.4085798664.000000000083C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.4085798664.0000000000843000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcb5K3TOWT.jbxd

Similarity

API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadUserXcpt__amsg_exit__endthreadex__freeptd__getptd
String ID:
API String ID: 1003287236-0
Opcode ID: a89283c4aba3c99d0b47ffbdad6a7f8d104b49c00d8e382c7f34c9978f4e5ab4
Instruction ID: d5ace2e70bc2d3c52d8088d9385be9d0b72b17dae02ad738aec28fd26f28fbfb
Opcode Fuzzy Hash: a89283c4aba3c99d0b47ffbdad6a7f8d104b49c00d8e382c7f34c9978f4e5ab4
Instruction Fuzzy Hash: 65E0ECB5954605DFEB58ABA0C806E7E776AEF48311F20404CF1029B6A2CA75A984DF25

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00694A78 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 006999D2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006999E7
UnhandledExceptionFilter.KERNEL32(006D9C6C), ref: 006999F2
GetCurrentProcess.KERNEL32(C0000409), ref: 00699A0E
TerminateProcess.KERNEL32(00000000), ref: 00699A15

Memory Dump Source

Source File: 00000001.00000002.4085798664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4085798664.0000000000824000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.4085798664.000000000083C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.4085798664.0000000000843000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcb5K3TOWT.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 5e4f057abdc76eb51c15de7ff52c5ade2ab544b117bf26ad20e1fd5a877e97fd
Instruction ID: dcde4617195335d5d3c577808627ec0208f30a12f7e2c262b8b14ad4a69ab474
Opcode Fuzzy Hash: 5e4f057abdc76eb51c15de7ff52c5ade2ab544b117bf26ad20e1fd5a877e97fd
Instruction Fuzzy Hash: F021E0B4902305DFCB91DF69FD856447BA9FB88360F10681AF509833A0EFB059828F35

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: csrss.exePID: 7708, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	41%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	38
Total number of Limit Nodes:	7

Executed Functions

Function 03000110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 03000156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0300016C
CreateProcessA.KERNELBASE(?,00000000), ref: 03000255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03000270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 03000283
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 0300029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 030002C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 030002E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 03000304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0300032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 03000399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 030003BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 030003E1
ResumeThread.KERNELBASE(00000000), ref: 030003ED
ExitProcess.KERNEL32(00000000), ref: 03000412

Memory Dump Source

Source File: 00000002.00000002.1734991226.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3000000_csrss.jbxd

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 93872480-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: bb32e2d3f378a2993ecdf83059871761ad2cc77ba5f6c531f54e5d0fb7ae7451
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 90B1C674A00208AFDB44CF98C895F9EBBB5FF88314F248158E909AB391D771AE41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 03000420 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 113
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterClassExA.USER32(00000030), ref: 030004F1
CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 03000533

Strings

saodkfnosa9uin, xrefs: 030004DA
d, xrefs: 03000584
mfoaskdfnoa, xrefs: 03000520, 03000523
0, xrefs: 03000492

Memory Dump Source

Source File: 00000002.00000002.1734991226.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3000000_csrss.jbxd

Similarity

API ID: ClassCreateRegisterWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 3469048531-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: 9d3d329dc880da19d927fd10f8c42b401eff69219da075dd66ec8aaa58c0f061
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: 89512A70D08388DAEB11CBD8C849BDEBFB66F11708F144198D5447F2C6C7BA5658CB66

Uniqueness

Uniqueness Score: -1.00%

Function 030005B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 030005EC

Strings

apfHQ, xrefs: 030005E2, 030005E5
o, xrefs: 03000600

Memory Dump Source

Source File: 00000002.00000002.1734991226.0000000003000000.00000040.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3000000_csrss.jbxd

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 5a201e8c4c49413711f6915e882a7f9278a509531207c6ebdf1b0a4f05906eb4
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: 67011E70C0524CEAEB10DB98C5183EEBFB5AF41308F188099C4092B281D7769B58CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E007A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02E007CE
Module32First.KERNEL32(00000000,00000224), ref: 02E007EE

Memory Dump Source

Source File: 00000002.00000002.1734753448.0000000002E00000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e00000_csrss.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 2dd8554805baaf626c84f68e0cc07822041983bbe2015a1e229fcd261847b95f
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 32F096311417156FD7203BF5D8CCB6F76E8AF49769F145528E643910C0DB74F8864E61

Uniqueness

Uniqueness Score: -1.00%

Function 02E00465 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02E004B6

Memory Dump Source

Source File: 00000002.00000002.1734753448.0000000002E00000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e00000_csrss.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: b8462103caf9d0de1f885c711bf519752d41638162d9b2a7d6760224f4e27ea4
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 14113C79A40208EFDB01DF98C985E98BBF5AF08351F05C094F9489B361D775EA90DF80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: csrss.exePID: 7724, Parent PID: 7708COMMON

Executed Functions

Function 006C5FE7 Relevance: 4.5, APIs: 3, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 006C5FF3

Part of subcall function 006959A8: __getptd_noexit.LIBCMT ref: 006959AB
Part of subcall function 006959A8: __amsg_exit.LIBCMT ref: 006959B8

__endthreadex.LIBCMT ref: 006C6003

Part of subcall function 006C5FAA: __IsNonwritableInCurrentImage.LIBCMT ref: 006C5FBD
Part of subcall function 006C5FAA: __getptd_noexit.LIBCMT ref: 006C5FCD
Part of subcall function 006C5FAA: __freeptd.LIBCMT ref: 006C5FD7
Part of subcall function 006C5FAA: RtlExitUserThread.NTDLL(?,?,006C6008,00000000), ref: 006C5FE0
Part of subcall function 006C5FAA: __XcptFilter.LIBCMT ref: 006C6014

Memory Dump Source

Source File: 00000003.00000002.4085831673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4085831673.0000000000824000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4085831673.000000000083D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4085831673.0000000000843000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_csrss.jbxd

Similarity

API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadUserXcpt__amsg_exit__endthreadex__freeptd__getptd
String ID:
API String ID: 1003287236-0
Opcode ID: a89283c4aba3c99d0b47ffbdad6a7f8d104b49c00d8e382c7f34c9978f4e5ab4
Instruction ID: d5ace2e70bc2d3c52d8088d9385be9d0b72b17dae02ad738aec28fd26f28fbfb
Opcode Fuzzy Hash: a89283c4aba3c99d0b47ffbdad6a7f8d104b49c00d8e382c7f34c9978f4e5ab4
Instruction Fuzzy Hash: 65E0ECB5954605DFEB58ABA0C806E7E776AEF48311F20404CF1029B6A2CA75A984DF25

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Mcb5K3TOWT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Drivers\csrss.exe

C:\Users\user\AppData\Local\Temp\4KPV6A~1\state (copy)

C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\state.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

ICMP Packets

HTTP Packets

Windows Analysis Report
Mcb5K3TOWT.exe

Function 02B90110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Function 029C87C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02B90420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Function 02B905B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Function 029C8485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Function 00408B8C Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 00694A87 Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMONLIBRARYCODE

Function 006C5FE7 Relevance: 4.5, APIs: 3, Instructions: 19
COMMONLIBRARYCODE

Function 00694A78 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Function 03000110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Function 03000420 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 113
registryCOMMON

Function 030005B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Function 02E007A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02E00465 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON