Edit tour

Windows Analysis Report
Updater.dll.dll

Overview

General Information

Sample name:	Updater.dll.dll (renamed file extension from exe to dll)
Original sample name:	Updater.dll.exe
Analysis ID:	1541407
MD5:	80cd37d9eb33507bf054f32ce2380b09
SHA1:	6e8d57dde537ace0639931569ae2b04b9cb99a26
SHA256:	f47144c7159be31d8116fdc36b66cb72c917cd91a4bbe9eaa55dec929c1cffdd
Tags:	exeuser-pr0xylife
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Found evasive API chain (may stop execution after checking mutex)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 5812 cmdline: loaddll64.exe "C:\Users\user\Desktop\Updater.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 1172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5836 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 2668 cmdline: rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

regsvr32.exe (PID: 5820 cmdline: regsvr32.exe /s C:\Users\user\Desktop\Updater.dll.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

rundll32.exe (PID: 3356 cmdline: rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllGetClassObject MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6972 cmdline: rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 3876 cmdline: rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServerEx MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5312 cmdline: C:\Windows\system32\rundll32.exe "C:\ProgramData\Talespin\Updater.dll",Start /u MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 4404 cmdline: C:\Windows\system32\rundll32.exe "C:\ProgramData\Ventuso LLC\Updater.dll",Start /u MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 3788 cmdline: C:\Windows\system32\rundll32.exe "C:\ProgramData\SnapMobile\Updater.dll",Start /u MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5700 cmdline: C:\Windows\system32\rundll32.exe "C:\ProgramData\Spiralogics\Updater.dll",Start /u MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5660 cmdline: C:\Windows\system32\rundll32.exe "C:\ProgramData\Spiralogics\Updater.dll",Start /u MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T19:49:00.899395+0200	2028765	3	Unknown Traffic	192.168.2.5	49704	185.161.251.26	443	TCP
2024-10-24T19:49:01.948338+0200	2028765	3	Unknown Traffic	192.168.2.5	49705	185.161.251.26	443	TCP
2024-10-24T19:49:03.011817+0200	2028765	3	Unknown Traffic	192.168.2.5	49706	185.161.251.26	443	TCP
2024-10-24T19:49:03.991564+0200	2028765	3	Unknown Traffic	192.168.2.5	49707	185.161.251.26	443	TCP
2024-10-24T19:49:04.959311+0200	2028765	3	Unknown Traffic	192.168.2.5	49708	185.161.251.26	443	TCP
2024-10-24T19:49:06.072096+0200	2028765	3	Unknown Traffic	192.168.2.5	49709	185.161.251.26	443	TCP
2024-10-24T19:49:07.059496+0200	2028765	3	Unknown Traffic	192.168.2.5	49710	185.161.251.26	443	TCP
2024-10-24T19:49:08.049935+0200	2028765	3	Unknown Traffic	192.168.2.5	49711	185.161.251.26	443	TCP
2024-10-24T19:49:09.058832+0200	2028765	3	Unknown Traffic	192.168.2.5	49712	185.161.251.26	443	TCP
2024-10-24T19:49:10.978848+0200	2028765	3	Unknown Traffic	192.168.2.5	49713	185.161.251.26	443	TCP
2024-10-24T19:49:12.409813+0200	2028765	3	Unknown Traffic	192.168.2.5	49714	185.161.251.26	443	TCP
2024-10-24T19:49:13.405175+0200	2028765	3	Unknown Traffic	192.168.2.5	49715	185.161.251.26	443	TCP
2024-10-24T19:49:14.373445+0200	2028765	3	Unknown Traffic	192.168.2.5	49716	185.161.251.26	443	TCP
2024-10-24T19:49:15.375550+0200	2028765	3	Unknown Traffic	192.168.2.5	49719	185.161.251.26	443	TCP
2024-10-24T19:49:16.365682+0200	2028765	3	Unknown Traffic	192.168.2.5	49722	185.161.251.26	443	TCP
2024-10-24T19:49:17.360914+0200	2028765	3	Unknown Traffic	192.168.2.5	49729	185.161.251.26	443	TCP
2024-10-24T19:49:18.364532+0200	2028765	3	Unknown Traffic	192.168.2.5	49736	185.161.251.26	443	TCP
2024-10-24T19:49:19.325587+0200	2028765	3	Unknown Traffic	192.168.2.5	49742	185.161.251.26	443	TCP
2024-10-24T19:49:20.300743+0200	2028765	3	Unknown Traffic	192.168.2.5	49743	185.161.251.26	443	TCP
2024-10-24T19:49:21.271466+0200	2028765	3	Unknown Traffic	192.168.2.5	49754	185.161.251.26	443	TCP
2024-10-24T19:49:22.366829+0200	2028765	3	Unknown Traffic	192.168.2.5	49760	185.161.251.26	443	TCP
2024-10-24T19:49:23.322165+0200	2028765	3	Unknown Traffic	192.168.2.5	49761	185.161.251.26	443	TCP
2024-10-24T19:49:24.343933+0200	2028765	3	Unknown Traffic	192.168.2.5	49772	185.161.251.26	443	TCP
2024-10-24T19:49:25.407185+0200	2028765	3	Unknown Traffic	192.168.2.5	49778	185.161.251.26	443	TCP
2024-10-24T19:49:26.378565+0200	2028765	3	Unknown Traffic	192.168.2.5	49784	185.161.251.26	443	TCP
2024-10-24T19:49:27.340977+0200	2028765	3	Unknown Traffic	192.168.2.5	49790	185.161.251.26	443	TCP
2024-10-24T19:49:28.310365+0200	2028765	3	Unknown Traffic	192.168.2.5	49796	185.161.251.26	443	TCP
2024-10-24T19:49:30.096576+0200	2028765	3	Unknown Traffic	192.168.2.5	49802	185.161.251.26	443	TCP
2024-10-24T19:49:31.305050+0200	2028765	3	Unknown Traffic	192.168.2.5	49808	185.161.251.26	443	TCP
2024-10-24T19:49:32.416309+0200	2028765	3	Unknown Traffic	192.168.2.5	57967	185.161.251.26	443	TCP
2024-10-24T19:49:33.410028+0200	2028765	3	Unknown Traffic	192.168.2.5	57974	185.161.251.26	443	TCP
2024-10-24T19:49:34.410616+0200	2028765	3	Unknown Traffic	192.168.2.5	57981	185.161.251.26	443	TCP
2024-10-24T19:49:35.794624+0200	2028765	3	Unknown Traffic	192.168.2.5	57987	185.161.251.26	443	TCP
2024-10-24T19:49:36.759676+0200	2028765	3	Unknown Traffic	192.168.2.5	57989	185.161.251.26	443	TCP
2024-10-24T19:49:37.719105+0200	2028765	3	Unknown Traffic	192.168.2.5	57995	185.161.251.26	443	TCP
2024-10-24T19:49:38.683182+0200	2028765	3	Unknown Traffic	192.168.2.5	58002	185.161.251.26	443	TCP
2024-10-24T19:49:39.664307+0200	2028765	3	Unknown Traffic	192.168.2.5	58010	185.161.251.26	443	TCP
2024-10-24T19:49:40.630468+0200	2028765	3	Unknown Traffic	192.168.2.5	58019	185.161.251.26	443	TCP
2024-10-24T19:49:41.593084+0200	2028765	3	Unknown Traffic	192.168.2.5	58025	185.161.251.26	443	TCP
2024-10-24T19:49:42.575029+0200	2028765	3	Unknown Traffic	192.168.2.5	58031	185.161.251.26	443	TCP
2024-10-24T19:49:43.545521+0200	2028765	3	Unknown Traffic	192.168.2.5	58037	185.161.251.26	443	TCP
2024-10-24T19:49:44.534315+0200	2028765	3	Unknown Traffic	192.168.2.5	58043	185.161.251.26	443	TCP
2024-10-24T19:49:45.498957+0200	2028765	3	Unknown Traffic	192.168.2.5	58048	185.161.251.26	443	TCP
2024-10-24T19:49:46.471251+0200	2028765	3	Unknown Traffic	192.168.2.5	58054	185.161.251.26	443	TCP
2024-10-24T19:49:47.437813+0200	2028765	3	Unknown Traffic	192.168.2.5	58060	185.161.251.26	443	TCP
2024-10-24T19:49:48.415894+0200	2028765	3	Unknown Traffic	192.168.2.5	58066	185.161.251.26	443	TCP
2024-10-24T19:49:49.539946+0200	2028765	3	Unknown Traffic	192.168.2.5	58072	185.161.251.26	443	TCP
2024-10-24T19:49:50.492893+0200	2028765	3	Unknown Traffic	192.168.2.5	58078	185.161.251.26	443	TCP
2024-10-24T19:49:51.447564+0200	2028765	3	Unknown Traffic	192.168.2.5	58084	185.161.251.26	443	TCP
2024-10-24T19:49:52.415591+0200	2028765	3	Unknown Traffic	192.168.2.5	58090	185.161.251.26	443	TCP
2024-10-24T19:49:53.371842+0200	2028765	3	Unknown Traffic	192.168.2.5	58096	185.161.251.26	443	TCP
2024-10-24T19:49:54.338170+0200	2028765	3	Unknown Traffic	192.168.2.5	58102	185.161.251.26	443	TCP
2024-10-24T19:49:55.342056+0200	2028765	3	Unknown Traffic	192.168.2.5	58108	185.161.251.26	443	TCP
2024-10-24T19:49:56.428505+0200	2028765	3	Unknown Traffic	192.168.2.5	58114	185.161.251.26	443	TCP
2024-10-24T19:49:57.414640+0200	2028765	3	Unknown Traffic	192.168.2.5	58120	185.161.251.26	443	TCP
2024-10-24T19:49:58.441342+0200	2028765	3	Unknown Traffic	192.168.2.5	58126	185.161.251.26	443	TCP
2024-10-24T19:49:59.412170+0200	2028765	3	Unknown Traffic	192.168.2.5	58135	185.161.251.26	443	TCP
2024-10-24T19:50:00.420896+0200	2028765	3	Unknown Traffic	192.168.2.5	58141	185.161.251.26	443	TCP
2024-10-24T19:50:01.539046+0200	2028765	3	Unknown Traffic	192.168.2.5	58147	185.161.251.26	443	TCP
2024-10-24T19:50:02.497580+0200	2028765	3	Unknown Traffic	192.168.2.5	58153	185.161.251.26	443	TCP
2024-10-24T19:50:03.467001+0200	2028765	3	Unknown Traffic	192.168.2.5	58159	185.161.251.26	443	TCP
2024-10-24T19:50:04.430877+0200	2028765	3	Unknown Traffic	192.168.2.5	58165	185.161.251.26	443	TCP
2024-10-24T19:50:05.390712+0200	2028765	3	Unknown Traffic	192.168.2.5	58171	185.161.251.26	443	TCP
2024-10-24T19:50:06.354408+0200	2028765	3	Unknown Traffic	192.168.2.5	58179	185.161.251.26	443	TCP
2024-10-24T19:50:07.331735+0200	2028765	3	Unknown Traffic	192.168.2.5	58185	185.161.251.26	443	TCP
2024-10-24T19:50:08.301140+0200	2028765	3	Unknown Traffic	192.168.2.5	58190	185.161.251.26	443	TCP
2024-10-24T19:50:09.271104+0200	2028765	3	Unknown Traffic	192.168.2.5	58196	185.161.251.26	443	TCP
2024-10-24T19:50:10.235676+0200	2028765	3	Unknown Traffic	192.168.2.5	58198	185.161.251.26	443	TCP
2024-10-24T19:50:11.201944+0200	2028765	3	Unknown Traffic	192.168.2.5	58199	185.161.251.26	443	TCP
2024-10-24T19:50:12.199367+0200	2028765	3	Unknown Traffic	192.168.2.5	58200	185.161.251.26	443	TCP
2024-10-24T19:50:13.195053+0200	2028765	3	Unknown Traffic	192.168.2.5	58201	185.161.251.26	443	TCP
2024-10-24T19:50:14.180027+0200	2028765	3	Unknown Traffic	192.168.2.5	58202	185.161.251.26	443	TCP
2024-10-24T19:50:15.179785+0200	2028765	3	Unknown Traffic	192.168.2.5	58203	185.161.251.26	443	TCP
2024-10-24T19:50:16.155779+0200	2028765	3	Unknown Traffic	192.168.2.5	58204	185.161.251.26	443	TCP
2024-10-24T19:50:17.765365+0200	2028765	3	Unknown Traffic	192.168.2.5	58205	185.161.251.26	443	TCP
2024-10-24T19:50:18.752250+0200	2028765	3	Unknown Traffic	192.168.2.5	58206	185.161.251.26	443	TCP
2024-10-24T19:50:19.734396+0200	2028765	3	Unknown Traffic	192.168.2.5	58207	185.161.251.26	443	TCP
2024-10-24T19:50:20.713865+0200	2028765	3	Unknown Traffic	192.168.2.5	58208	185.161.251.26	443	TCP
2024-10-24T19:50:21.698888+0200	2028765	3	Unknown Traffic	192.168.2.5	58209	185.161.251.26	443	TCP
2024-10-24T19:50:22.689487+0200	2028765	3	Unknown Traffic	192.168.2.5	58210	185.161.251.26	443	TCP
2024-10-24T19:50:23.660369+0200	2028765	3	Unknown Traffic	192.168.2.5	58211	185.161.251.26	443	TCP
2024-10-24T19:50:24.639333+0200	2028765	3	Unknown Traffic	192.168.2.5	58212	185.161.251.26	443	TCP
2024-10-24T19:50:25.620713+0200	2028765	3	Unknown Traffic	192.168.2.5	58213	185.161.251.26	443	TCP
2024-10-24T19:50:26.586957+0200	2028765	3	Unknown Traffic	192.168.2.5	58214	185.161.251.26	443	TCP
2024-10-24T19:50:27.706233+0200	2028765	3	Unknown Traffic	192.168.2.5	58215	185.161.251.26	443	TCP
2024-10-24T19:50:28.779052+0200	2028765	3	Unknown Traffic	192.168.2.5	58216	185.161.251.26	443	TCP
2024-10-24T19:50:29.767683+0200	2028765	3	Unknown Traffic	192.168.2.5	58217	185.161.251.26	443	TCP
2024-10-24T19:50:30.922660+0200	2028765	3	Unknown Traffic	192.168.2.5	58218	185.161.251.26	443	TCP
2024-10-24T19:50:31.939020+0200	2028765	3	Unknown Traffic	192.168.2.5	58219	185.161.251.26	443	TCP
2024-10-24T19:50:32.915001+0200	2028765	3	Unknown Traffic	192.168.2.5	58220	185.161.251.26	443	TCP
2024-10-24T19:50:33.879114+0200	2028765	3	Unknown Traffic	192.168.2.5	58221	185.161.251.26	443	TCP
2024-10-24T19:50:34.856993+0200	2028765	3	Unknown Traffic	192.168.2.5	58222	185.161.251.26	443	TCP
2024-10-24T19:50:35.839053+0200	2028765	3	Unknown Traffic	192.168.2.5	58223	185.161.251.26	443	TCP
2024-10-24T19:50:36.952435+0200	2028765	3	Unknown Traffic	192.168.2.5	58224	185.161.251.26	443	TCP
2024-10-24T19:50:38.297261+0200	2028765	3	Unknown Traffic	192.168.2.5	58225	185.161.251.26	443	TCP
2024-10-24T19:50:39.261316+0200	2028765	3	Unknown Traffic	192.168.2.5	58226	185.161.251.26	443	TCP
2024-10-24T19:50:40.221033+0200	2028765	3	Unknown Traffic	192.168.2.5	58227	185.161.251.26	443	TCP
2024-10-24T19:50:41.270329+0200	2028765	3	Unknown Traffic	192.168.2.5	58228	185.161.251.26	443	TCP
2024-10-24T19:50:43.718408+0200	2028765	3	Unknown Traffic	192.168.2.5	58229	185.161.251.26	443	TCP
2024-10-24T19:50:45.223638+0200	2028765	3	Unknown Traffic	192.168.2.5	58230	185.161.251.26	443	TCP
2024-10-24T19:50:46.192999+0200	2028765	3	Unknown Traffic	192.168.2.5	58231	185.161.251.26	443	TCP
2024-10-24T19:50:47.158624+0200	2028765	3	Unknown Traffic	192.168.2.5	58232	185.161.251.26	443	TCP
2024-10-24T19:50:49.153766+0200	2028765	3	Unknown Traffic	192.168.2.5	58233	185.161.251.26	443	TCP
2024-10-24T19:50:50.130036+0200	2028765	3	Unknown Traffic	192.168.2.5	58234	185.161.251.26	443	TCP
2024-10-24T19:50:51.109720+0200	2028765	3	Unknown Traffic	192.168.2.5	58235	185.161.251.26	443	TCP
2024-10-24T19:50:52.098829+0200	2028765	3	Unknown Traffic	192.168.2.5	58236	185.161.251.26	443	TCP
2024-10-24T19:50:53.088713+0200	2028765	3	Unknown Traffic	192.168.2.5	58237	185.161.251.26	443	TCP
2024-10-24T19:50:54.070886+0200	2028765	3	Unknown Traffic	192.168.2.5	58238	185.161.251.26	443	TCP
2024-10-24T19:50:55.040145+0200	2028765	3	Unknown Traffic	192.168.2.5	58239	185.161.251.26	443	TCP
2024-10-24T19:50:56.022146+0200	2028765	3	Unknown Traffic	192.168.2.5	58240	185.161.251.26	443	TCP
2024-10-24T19:50:57.009618+0200	2028765	3	Unknown Traffic	192.168.2.5	58241	185.161.251.26	443	TCP
2024-10-24T19:50:58.269469+0200	2028765	3	Unknown Traffic	192.168.2.5	58242	185.161.251.26	443	TCP
2024-10-24T19:50:59.272123+0200	2028765	3	Unknown Traffic	192.168.2.5	58243	185.161.251.26	443	TCP
2024-10-24T19:51:00.232682+0200	2028765	3	Unknown Traffic	192.168.2.5	58244	185.161.251.26	443	TCP
2024-10-24T19:51:02.280272+0200	2028765	3	Unknown Traffic	192.168.2.5	58245	185.161.251.26	443	TCP
2024-10-24T19:51:03.274548+0200	2028765	3	Unknown Traffic	192.168.2.5	58246	185.161.251.26	443	TCP

Code function: 7_2_00007FF8B8F71C40 LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,SetLastError,HttpSendRequestW,GetLastError,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

7_2_00007FF8B8F71C40

Source: global traffic

DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: rundll32.exe, 00000007.00000002.3297802931.0000015144241000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2945698785.0000015144266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/
Source: rundll32.exe, 00000007.00000002.3297474319.00000151441B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/(
Source: rundll32.exe, 00000007.00000003.3027867820.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/0
Source: rundll32.exe, 00000007.00000003.2956428842.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2967607764.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2977904730.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/0J#DQ
Source: rundll32.exe, 00000007.00000003.2956428842.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/0Y#DQ
Source: rundll32.exe, 00000007.00000003.2381677338.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2369713552.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/161.251.26/
Source: rundll32.exe, 00000007.00000003.2159208682.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/5
Source: rundll32.exe, 00000007.00000003.2935954962.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/7
Source: rundll32.exe, 00000007.00000003.2149114154.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2159208682.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/;~
Source: rundll32.exe, 00000007.00000003.3179742057.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/G
Source: rundll32.exe, 00000007.00000003.2222366885.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2212351056.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2149114154.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2159208682.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2088598849.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2232539180.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2192829265.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/K
Source: rundll32.exe, 00000007.00000002.3297474319.00000151441B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/L
Source: rundll32.exe, 00000007.00000002.3297802931.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/LMEM
Source: rundll32.exe, 00000007.00000003.2392771122.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2402775016.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2381677338.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/P
Source: rundll32.exe, 00000007.00000003.3027867820.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3179742057.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/PW#DQ
Source: rundll32.exe, 00000007.00000003.2222366885.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2935954962.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2232539180.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2945959181.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/T
Source: rundll32.exe, 00000007.00000003.2149114154.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2159208682.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/Y
Source: rundll32.exe, 00000007.00000003.2392771122.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2402775016.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2381677338.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2369713552.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2192829265.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/aenh.dll
Source: rundll32.exe, 00000007.00000003.2232539180.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/aenh.dll(DQ
Source: rundll32.exe, 00000007.00000003.2222366885.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2212351056.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2381677338.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2192829265.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/gits
Source: rundll32.exe, 00000007.00000003.2935954962.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2945959181.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/k
Source: rundll32.exe, 00000007.00000003.2956428842.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2149114154.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2967607764.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3179742057.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/nd
Source: rundll32.exe, 00000007.00000003.3027867820.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/nh.dllD
Source: rundll32.exe, 00000007.00000002.3297802931.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/o
Source: rundll32.exe, 00000007.00000003.2381677338.0000015144266000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2966352070.0000015144266000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2977904730.0000015144266000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2956428842.0000015144266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/ography
Source: rundll32.exe, 00000007.00000003.2149114154.0000015144266000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/r
Source: rundll32.exe, 00000007.00000003.2780780539.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3027867820.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3297802931.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3179742057.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/s
Source: rundll32.exe, 00000007.00000003.2192829265.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2945959181.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/vider
Source: rundll32.exe, 00000007.00000003.2392771122.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2369713552.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/viderG
Source: rundll32.exe, 00000007.00000003.2232539180.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/viderY
Source: rundll32.exe, 00000007.00000003.2392771122.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2402775016.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3297802931.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/viderw
Source: rundll32.exe, 00000007.00000003.2780780539.0000015144279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/w

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 58031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 58220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58219
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58216
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58215
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58218
Source: unknown	Network traffic detected: HTTP traffic on port 58019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58217
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58102
Source: unknown	Network traffic detected: HTTP traffic on port 58208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58223
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58222
Source: unknown	Network traffic detected: HTTP traffic on port 57989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58225
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58224
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58221
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58220
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58227
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58229
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58228
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58234
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58236
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58114
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58235
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58230
Source: unknown	Network traffic detected: HTTP traffic on port 57995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58231 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58231
Source: unknown	Network traffic detected: HTTP traffic on port 58048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 58214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 58226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58238
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58239
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58245
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58244
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58120
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58241
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58240
Source: unknown	Network traffic detected: HTTP traffic on port 58232 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 58078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58135 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58135
Source: unknown	Network traffic detected: HTTP traffic on port 58090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58010
Source: unknown	Network traffic detected: HTTP traffic on port 58237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 58209 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 58084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 58025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 58096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58215 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 58221 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 58238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 58216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58239 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58201
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58200
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58202
Source: unknown	Network traffic detected: HTTP traffic on port 58179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 58244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58209
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58208
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58205
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58212
Source: unknown	Network traffic detected: HTTP traffic on port 58233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58211
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58213
Source: unknown	Network traffic detected: HTTP traffic on port 58205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58210
Source: unknown	Network traffic detected: HTTP traffic on port 58211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58185
Source: unknown	Network traffic detected: HTTP traffic on port 58102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58066
Source: unknown	Network traffic detected: HTTP traffic on port 58234 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58060
Source: unknown	Network traffic detected: HTTP traffic on port 58246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58196
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58199
Source: unknown	Network traffic detected: HTTP traffic on port 58228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58190
Source: unknown	Network traffic detected: HTTP traffic on port 58245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58084
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 58223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 58212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58096
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58090
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57967
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58019
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58147
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58141
Source: unknown	Network traffic detected: HTTP traffic on port 58230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57974
Source: unknown	Network traffic detected: HTTP traffic on port 58147 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58159
Source: unknown	Network traffic detected: HTTP traffic on port 58199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58126 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58037
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58153
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58031
Source: unknown	Network traffic detected: HTTP traffic on port 58207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 58235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 58241 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57989
Source: unknown	Network traffic detected: HTTP traffic on port 58010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57987
Source: unknown	Network traffic detected: HTTP traffic on port 58037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58048
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58043
Source: unknown	Network traffic detected: HTTP traffic on port 58236 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58165
Source: unknown	Network traffic detected: HTTP traffic on port 58213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58120 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58171
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58159 -> 443

Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57967 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57974 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:57995 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58043 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58048 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58060 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58072 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58078 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58084 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58090 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58096 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58102 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58108 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58114 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58120 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58126 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58135 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58141 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58147 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58153 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58159 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58179 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58185 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58190 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58196 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58198 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58199 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58200 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58201 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58202 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58203 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58204 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58205 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58206 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58207 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58208 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58209 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58210 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58211 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58212 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58213 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58214 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58215 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58216 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58217 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58218 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58219 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58220 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58221 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58222 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58223 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58224 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58225 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58226 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58227 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58228 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58229 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58230 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58231 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58232 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58233 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58234 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58235 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58236 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58237 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58238 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58239 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58240 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58241 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58242 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58243 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58244 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58245 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:58246 version: TLS 1.2

Source: C:\Windows\System32\loaddll64.exe	File created: C:\Windows\Tasks\Spiralogics.job	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\Tasks\Talespin.job	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\Tasks\Ventuso LLC.job	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\Tasks\SnapMobile.job	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

File deleted: C:\Windows\Tasks\SnapMobile.job

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F71C40	7_2_00007FF8B8F71C40
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F745E0	7_2_00007FF8B8F745E0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F72C40	7_2_00007FF8B8F72C40
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F768A0	7_2_00007FF8B8F768A0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F818C0	7_2_00007FF8B8F818C0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F83508	7_2_00007FF8B8F83508
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F7B310	7_2_00007FF8B8F7B310
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F73F30	7_2_00007FF8B8F73F30
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F7CD38	7_2_00007FF8B8F7CD38
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F82D5C	7_2_00007FF8B8F82D5C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F75160	7_2_00007FF8B8F75160
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F78F68	7_2_00007FF8B8F78F68
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F73170	7_2_00007FF8B8F73170
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F82578	7_2_00007FF8B8F82578
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F71990	7_2_00007FF8B8F71990
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F7EFB0	7_2_00007FF8B8F7EFB0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F821C8	7_2_00007FF8B8F821C8

Source: classification engine

Classification label: mal56.evad.winDLL@19/12@1/1

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F77740 CoInitializeEx,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,SysAllocString,SysAllocString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,

7_2_00007FF8B8F77740

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1172:120:WilError_03
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\461592c6-32a2-4a5a-9542-783ba1348002
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\5bba9e40-0e32-4b7f-b39a-667bbc0c2293
Source: C:\Windows\System32\rundll32.exe	Mutant created: \BaseNamedObjects\5bba9e40-0e32-4b7f-b39a-667bbc0c2293

Source: Updater.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllGetClassObject

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Updater.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Updater.dll.dll
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllGetClassObject
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Talespin\Updater.dll",Start /u
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Ventuso LLC\Updater.dll",Start /u
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServerEx
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\SnapMobile\Updater.dll",Start /u
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Spiralogics\Updater.dll",Start /u
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Spiralogics\Updater.dll",Start /u
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Updater.dll.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServerEx	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Updater.dll.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: Updater.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: Updater.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Updater.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Updater.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Updater.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Updater.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F75A20 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,GetSystemInfo,GetSystemMetrics,

7_2_00007FF8B8F75A20

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Updater.dll.dll

Source: C:\Windows\System32\rundll32.exe	File created: C:\ProgramData\SnapMobile\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\ProgramData\Ventuso LLC\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\ProgramData\Talespin\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\loaddll64.exe	File created: C:\ProgramData\Spiralogics\Updater.dll	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe	File created: C:\ProgramData\SnapMobile\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\ProgramData\Ventuso LLC\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\ProgramData\Talespin\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\loaddll64.exe	File created: C:\ProgramData\Spiralogics\Updater.dll	Jump to dropped file

Source: C:\Windows\System32\loaddll64.exe

File created: C:\Windows\Tasks\Spiralogics.job

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F75E70 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

7_2_00007FF8B8F75E70

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\System32\rundll32.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_7-8404

Source: C:\Windows\System32\rundll32.exe

Window / User API: threadDelayed 9565

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\ProgramData\SnapMobile\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\ProgramData\Ventuso LLC\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\ProgramData\Talespin\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\loaddll64.exe	Dropped PE file which has not been started: C:\ProgramData\Spiralogics\Updater.dll	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_7-7647

Source: C:\Windows\System32\loaddll64.exe TID: 2964	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6760	Thread sleep count: 294 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6760	Thread sleep time: -294000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6760	Thread sleep count: 9565 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6760	Thread sleep time: -9565000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F713A0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,sprintf_s,FindFirstFileW,FindNextFileW,FindClose,

7_2_00007FF8B8F713A0

Source: C:\Windows\System32\rundll32.exe

7_2_00007FF8B8F75A20

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 00000007.00000002.3297474319.00000151441FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000002.3297474319.00000151441B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\rundll32.exe

API call chain: ExitProcess graph end node

graph_7-7648

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F78C1C __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException,

7_2_00007FF8B8F78C1C

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F8036C EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

7_2_00007FF8B8F8036C

Source: C:\Windows\System32\rundll32.exe

7_2_00007FF8B8F75A20

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F75980 GetProcessHeap,HeapAlloc,

7_2_00007FF8B8F75980

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F7C538 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_00007FF8B8F7C538

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 185.161.251.26 443

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F7BDA8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_00007FF8B8F7BDA8

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F745E0 GetVolumeInformationW,GetModuleHandleW,GetComputerNameW,GetModuleHandleW,GetComputerNameExW,GetModuleHandleW,GetUserNameW,GetModuleHandleW,OpenMutexW,CloseHandle,GetModuleHandleW,GetTickCount,SleepEx,

7_2_00007FF8B8F745E0

Source: C:\Windows\System32\rundll32.exe

7_2_00007FF8B8F75A20

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Scheduled Task/Job	2 Scheduled Task/Job	111 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	1 DLL Side-Loading	2 Scheduled Task/Job	11 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Regsvr32	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	14 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Updater.dll.dll	8%	ReversingLabs	Win64.Malware.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\SnapMobile\Updater.dll	8%	ReversingLabs	Win64.Malware.Generic
C:\ProgramData\Spiralogics\Updater.dll	8%	ReversingLabs	Win64.Malware.Generic
C:\ProgramData\Talespin\Updater.dll	8%	ReversingLabs	Win64.Malware.Generic
C:\ProgramData\Ventuso LLC\Updater.dll	8%	ReversingLabs	Win64.Malware.Generic

Name	IP	Active	Malicious	Antivirus Detection	Reputation
171.39.242.20.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://185.161.251.26/LMEM	rundll32.exe, 00000007.00000002.3297802931.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/(	rundll32.exe, 00000007.00000002.3297474319.00000151441B2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/nd	rundll32.exe, 00000007.00000003.2956428842.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2149114154.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2967607764.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3179742057.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/k	rundll32.exe, 00000007.00000003.2935954962.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2945959181.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/161.251.26/	rundll32.exe, 00000007.00000003.2381677338.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2369713552.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/o	rundll32.exe, 00000007.00000002.3297802931.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/0	rundll32.exe, 00000007.00000003.3027867820.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/0J#DQ	rundll32.exe, 00000007.00000003.2956428842.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2967607764.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2977904730.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/s	rundll32.exe, 00000007.00000003.2780780539.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3027867820.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3297802931.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3179742057.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/r	rundll32.exe, 00000007.00000003.2149114154.0000015144266000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/5	rundll32.exe, 00000007.00000003.2159208682.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/viderw	rundll32.exe, 00000007.00000003.2392771122.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2402775016.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3297802931.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/PW#DQ	rundll32.exe, 00000007.00000003.3027867820.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3179742057.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/7	rundll32.exe, 00000007.00000003.2935954962.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/w	rundll32.exe, 00000007.00000003.2780780539.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/gits	rundll32.exe, 00000007.00000003.2222366885.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2212351056.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2381677338.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2192829265.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/;~	rundll32.exe, 00000007.00000003.2149114154.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2159208682.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/aenh.dll(DQ	rundll32.exe, 00000007.00000003.2232539180.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/	rundll32.exe, 00000007.00000002.3297802931.0000015144241000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2945698785.0000015144266000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/aenh.dll	rundll32.exe, 00000007.00000003.2392771122.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2402775016.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2381677338.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2369713552.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2192829265.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/viderG	rundll32.exe, 00000007.00000003.2392771122.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2369713552.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/G	rundll32.exe, 00000007.00000003.3179742057.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/K	rundll32.exe, 00000007.00000003.2222366885.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2212351056.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2149114154.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2159208682.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2088598849.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2232539180.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2192829265.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/vider	rundll32.exe, 00000007.00000003.2192829265.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2945959181.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/nh.dllD	rundll32.exe, 00000007.00000003.3027867820.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/L	rundll32.exe, 00000007.00000002.3297474319.00000151441B2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/P	rundll32.exe, 00000007.00000003.2392771122.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2402775016.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2381677338.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/ography	rundll32.exe, 00000007.00000003.2381677338.0000015144266000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2966352070.0000015144266000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2977904730.0000015144266000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2956428842.0000015144266000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/T	rundll32.exe, 00000007.00000003.2222366885.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2935954962.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2232539180.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2945959181.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/viderY	rundll32.exe, 00000007.00000003.2232539180.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/Y	rundll32.exe, 00000007.00000003.2149114154.0000015144279000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2159208682.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/0Y#DQ	rundll32.exe, 00000007.00000003.2956428842.0000015144279000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.161.251.26	unknown	United Kingdom		5089	NTLGB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541407
Start date and time:	2024-10-24 19:48:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Updater.dll.dll (renamed file extension from exe to dll)
Original Sample Name:	Updater.dll.exe
Detection:	MAL
Classification:	mal56.evad.winDLL@19/12@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 21 Number of non-executed functions: 26

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Updater.dll.dll

Simulations

Behavior and APIs

Time	Type	Description
13:48:55	API Interceptor	5910349x Sleep call for process: rundll32.exe modified
13:49:04	API Interceptor	2x Sleep call for process: loaddll64.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.161.251.26	Updater.dll.dll	Get hash	malicious	Unknown	Browse
185.161.251.26	Updater.dll.dll	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTLGB	newsample	Get hash	malicious	Mirai, Okiru	Browse	217.137.58.145
	Updater.dll.dll	Get hash	malicious	Unknown	Browse	185.161.251.26
	Updater.dll.dll	Get hash	malicious	Unknown	Browse	185.161.251.26
	o2YUBeMZW6.elf	Get hash	malicious	Mirai	Browse	86.8.111.22
	G63E6opeS8.elf	Get hash	malicious	Mirai	Browse	62.253.81.1
	ai3eCONS9Q.elf	Get hash	malicious	Mirai	Browse	62.31.100.51
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	80.5.205.110
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	86.13.197.104
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	86.1.9.11
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	82.10.79.183

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	Updater.dll.dll	Get hash	malicious	Unknown	Browse	185.161.251.26
	Updater.dll.dll	Get hash	malicious	Unknown	Browse	185.161.251.26
	xxJfSec58P.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	UMrFwHyjUi.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	b157p9L0c1.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	PFlJLzFUqH.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	46QSz6qyKC.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	7ZthFNAqYp.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	M8PoiLFYWM.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	Unlock_Tool_2.3.1.exe	Get hash	malicious	Vidar	Browse	185.161.251.26

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	6.07698299320588
Encrypted:	false
SSDEEP:	3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY1lz:Jhwv55WT7ctiiF5cv
MD5:	80CD37D9EB33507BF054F32CE2380B09
SHA1:	6E8D57DDE537ACE0639931569AE2B04B9CB99A26
SHA-256:	F47144C7159BE31D8116FDC36B66CB72C917CD91A4BBE9EAA55DEC929C1CFFDD
SHA-512:	18F42496C4A66F11AA834E1DB7F727EA7041882408A83BE00F5DDACFBCA439DEBE611F24EADD19E9453BC774D91D33D98AC25290791D501AF2E706DC9EF89BDE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h.$[.........." .....4...................................................p............`.........................................P................P.......0..p............`......................................P...p............P...............................text...42.......4.................. ..`.rdata.......P.......8..............@..@.data....?..........................@....pdata..p....0......................@..@.rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\SnapMobile\Updater.dll:Zone.Identifier

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Spiralogics\Updater.dll

Download File

Process:	C:\Windows\System32\loaddll64.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	6.07698299320588
Encrypted:	false
SSDEEP:	3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY1lz:Jhwv55WT7ctiiF5cv
MD5:	80CD37D9EB33507BF054F32CE2380B09
SHA1:	6E8D57DDE537ACE0639931569AE2B04B9CB99A26
SHA-256:	F47144C7159BE31D8116FDC36B66CB72C917CD91A4BBE9EAA55DEC929C1CFFDD
SHA-512:	18F42496C4A66F11AA834E1DB7F727EA7041882408A83BE00F5DDACFBCA439DEBE611F24EADD19E9453BC774D91D33D98AC25290791D501AF2E706DC9EF89BDE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h.$[.........." .....4...................................................p............`.........................................P................P.......0..p............`......................................P...p............P...............................text...42.......4.................. ..`.rdata.......P.......8..............@..@.data....?..........................@....pdata..p....0......................@..@.rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Spiralogics\Updater.dll:Zone.Identifier

Download File

Process:	C:\Windows\System32\loaddll64.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Talespin\Updater.dll

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	6.07698299320588
Encrypted:	false
SSDEEP:	3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY1lz:Jhwv55WT7ctiiF5cv
MD5:	80CD37D9EB33507BF054F32CE2380B09
SHA1:	6E8D57DDE537ACE0639931569AE2B04B9CB99A26
SHA-256:	F47144C7159BE31D8116FDC36B66CB72C917CD91A4BBE9EAA55DEC929C1CFFDD
SHA-512:	18F42496C4A66F11AA834E1DB7F727EA7041882408A83BE00F5DDACFBCA439DEBE611F24EADD19E9453BC774D91D33D98AC25290791D501AF2E706DC9EF89BDE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h.$[.........." .....4...................................................p............`.........................................P................P.......0..p............`......................................P...p............P...............................text...42.......4.................. ..`.rdata.......P.......8..............@..@.data....?..........................@....pdata..p....0......................@..@.rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Talespin\Updater.dll:Zone.Identifier

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Ventuso LLC\Updater.dll

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	6.07698299320588
Encrypted:	false
SSDEEP:	3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY1lz:Jhwv55WT7ctiiF5cv
MD5:	80CD37D9EB33507BF054F32CE2380B09
SHA1:	6E8D57DDE537ACE0639931569AE2B04B9CB99A26
SHA-256:	F47144C7159BE31D8116FDC36B66CB72C917CD91A4BBE9EAA55DEC929C1CFFDD
SHA-512:	18F42496C4A66F11AA834E1DB7F727EA7041882408A83BE00F5DDACFBCA439DEBE611F24EADD19E9453BC774D91D33D98AC25290791D501AF2E706DC9EF89BDE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h.$[.........." .....4...................................................p............`.........................................P................P.......0..p............`......................................P...p............P...............................text...42.......4.................. ..`.rdata.......P.......8..............@..@.data....?..........................@....pdata..p....0......................@..@.rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Ventuso LLC\Updater.dll:Zone.Identifier

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\SnapMobile.job

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	340
Entropy (8bit):	3.5523166728142095
Encrypted:	false
SSDEEP:	6:fM+R5sjZ/82On+SkSJkJAWhAlAtmbhEZ24DAJDiiXqYEp5t/uy0l2V1:U/hO+fTWlrb94OuifXV0
MD5:	14BA98AA1799F4C051C901828E098E96
SHA1:	3EAF45DD6CF568E0CBF10037DB059C8E8712F271
SHA-256:	8154E99E3897E44907EAD70D94FA17B1F1FC3CA56E6FB2F56D3E16AD6D19C456
SHA-512:	5E9ACD0B45AD4BD77B8491946B22534A6917B3869931D15C9D94D0257F3803F52EF1FABEA286677E51096F3D91C5699D112B78B25B81D0B48A7E8FB3EAACD1AA
Malicious:	false
Preview:	......HO..aO........F.".....<... .....\.......... ....................!.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e...1.".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.S.n.a.p.M.o.b.i.l.e.\.U.p.d.a.t.e.r...d.l.l.".,.S.t.a.r.t. ./.u.......A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0.................2.............................

C:\Windows\Tasks\Spiralogics.job

Download File

Process:	C:\Windows\System32\loaddll64.exe
File Type:	data
Category:	modified
Size (bytes):	342
Entropy (8bit):	3.5318960731611493
Encrypted:	false
SSDEEP:	6:nDo/82On+SkSJkJAWhAlAtWlubhEZ2kEhlWKJDiiXqYEp5t/uy0l2V1:DohO+fTWlj0b9k6lWouifXV0
MD5:	820D5E049199CBCF9631CE9DD555D71A
SHA1:	A8BA2E611FDC3AE1994F9D5572EDECCD6BE88719
SHA-256:	9D5BB23BA3A36F1F700D51DAAF004C7B52C062954372B40002A4C5CFD6B39EB9
SHA-512:	23761D5251D682AC70B028F04A15D6943239DC0F45F5865BB9C5B0899E5218CFB64588274259C0B45F538F1E621A5EE4B431B3DB039D427EA03291EB864F3050
Malicious:	false
Preview:	.....F..O..G.,.Q.T].F.$.....<... .....\.......... ....................!.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e...2.".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.S.p.i.r.a.l.o.g.i.c.s.\.U.p.d.a.t.e.r...d.l.l.".,.S.t.a.r.t. ./.u.......A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0.................2.............................

C:\Windows\Tasks\Talespin.job

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	336
Entropy (8bit):	3.534382442225839
Encrypted:	false
SSDEEP:	6:kK1gtM/82On+SkSJkJAWhAlAtom0bhEZRMOD7AJDiiXqYEp5t/uy0l2V1:kuXhO+fTWlu0bhODmuifXV0
MD5:	FB03CBB42377F6F40C30D5684ABC06B6
SHA1:	8C7F411E2F32819C542EE637B332782D86E8B935
SHA-256:	427C9FAC93A7C2B29F89C186AC3C9C4C918AE8CEB29093430E7C4884B8804EF6
SHA-512:	F33994FC882A7B3259874F3ABFA5F35C8EE27939E3F090126F2DB72BE403936FCAA909B0BCE3483C4E4120F5F77CE905E7F3E070B23837A7CDC7A8921AEDAAFB
Malicious:	false
Preview:	.....dX.!..K.3.H.vP<F.......<... .....\.......... ....................!.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e.../.".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.T.a.l.e.s.p.i.n.\.U.p.d.a.t.e.r...d.l.l.".,.S.t.a.r.t. ./.u.......A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0.................2.............................

C:\Windows\Tasks\Ventuso LLC.job

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	342
Entropy (8bit):	3.524457761725954
Encrypted:	false
SSDEEP:	6:7vP78Do/82On+SkSJkJAWhAlAtWlubhEZxDh5JDiiXqYEp5t/uy0l2V1:7XEohO+fTWlj0b69uifXV0
MD5:	FB55A771A26E0B02CB4BB5EEC34AD1F2
SHA1:	9BE307EE63C785B5173F034096E023D35247205B
SHA-256:	EB3C6498A3E8C01E173BDD9479371A5B39D3929D888C0E3BD834014D35224039
SHA-512:	D4A38B2AFDB24A23DDC157DCD85A95CDED94C89DD4DD58512AE7D8AA7AD1D92A107FE420E63E6DFFAC017A01BC2891A913E741B0468931F5274155EDA84B8B0B
Malicious:	false
Preview:	......n.*..O.r..sQ..F.$.....<... .....\.......... ....................!.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e...2.".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.V.e.n.t.u.s.o. .L.L.C.\.U.p.d.a.t.e.r...d.l.l.".,.S.t.a.r.t. ./.u.......A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0.................2.............................

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.07698299320588
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	Updater.dll.dll
File size:	132'096 bytes
MD5:	80cd37d9eb33507bf054f32ce2380b09
SHA1:	6e8d57dde537ace0639931569ae2b04b9cb99a26
SHA256:	f47144c7159be31d8116fdc36b66cb72c917cd91a4bbe9eaa55dec929c1cffdd
SHA512:	18f42496c4a66f11aa834e1db7f727ea7041882408a83be00f5ddacfbca439debe611f24eadd19e9453bc774d91d33d98ac25290791d501af2e706dc9ef89bde
SSDEEP:	3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY1lz:Jhwv55WT7ctiiF5cv
TLSH:	DBD3488B33A150FBD827963AC8A35906E3B6340607B09BDF5B64454A5F373D1AE39B31
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h.$[.........." .....4...................................................p............`................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x180008abc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5B248368 [Sat Jun 16 03:26:32 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	13a0a4f8e18482fece5db74f0e485dc8

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F040CF99777h
call 00007F040CF9CA40h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F040CF99778h
int3
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+20h], ebx
dec esp
mov dword ptr [eax+18h], eax
mov dword ptr [eax+10h], edx
dec eax
mov dword ptr [eax+08h], ecx
push esi
push edi
inc ecx
push esi
dec eax
sub esp, 50h
dec ecx
mov esi, eax
mov ebx, edx
dec esp
mov esi, ecx
mov edx, 00000001h
mov dword ptr [eax-48h], edx
test ebx, ebx
jne 00007F040CF99781h
cmp dword ptr [000180C0h], ebx
jne 00007F040CF99779h
xor eax, eax
jmp 00007F040CF99847h
lea eax, dword ptr [ebx-01h]
cmp eax, 01h
jnbe 00007F040CF997AAh
dec eax
mov eax, dword ptr [0000E8E0h]
dec eax
test eax, eax
je 00007F040CF9977Ch
mov edx, ebx
call eax
mov edx, eax
mov dword ptr [esp+20h], eax
test edx, edx
je 00007F040CF99789h
dec esp
mov eax, esi
mov edx, ebx
dec ecx
mov ecx, esi
call 00007F040CF99569h
mov edx, eax
mov dword ptr [esp+20h], eax
test eax, eax
jne 00007F040CF99779h
xor eax, eax
jmp 00007F040CF99807h
dec esp
mov eax, esi
mov edx, ebx
dec ecx
mov ecx, esi
call 00007F040CFA26BFh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1da50	0xb8	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1db08	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x25000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x23000	0x1170	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26000	0x5c0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c550	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x390	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13234	0x13400	862093ad77e963afd99b61075ed339cc	False	0.5498046875	data	6.375620691199119	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x96b8	0x9800	0ae1de3882fc516473a41ceef8f482fa	False	0.4322317023026316	DIY-Thermocam raw data (Lepton 2.x), scale 20079-30309, spot sensor temperature 4543427629910840780059159035904.000000, unit celsius, color scheme 0, calibration: offset 512.000000, slope 4437014241515289928777334784.000000	5.00357346652478	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x3fb8	0x1a00	abf2d368a635e26bc1d8aa2dfeb13a81	False	0.291015625	data	3.36721144417636	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x23000	0x1170	0x1200	21cc64f597d7a7a7591094f0cd1471d5	False	0.466796875	data	4.955152847884263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x25000	0x1e0	0x200	399816b231dc16da0611f2508f87678f	False	0.52734375	data	4.715442022345726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x26000	0x5c0	0x600	01f533fcce3c005ecfaf87ad049dbea2	False	0.66796875	data	5.343193155137574	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x25060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	CreateThread, GetLastError, SetLastError, ExpandEnvironmentStringsW, SetCurrentDirectoryW, GetCurrentDirectoryW, CreateFileW, DeleteFileW, GetFileAttributesW, GetVolumeInformationW, ReadFile, RemoveDirectoryW, SetFilePointer, WriteFile, SetHandleInformation, CreatePipe, PeekNamedPipe, WaitForSingleObject, Sleep, OpenMutexW, TerminateProcess, CreateProcessW, GlobalMemoryStatusEx, GetTickCount, GetComputerNameExW, GetModuleFileNameW, GetComputerNameW, MultiByteToWideChar, WideCharToMultiByte, HeapAlloc, HeapReAlloc, HeapFree, GetProcessHeap, GetTempFileNameW, GetTempPathW, GetSystemDirectoryW, LocalFree, CloseHandle, LoadLibraryW, GetProcAddress, GetModuleHandleW, CreateMutexW, GetSystemInfo, HeapSize, OutputDebugStringW, WriteConsoleW, SetStdHandle, LoadLibraryExW, LCMapStringW, FlushFileBuffers, GetStringTypeW, GetCommandLineA, GetCurrentThreadId, IsDebuggerPresent, EncodePointer, DecodePointer, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, ExitProcess, GetModuleHandleExW, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, GetCurrentProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, RtlUnwindEx, EnterCriticalSection, LeaveCriticalSection, GetConsoleCP, GetConsoleMode, SetFilePointerEx
ADVAPI32.dll	RegQueryValueExW, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey, GetUserNameW
SHELL32.dll	SHGetFolderPathW
ole32.dll	CoTaskMemFree, CoCreateInstance, CoUninitialize, CoInitializeEx
OLEAUT32.dll	SysAllocString, SysFreeString, VariantInit, VariantClear
WS2_32.dll	WSAStartup, gethostbyname, inet_ntoa, gethostname

Exports

Name	Ordinal	Address
DllGetClassObject	1	0x180001a70
DllRegisterServer	2	0x180001b50
DllRegisterServerEx	3	0x180001b90
DllUnregisterServer	4	0x180001bd0
Start	5	0x180001c10

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-24T19:49:00.899395+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49704	185.161.251.26	443	TCP
2024-10-24T19:49:01.948338+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49705	185.161.251.26	443	TCP
2024-10-24T19:49:03.011817+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49706	185.161.251.26	443	TCP
2024-10-24T19:49:03.991564+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49707	185.161.251.26	443	TCP
2024-10-24T19:49:04.959311+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49708	185.161.251.26	443	TCP
2024-10-24T19:49:06.072096+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49709	185.161.251.26	443	TCP
2024-10-24T19:49:07.059496+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49710	185.161.251.26	443	TCP
2024-10-24T19:49:08.049935+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49711	185.161.251.26	443	TCP
2024-10-24T19:49:09.058832+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49712	185.161.251.26	443	TCP
2024-10-24T19:49:10.978848+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49713	185.161.251.26	443	TCP
2024-10-24T19:49:12.409813+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49714	185.161.251.26	443	TCP
2024-10-24T19:49:13.405175+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49715	185.161.251.26	443	TCP
2024-10-24T19:49:14.373445+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49716	185.161.251.26	443	TCP
2024-10-24T19:49:15.375550+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49719	185.161.251.26	443	TCP
2024-10-24T19:49:16.365682+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49722	185.161.251.26	443	TCP
2024-10-24T19:49:17.360914+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49729	185.161.251.26	443	TCP
2024-10-24T19:49:18.364532+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49736	185.161.251.26	443	TCP
2024-10-24T19:49:19.325587+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49742	185.161.251.26	443	TCP
2024-10-24T19:49:20.300743+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49743	185.161.251.26	443	TCP
2024-10-24T19:49:21.271466+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49754	185.161.251.26	443	TCP
2024-10-24T19:49:22.366829+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49760	185.161.251.26	443	TCP
2024-10-24T19:49:23.322165+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49761	185.161.251.26	443	TCP
2024-10-24T19:49:24.343933+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49772	185.161.251.26	443	TCP
2024-10-24T19:49:25.407185+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49778	185.161.251.26	443	TCP
2024-10-24T19:49:26.378565+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49784	185.161.251.26	443	TCP
2024-10-24T19:49:27.340977+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49790	185.161.251.26	443	TCP
2024-10-24T19:49:28.310365+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49796	185.161.251.26	443	TCP
2024-10-24T19:49:30.096576+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49802	185.161.251.26	443	TCP
2024-10-24T19:49:31.305050+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49808	185.161.251.26	443	TCP
2024-10-24T19:49:32.416309+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	57967	185.161.251.26	443	TCP
2024-10-24T19:49:33.410028+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	57974	185.161.251.26	443	TCP
2024-10-24T19:49:34.410616+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	57981	185.161.251.26	443	TCP
2024-10-24T19:49:35.794624+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	57987	185.161.251.26	443	TCP
2024-10-24T19:49:36.759676+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	57989	185.161.251.26	443	TCP
2024-10-24T19:49:37.719105+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	57995	185.161.251.26	443	TCP
2024-10-24T19:49:38.683182+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58002	185.161.251.26	443	TCP
2024-10-24T19:49:39.664307+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58010	185.161.251.26	443	TCP
2024-10-24T19:49:40.630468+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58019	185.161.251.26	443	TCP
2024-10-24T19:49:41.593084+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58025	185.161.251.26	443	TCP
2024-10-24T19:49:42.575029+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58031	185.161.251.26	443	TCP
2024-10-24T19:49:43.545521+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58037	185.161.251.26	443	TCP
2024-10-24T19:49:44.534315+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58043	185.161.251.26	443	TCP
2024-10-24T19:49:45.498957+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58048	185.161.251.26	443	TCP
2024-10-24T19:49:46.471251+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58054	185.161.251.26	443	TCP
2024-10-24T19:49:47.437813+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58060	185.161.251.26	443	TCP
2024-10-24T19:49:48.415894+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58066	185.161.251.26	443	TCP
2024-10-24T19:49:49.539946+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58072	185.161.251.26	443	TCP
2024-10-24T19:49:50.492893+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58078	185.161.251.26	443	TCP
2024-10-24T19:49:51.447564+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58084	185.161.251.26	443	TCP
2024-10-24T19:49:52.415591+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58090	185.161.251.26	443	TCP
2024-10-24T19:49:53.371842+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58096	185.161.251.26	443	TCP
2024-10-24T19:49:54.338170+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58102	185.161.251.26	443	TCP
2024-10-24T19:49:55.342056+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58108	185.161.251.26	443	TCP
2024-10-24T19:49:56.428505+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58114	185.161.251.26	443	TCP
2024-10-24T19:49:57.414640+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58120	185.161.251.26	443	TCP
2024-10-24T19:49:58.441342+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58126	185.161.251.26	443	TCP
2024-10-24T19:49:59.412170+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58135	185.161.251.26	443	TCP
2024-10-24T19:50:00.420896+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58141	185.161.251.26	443	TCP
2024-10-24T19:50:01.539046+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58147	185.161.251.26	443	TCP
2024-10-24T19:50:02.497580+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58153	185.161.251.26	443	TCP
2024-10-24T19:50:03.467001+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58159	185.161.251.26	443	TCP
2024-10-24T19:50:04.430877+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58165	185.161.251.26	443	TCP
2024-10-24T19:50:05.390712+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58171	185.161.251.26	443	TCP
2024-10-24T19:50:06.354408+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58179	185.161.251.26	443	TCP
2024-10-24T19:50:07.331735+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58185	185.161.251.26	443	TCP
2024-10-24T19:50:08.301140+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58190	185.161.251.26	443	TCP
2024-10-24T19:50:09.271104+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58196	185.161.251.26	443	TCP
2024-10-24T19:50:10.235676+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58198	185.161.251.26	443	TCP
2024-10-24T19:50:11.201944+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58199	185.161.251.26	443	TCP
2024-10-24T19:50:12.199367+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58200	185.161.251.26	443	TCP
2024-10-24T19:50:13.195053+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58201	185.161.251.26	443	TCP
2024-10-24T19:50:14.180027+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58202	185.161.251.26	443	TCP
2024-10-24T19:50:15.179785+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58203	185.161.251.26	443	TCP
2024-10-24T19:50:16.155779+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58204	185.161.251.26	443	TCP
2024-10-24T19:50:17.765365+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58205	185.161.251.26	443	TCP
2024-10-24T19:50:18.752250+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58206	185.161.251.26	443	TCP
2024-10-24T19:50:19.734396+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58207	185.161.251.26	443	TCP
2024-10-24T19:50:20.713865+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58208	185.161.251.26	443	TCP
2024-10-24T19:50:21.698888+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58209	185.161.251.26	443	TCP
2024-10-24T19:50:22.689487+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58210	185.161.251.26	443	TCP
2024-10-24T19:50:23.660369+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58211	185.161.251.26	443	TCP
2024-10-24T19:50:24.639333+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58212	185.161.251.26	443	TCP
2024-10-24T19:50:25.620713+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58213	185.161.251.26	443	TCP
2024-10-24T19:50:26.586957+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58214	185.161.251.26	443	TCP
2024-10-24T19:50:27.706233+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58215	185.161.251.26	443	TCP
2024-10-24T19:50:28.779052+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58216	185.161.251.26	443	TCP
2024-10-24T19:50:29.767683+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58217	185.161.251.26	443	TCP
2024-10-24T19:50:30.922660+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58218	185.161.251.26	443	TCP
2024-10-24T19:50:31.939020+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58219	185.161.251.26	443	TCP
2024-10-24T19:50:32.915001+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58220	185.161.251.26	443	TCP
2024-10-24T19:50:33.879114+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58221	185.161.251.26	443	TCP
2024-10-24T19:50:34.856993+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58222	185.161.251.26	443	TCP
2024-10-24T19:50:35.839053+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58223	185.161.251.26	443	TCP
2024-10-24T19:50:36.952435+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58224	185.161.251.26	443	TCP
2024-10-24T19:50:38.297261+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58225	185.161.251.26	443	TCP
2024-10-24T19:50:39.261316+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58226	185.161.251.26	443	TCP
2024-10-24T19:50:40.221033+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58227	185.161.251.26	443	TCP
2024-10-24T19:50:41.270329+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58228	185.161.251.26	443	TCP
2024-10-24T19:50:43.718408+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58229	185.161.251.26	443	TCP
2024-10-24T19:50:45.223638+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58230	185.161.251.26	443	TCP
2024-10-24T19:50:46.192999+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58231	185.161.251.26	443	TCP
2024-10-24T19:50:47.158624+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58232	185.161.251.26	443	TCP
2024-10-24T19:50:49.153766+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58233	185.161.251.26	443	TCP
2024-10-24T19:50:50.130036+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58234	185.161.251.26	443	TCP
2024-10-24T19:50:51.109720+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58235	185.161.251.26	443	TCP
2024-10-24T19:50:52.098829+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58236	185.161.251.26	443	TCP
2024-10-24T19:50:53.088713+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58237	185.161.251.26	443	TCP
2024-10-24T19:50:54.070886+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58238	185.161.251.26	443	TCP
2024-10-24T19:50:55.040145+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58239	185.161.251.26	443	TCP
2024-10-24T19:50:56.022146+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58240	185.161.251.26	443	TCP
2024-10-24T19:50:57.009618+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58241	185.161.251.26	443	TCP
2024-10-24T19:50:58.269469+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58242	185.161.251.26	443	TCP
2024-10-24T19:50:59.272123+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58243	185.161.251.26	443	TCP
2024-10-24T19:51:00.232682+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58244	185.161.251.26	443	TCP
2024-10-24T19:51:02.280272+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58245	185.161.251.26	443	TCP
2024-10-24T19:51:03.274548+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	58246	185.161.251.26	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 19:49:00.010437012 CEST	49704	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:00.010488987 CEST	443	49704	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:00.010555983 CEST	49704	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:00.029858112 CEST	49704	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:00.029879093 CEST	443	49704	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:00.899291992 CEST	443	49704	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:00.899394989 CEST	49704	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:00.961780071 CEST	49704	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:00.961951017 CEST	443	49704	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:00.962080002 CEST	49704	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:01.098547935 CEST	49705	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:01.098635912 CEST	443	49705	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:01.098756075 CEST	49705	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:01.098978043 CEST	49705	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:01.098999977 CEST	443	49705	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:01.948227882 CEST	443	49705	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:01.948338032 CEST	49705	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:02.001589060 CEST	49705	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:02.001691103 CEST	443	49705	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:02.001775026 CEST	49705	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:02.161122084 CEST	49706	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:02.161159992 CEST	443	49706	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:02.161240101 CEST	49706	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:02.161508083 CEST	49706	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:02.161518097 CEST	443	49706	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:03.011701107 CEST	443	49706	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:03.011816978 CEST	49706	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:03.013966084 CEST	49706	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:03.014113903 CEST	443	49706	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:03.014202118 CEST	49706	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:03.132126093 CEST	49707	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:03.132216930 CEST	443	49707	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:03.132301092 CEST	49707	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:03.132690907 CEST	49707	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:03.132716894 CEST	443	49707	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:03.991355896 CEST	443	49707	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:03.991564035 CEST	49707	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:03.994931936 CEST	49707	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:03.995013952 CEST	443	49707	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:03.995100021 CEST	49707	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:04.098778009 CEST	49708	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:04.098829985 CEST	443	49708	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:04.098948956 CEST	49708	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:04.099234104 CEST	49708	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:04.099251986 CEST	443	49708	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:04.959223986 CEST	443	49708	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:04.959311008 CEST	49708	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:05.047621965 CEST	49708	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:05.047699928 CEST	443	49708	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:05.047781944 CEST	49708	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:05.213128090 CEST	49709	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:05.213172913 CEST	443	49709	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:05.213260889 CEST	49709	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:05.214091063 CEST	49709	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:05.214112043 CEST	443	49709	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:06.071768045 CEST	443	49709	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:06.072096109 CEST	49709	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:06.076180935 CEST	49709	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:06.076297998 CEST	443	49709	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:06.076581955 CEST	49709	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:06.076600075 CEST	443	49709	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:06.076702118 CEST	49709	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:06.192600012 CEST	49710	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:06.192636013 CEST	443	49710	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:06.192732096 CEST	49710	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:06.192945004 CEST	49710	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:06.192958117 CEST	443	49710	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:07.059401989 CEST	443	49710	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:07.059495926 CEST	49710	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:07.061799049 CEST	49710	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:07.061836958 CEST	443	49710	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:07.061897039 CEST	49710	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:07.176966906 CEST	49711	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:07.177050114 CEST	443	49711	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:07.177155972 CEST	49711	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:07.177577972 CEST	49711	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:07.177612066 CEST	443	49711	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:08.049803972 CEST	443	49711	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:08.049935102 CEST	49711	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:08.052881002 CEST	49711	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:08.052937031 CEST	443	49711	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:08.053071976 CEST	443	49711	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:08.053085089 CEST	49711	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:08.053215981 CEST	49711	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:08.193047047 CEST	49712	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:08.193155050 CEST	443	49712	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:08.193245888 CEST	49712	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:08.193569899 CEST	49712	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:08.193603992 CEST	443	49712	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:09.058672905 CEST	443	49712	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:09.058831930 CEST	49712	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:09.062405109 CEST	49712	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:09.062470913 CEST	443	49712	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:09.062606096 CEST	443	49712	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:09.062680960 CEST	49712	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:09.062680960 CEST	49712	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:09.192517996 CEST	49713	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:09.192564964 CEST	443	49713	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:09.192785025 CEST	49713	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:09.192976952 CEST	49713	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:09.192991018 CEST	443	49713	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:10.978626966 CEST	443	49713	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:10.978847980 CEST	49713	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:10.981913090 CEST	49713	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:10.981960058 CEST	443	49713	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:10.982058048 CEST	49713	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:11.084192038 CEST	49714	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:11.084278107 CEST	443	49714	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:11.084568977 CEST	49714	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:11.084717035 CEST	49714	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:11.084748030 CEST	443	49714	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:12.409670115 CEST	443	49714	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:12.409812927 CEST	49714	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:12.413474083 CEST	49714	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:12.413554907 CEST	443	49714	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:12.413621902 CEST	49714	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:12.551990032 CEST	49715	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:12.552028894 CEST	443	49715	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:12.552133083 CEST	49715	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:12.552686930 CEST	49715	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:12.552700996 CEST	443	49715	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:13.405049086 CEST	443	49715	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:13.405174971 CEST	49715	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:13.407730103 CEST	49715	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:13.407807112 CEST	443	49715	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:13.407883883 CEST	49715	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:13.521085978 CEST	49716	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:13.521117926 CEST	443	49716	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:13.521177053 CEST	49716	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:13.521411896 CEST	49716	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:13.521425009 CEST	443	49716	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:14.373337030 CEST	443	49716	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:14.373445034 CEST	49716	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:14.376543999 CEST	49716	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:14.376840115 CEST	443	49716	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:14.376904011 CEST	49716	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:14.520648003 CEST	49719	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:14.520680904 CEST	443	49719	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:14.520744085 CEST	49719	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:14.521306992 CEST	49719	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:14.521322012 CEST	443	49719	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:15.375452995 CEST	443	49719	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:15.375550032 CEST	49719	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:15.378346920 CEST	49719	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:15.378422976 CEST	443	49719	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:15.378484011 CEST	49719	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:15.505201101 CEST	49722	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:15.505242109 CEST	443	49722	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:15.505304098 CEST	49722	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:15.505618095 CEST	49722	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:15.505635977 CEST	443	49722	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:16.365360022 CEST	443	49722	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:16.365681887 CEST	49722	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:16.368329048 CEST	49722	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:16.368423939 CEST	443	49722	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:16.368662119 CEST	49722	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:16.520806074 CEST	49729	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:16.520853996 CEST	443	49729	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:16.521039963 CEST	49729	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:16.521498919 CEST	49729	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:16.521513939 CEST	443	49729	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:17.360773087 CEST	443	49729	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:17.360913992 CEST	49729	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:17.371535063 CEST	49729	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:17.371684074 CEST	443	49729	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:17.371759892 CEST	49729	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:17.514445066 CEST	49736	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:17.514482975 CEST	443	49736	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:17.514570951 CEST	49736	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:17.515501022 CEST	49736	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:17.515516043 CEST	443	49736	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:18.364188910 CEST	443	49736	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:18.364531994 CEST	49736	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:18.373512983 CEST	49736	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:18.373572111 CEST	443	49736	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:18.373756886 CEST	49736	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:18.489526987 CEST	49742	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:18.489561081 CEST	443	49742	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:18.490015984 CEST	49742	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:18.490041018 CEST	49742	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:18.490046024 CEST	443	49742	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:19.325493097 CEST	443	49742	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:19.325587034 CEST	49742	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:19.328469992 CEST	49742	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:19.328511953 CEST	443	49742	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:19.328648090 CEST	49742	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:19.442481995 CEST	49743	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:19.442569017 CEST	443	49743	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:19.442846060 CEST	49743	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:19.442958117 CEST	49743	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:19.442987919 CEST	443	49743	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:20.300591946 CEST	443	49743	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:20.300743103 CEST	49743	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:20.303956032 CEST	49743	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:20.304006100 CEST	443	49743	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:20.304105997 CEST	49743	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:20.304111958 CEST	443	49743	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:20.304193974 CEST	49743	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:20.411735058 CEST	49754	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:20.411742926 CEST	443	49754	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:20.411818027 CEST	49754	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:20.411984921 CEST	49754	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:20.411995888 CEST	443	49754	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:21.271374941 CEST	443	49754	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:21.271466017 CEST	49754	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:21.275743008 CEST	49754	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:21.275908947 CEST	443	49754	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:21.275981903 CEST	49754	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:21.379918098 CEST	49760	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:21.379988909 CEST	443	49760	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:21.380120993 CEST	49760	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:21.380309105 CEST	49760	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:21.380342007 CEST	443	49760	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:22.366736889 CEST	443	49760	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:22.366828918 CEST	49760	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:22.369513988 CEST	49760	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:22.369657993 CEST	443	49760	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:22.369736910 CEST	49760	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:22.473545074 CEST	49761	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:22.473575115 CEST	443	49761	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:22.473680973 CEST	49761	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:22.473851919 CEST	49761	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:22.473860025 CEST	443	49761	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:23.322069883 CEST	443	49761	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:23.322165012 CEST	49761	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:23.363734007 CEST	49761	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:23.364005089 CEST	443	49761	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:23.364097118 CEST	49761	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:23.481039047 CEST	49772	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:23.481098890 CEST	443	49772	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:23.481200933 CEST	49772	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:23.484972000 CEST	49772	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:23.485006094 CEST	443	49772	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:24.343800068 CEST	443	49772	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:24.343933105 CEST	49772	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:24.346360922 CEST	49772	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:24.346453905 CEST	443	49772	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:24.346554995 CEST	49772	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:24.457921028 CEST	49778	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:24.457993031 CEST	443	49778	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:24.458069086 CEST	49778	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:24.458323002 CEST	49778	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:24.458354950 CEST	443	49778	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:25.407094955 CEST	443	49778	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:25.407185078 CEST	49778	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:25.410003901 CEST	49778	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:25.410084009 CEST	443	49778	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:25.410140038 CEST	49778	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:25.520524025 CEST	49784	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:25.520550966 CEST	443	49784	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:25.520628929 CEST	49784	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:25.520833015 CEST	49784	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:25.520839930 CEST	443	49784	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:26.378465891 CEST	443	49784	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:26.378565073 CEST	49784	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:26.381139040 CEST	49784	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:26.381186008 CEST	443	49784	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:26.381263971 CEST	49784	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:26.489581108 CEST	49790	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:26.489604950 CEST	443	49790	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:26.489728928 CEST	49790	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:26.489906073 CEST	49790	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:26.489914894 CEST	443	49790	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:27.340900898 CEST	443	49790	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:27.340976954 CEST	49790	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:27.343261003 CEST	49790	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:27.343311071 CEST	443	49790	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:27.343394995 CEST	49790	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:27.458142996 CEST	49796	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:27.458184958 CEST	443	49796	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:27.458266973 CEST	49796	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:27.458534956 CEST	49796	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:27.458544016 CEST	443	49796	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:28.310290098 CEST	443	49796	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:28.310364962 CEST	49796	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:28.312737942 CEST	49796	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:28.312804937 CEST	443	49796	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:28.312899113 CEST	49796	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:28.431936026 CEST	49802	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:28.432034016 CEST	443	49802	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:28.432148933 CEST	49802	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:28.432477951 CEST	49802	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:28.432511091 CEST	443	49802	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:30.096484900 CEST	443	49802	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:30.096575975 CEST	49802	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:30.098792076 CEST	49802	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:30.098886013 CEST	443	49802	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:30.098965883 CEST	49802	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:30.239289999 CEST	49808	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:30.239343882 CEST	443	49808	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:30.239588976 CEST	49808	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:30.239829063 CEST	49808	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:30.239855051 CEST	443	49808	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:31.304930925 CEST	443	49808	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:31.305049896 CEST	49808	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:31.309278011 CEST	49808	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:31.309405088 CEST	443	49808	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:31.309474945 CEST	49808	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:31.518106937 CEST	57967	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:31.518129110 CEST	443	57967	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:31.518210888 CEST	57967	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:31.560471058 CEST	57967	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:31.560486078 CEST	443	57967	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:32.416227102 CEST	443	57967	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:32.416309118 CEST	57967	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:32.418669939 CEST	57967	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:32.418760061 CEST	443	57967	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:32.418821096 CEST	57967	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:32.551723003 CEST	57974	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:32.551764011 CEST	443	57974	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:32.551877022 CEST	57974	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:32.552114964 CEST	57974	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:32.552134037 CEST	443	57974	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:33.409797907 CEST	443	57974	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:33.410027981 CEST	57974	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:33.419141054 CEST	57974	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:33.419187069 CEST	443	57974	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:33.419246912 CEST	57974	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:33.551635981 CEST	57981	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:33.551678896 CEST	443	57981	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:33.551764965 CEST	57981	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:33.551985979 CEST	57981	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:33.551995039 CEST	443	57981	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:34.410501957 CEST	443	57981	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:34.410615921 CEST	57981	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:34.413032055 CEST	57981	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:34.413121939 CEST	443	57981	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:34.413196087 CEST	57981	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:34.520440102 CEST	57987	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:34.520473003 CEST	443	57987	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:34.524604082 CEST	57987	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:34.524908066 CEST	57987	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:34.524919033 CEST	443	57987	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:35.794548988 CEST	443	57987	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:35.794624090 CEST	57987	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:35.798069954 CEST	57987	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:35.798137903 CEST	443	57987	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:35.798197985 CEST	57987	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:35.911020041 CEST	57989	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:35.911060095 CEST	443	57989	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:35.911143064 CEST	57989	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:35.911385059 CEST	57989	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:35.911391020 CEST	443	57989	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:36.759597063 CEST	443	57989	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:36.759675980 CEST	57989	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:36.762461901 CEST	57989	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:36.762507915 CEST	443	57989	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:36.762665033 CEST	443	57989	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:36.762722015 CEST	57989	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:36.762737036 CEST	57989	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:36.871236086 CEST	57995	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:36.871292114 CEST	443	57995	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:36.871360064 CEST	57995	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:36.871699095 CEST	57995	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:36.871726990 CEST	443	57995	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:37.719037056 CEST	443	57995	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:37.719105005 CEST	57995	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:37.723921061 CEST	57995	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:37.724150896 CEST	443	57995	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:37.724308968 CEST	443	57995	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:37.724391937 CEST	57995	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:37.724391937 CEST	57995	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:37.833453894 CEST	58002	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:37.833539963 CEST	443	58002	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:37.833628893 CEST	58002	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:37.834021091 CEST	58002	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:37.834057093 CEST	443	58002	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:38.683080912 CEST	443	58002	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:38.683182001 CEST	58002	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:38.685808897 CEST	58002	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:38.685863972 CEST	443	58002	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:38.685929060 CEST	58002	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:38.801800013 CEST	58010	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:38.801841021 CEST	443	58010	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:38.801908016 CEST	58010	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:38.802176952 CEST	58010	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:38.802191019 CEST	443	58010	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:39.664206982 CEST	443	58010	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:39.664307117 CEST	58010	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:39.666707993 CEST	58010	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:39.667006016 CEST	443	58010	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:39.667093039 CEST	58010	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:39.770570993 CEST	58019	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:39.770653009 CEST	443	58019	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:39.770735025 CEST	58019	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:39.771203041 CEST	58019	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:39.771281958 CEST	443	58019	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:40.630383015 CEST	443	58019	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:40.630467892 CEST	58019	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:40.634619951 CEST	58019	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:40.634705067 CEST	443	58019	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:40.634836912 CEST	443	58019	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:40.635010004 CEST	58019	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:40.635010958 CEST	58019	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:40.739362955 CEST	58025	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:40.739444971 CEST	443	58025	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:40.739536047 CEST	58025	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:40.739794970 CEST	58025	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:40.739818096 CEST	443	58025	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:41.593005896 CEST	443	58025	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:41.593084097 CEST	58025	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:41.595309973 CEST	58025	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:41.595410109 CEST	443	58025	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:41.595541000 CEST	58025	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:41.707993984 CEST	58031	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:41.708075047 CEST	443	58031	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:41.708376884 CEST	58031	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:41.708477974 CEST	58031	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:41.708506107 CEST	443	58031	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:42.574908972 CEST	443	58031	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:42.575028896 CEST	58031	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:42.577832937 CEST	58031	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:42.577922106 CEST	443	58031	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:42.578006983 CEST	58031	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:42.692536116 CEST	58037	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:42.692578077 CEST	443	58037	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:42.692678928 CEST	58037	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:42.692923069 CEST	58037	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:42.692940950 CEST	443	58037	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:43.545437098 CEST	443	58037	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:43.545521021 CEST	58037	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:43.555632114 CEST	58037	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:43.555903912 CEST	443	58037	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:43.555985928 CEST	58037	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:43.661122084 CEST	58043	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:43.661161900 CEST	443	58043	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:43.661375999 CEST	58043	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:43.661451101 CEST	58043	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:43.661465883 CEST	443	58043	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:44.533910036 CEST	443	58043	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:44.534315109 CEST	58043	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:44.537175894 CEST	58043	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:44.537462950 CEST	443	58043	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:44.537693977 CEST	58043	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:44.645610094 CEST	58048	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:44.645684004 CEST	443	58048	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:44.645776033 CEST	58048	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:44.646024942 CEST	58048	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:44.646035910 CEST	443	58048	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:45.498872042 CEST	443	58048	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:45.498956919 CEST	58048	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:45.503907919 CEST	58048	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:45.504113913 CEST	443	58048	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:45.504209995 CEST	58048	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:45.623465061 CEST	58054	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:45.623506069 CEST	443	58054	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:45.623733044 CEST	58054	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:45.623992920 CEST	58054	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:45.624012947 CEST	443	58054	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:46.470773935 CEST	443	58054	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:46.471251011 CEST	58054	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:46.474152088 CEST	58054	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:46.474350929 CEST	443	58054	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:46.474514961 CEST	443	58054	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:46.474577904 CEST	58054	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:46.474577904 CEST	58054	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:46.583225012 CEST	58060	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:46.583259106 CEST	443	58060	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:46.583467960 CEST	58060	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:46.583787918 CEST	58060	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:46.583801031 CEST	443	58060	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:47.437618017 CEST	443	58060	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:47.437813044 CEST	58060	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:47.441059113 CEST	58060	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:47.441247940 CEST	443	58060	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:47.441338062 CEST	58060	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:47.556673050 CEST	58066	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:47.556756020 CEST	443	58066	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:47.556860924 CEST	58066	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:47.557790995 CEST	58066	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:47.557828903 CEST	443	58066	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:48.415683985 CEST	443	58066	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:48.415894032 CEST	58066	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:48.418894053 CEST	58066	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:48.419209003 CEST	443	58066	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:48.419399977 CEST	58066	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:48.521925926 CEST	58072	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:48.521938086 CEST	443	58072	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:48.522022963 CEST	58072	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:48.523230076 CEST	58072	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:48.523245096 CEST	443	58072	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:49.539726973 CEST	443	58072	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:49.539946079 CEST	58072	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:49.543273926 CEST	58072	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:49.543385029 CEST	443	58072	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:49.543570042 CEST	443	58072	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:49.543572903 CEST	58072	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:49.543632030 CEST	58072	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:49.645703077 CEST	58078	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:49.645787954 CEST	443	58078	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:49.645903111 CEST	58078	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:49.646239996 CEST	58078	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:49.646300077 CEST	443	58078	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:50.492583036 CEST	443	58078	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:50.492892981 CEST	58078	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:50.496771097 CEST	58078	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:50.496890068 CEST	443	58078	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:50.497056007 CEST	443	58078	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:50.497100115 CEST	58078	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:50.497172117 CEST	58078	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:50.598931074 CEST	58084	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:50.599014997 CEST	443	58084	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:50.599271059 CEST	58084	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:50.599502087 CEST	58084	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:50.599539042 CEST	443	58084	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:51.447386980 CEST	443	58084	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:51.447563887 CEST	58084	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:51.449851036 CEST	58084	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:51.450150967 CEST	443	58084	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:51.450242996 CEST	58084	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:51.551978111 CEST	58090	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:51.552017927 CEST	443	58090	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:51.552140951 CEST	58090	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:51.552450895 CEST	58090	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:51.552484989 CEST	443	58090	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:52.415304899 CEST	443	58090	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:52.415591002 CEST	58090	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:52.417617083 CEST	58090	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:52.417882919 CEST	443	58090	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:52.417969942 CEST	58090	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:52.520462990 CEST	58096	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:52.520494938 CEST	443	58096	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:52.520596027 CEST	58096	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:52.520781040 CEST	58096	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:52.520793915 CEST	443	58096	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:53.371664047 CEST	443	58096	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:53.371841908 CEST	58096	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:53.374284029 CEST	58096	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:53.374377012 CEST	443	58096	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:53.374454021 CEST	58096	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:53.489548922 CEST	58102	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:53.489631891 CEST	443	58102	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:53.489725113 CEST	58102	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:53.489959955 CEST	58102	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:53.489994049 CEST	443	58102	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:54.338052034 CEST	443	58102	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:54.338170052 CEST	58102	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:54.340456009 CEST	58102	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:54.340593100 CEST	443	58102	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:54.340681076 CEST	58102	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:54.478107929 CEST	58108	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:54.478159904 CEST	443	58108	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:54.478224993 CEST	58108	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:54.478727102 CEST	58108	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:54.478746891 CEST	443	58108	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:55.341968060 CEST	443	58108	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:55.342056036 CEST	58108	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:55.344094992 CEST	58108	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:55.344408035 CEST	443	58108	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:55.344549894 CEST	58108	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:55.458107948 CEST	58114	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:55.458194971 CEST	443	58114	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:55.458276987 CEST	58114	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:55.458492041 CEST	58114	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:55.458522081 CEST	443	58114	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:56.428296089 CEST	443	58114	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:56.428504944 CEST	58114	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:56.431687117 CEST	58114	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:56.431768894 CEST	443	58114	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:56.431849003 CEST	58114	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:56.535965919 CEST	58120	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:56.535999060 CEST	443	58120	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:56.536102057 CEST	58120	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:56.536348104 CEST	58120	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:56.536356926 CEST	443	58120	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:57.414554119 CEST	443	58120	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:57.414639950 CEST	58120	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:57.478543997 CEST	58120	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:57.478842974 CEST	443	58120	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:57.478914976 CEST	58120	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:57.583040953 CEST	58126	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:57.583074093 CEST	443	58126	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:57.583132029 CEST	58126	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:57.583301067 CEST	58126	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:57.583309889 CEST	443	58126	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:58.441205025 CEST	443	58126	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:58.441342115 CEST	58126	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:58.450124979 CEST	58126	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:58.450206041 CEST	443	58126	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:58.450279951 CEST	58126	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:58.551765919 CEST	58135	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:58.551791906 CEST	443	58135	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:58.551858902 CEST	58135	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:58.552047968 CEST	58135	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:58.552053928 CEST	443	58135	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:59.412067890 CEST	443	58135	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:59.412169933 CEST	58135	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:59.415492058 CEST	58135	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:59.415638924 CEST	443	58135	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:59.415779114 CEST	58135	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:59.537070036 CEST	58141	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:59.537152052 CEST	443	58141	185.161.251.26	192.168.2.5
Oct 24, 2024 19:49:59.537246943 CEST	58141	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:59.539016008 CEST	58141	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:49:59.539048910 CEST	443	58141	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:00.420629978 CEST	443	58141	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:00.420896053 CEST	58141	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:00.423506975 CEST	58141	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:00.423736095 CEST	443	58141	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:00.423885107 CEST	443	58141	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:00.423964977 CEST	58141	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:00.423965931 CEST	58141	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:00.537852049 CEST	58147	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:00.537892103 CEST	443	58147	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:00.538265944 CEST	58147	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:00.538444042 CEST	58147	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:00.538459063 CEST	443	58147	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:01.538916111 CEST	443	58147	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:01.539046049 CEST	58147	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:01.541445971 CEST	58147	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:01.541609049 CEST	443	58147	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:01.541687012 CEST	58147	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:01.646013975 CEST	58153	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:01.646116972 CEST	443	58153	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:01.646323919 CEST	58153	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:01.646672964 CEST	58153	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:01.646713018 CEST	443	58153	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:02.497456074 CEST	443	58153	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:02.497580051 CEST	58153	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:02.500349998 CEST	58153	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:02.500432968 CEST	443	58153	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:02.500535011 CEST	58153	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:02.614778042 CEST	58159	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:02.614861012 CEST	443	58159	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:02.615102053 CEST	58159	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:02.615340948 CEST	58159	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:02.615372896 CEST	443	58159	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:03.466864109 CEST	443	58159	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:03.467000961 CEST	58159	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:03.469227076 CEST	58159	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:03.469372988 CEST	443	58159	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:03.469449043 CEST	58159	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:03.585133076 CEST	58165	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:03.585205078 CEST	443	58165	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:03.585277081 CEST	58165	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:03.585474014 CEST	58165	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:03.585496902 CEST	443	58165	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:04.430807114 CEST	443	58165	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:04.430876970 CEST	58165	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:04.433377981 CEST	58165	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:04.433454037 CEST	443	58165	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:04.433516026 CEST	58165	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:04.537858009 CEST	58171	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:04.537905931 CEST	443	58171	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:04.537983894 CEST	58171	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:04.538233995 CEST	58171	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:04.538259983 CEST	443	58171	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:05.390620947 CEST	443	58171	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:05.390712023 CEST	58171	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:05.393218040 CEST	58171	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:05.393269062 CEST	443	58171	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:05.393326998 CEST	58171	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:05.506409883 CEST	58179	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:05.506442070 CEST	443	58179	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:05.506489992 CEST	58179	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:05.506705046 CEST	58179	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:05.506727934 CEST	443	58179	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:06.354322910 CEST	443	58179	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:06.354408026 CEST	58179	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:06.365390062 CEST	58179	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:06.365418911 CEST	443	58179	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:06.365534067 CEST	58179	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:06.475269079 CEST	58185	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:06.475379944 CEST	443	58185	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:06.475698948 CEST	58185	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:06.478650093 CEST	58185	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:06.478729963 CEST	443	58185	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:07.331667900 CEST	443	58185	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:07.331734896 CEST	58185	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:07.335170984 CEST	58185	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:07.335237026 CEST	443	58185	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:07.335298061 CEST	58185	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:07.445610046 CEST	58190	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:07.445627928 CEST	443	58190	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:07.445694923 CEST	58190	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:07.445986986 CEST	58190	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:07.445998907 CEST	443	58190	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:08.301044941 CEST	443	58190	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:08.301140070 CEST	58190	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:08.306813002 CEST	58190	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:08.306852102 CEST	443	58190	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:08.306962967 CEST	443	58190	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:08.307066917 CEST	58190	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:08.307066917 CEST	58190	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:08.413784027 CEST	58196	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:08.413891077 CEST	443	58196	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:08.414072990 CEST	58196	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:08.418840885 CEST	58196	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:08.418883085 CEST	443	58196	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:09.270900011 CEST	443	58196	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:09.271104097 CEST	58196	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:09.274246931 CEST	58196	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:09.274312019 CEST	443	58196	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:09.274374008 CEST	58196	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:09.384001017 CEST	58198	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:09.384094954 CEST	443	58198	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:09.384206057 CEST	58198	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:09.384399891 CEST	58198	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:09.384435892 CEST	443	58198	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:10.235451937 CEST	443	58198	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:10.235676050 CEST	58198	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:10.239355087 CEST	58198	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:10.239465952 CEST	443	58198	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:10.239608049 CEST	58198	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:10.350637913 CEST	58199	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:10.350657940 CEST	443	58199	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:10.350789070 CEST	58199	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:10.351011038 CEST	58199	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:10.351017952 CEST	443	58199	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:11.201864958 CEST	443	58199	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:11.201944113 CEST	58199	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:11.204719067 CEST	58199	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:11.204768896 CEST	443	58199	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:11.204833984 CEST	58199	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:11.335264921 CEST	58200	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:11.335304976 CEST	443	58200	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:11.335372925 CEST	58200	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:11.335715055 CEST	58200	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:11.335727930 CEST	443	58200	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:12.196455956 CEST	443	58200	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:12.199367046 CEST	58200	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:12.204111099 CEST	58200	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:12.204196930 CEST	443	58200	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:12.204407930 CEST	443	58200	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:12.204479933 CEST	58200	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:12.204480886 CEST	58200	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:12.334928036 CEST	58201	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:12.335012913 CEST	443	58201	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:12.335220098 CEST	58201	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:12.336064100 CEST	58201	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:12.336100101 CEST	443	58201	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:13.194973946 CEST	443	58201	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:13.195053101 CEST	58201	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:13.198446035 CEST	58201	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:13.198555946 CEST	443	58201	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:13.198645115 CEST	58201	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:13.319874048 CEST	58202	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:13.319910049 CEST	443	58202	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:13.319969893 CEST	58202	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:13.320282936 CEST	58202	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:13.320291996 CEST	443	58202	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:14.179878950 CEST	443	58202	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:14.180027008 CEST	58202	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:14.187165976 CEST	58202	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:14.187211037 CEST	443	58202	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:14.187376022 CEST	443	58202	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:14.188147068 CEST	58202	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:14.188147068 CEST	58202	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:14.322792053 CEST	58203	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:14.322874069 CEST	443	58203	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:14.327428102 CEST	58203	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:14.327428102 CEST	58203	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:14.327517986 CEST	443	58203	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:15.179693937 CEST	443	58203	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:15.179785013 CEST	58203	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:15.183233023 CEST	58203	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:15.183288097 CEST	443	58203	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:15.183391094 CEST	58203	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:15.304924965 CEST	58204	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:15.304977894 CEST	443	58204	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:15.305053949 CEST	58204	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:15.305385113 CEST	58204	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:15.305399895 CEST	443	58204	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:16.155630112 CEST	443	58204	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:16.155778885 CEST	58204	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:16.158281088 CEST	58204	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:16.158369064 CEST	443	58204	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:16.158638000 CEST	58204	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:16.303282976 CEST	58205	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:16.303334951 CEST	443	58205	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:16.304491997 CEST	58205	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:16.304745913 CEST	58205	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:16.304768085 CEST	443	58205	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:17.761126995 CEST	443	58205	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:17.765364885 CEST	58205	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:17.765364885 CEST	58205	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:17.765465975 CEST	443	58205	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:17.765611887 CEST	443	58205	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:17.765794039 CEST	58205	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:17.765794039 CEST	58205	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:17.883342028 CEST	58206	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:17.883375883 CEST	443	58206	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:17.886749029 CEST	58206	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:17.887360096 CEST	58206	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:17.887377977 CEST	443	58206	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:18.752165079 CEST	443	58206	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:18.752249956 CEST	58206	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:18.756453037 CEST	58206	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:18.756751060 CEST	443	58206	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:18.756881952 CEST	58206	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:18.868014097 CEST	58207	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:18.868099928 CEST	443	58207	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:18.868180990 CEST	58207	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:18.869334936 CEST	58207	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:18.869370937 CEST	443	58207	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:19.734175920 CEST	443	58207	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:19.734395981 CEST	58207	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:19.739166021 CEST	58207	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:19.739250898 CEST	443	58207	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:19.739458084 CEST	58207	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:19.851063967 CEST	58208	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:19.851149082 CEST	443	58208	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:19.851381063 CEST	58208	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:19.855351925 CEST	58208	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:19.855386019 CEST	443	58208	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:20.713644028 CEST	443	58208	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:20.713865042 CEST	58208	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:20.716794014 CEST	58208	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:20.716886997 CEST	443	58208	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:20.717060089 CEST	58208	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:20.847048998 CEST	58209	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:20.847131968 CEST	443	58209	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:20.847198009 CEST	58209	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:20.847490072 CEST	58209	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:20.847511053 CEST	443	58209	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:21.698741913 CEST	443	58209	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:21.698888063 CEST	58209	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:21.702050924 CEST	58209	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:21.702105999 CEST	443	58209	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:21.702162981 CEST	58209	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:21.830133915 CEST	58210	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:21.830180883 CEST	443	58210	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:21.830269098 CEST	58210	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:21.846187115 CEST	58210	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:21.846223116 CEST	443	58210	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:22.689212084 CEST	443	58210	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:22.689486980 CEST	58210	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:22.692614079 CEST	58210	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:22.692682981 CEST	443	58210	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:22.692842960 CEST	443	58210	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:22.692878008 CEST	58210	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:22.693088055 CEST	58210	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:22.804631948 CEST	58211	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:22.804685116 CEST	443	58211	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:22.804753065 CEST	58211	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:22.805051088 CEST	58211	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:22.805068970 CEST	443	58211	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:23.660276890 CEST	443	58211	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:23.660368919 CEST	58211	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:23.662899017 CEST	58211	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:23.662983894 CEST	443	58211	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:23.663037062 CEST	58211	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:23.772612095 CEST	58212	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:23.772661924 CEST	443	58212	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:23.776881933 CEST	58212	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:23.776881933 CEST	58212	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:23.776926041 CEST	443	58212	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:24.638809919 CEST	443	58212	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:24.639333010 CEST	58212	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:24.644604921 CEST	58212	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:24.644665956 CEST	443	58212	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:24.644800901 CEST	443	58212	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:24.645255089 CEST	58212	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:24.645255089 CEST	58212	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:24.756639957 CEST	58213	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:24.756689072 CEST	443	58213	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:24.756748915 CEST	58213	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:24.757006884 CEST	58213	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:24.757030964 CEST	443	58213	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:25.620631933 CEST	443	58213	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:25.620712996 CEST	58213	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:25.623662949 CEST	58213	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:25.623836994 CEST	443	58213	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:25.623900890 CEST	58213	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:25.743350983 CEST	58214	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:25.743400097 CEST	443	58214	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:25.743818045 CEST	58214	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:25.743818045 CEST	58214	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:25.743855953 CEST	443	58214	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:26.581825972 CEST	443	58214	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:26.586956978 CEST	58214	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:26.586957932 CEST	58214	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:26.587054968 CEST	443	58214	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:26.587186098 CEST	443	58214	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:26.587368011 CEST	58214	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:26.587368011 CEST	58214	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:26.850816011 CEST	58215	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:26.850871086 CEST	443	58215	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:26.850939989 CEST	58215	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:26.851260900 CEST	58215	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:26.851270914 CEST	443	58215	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:27.706089020 CEST	443	58215	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:27.706233025 CEST	58215	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:27.708909988 CEST	58215	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:27.708996058 CEST	443	58215	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:27.709182024 CEST	443	58215	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:27.709223986 CEST	58215	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:27.709223986 CEST	58215	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:27.915411949 CEST	58216	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:27.915466070 CEST	443	58216	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:27.919060946 CEST	58216	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:27.919060946 CEST	58216	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:27.919106960 CEST	443	58216	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:28.778994083 CEST	443	58216	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:28.779052019 CEST	58216	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:28.782092094 CEST	58216	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:28.782141924 CEST	443	58216	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:28.782195091 CEST	58216	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:28.913220882 CEST	58217	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:28.913328886 CEST	443	58217	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:28.913404942 CEST	58217	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:28.913691998 CEST	58217	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:28.913719893 CEST	443	58217	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:29.766868114 CEST	443	58217	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:29.767683029 CEST	58217	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:29.769865036 CEST	58217	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:29.769905090 CEST	443	58217	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:29.770064116 CEST	443	58217	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:29.771013975 CEST	58217	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:29.771013975 CEST	58217	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:30.068907976 CEST	58218	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:30.068952084 CEST	443	58218	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:30.069142103 CEST	58218	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:30.070669889 CEST	58218	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:30.070687056 CEST	443	58218	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:30.922601938 CEST	443	58218	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:30.922660112 CEST	58218	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:30.928808928 CEST	58218	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:30.928895950 CEST	443	58218	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:30.928945065 CEST	58218	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:31.073159933 CEST	58219	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:31.073204041 CEST	443	58219	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:31.073259115 CEST	58219	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:31.074605942 CEST	58219	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:31.074620962 CEST	443	58219	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:31.936466932 CEST	443	58219	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:31.939019918 CEST	58219	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:31.939019918 CEST	58219	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:31.939167023 CEST	443	58219	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:31.939311028 CEST	443	58219	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:31.939774990 CEST	58219	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:31.939774990 CEST	58219	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:32.056611061 CEST	58220	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:32.056665897 CEST	443	58220	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:32.059910059 CEST	58220	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:32.061094999 CEST	58220	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:32.061116934 CEST	443	58220	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:32.914928913 CEST	443	58220	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:32.915000916 CEST	58220	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:32.918426991 CEST	58220	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:32.918515921 CEST	443	58220	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:32.918566942 CEST	58220	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:33.022672892 CEST	58221	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:33.022783041 CEST	443	58221	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:33.022862911 CEST	58221	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:33.023138046 CEST	58221	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:33.023173094 CEST	443	58221	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:33.878940105 CEST	443	58221	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:33.879113913 CEST	58221	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:33.881696939 CEST	58221	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:33.881786108 CEST	443	58221	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:33.882003069 CEST	443	58221	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:33.882138014 CEST	58221	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:33.882138014 CEST	58221	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:33.990914106 CEST	58222	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:33.991005898 CEST	443	58222	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:33.996937037 CEST	58222	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:33.996937037 CEST	58222	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:33.997037888 CEST	443	58222	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:34.856913090 CEST	443	58222	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:34.856992960 CEST	58222	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:34.860085011 CEST	58222	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:34.860143900 CEST	443	58222	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:34.860192060 CEST	58222	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:34.975878954 CEST	58223	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:34.975951910 CEST	443	58223	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:34.976013899 CEST	58223	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:34.976300955 CEST	58223	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:34.976315975 CEST	443	58223	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:35.834877968 CEST	443	58223	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:35.839052916 CEST	58223	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:35.839054108 CEST	58223	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:35.839180946 CEST	443	58223	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:35.839378119 CEST	443	58223	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:35.839567900 CEST	58223	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:35.839567900 CEST	58223	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:36.100615025 CEST	58224	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:36.100668907 CEST	443	58224	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:36.101067066 CEST	58224	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:36.104650021 CEST	58224	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:36.104697943 CEST	443	58224	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:36.952200890 CEST	443	58224	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:36.952435017 CEST	58224	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:36.955199003 CEST	58224	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:36.955271006 CEST	443	58224	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:36.955342054 CEST	58224	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:37.068839073 CEST	58225	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:37.068873882 CEST	443	58225	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:37.068937063 CEST	58225	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:37.069169998 CEST	58225	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:37.069175959 CEST	443	58225	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:38.297178984 CEST	443	58225	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:38.297261000 CEST	58225	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:38.300653934 CEST	58225	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:38.300715923 CEST	443	58225	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:38.300961971 CEST	443	58225	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:38.301017046 CEST	58225	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:38.301095963 CEST	58225	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:38.414870024 CEST	58226	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:38.414957047 CEST	443	58226	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:38.415096045 CEST	58226	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:38.419157982 CEST	58226	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:38.419192076 CEST	443	58226	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:39.261238098 CEST	443	58226	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:39.261316061 CEST	58226	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:39.264411926 CEST	58226	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:39.264494896 CEST	443	58226	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:39.264550924 CEST	58226	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:39.381949902 CEST	58227	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:39.381989956 CEST	443	58227	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:39.382052898 CEST	58227	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:39.382312059 CEST	58227	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:39.382327080 CEST	443	58227	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:40.220952988 CEST	443	58227	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:40.221033096 CEST	58227	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:40.227358103 CEST	58227	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:40.227401972 CEST	443	58227	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:40.227520943 CEST	58227	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:40.334984064 CEST	58228	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:40.335063934 CEST	443	58228	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:40.335186958 CEST	58228	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:40.335349083 CEST	58228	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:40.335369110 CEST	443	58228	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:41.270257950 CEST	443	58228	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:41.270328999 CEST	58228	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:41.278812885 CEST	58228	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:41.278879881 CEST	443	58228	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:41.278935909 CEST	58228	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:41.813153028 CEST	58229	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:41.813271999 CEST	443	58229	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:41.814852953 CEST	58229	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:41.822603941 CEST	58229	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:41.822645903 CEST	443	58229	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:43.718318939 CEST	443	58229	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:43.718408108 CEST	58229	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:43.721417904 CEST	58229	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:43.721481085 CEST	443	58229	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:43.721539021 CEST	58229	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:43.834832907 CEST	58230	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:43.834914923 CEST	443	58230	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:43.839189053 CEST	58230	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:43.843353033 CEST	58230	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:43.843389034 CEST	443	58230	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:45.223536968 CEST	443	58230	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:45.223638058 CEST	58230	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:45.227349043 CEST	58230	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:45.227447033 CEST	443	58230	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:45.227526903 CEST	58230	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:45.351042986 CEST	58231	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:45.351135969 CEST	443	58231	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:45.351218939 CEST	58231	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:45.351658106 CEST	58231	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:45.351697922 CEST	443	58231	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:46.192831039 CEST	443	58231	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:46.192998886 CEST	58231	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:46.196108103 CEST	58231	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:46.196192980 CEST	443	58231	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:46.196510077 CEST	58231	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:46.196510077 CEST	443	58231	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:46.196626902 CEST	58231	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:46.303761005 CEST	58232	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:46.303858042 CEST	443	58232	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:46.304151058 CEST	58232	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:46.304501057 CEST	58232	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:46.304538012 CEST	443	58232	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:47.158524990 CEST	443	58232	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:47.158623934 CEST	58232	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:47.162182093 CEST	58232	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:47.162237883 CEST	443	58232	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:47.162302971 CEST	58232	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:47.273588896 CEST	58233	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:47.273684978 CEST	443	58233	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:47.273803949 CEST	58233	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:47.274044991 CEST	58233	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:47.274069071 CEST	443	58233	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:49.153557062 CEST	443	58233	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:49.153765917 CEST	58233	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:49.156650066 CEST	58233	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:49.156753063 CEST	443	58233	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:49.156824112 CEST	58233	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:49.272532940 CEST	58234	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:49.272619009 CEST	443	58234	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:49.272690058 CEST	58234	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:49.272962093 CEST	58234	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:49.272995949 CEST	443	58234	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:50.129897118 CEST	443	58234	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:50.130036116 CEST	58234	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:50.132440090 CEST	58234	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:50.132498980 CEST	443	58234	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:50.132672071 CEST	443	58234	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:50.132822037 CEST	58234	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:50.132822037 CEST	58234	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:50.244651079 CEST	58235	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:50.244735956 CEST	443	58235	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:50.247936010 CEST	58235	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:50.247936010 CEST	58235	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:50.248064041 CEST	443	58235	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:51.109626055 CEST	443	58235	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:51.109719992 CEST	58235	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:51.113189936 CEST	58235	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:51.113281012 CEST	443	58235	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:51.113338947 CEST	58235	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:51.241414070 CEST	58236	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:51.241456032 CEST	443	58236	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:51.241529942 CEST	58236	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:51.241831064 CEST	58236	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:51.241843939 CEST	443	58236	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:52.098525047 CEST	443	58236	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:52.098829031 CEST	58236	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:52.102089882 CEST	58236	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:52.102144957 CEST	443	58236	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:52.102303982 CEST	443	58236	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:52.102330923 CEST	58236	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:52.102410078 CEST	58236	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:52.227065086 CEST	58237	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:52.227164984 CEST	443	58237	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:52.227628946 CEST	58237	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:52.227628946 CEST	58237	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:52.227725029 CEST	443	58237	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:53.088610888 CEST	443	58237	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:53.088712931 CEST	58237	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:53.091842890 CEST	58237	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:53.091939926 CEST	443	58237	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:53.092012882 CEST	58237	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:53.210361004 CEST	58238	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:53.210414886 CEST	443	58238	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:53.210510969 CEST	58238	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:53.210773945 CEST	58238	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:53.210783958 CEST	443	58238	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:54.070736885 CEST	443	58238	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:54.070885897 CEST	58238	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:54.073090076 CEST	58238	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:54.073178053 CEST	443	58238	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:54.073316097 CEST	58238	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:54.178451061 CEST	58239	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:54.178550005 CEST	443	58239	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:54.178909063 CEST	58239	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:54.179645061 CEST	58239	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:54.179682016 CEST	443	58239	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:55.040056944 CEST	443	58239	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:55.040144920 CEST	58239	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:55.048033953 CEST	58239	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:55.048104048 CEST	443	58239	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:55.048191071 CEST	58239	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:55.163062096 CEST	58240	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:55.163177013 CEST	443	58240	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:55.163264036 CEST	58240	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:55.163528919 CEST	58240	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:55.163562059 CEST	443	58240	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:56.022027969 CEST	443	58240	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:56.022145987 CEST	58240	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:56.025003910 CEST	58240	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:56.025094032 CEST	443	58240	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:56.025249004 CEST	58240	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:56.147360086 CEST	58241	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:56.147428036 CEST	443	58241	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:56.147608995 CEST	58241	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:56.147726059 CEST	58241	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:56.147744894 CEST	443	58241	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:57.009530067 CEST	443	58241	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:57.009618044 CEST	58241	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:57.013268948 CEST	58241	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:57.013381958 CEST	443	58241	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:57.013444901 CEST	58241	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:57.131989002 CEST	58242	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:57.132060051 CEST	443	58242	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:57.132196903 CEST	58242	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:57.132371902 CEST	58242	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:57.132380962 CEST	443	58242	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:58.263389111 CEST	443	58242	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:58.269469023 CEST	58242	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:58.269469023 CEST	58242	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:58.269620895 CEST	443	58242	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:58.270030975 CEST	443	58242	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:58.271094084 CEST	58242	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:58.271094084 CEST	58242	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:58.415034056 CEST	58243	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:58.415141106 CEST	443	58243	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:58.419636011 CEST	58243	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:58.419636011 CEST	58243	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:58.419723034 CEST	443	58243	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:59.272027969 CEST	443	58243	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:59.272123098 CEST	58243	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:59.276057959 CEST	58243	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:59.276213884 CEST	443	58243	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:59.276283026 CEST	58243	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:59.382525921 CEST	58244	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:59.382570982 CEST	443	58244	185.161.251.26	192.168.2.5
Oct 24, 2024 19:50:59.382622957 CEST	58244	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:59.382999897 CEST	58244	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:50:59.383012056 CEST	443	58244	185.161.251.26	192.168.2.5
Oct 24, 2024 19:51:00.232454062 CEST	443	58244	185.161.251.26	192.168.2.5
Oct 24, 2024 19:51:00.232681990 CEST	58244	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:51:00.236675024 CEST	58244	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:51:00.236932993 CEST	443	58244	185.161.251.26	192.168.2.5
Oct 24, 2024 19:51:00.237360954 CEST	443	58244	185.161.251.26	192.168.2.5
Oct 24, 2024 19:51:00.239269972 CEST	58244	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:51:00.239269972 CEST	58244	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:51:00.384783030 CEST	58245	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:51:00.384888887 CEST	443	58245	185.161.251.26	192.168.2.5
Oct 24, 2024 19:51:00.388994932 CEST	58245	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:51:00.388995886 CEST	58245	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:51:00.389086008 CEST	443	58245	185.161.251.26	192.168.2.5
Oct 24, 2024 19:51:02.280177116 CEST	443	58245	185.161.251.26	192.168.2.5
Oct 24, 2024 19:51:02.280272007 CEST	58245	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:51:02.282996893 CEST	58245	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:51:02.283060074 CEST	443	58245	185.161.251.26	192.168.2.5
Oct 24, 2024 19:51:02.283199072 CEST	443	58245	185.161.251.26	192.168.2.5
Oct 24, 2024 19:51:02.283231020 CEST	58245	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:51:02.284421921 CEST	58245	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:51:02.412714005 CEST	58246	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:51:02.412744999 CEST	443	58246	185.161.251.26	192.168.2.5
Oct 24, 2024 19:51:02.412859917 CEST	58246	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:51:02.413867950 CEST	58246	443	192.168.2.5	185.161.251.26
Oct 24, 2024 19:51:02.413878918 CEST	443	58246	185.161.251.26	192.168.2.5
Oct 24, 2024 19:51:03.274468899 CEST	443	58246	185.161.251.26	192.168.2.5
Oct 24, 2024 19:51:03.274548054 CEST	58246	443	192.168.2.5	185.161.251.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 19:49:30.902308941 CEST	53	49912	162.159.36.2	192.168.2.5
Oct 24, 2024 19:49:31.585494995 CEST	61019	53	192.168.2.5	1.1.1.1
Oct 24, 2024 19:49:31.593513012 CEST	53	61019	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 19:49:31.585494995 CEST	192.168.2.5	1.1.1.1	0x9e5	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 19:49:31.593513012 CEST	1.1.1.1	192.168.2.5	0x9e5	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	13:48:55
Start date:	24/10/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\Updater.dll.dll"
Imagebase:	0x7ff623870000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:48:55
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:48:55
Start date:	24/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1
Imagebase:	0x7ff68aba0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:48:55
Start date:	24/10/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\Updater.dll.dll
Imagebase:	0x7ff7ecc50000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:48:55
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllGetClassObject
Imagebase:	0x7ff7e0140000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:48:55
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1
Imagebase:	0x7ff7e0140000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:48:58
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe "C:\ProgramData\Talespin\Updater.dll",Start /u
Imagebase:	0x7ff7e0140000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	13:48:58
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServer
Imagebase:	0x7ff7e0140000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:49:00
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe "C:\ProgramData\Ventuso LLC\Updater.dll",Start /u
Imagebase:	0x7ff7e0140000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:49:01
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServerEx
Imagebase:	0x7ff7e0140000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:49:04
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe "C:\ProgramData\SnapMobile\Updater.dll",Start /u
Imagebase:	0x7ff7e0140000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:49:07
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe "C:\ProgramData\Spiralogics\Updater.dll",Start /u
Imagebase:	0x7ff7e0140000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:50:00
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe "C:\ProgramData\Spiralogics\Updater.dll",Start /u
Imagebase:	0x7ff7e0140000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 5312, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	33.9%
Total number of Nodes:	1602
Total number of Limit Nodes:	36

Executed Functions

Function 00007FF8B8F71C40 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 320
networklibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE ref: 00007FF8B8F71C8C
GetProcAddress.KERNEL32 ref: 00007FF8B8F71CC3
GetProcAddress.KERNEL32 ref: 00007FF8B8F71CFA
GetProcAddress.KERNEL32 ref: 00007FF8B8F71D31
GetProcAddress.KERNEL32 ref: 00007FF8B8F71D68
GetProcAddress.KERNEL32 ref: 00007FF8B8F71D9F
GetProcAddress.KERNEL32 ref: 00007FF8B8F71DD6
GetProcAddress.KERNEL32 ref: 00007FF8B8F71E0D
GetProcAddress.KERNEL32 ref: 00007FF8B8F71E44
InternetOpenW.WININET ref: 00007FF8B8F71E68
InternetSetOptionW.WININET ref: 00007FF8B8F71E94
InternetSetOptionW.WININET ref: 00007FF8B8F71EAC
InternetSetOptionW.WININET ref: 00007FF8B8F71EC4
InternetConnectW.WININET ref: 00007FF8B8F71EED
HttpOpenRequestW.WININET ref: 00007FF8B8F71F7B
SetLastError.KERNEL32 ref: 00007FF8B8F7204C
HttpSendRequestW.WININET ref: 00007FF8B8F72066
GetLastError.KERNEL32 ref: 00007FF8B8F72071
InternetQueryOptionW.WININET ref: 00007FF8B8F7209F
InternetSetOptionW.WININET ref: 00007FF8B8F720BF
HttpSendRequestW.WININET ref: 00007FF8B8F720D4

Part of subcall function 00007FF8B8F75980: GetProcessHeap.KERNEL32(?,?,?,00007FF8B8F767BF), ref: 00007FF8B8F75989

InternetReadFile.WININET ref: 00007FF8B8F72101

Part of subcall function 00007FF8B8F759B0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759C0

InternetReadFile.WININET ref: 00007FF8B8F72144
InternetCloseHandle.WININET ref: 00007FF8B8F7216C
InternetCloseHandle.WININET ref: 00007FF8B8F72177
InternetCloseHandle.WININET ref: 00007FF8B8F72180

Strings

`, xrefs: 00007FF8B8F71E8C

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: Internet$AddressProc$Option$CloseHandleHttpRequest$ErrorFileHeapLastOpenProcessReadSend$ConnectLibraryLoadQuery
String ID: `
API String ID: 843668234-1850852036
Opcode ID: 6cb4934f4c525d6e04b816347d414d37ea1e3fbc419628574f7db5a22d50bb1f
Instruction ID: 4e1b39f07fe27ec4d94520f65fc4aa8e11516b3b2781063ffac719398598275c
Opcode Fuzzy Hash: 6cb4934f4c525d6e04b816347d414d37ea1e3fbc419628574f7db5a22d50bb1f
Instruction Fuzzy Hash: A2E16C39A09A4282FA50DF59E8546BA77A0FF89BE2F444035DF4E43755EF3CE0468748

Function 00007FF8B8F745E0 Relevance: 19.7, APIs: 13, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE ref: 00007FF8B8F74637
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74647
GetComputerNameW.KERNEL32 ref: 00007FF8B8F7465C
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74664
GetComputerNameExW.KERNELBASE ref: 00007FF8B8F74686
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F7468E
GetUserNameW.ADVAPI32 ref: 00007FF8B8F746A6
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F746AE
OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: Handle$Module$Name$Computer$CloseCountInformationMutexOpenSleepTickUserVolume
String ID:
API String ID: 2838846479-0
Opcode ID: a7d98a780d92d368d99f5791a47d12559dcb0c590ddaab72dbf075023832e14a
Instruction ID: 051507c9eec5436a0f235b98022e111f0a24c4427424b7ca682fbcebfd28c204
Opcode Fuzzy Hash: a7d98a780d92d368d99f5791a47d12559dcb0c590ddaab72dbf075023832e14a
Instruction Fuzzy Hash: 0AB19F36A08B428AFB10DB68E8406AE3BA4FB487D5F904235DB5E47795EF3CD146CB04

Function 00007FF8B8F75A20 Relevance: 16.7, APIs: 11, Instructions: 178
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F75A50
GetProcAddress.KERNEL32 ref: 00007FF8B8F75A88
LoadLibraryW.KERNEL32 ref: 00007FF8B8F75AB9
GetProcAddress.KERNEL32 ref: 00007FF8B8F75AF1
GetProcAddress.KERNEL32 ref: 00007FF8B8F75B29
LoadLibraryW.KERNEL32 ref: 00007FF8B8F75B5A
GetProcAddress.KERNEL32 ref: 00007FF8B8F75B92
RtlGetVersion.NTDLL ref: 00007FF8B8F75BC6
GetNativeSystemInfo.KERNELBASE ref: 00007FF8B8F75BF9
GetSystemInfo.KERNEL32 ref: 00007FF8B8F75BFD

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad$InfoSystem$NativeVersion
String ID:
API String ID: 2883576749-0
Opcode ID: edaa7cecb2ce61e8d08a04a1f2505cbfd62d8f4ea06d9fe782e15e0f68590704
Instruction ID: 041238f2fef29c4ee9774622f91f60744dc95b0306d35040bc99095f59cdd817
Opcode Fuzzy Hash: edaa7cecb2ce61e8d08a04a1f2505cbfd62d8f4ea06d9fe782e15e0f68590704
Instruction Fuzzy Hash: 7D914F34E0CA4386FF649B68E8547B96B90EF887D2F540039D75E86791EF2CE446C708

Function 00007FF8B8F713A0 Relevance: 12.1, APIs: 8, Instructions: 120
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F713D7
GetProcAddress.KERNEL32 ref: 00007FF8B8F7140E
GetProcAddress.KERNEL32 ref: 00007FF8B8F71445
GetProcAddress.KERNEL32 ref: 00007FF8B8F7147C
sprintf_s.LIBCMTD ref: 00007FF8B8F714B3
FindFirstFileW.KERNELBASE ref: 00007FF8B8F714CD
FindNextFileW.KERNELBASE ref: 00007FF8B8F71562
FindClose.KERNELBASE ref: 00007FF8B8F7157F

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressFindProc$File$CloseFirstLibraryLoadNextsprintf_s
String ID:
API String ID: 3482909146-0
Opcode ID: 22d0c2b1a28d00ed540bf15ff744353af3ceb3754b5d0a5077885d68ed8e5c0d
Instruction ID: c32aa9aed136b79455580ebb09e341392bb6cfc727c43d412b7ba251d2e5d00d
Opcode Fuzzy Hash: 22d0c2b1a28d00ed540bf15ff744353af3ceb3754b5d0a5077885d68ed8e5c0d
Instruction Fuzzy Hash: 05515A39A19E4381FB50DB5AE8541B927A0AF89BC2F544135DB5E43396FF3CE84B8308

Function 00007FF8B8F77BB0 Relevance: 10.6, APIs: 7, Instructions: 90
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77BDF
GetProcAddress.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C16
LoadLibraryW.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C46
GetProcAddress.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C7D
GetCommandLineW.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C92
CommandLineToArgvW.SHELL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77CA0
LocalFree.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77D0E

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressCommandLibraryLineLoadProc$ArgvFreeLocal
String ID:
API String ID: 1914251671-0
Opcode ID: 055a219286a0850f7018c79609365c8502faa3a2cecd4e08f0dab71379c2a6f4
Instruction ID: c03258ee545f93754c88008a4c894a75218354aaadb7436882018fa40c9d01fa
Opcode Fuzzy Hash: 055a219286a0850f7018c79609365c8502faa3a2cecd4e08f0dab71379c2a6f4
Instruction Fuzzy Hash: 2E411B39E29F02C1FE51DB59E8546792AA0AF89BC6F544035DB4E83352EF3CE446C608

Function 00007FF8B8F74B50 Relevance: 7.7, APIs: 5, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Part of subcall function 00007FF8B8F71C40: LoadLibraryExW.KERNELBASE ref: 00007FF8B8F71C8C
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CC3
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CFA
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D31
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D68
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D9F
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71DD6
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71E0D

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$CloseCountHeapLibraryLoadModuleMutexOpenProcessSleepTick
String ID:
API String ID: 2080402659-0
Opcode ID: d16eecc91746005fe88b48e1243f16a1d3d0187000c98afbb7822189259a7abf
Instruction ID: 3cb4fd7f668a3316c429b45ceb23b683578c288a31808555abc01b94ba863530
Opcode Fuzzy Hash: d16eecc91746005fe88b48e1243f16a1d3d0187000c98afbb7822189259a7abf
Instruction Fuzzy Hash: BA716D76A08B4286FB10CB28E8446AA7BA4FB457E5F540235DB6D477D5EF3CE046CB08

Function 00007FF8B8F74A6D Relevance: 7.6, APIs: 5, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Part of subcall function 00007FF8B8F71C40: LoadLibraryExW.KERNELBASE ref: 00007FF8B8F71C8C
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CC3
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CFA
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D31
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D68
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D9F
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71DD6
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71E0D

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$CloseCountHeapLibraryLoadModuleMutexOpenProcessSleepTick
String ID:
API String ID: 2080402659-0
Opcode ID: db2c93b9a8bb71eed27fe1124890a34b3e5ad34da3d0b448050d87d654aa9ec2
Instruction ID: 5098299e27a22b2134553d17dd927486f1ad54bfca953a40a4f944f1dc131b1e
Opcode Fuzzy Hash: db2c93b9a8bb71eed27fe1124890a34b3e5ad34da3d0b448050d87d654aa9ec2
Instruction Fuzzy Hash: 79618F35A08B428AFB50DB28E4446AE7BA4FB457D6F500235DB5D47795EF3CE046CB08

Function 00007FF8B8F7497C Relevance: 7.6, APIs: 5, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8B8F73020: GetModuleHandleW.KERNEL32 ref: 00007FF8B8F730ED

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Part of subcall function 00007FF8B8F71C40: LoadLibraryExW.KERNELBASE ref: 00007FF8B8F71C8C
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CC3
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CFA
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D31
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D68
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D9F
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71DD6
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71E0D

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$Module$CloseCountHeapLibraryLoadMutexOpenProcessSleepTick
String ID:
API String ID: 2321454388-0
Opcode ID: ea4f16c014b59073cc8f5d6b610da928ceb4e233ce794afe2b6dee2f5f9978f3
Instruction ID: 9bcb00d82924ccdcfafed82a53993acf99e3e176337de8dad24e1ef450fbe71d
Opcode Fuzzy Hash: ea4f16c014b59073cc8f5d6b610da928ceb4e233ce794afe2b6dee2f5f9978f3
Instruction Fuzzy Hash: D3517B75A08B428AFB10DB29E8446BA7BA4FB897C6F500135DB5D43795EF3CE046CB08

Function 00007FF8B8F749A3 Relevance: 7.6, APIs: 5, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Part of subcall function 00007FF8B8F71C40: LoadLibraryExW.KERNELBASE ref: 00007FF8B8F71C8C
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CC3
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CFA
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D31
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D68
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D9F
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71DD6
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71E0D

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$CloseCountHeapLibraryLoadModuleMutexOpenProcessSleepTick
String ID:
API String ID: 2080402659-0
Opcode ID: 7a580459977b9964d557fef637bfe6f08bfa79b23d7ecff0e220c8c46af59cf3
Instruction ID: a0fb654b43c1078dd3888a323d9df8d0c7916a158eec84093aadf03359e39556
Opcode Fuzzy Hash: 7a580459977b9964d557fef637bfe6f08bfa79b23d7ecff0e220c8c46af59cf3
Instruction Fuzzy Hash: 60517B75A08B428AFB10DB29E8446BA7BA4FB897C6F500135DB5D43795EF3CE046CB08

Function 00007FF8B8F749CA Relevance: 7.6, APIs: 5, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8B8F73F30: CreatePipe.KERNEL32 ref: 00007FF8B8F73F90
Part of subcall function 00007FF8B8F73F30: SetHandleInformation.KERNEL32 ref: 00007FF8B8F73FB2
Part of subcall function 00007FF8B8F73F30: sprintf_s.LIBCMTD ref: 00007FF8B8F7406B
Part of subcall function 00007FF8B8F73F30: GetCurrentDirectoryW.KERNEL32 ref: 00007FF8B8F74084
Part of subcall function 00007FF8B8F73F30: CreateProcessW.KERNEL32 ref: 00007FF8B8F740C9
Part of subcall function 00007FF8B8F73F30: WaitForSingleObject.KERNEL32 ref: 00007FF8B8F740E1

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Part of subcall function 00007FF8B8F71C40: LoadLibraryExW.KERNELBASE ref: 00007FF8B8F71C8C
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CC3
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CFA
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D31
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D68
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D9F
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71DD6
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71E0D

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$CreateProcess$CloseCountCurrentDirectoryHeapInformationLibraryLoadModuleMutexObjectOpenPipeSingleSleepTickWaitsprintf_s
String ID:
API String ID: 3732969655-0
Opcode ID: ba4f6bc2ec75780c302ac81e3c307eb0cf5cf99330ae4b9c9c1729213cce2c26
Instruction ID: dd6f2836ad70c29b0f4ff27df054c65444df54a87dafde9f7a96362f38dd4311
Opcode Fuzzy Hash: ba4f6bc2ec75780c302ac81e3c307eb0cf5cf99330ae4b9c9c1729213cce2c26
Instruction Fuzzy Hash: D6517D35A08B428AFB10DB29E8446BA7BA4FB497D6F540135DB5D43796EF3CE046CB08

Function 00007FF8B8F748E2 Relevance: 7.6, APIs: 5, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8B8F72C40: WSAStartup.WS2_32 ref: 00007FF8B8F72C84
Part of subcall function 00007FF8B8F72C40: gethostname.WS2_32 ref: 00007FF8B8F72C95
Part of subcall function 00007FF8B8F72C40: gethostbyname.WS2_32 ref: 00007FF8B8F72CA4
Part of subcall function 00007FF8B8F72C40: GetModuleHandleW.KERNEL32 ref: 00007FF8B8F72CBF
Part of subcall function 00007FF8B8F72C40: inet_ntoa.WS2_32 ref: 00007FF8B8F72CC7
Part of subcall function 00007FF8B8F72C40: RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F72D1B
Part of subcall function 00007FF8B8F72C40: RegEnumKeyExW.ADVAPI32 ref: 00007FF8B8F72D69
Part of subcall function 00007FF8B8F72C40: RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F72D9F
Part of subcall function 00007FF8B8F72C40: RegQueryValueExW.ADVAPI32 ref: 00007FF8B8F72DD2
Part of subcall function 00007FF8B8F72C40: RegCloseKey.ADVAPI32 ref: 00007FF8B8F72DE1

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Part of subcall function 00007FF8B8F71C40: LoadLibraryExW.KERNELBASE ref: 00007FF8B8F71C8C
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CC3
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CFA
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D31
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D68
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D9F
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71DD6
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71E0D

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleOpen$CloseModule$CountEnumHeapLibraryLoadMutexProcessQuerySleepStartupTickValuegethostbynamegethostnameinet_ntoa
String ID:
API String ID: 51037661-0
Opcode ID: a6862768191938aedb4d2179c42331d9c76e41a9b2bf2ef8ecb1b2155ce9b823
Instruction ID: f23bdbeb398522aae3dabb59c8de0d246e9af4346d03c1739aff4f5e09301911
Opcode Fuzzy Hash: a6862768191938aedb4d2179c42331d9c76e41a9b2bf2ef8ecb1b2155ce9b823
Instruction Fuzzy Hash: 3D517C35A08B428AFB10DB29E8446BA7BA4FB497D6F500135DB5D43795EF3CE046CB08

Function 00007FF8B8F74C35 Relevance: 7.6, APIs: 5, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8B8F768A0: LoadLibraryW.KERNEL32 ref: 00007FF8B8F768E5
Part of subcall function 00007FF8B8F768A0: GetProcAddress.KERNEL32 ref: 00007FF8B8F7690B
Part of subcall function 00007FF8B8F768A0: GetTempPathW.KERNEL32 ref: 00007FF8B8F76928
Part of subcall function 00007FF8B8F768A0: GetTempFileNameW.KERNEL32 ref: 00007FF8B8F76946
Part of subcall function 00007FF8B8F768A0: DeleteFileW.KERNEL32 ref: 00007FF8B8F76953
Part of subcall function 00007FF8B8F768A0: GetTempFileNameW.KERNEL32 ref: 00007FF8B8F76990
Part of subcall function 00007FF8B8F768A0: DeleteFileW.KERNEL32 ref: 00007FF8B8F7699A

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: File$Temp$DeleteHandleName$AddressCloseCountHeapLibraryLoadModuleMutexOpenPathProcProcessSleepTick
String ID:
API String ID: 3639944527-0
Opcode ID: 8d719ceab6d8d7e53d0274f050039b4cfc6d783270bfcb1f42072c3fd141ad19
Instruction ID: 423ddef2ae812d922c60b698abf495386a2aee596d2426fdbb51fb2c366e80ab
Opcode Fuzzy Hash: 8d719ceab6d8d7e53d0274f050039b4cfc6d783270bfcb1f42072c3fd141ad19
Instruction Fuzzy Hash: 67517935A08A4286FB10DB69E8046B97BA0FF487D6F944135DB5E47796EF3CE046CB08

Function 00007FF8B8F74C96 Relevance: 7.6, APIs: 5, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8B8F722D0: LoadLibraryW.KERNEL32 ref: 00007FF8B8F722F9
Part of subcall function 00007FF8B8F722D0: GetProcAddress.KERNEL32 ref: 00007FF8B8F7231F
Part of subcall function 00007FF8B8F722D0: GetProcAddress.KERNEL32 ref: 00007FF8B8F72345
Part of subcall function 00007FF8B8F722D0: GetProcAddress.KERNEL32 ref: 00007FF8B8F7236B
Part of subcall function 00007FF8B8F722D0: GetModuleFileNameW.KERNEL32 ref: 00007FF8B8F72396
Part of subcall function 00007FF8B8F722D0: DeleteFileW.KERNEL32 ref: 00007FF8B8F723D6

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$FileHandleModule$CloseCountDeleteHeapLibraryLoadMutexNameOpenProcessSleepTick
String ID:
API String ID: 2411591737-0
Opcode ID: aaccbc2ed6a62b374cf1b3482786e29b781fb4819d4d040a4fe17441c6d66a16
Instruction ID: c07390a47ea27b1240efdeca9b0d064ed6ad61f937c79de1f2a5a3271df93627
Opcode Fuzzy Hash: aaccbc2ed6a62b374cf1b3482786e29b781fb4819d4d040a4fe17441c6d66a16
Instruction Fuzzy Hash: 8C419D75A08A428AFB10DB28E8446B93BA0FF487D6F944135DB5E43795EF3CE046CB08

Function 00007FF8B8F71900 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF8B8F71374), ref: 00007FF8B8F7191C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF8B8F71374), ref: 00007FF8B8F71942
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF8B8F71960

Strings

@, xrefs: 00007FF8B8F71958

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressGlobalHandleMemoryModuleProcStatus
String ID: @
API String ID: 2450578220-2766056989
Opcode ID: 0afb79ebcdfbdeb580ecc7f8eacd47776bfb190c1650612288748f96ddd47335
Instruction ID: 8c18079f3eff54cbbc5144aef34919e6b081c41ac2bb865215fa1ce8e2ceffa7
Opcode Fuzzy Hash: 0afb79ebcdfbdeb580ecc7f8eacd47776bfb190c1650612288748f96ddd47335
Instruction Fuzzy Hash: 9DF06D25B18A4682FE10EB6AF8140695790AF88BC1F880134DB4D47756FF2CD0868B08

Function 00007FF8B8F721E0 Relevance: 6.1, APIs: 4, Instructions: 61
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32(?,?,?,00007FF8B8F71383), ref: 00007FF8B8F7220A
CreateMutexExW.KERNELBASE(?,?,?,00007FF8B8F71383), ref: 00007FF8B8F72217
GetLastError.KERNEL32(?,?,?,00007FF8B8F71383), ref: 00007FF8B8F72229
CloseHandle.KERNEL32(?,?,?,00007FF8B8F71383), ref: 00007FF8B8F722A8

Part of subcall function 00007FF8B8F77BB0: LoadLibraryW.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77BDF
Part of subcall function 00007FF8B8F77BB0: GetProcAddress.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C16
Part of subcall function 00007FF8B8F77BB0: LoadLibraryW.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C46
Part of subcall function 00007FF8B8F77BB0: GetProcAddress.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C7D
Part of subcall function 00007FF8B8F77BB0: GetCommandLineW.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C92
Part of subcall function 00007FF8B8F77BB0: CommandLineToArgvW.SHELL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77CA0
Part of subcall function 00007FF8B8F77BB0: LocalFree.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77D0E

Part of subcall function 00007FF8B8F75670: CreateMutexW.KERNEL32 ref: 00007FF8B8F756A5
Part of subcall function 00007FF8B8F75670: Sleep.KERNEL32 ref: 00007FF8B8F756B8
Part of subcall function 00007FF8B8F75670: CloseHandle.KERNEL32 ref: 00007FF8B8F756C1
Part of subcall function 00007FF8B8F75670: Sleep.KERNEL32 ref: 00007FF8B8F7570F
Part of subcall function 00007FF8B8F75670: GetTickCount.KERNEL32 ref: 00007FF8B8F75715
Part of subcall function 00007FF8B8F75670: rand.LIBCMT ref: 00007FF8B8F75722

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressCloseCommandCreateErrorHandleLastLibraryLineLoadMutexProcSleep$ArgvCountFreeLocalTickrand
String ID:
API String ID: 1739745066-0
Opcode ID: 007474db8946118fe8e355bdae2cebbab7dfe6101b2419ff64d7ce1083001067
Instruction ID: 75e161c0aabb86457b677a467edbd0a1ede9e01255a185c48bbec72c12b15736
Opcode Fuzzy Hash: 007474db8946118fe8e355bdae2cebbab7dfe6101b2419ff64d7ce1083001067
Instruction Fuzzy Hash: 4A215E38E1CE43C1FB44AB6AA91157E5A916F49BC2F540034EF1E86797EF2CE4038368

Function 00007FF8B8F71870 Relevance: 6.0, APIs: 4, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8B8F71354), ref: 00007FF8B8F7188C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8B8F71354), ref: 00007FF8B8F718B2
GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF8B8F71354), ref: 00007FF8B8F718CD
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8B8F71354), ref: 00007FF8B8F718DE

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID:
API String ID: 3433367815-0
Opcode ID: ecfc0f5c20cdda23f03c0372d60a1f9a9daa0108346c0d72a78978d45894affb
Instruction ID: b77935c7d2b104ce4a793f902e8256f6882d6b7d0e2b15a05137694a24b8741b
Opcode Fuzzy Hash: ecfc0f5c20cdda23f03c0372d60a1f9a9daa0108346c0d72a78978d45894affb
Instruction Fuzzy Hash: 32F06D35B18A4693FA00EB5AF904479A3A1BF8CFD2F980034DB4D47756FF2CE4468608

Function 00007FF8B8F715B0 Relevance: 3.0, APIs: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F715DB
GetProcAddress.KERNEL32 ref: 00007FF8B8F71615

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 504d3d5ea27a1ec0ca3ae44b2ac06d5499e97c70d6572123b3758e013bd21691
Instruction ID: 154f2c3a508cefc5e05b4116ca704692a84f4df964a650f44af894f5136a19c6
Opcode Fuzzy Hash: 504d3d5ea27a1ec0ca3ae44b2ac06d5499e97c70d6572123b3758e013bd21691
Instruction Fuzzy Hash: 8D110938E19E4381FA50AB59EC553B923A0BF897C6F880135DB4D477A2EF2CE546C708

Function 00007FF8B8F71AD0 Relevance: 3.0, APIs: 2, Instructions: 18threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF8B8F71AF4
CloseHandle.KERNELBASE(?,?,?,?,?,?,00007FF8B8F78B86), ref: 00007FF8B8F71B02

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: 8cfc052431e2fe914d99a1079fcf1934225668cbea66fe8ac47fcc2c739b686d
Instruction ID: 99fa90b4846c9faa71a63c859da71c4e0f5fe6398e456d3325b98b7f88c6bfcd
Opcode Fuzzy Hash: 8cfc052431e2fe914d99a1079fcf1934225668cbea66fe8ac47fcc2c739b686d
Instruction Fuzzy Hash: 8FE04F35E09B8282FB24CF59A8011A52B60FB88786F904135DB4D02760FF3CD24AC608

Function 00007FF8B8F71300 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B8F715B0: LoadLibraryW.KERNEL32 ref: 00007FF8B8F715DB
Part of subcall function 00007FF8B8F715B0: GetProcAddress.KERNEL32 ref: 00007FF8B8F71615

SHGetFolderPathW.SHELL32 ref: 00007FF8B8F7132C

Part of subcall function 00007FF8B8F713A0: LoadLibraryW.KERNEL32 ref: 00007FF8B8F713D7
Part of subcall function 00007FF8B8F713A0: GetProcAddress.KERNEL32 ref: 00007FF8B8F7140E
Part of subcall function 00007FF8B8F713A0: GetProcAddress.KERNEL32 ref: 00007FF8B8F71445
Part of subcall function 00007FF8B8F713A0: GetProcAddress.KERNEL32 ref: 00007FF8B8F7147C
Part of subcall function 00007FF8B8F713A0: sprintf_s.LIBCMTD ref: 00007FF8B8F714B3
Part of subcall function 00007FF8B8F713A0: FindFirstFileW.KERNELBASE ref: 00007FF8B8F714CD

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad$FileFindFirstFolderPathsprintf_s
String ID:
API String ID: 2295756454-0
Opcode ID: a93a366b1067c516a2c5388df4c4fc0c196fb9a44ef68532cc3e3670074d5784
Instruction ID: 386350eb8558547e718e9a000638b24d38bb2ca6794d0eb976a53d3ae8677c0b
Opcode Fuzzy Hash: a93a366b1067c516a2c5388df4c4fc0c196fb9a44ef68532cc3e3670074d5784
Instruction Fuzzy Hash: C3011639D1CD4381FAA06E78A4857B81A609F5A3C3F540431E74EC5B879F2CE1DF4519

Function 00007FF8B8F7C558 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_calloc_impl.LIBCMT ref: 00007FF8B8F7C586

Part of subcall function 00007FF8B8F7FA44: _errno.LIBCMT ref: 00007FF8B8F7FA67

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: _calloc_impl_errno
String ID:
API String ID: 4065619757-0
Opcode ID: 538fe93ea9992acf1591b26f960fc3ac031700773fee56e07433acb565dd0874
Instruction ID: 6957ef955194ed8759fe5b74481974bf897bbfb590ee9980f6fd7f43bc4d369c
Opcode Fuzzy Hash: 538fe93ea9992acf1591b26f960fc3ac031700773fee56e07433acb565dd0874
Instruction Fuzzy Hash: A701D635B14B8089F7949F1A98900297A64EB98FC1F541135DF4D03B95DF3DE4828708

Function 00007FF8B8F71C10 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE ref: 00007FF8B8F71C25

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 354914485c76ce71eee5e368870040763071e6f1620a4b606cf0e1d3c0a82ec0
Instruction ID: 251f6b985fdd83e0768b098e524a4cb8f51b03ab69dd68d72f4390c381ee9db8
Opcode Fuzzy Hash: 354914485c76ce71eee5e368870040763071e6f1620a4b606cf0e1d3c0a82ec0
Instruction Fuzzy Hash: 03D09239D0A64BC7F7941B49EC9876426A1AB953A6F904034C209013E08F3C68DACA4D

Non-executed Functions

Function 00007FF8B8F73F30 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 311pipesleepprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 00007FF8B8F73F90
SetHandleInformation.KERNEL32 ref: 00007FF8B8F73FB2

Part of subcall function 00007FF8B8F725B0: MultiByteToWideChar.KERNEL32 ref: 00007FF8B8F725DB
Part of subcall function 00007FF8B8F725B0: MultiByteToWideChar.KERNEL32 ref: 00007FF8B8F72614

sprintf_s.LIBCMTD ref: 00007FF8B8F7406B
GetCurrentDirectoryW.KERNEL32 ref: 00007FF8B8F74084
CreateProcessW.KERNEL32 ref: 00007FF8B8F740C9
WaitForSingleObject.KERNEL32 ref: 00007FF8B8F740E1
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F740FB
PeekNamedPipe.KERNEL32 ref: 00007FF8B8F7411D
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F7413E
Sleep.KERNEL32 ref: 00007FF8B8F7414E
PeekNamedPipe.KERNEL32 ref: 00007FF8B8F74172
GetCurrentDirectoryW.KERNEL32 ref: 00007FF8B8F74198
ReadFile.KERNEL32 ref: 00007FF8B8F742A0
TerminateProcess.KERNEL32 ref: 00007FF8B8F743CB
CloseHandle.KERNEL32 ref: 00007FF8B8F743D6
CloseHandle.KERNEL32 ref: 00007FF8B8F743E1
CloseHandle.KERNEL32 ref: 00007FF8B8F74418
CloseHandle.KERNEL32 ref: 00007FF8B8F74423

Strings

2, xrefs: 00007FF8B8F74144

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: Handle$Close$Pipe$ByteCharCreateCurrentDirectoryModuleMultiNamedPeekProcessWide$FileInformationObjectReadSingleSleepTerminateWaitsprintf_s
String ID: 2
API String ID: 1694488271-450215437
Opcode ID: 38a6ae005b0e439cb8ec2566f9d1b37c37a108df72dff2e15824a6651920a5ee
Instruction ID: f430dc10ef01cf7b7c3b0d4fa6621abf3305f541fb42c6e3b4cf6f0e2a3a46fc
Opcode Fuzzy Hash: 38a6ae005b0e439cb8ec2566f9d1b37c37a108df72dff2e15824a6651920a5ee
Instruction Fuzzy Hash: 39E1B236A08B8286FB50DF69E8406AA7BA0FB98BC5F444134DB4D47B95EF3CD106CB44

Function 00007FF8B8F768A0 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 258filelibraryprocessCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F768E5
GetProcAddress.KERNEL32 ref: 00007FF8B8F7690B
GetTempPathW.KERNEL32 ref: 00007FF8B8F76928
GetTempFileNameW.KERNEL32 ref: 00007FF8B8F76946
DeleteFileW.KERNEL32 ref: 00007FF8B8F76953
GetTempFileNameW.KERNEL32 ref: 00007FF8B8F76990
DeleteFileW.KERNEL32 ref: 00007FF8B8F7699A
GetSystemDirectoryW.KERNEL32 ref: 00007FF8B8F76ABB
sprintf_s.LIBCMTD ref: 00007FF8B8F76AF8
CreateProcessW.KERNEL32 ref: 00007FF8B8F76CA0
CloseHandle.KERNEL32 ref: 00007FF8B8F76CAF
CloseHandle.KERNEL32 ref: 00007FF8B8F76CBA
DeleteFileW.KERNEL32 ref: 00007FF8B8F76CCB

Strings

dat, xrefs: 00007FF8B8F76935, 00007FF8B8F7697F
h, xrefs: 00007FF8B8F76BCA
%ls\%ls "%ls",, xrefs: 00007FF8B8F76AD4

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: File$DeleteTemp$CloseHandleName$AddressCreateDirectoryLibraryLoadPathProcProcessSystemsprintf_s
String ID: %ls\%ls "%ls",$dat$h
API String ID: 2143415541-650927715
Opcode ID: 67e320bd700a9eddc28fe40f1a4a6760eb798dc9e6c7093fe6d0b7cac3e57d15
Instruction ID: e476a8ccf32b9a0c2ffad4f229dc961d141f21b4355412b50775a805fc23a1d1
Opcode Fuzzy Hash: 67e320bd700a9eddc28fe40f1a4a6760eb798dc9e6c7093fe6d0b7cac3e57d15
Instruction Fuzzy Hash: A8C16A76A18A8295EB10DF68D8516B977B0FB84B8AF848136DB0D43795EF3CD14AC344

Function 00007FF8B8F72C40 Relevance: 22.7, APIs: 15, Instructions: 238registrynetworkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF8B8F72C84
gethostname.WS2_32 ref: 00007FF8B8F72C95
gethostbyname.WS2_32 ref: 00007FF8B8F72CA4
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F72CBF
inet_ntoa.WS2_32 ref: 00007FF8B8F72CC7
RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F72D1B
RegEnumKeyExW.ADVAPI32 ref: 00007FF8B8F72D69
RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F72D9F
RegQueryValueExW.ADVAPI32 ref: 00007FF8B8F72DD2
RegCloseKey.ADVAPI32 ref: 00007FF8B8F72DE1
RegEnumKeyExW.ADVAPI32 ref: 00007FF8B8F72E18
RegCloseKey.ADVAPI32 ref: 00007FF8B8F72E3E
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF8B8F72E57
WideCharToMultiByte.KERNEL32 ref: 00007FF8B8F72E8E
WideCharToMultiByte.KERNEL32 ref: 00007FF8B8F72ED4

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: ByteCharCloseEnumMultiOpenWide$GlobalHandleMemoryModuleQueryStartupStatusValuegethostbynamegethostnameinet_ntoa
String ID:
API String ID: 2767472909-0
Opcode ID: 54ecd7c7871a8d545fae399a6e3bd0531385e3487ea1baadf868db1cd637cb4e
Instruction ID: 9df8895f0c29a8534eef1ac941decb35fc02e6a637df8998cbbd2fb9ddbda110
Opcode Fuzzy Hash: 54ecd7c7871a8d545fae399a6e3bd0531385e3487ea1baadf868db1cd637cb4e
Instruction Fuzzy Hash: 7FB19536608B8286E720CF29E8406AEBBA4FB887D5F444135DB9E47B98DF3CD146C704

Function 00007FF8B8F77740 Relevance: 22.6, APIs: 15, Instructions: 101memorycomCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 00007FF8B8F77759
CoCreateInstance.OLE32 ref: 00007FF8B8F77791
VariantInit.OLEAUT32 ref: 00007FF8B8F777A4
VariantInit.OLEAUT32 ref: 00007FF8B8F777AF
VariantInit.OLEAUT32 ref: 00007FF8B8F777BA
VariantInit.OLEAUT32 ref: 00007FF8B8F777C5
SysAllocString.OLEAUT32 ref: 00007FF8B8F7784C
SysAllocString.OLEAUT32 ref: 00007FF8B8F7786E
SysFreeString.OLEAUT32 ref: 00007FF8B8F7788E
SysFreeString.OLEAUT32 ref: 00007FF8B8F77897
VariantClear.OLEAUT32 ref: 00007FF8B8F778AA
VariantClear.OLEAUT32 ref: 00007FF8B8F778B5
VariantClear.OLEAUT32 ref: 00007FF8B8F778C0
VariantClear.OLEAUT32 ref: 00007FF8B8F778CB
CoUninitialize.OLE32 ref: 00007FF8B8F778DB

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: Variant$ClearInitString$AllocFree$CreateInitializeInstanceUninitialize
String ID:
API String ID: 2615526013-0
Opcode ID: a3ed77044e1bac965df96e1fa07373414ce81337b406c852ab00482a6af9236a
Instruction ID: 02edc5a0e0baa79b982aa1e729eefc600e18a54f6efcd5c3fcd4755926d92af2
Opcode Fuzzy Hash: a3ed77044e1bac965df96e1fa07373414ce81337b406c852ab00482a6af9236a
Instruction Fuzzy Hash: D5512C32A18E96C6EB01CF79E8445A96371FB89BCAF504121EB4E52625EF38D18AC704

Function 00007FF8B8F75E70 Relevance: 21.3, APIs: 14, Instructions: 270libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F75EA2
GetProcAddress.KERNEL32 ref: 00007FF8B8F75ED9
LoadLibraryW.KERNEL32 ref: 00007FF8B8F75F09
GetProcAddress.KERNEL32 ref: 00007FF8B8F75F40
LoadLibraryW.KERNEL32 ref: 00007FF8B8F75F70
GetProcAddress.KERNEL32 ref: 00007FF8B8F75FA7
GetProcAddress.KERNEL32 ref: 00007FF8B8F75FDE
GetProcAddress.KERNEL32 ref: 00007FF8B8F76015
GetProcAddress.KERNEL32 ref: 00007FF8B8F7604C
GetProcAddress.KERNEL32 ref: 00007FF8B8F76083
GetProcAddress.KERNEL32 ref: 00007FF8B8F760BA
GetProcAddress.KERNEL32 ref: 00007FF8B8F760F1
LoadLibraryW.KERNEL32 ref: 00007FF8B8F76121
GetProcAddress.KERNEL32 ref: 00007FF8B8F76158

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 608d2bcb61eb91b858a4f29967afd084a0e5ad2accde1eab9e887eeda7ded303
Instruction ID: 210e738a05f5865d06c9217709ccf69dccc03417a842436caf9bfe7f72acd8c0
Opcode Fuzzy Hash: 608d2bcb61eb91b858a4f29967afd084a0e5ad2accde1eab9e887eeda7ded303
Instruction Fuzzy Hash: A3D10B39A0AE0785FB50EBAAE9545B927A1AF84BD6F440035CB0E47756EF3CE446C348

Function 00007FF8B8F75160 Relevance: 18.3, APIs: 12, Instructions: 307fileCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF8B8F75336
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF8B8F75350
GetFileAttributesW.KERNEL32 ref: 00007FF8B8F75457
DeleteFileW.KERNEL32 ref: 00007FF8B8F75467
GetFileAttributesW.KERNEL32 ref: 00007FF8B8F75474
DeleteFileW.KERNEL32 ref: 00007FF8B8F75486
GetFileAttributesW.KERNEL32 ref: 00007FF8B8F75598
DeleteFileW.KERNEL32 ref: 00007FF8B8F755A8
GetFileAttributesW.KERNEL32 ref: 00007FF8B8F755B5
DeleteFileW.KERNEL32 ref: 00007FF8B8F755C7
RemoveDirectoryW.KERNEL32 ref: 00007FF8B8F755D4
RemoveDirectoryW.KERNEL32 ref: 00007FF8B8F755E1

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: File$AttributesDelete$DirectoryEnvironmentExpandRemoveStrings
String ID:
API String ID: 4255994873-0
Opcode ID: e546ce504db48212e5272dbf9f723b57ca87e23394bff795ec25ce4fdcdf01af
Instruction ID: 15d9fb48b400d1ade76ad7fb5511b336046f3c8e38192025e661308e3b402202
Opcode Fuzzy Hash: e546ce504db48212e5272dbf9f723b57ca87e23394bff795ec25ce4fdcdf01af
Instruction Fuzzy Hash: 7DE16A7A62498285EB60DF28D4512BD7771FB94B8AFD49132DB0E472A0EF38D24BC314

Function 00007FF8B8F73170 Relevance: 13.8, APIs: 9, Instructions: 332registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F731C0

Part of subcall function 00007FF8B8F75980: GetProcessHeap.KERNEL32(?,?,?,00007FF8B8F767BF), ref: 00007FF8B8F75989

RegEnumKeyExW.ADVAPI32 ref: 00007FF8B8F73291
RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F732C2
RegQueryValueExW.ADVAPI32 ref: 00007FF8B8F732FE

Part of subcall function 00007FF8B8F72500: WideCharToMultiByte.KERNEL32 ref: 00007FF8B8F72535
Part of subcall function 00007FF8B8F72500: WideCharToMultiByte.KERNEL32 ref: 00007FF8B8F72578

RegQueryValueExW.ADVAPI32 ref: 00007FF8B8F733EE
RegQueryValueExW.ADVAPI32 ref: 00007FF8B8F734D0
RegCloseKey.ADVAPI32 ref: 00007FF8B8F73595
RegEnumKeyExW.ADVAPI32 ref: 00007FF8B8F735D4
RegCloseKey.ADVAPI32 ref: 00007FF8B8F73653

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: QueryValue$ByteCharCloseEnumMultiOpenWide$HeapProcess
String ID:
API String ID: 2740835775-0
Opcode ID: 469f3e7d77bf945a5d21d899bc956f286afaa66563636dd96b4698f720f0fc5d
Instruction ID: 8336b00e354fb264ca594377b7cadca0c623f0a3b61375c82af38989fdccfb35
Opcode Fuzzy Hash: 469f3e7d77bf945a5d21d899bc956f286afaa66563636dd96b4698f720f0fc5d
Instruction Fuzzy Hash: 21F18C76A08BC295EB60CF29E4403A9BBA1FB85789F884135CB8D47795EF3DD10AC714

Function 00007FF8B8F75980 Relevance: 1.3, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF8B8F767BF), ref: 00007FF8B8F75989

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: f2239b6c7c65b7681f7147bf219d47c8a1c53c4d007d25a0176d686ccf38a12f
Instruction ID: a89b52882091ccc7674be9833906afcd31301c0f45a22662bb001d119eca5891
Opcode Fuzzy Hash: f2239b6c7c65b7681f7147bf219d47c8a1c53c4d007d25a0176d686ccf38a12f
Instruction Fuzzy Hash: 67C08CA1E25A05C2EB54079268116600250A71CFC2F085030CF0C06302AE2C80C64704

Function 00007FF8B8F71990 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce9d91ef6712de882bb66c4feffc82626b6abde2748bdc3da009eb6c5ce1676
Instruction ID: 23ff725af1575ae553eff0502051686949b978247ae59f646e323fddef1363e3
Opcode Fuzzy Hash: 1ce9d91ef6712de882bb66c4feffc82626b6abde2748bdc3da009eb6c5ce1676
Instruction Fuzzy Hash: 3811653B330916076B4D853D9833DB81292C7D66057C9F73DED4ACA785DA2A441A8305

Function 00007FF8B8F763E0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 172libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F76404
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F7643B
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F76472
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F764A9
LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F764D9
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F76510
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F76547
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F7657E
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F765B5
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F765EC

Strings

, xrefs: 00007FF8B8F7667D

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-3916222277
Opcode ID: a37ed814ba2cf336e4cbddf834b1582fd7b3911756c1b499f3e3b000daf6ff87
Instruction ID: ad74d7a48778b79c03e2b27785fa0a212a2385b7f7cdbf85e8bdce3ec17e3554
Opcode Fuzzy Hash: a37ed814ba2cf336e4cbddf834b1582fd7b3911756c1b499f3e3b000daf6ff87
Instruction Fuzzy Hash: 3C81DC35A09E4281FE51EB59EC1457967A1BF89BE2F440039DB4E86B62EF3CE057834C

Function 00007FF8B8F7B0EC Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,00000000,00007FF8B8F78A17,?,?,?,00007FF8B8F78BDB), ref: 00007FF8B8F7B0FD
free.LIBCMT ref: 00007FF8B8F7B11A

Part of subcall function 00007FF8B8F7BD68: HeapFree.KERNEL32(?,?,00000000,00007FF8B8F79E06,?,?,0000000D,00007FF8B8F79BA1,?,?,?,?,00007FF8B8F7F956,?,?,0000000D), ref: 00007FF8B8F7BD7E
Part of subcall function 00007FF8B8F7BD68: _errno.LIBCMT ref: 00007FF8B8F7BD88
Part of subcall function 00007FF8B8F7BD68: GetLastError.KERNEL32(?,?,00000000,00007FF8B8F79E06,?,?,0000000D,00007FF8B8F79BA1,?,?,?,?,00007FF8B8F7F956,?,?,0000000D), ref: 00007FF8B8F7BD90

free.LIBCMT ref: 00007FF8B8F7B12F
free.LIBCMT ref: 00007FF8B8F7B150
free.LIBCMT ref: 00007FF8B8F7B165
free.LIBCMT ref: 00007FF8B8F7B179
free.LIBCMT ref: 00007FF8B8F7B185
free.LIBCMT ref: 00007FF8B8F7B1B0
EncodePointer.KERNEL32(?,?,00000000,00007FF8B8F78A17,?,?,?,00007FF8B8F78BDB), ref: 00007FF8B8F7B1B8
free.LIBCMT ref: 00007FF8B8F7B1D1
free.LIBCMT ref: 00007FF8B8F7B1EA
free.LIBCMT ref: 00007FF8B8F7B21B

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: d50e3eed459c5a564bc60c06b1be1ee3dad7a8f450d3f2393c249fb5f7f75772
Instruction ID: 4503d5acddc58e6bc9e80e6fb1d148412a098c8f71c2690a4354c7310eeeb1ec
Opcode Fuzzy Hash: d50e3eed459c5a564bc60c06b1be1ee3dad7a8f450d3f2393c249fb5f7f75772
Instruction Fuzzy Hash: B4312A3AE0EE0381FE55AB1DE8543782651AF86BD7F480136DB1D463A6DF6DE442C308

Function 00007FF8B8F7DDF4 Relevance: 16.3, APIs: 13, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF8B8F7DE12

Part of subcall function 00007FF8B8F7BD68: HeapFree.KERNEL32(?,?,00000000,00007FF8B8F79E06,?,?,0000000D,00007FF8B8F79BA1,?,?,?,?,00007FF8B8F7F956,?,?,0000000D), ref: 00007FF8B8F7BD7E
Part of subcall function 00007FF8B8F7BD68: _errno.LIBCMT ref: 00007FF8B8F7BD88
Part of subcall function 00007FF8B8F7BD68: GetLastError.KERNEL32(?,?,00000000,00007FF8B8F79E06,?,?,0000000D,00007FF8B8F79BA1,?,?,?,?,00007FF8B8F7F956,?,?,0000000D), ref: 00007FF8B8F7BD90

free.LIBCMT ref: 00007FF8B8F7DE24
free.LIBCMT ref: 00007FF8B8F7DE36
free.LIBCMT ref: 00007FF8B8F7DE48
free.LIBCMT ref: 00007FF8B8F7DE5A
free.LIBCMT ref: 00007FF8B8F7DE6C
free.LIBCMT ref: 00007FF8B8F7DE7E
free.LIBCMT ref: 00007FF8B8F7DE90
free.LIBCMT ref: 00007FF8B8F7DEA2
free.LIBCMT ref: 00007FF8B8F7DEB4
free.LIBCMT ref: 00007FF8B8F7DEC9
free.LIBCMT ref: 00007FF8B8F7DEDE
free.LIBCMT ref: 00007FF8B8F7DEF3

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: a8b2a289d4c0a6b6613f778cf812589fef98729b94d43987965d83073c14ea8e
Instruction ID: 31eca4e0ae780ae0f15ca5d4b402b87cbe1f69c3b2ff23325ae3f7e0c4cb8356
Opcode Fuzzy Hash: a8b2a289d4c0a6b6613f778cf812589fef98729b94d43987965d83073c14ea8e
Instruction Fuzzy Hash: 16319B36E09C0291FAA1EB69D8654781761AFD1BC6F840033D70E96795DF6DF882C329

Function 00007FF8B8F77470 Relevance: 15.1, APIs: 10, Instructions: 115libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F774A2
GetProcAddress.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F774DA
GetProcAddress.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F77512
GetProcAddress.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F7754A
LoadLibraryW.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F7757B
GetProcAddress.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F775B3
GetProcAddress.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F775EB
GetProcAddress.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F77623
LoadLibraryW.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F77654
GetProcAddress.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F7768C

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 0e2ac940d25909e8ea2453ce127a0fa38817dae2df4a139c0689f8913fe7d8ff
Instruction ID: b07e31325a2bdee42e2b46cead6ba03d37e641823f8ebc31b335a1c6e5c32501
Opcode Fuzzy Hash: 0e2ac940d25909e8ea2453ce127a0fa38817dae2df4a139c0689f8913fe7d8ff
Instruction Fuzzy Hash: 71517538D19E03C5FE50EF59EC6577567A0AF89BD6F440039DA4D86362EF3CE0468608

Function 00007FF8B8F74DC0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F74DFC
GetProcAddress.KERNEL32 ref: 00007FF8B8F74E22
GetProcAddress.KERNEL32 ref: 00007FF8B8F74E48
LoadLibraryW.KERNEL32 ref: 00007FF8B8F74E6B
GetProcAddress.KERNEL32 ref: 00007FF8B8F74E91
GetModuleFileNameW.KERNEL32 ref: 00007FF8B8F74FAC
sprintf_s.LIBCMTD ref: 00007FF8B8F75016

Strings

"%ls",%ls %ls, xrefs: 00007FF8B8F74FF5

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad$FileModuleNamesprintf_s
String ID: "%ls",%ls %ls
API String ID: 516877753-3684409233
Opcode ID: bfabd3e6904ca4b10914a67c278fe26b76a8ce5c833b3c8ae61e8cc866bba34c
Instruction ID: 21c15f07c3f0c114fd75a548fa753afbb6230b9730bd4c2061371f54bfca3e5c
Opcode Fuzzy Hash: bfabd3e6904ca4b10914a67c278fe26b76a8ce5c833b3c8ae61e8cc866bba34c
Instruction Fuzzy Hash: 8D718179A28A8281FB10DB5AD8555BA67A0FF95BC2F844035DB0E47796EF3CD107C344

Function 00007FF8B8F77900 Relevance: 12.1, APIs: 8, Instructions: 136libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F77927
GetProcAddress.KERNEL32 ref: 00007FF8B8F7795E
GetProcAddress.KERNEL32 ref: 00007FF8B8F77995
LoadLibraryW.KERNEL32 ref: 00007FF8B8F779C5
GetProcAddress.KERNEL32 ref: 00007FF8B8F779FC
GetProcAddress.KERNEL32 ref: 00007FF8B8F77A33
GetProcAddress.KERNEL32 ref: 00007FF8B8F77A6A
GetProcAddress.KERNEL32 ref: 00007FF8B8F77AA1

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 63974f7ae690ebcc6e1d5143ed89a4fa998730f06a66b0b24ab67e4e65d458da
Instruction ID: 5752d7b92b0acbbbddfc4a4c76a85dbae47b59334ca69087af3c09b928f6c50f
Opcode Fuzzy Hash: 63974f7ae690ebcc6e1d5143ed89a4fa998730f06a66b0b24ab67e4e65d458da
Instruction Fuzzy Hash: 6961B639A19F0282FE40EF5AEC6457967A0AF89BD6F540035DB4D87762EF3CE4468708

Function 00007FF8B8F78DDC Relevance: 12.1, APIs: 8, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 00007FF8B8F78DF9

Part of subcall function 00007FF8B8F7CBCC: _errno.LIBCMT ref: 00007FF8B8F7CBD5
Part of subcall function 00007FF8B8F7CBCC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF8B8F7CBE0

_errno.LIBCMT ref: 00007FF8B8F78E09

Part of subcall function 00007FF8B8F79B98: _getptd_noexit.LIBCMT ref: 00007FF8B8F79B9C

_errno.LIBCMT ref: 00007FF8B8F78E25
_isatty.LIBCMT ref: 00007FF8B8F78E86
_getbuf.LIBCMT ref: 00007FF8B8F78E92
_write.LIBCMT ref: 00007FF8B8F78EC5
_lseeki64.LIBCMT ref: 00007FF8B8F78F14
_write.LIBCMT ref: 00007FF8B8F78F3E

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: _errno$_write$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty_lseeki64
String ID:
API String ID: 2111832858-0
Opcode ID: 7cce346b07e141824153703f7002546526c968b2cadd93361a8cb30d444bcdf2
Instruction ID: 0e4cc85a07d30aedbac97b9cf837bb5fb357330b1471ecbd853840582fe120c7
Opcode Fuzzy Hash: 7cce346b07e141824153703f7002546526c968b2cadd93361a8cb30d444bcdf2
Instruction Fuzzy Hash: 0C41BB76A28A428AFB659F2CD4412BC3AA1EB44BD5F140235DB5D473C6DF3CE852C748

Function 00007FF8B8F77FEC Relevance: 10.6, APIs: 7, Instructions: 122COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF8B8F78017
_errno.LIBCMT ref: 00007FF8B8F7800C

Part of subcall function 00007FF8B8F79B98: _getptd_noexit.LIBCMT ref: 00007FF8B8F79B9C

_errno.LIBCMT ref: 00007FF8B8F780BA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF8B8F780C5

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: 6674f68310a896f2c3fef97c531cc157da707083ba8e2f1388e7ea58d2d12ecc
Instruction ID: c5b7d84f08d38515e5b06a9b9733c59f425d635fe62066ed85d5a096611a4024
Opcode Fuzzy Hash: 6674f68310a896f2c3fef97c531cc157da707083ba8e2f1388e7ea58d2d12ecc
Instruction Fuzzy Hash: 6341277AE38A9285FFA1AB1995401BA6AA0EF107D6F884131DB9C137C5DF3CE552830C

Function 00007FF8B8F716C0 Relevance: 10.6, APIs: 7, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F71701
RegEnumKeyExW.ADVAPI32 ref: 00007FF8B8F71767
RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F717A3
RegQueryValueExW.ADVAPI32 ref: 00007FF8B8F717C8
RegCloseKey.ADVAPI32 ref: 00007FF8B8F717DC
RegEnumKeyExW.ADVAPI32 ref: 00007FF8B8F7181A
RegCloseKey.ADVAPI32 ref: 00007FF8B8F71838

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: CloseEnumOpen$QueryValue
String ID:
API String ID: 2548805652-0
Opcode ID: 5d7b43181d3d4d73633ebb36b72b8cfe0eee21ba08ea4b38994a31654aafabc1
Instruction ID: a68d14cd840377a37e7696babe571e1fd13420ec1a0527572a1bc27ea5a5424f
Opcode Fuzzy Hash: 5d7b43181d3d4d73633ebb36b72b8cfe0eee21ba08ea4b38994a31654aafabc1
Instruction Fuzzy Hash: 58415336618AC282EB708F15F8847AA77A4FB88795F400135DACD53B58DF3CD14A9708

Function 00007FF8B8F80674 Relevance: 10.5, APIs: 7, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF8B8F80689

Part of subcall function 00007FF8B8F79B98: _getptd_noexit.LIBCMT ref: 00007FF8B8F79B9C

_invalid_parameter_noinfo.LIBCMT ref: 00007FF8B8F80694
_flush.LIBCMT ref: 00007FF8B8F806A3
_freebuf.LIBCMT ref: 00007FF8B8F806AD
_fileno.LIBCMT ref: 00007FF8B8F806B5
_close.LIBCMT ref: 00007FF8B8F806BC

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: _close_errno_fileno_flush_freebuf_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2366826396-0
Opcode ID: 89fb5cea9b6ee5bb09bbb3bb6aa743988ab54a6a14af7b79b44bd93ebf78b2e4
Instruction ID: 496803ba0e060e20b602ea40e140e2e473d58d692b576a1c5a6c7487d7d4d735
Opcode Fuzzy Hash: 89fb5cea9b6ee5bb09bbb3bb6aa743988ab54a6a14af7b79b44bd93ebf78b2e4
Instruction Fuzzy Hash: A601A236E09A4381FB24AA7D845577C16509FD47EAFA80230EB2D463D3EF3CD8428208

Function 00007FF8B8F75670 Relevance: 9.2, APIs: 6, Instructions: 177sleepsynchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32 ref: 00007FF8B8F756A5
Sleep.KERNEL32 ref: 00007FF8B8F756B8
CloseHandle.KERNEL32 ref: 00007FF8B8F756C1
Sleep.KERNEL32 ref: 00007FF8B8F7570F
GetTickCount.KERNEL32 ref: 00007FF8B8F75715
rand.LIBCMT ref: 00007FF8B8F75722

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: Sleep$CloseCountCreateHandleMutexTickrand
String ID:
API String ID: 2360725408-0
Opcode ID: a32011b2d91c7620bf13179f0503f160f340ac96adcb2a6ebed98f9122dbb530
Instruction ID: 6083daa78fb4d93feddb9ffd591bdbe94b4391c9dbb2c3c59ce168215cd9f388
Opcode Fuzzy Hash: a32011b2d91c7620bf13179f0503f160f340ac96adcb2a6ebed98f9122dbb530
Instruction Fuzzy Hash: 4B717D7AA28A82C1EB14DB59D4551BAA7A1FF88BC2F848135DB5E43395EF3CE507C304

Function 00007FF8B8F722D0 Relevance: 9.1, APIs: 6, Instructions: 71libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F722F9
GetProcAddress.KERNEL32 ref: 00007FF8B8F7231F
GetProcAddress.KERNEL32 ref: 00007FF8B8F72345
GetProcAddress.KERNEL32 ref: 00007FF8B8F7236B
GetModuleFileNameW.KERNEL32 ref: 00007FF8B8F72396
DeleteFileW.KERNEL32 ref: 00007FF8B8F723D6

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$File$DeleteLibraryLoadModuleName
String ID:
API String ID: 3615269725-0
Opcode ID: e4ac4f7ceeb8d0e53d313407caf9963976f0c950728a3915b3837e31b5afdf68
Instruction ID: ddcf99b2a31e2bcddea997c20ceb090a33b1f7e64510420172021da02474d26d
Opcode Fuzzy Hash: e4ac4f7ceeb8d0e53d313407caf9963976f0c950728a3915b3837e31b5afdf68
Instruction Fuzzy Hash: 6F313C35A18A4796FE10EB9AE8585A967A0BF88BC6F880035DF4E47756FF3CD106C704

Function 00007FF8B8F7DA54 Relevance: 7.6, APIs: 5, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF8B8F7DAB6
_isleadbyte_l.LIBCMT ref: 00007FF8B8F7DAE6
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF8B8F7970E), ref: 00007FF8B8F7DB25
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF8B8F7970E), ref: 00007FF8B8F7DB73
_errno.LIBCMT ref: 00007FF8B8F7DB7D

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: c1980f434cffeb90a237ddd52e95a6ef554b239d004aac1eacc3ead14d471610
Instruction ID: 858eea3b9d75dfaf4fd3f9d4e82263ffc8330b569e0c4b389f5b4f9ed8608b95
Opcode Fuzzy Hash: c1980f434cffeb90a237ddd52e95a6ef554b239d004aac1eacc3ead14d471610
Instruction Fuzzy Hash: 8F41D23560AB8286FB609F1D9580139BFA0FB84BD5F584131EB8C47B99DF3CD8428708

Function 00007FF8B8F73A90 Relevance: 7.6, APIs: 5, Instructions: 81fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B8F725B0: MultiByteToWideChar.KERNEL32 ref: 00007FF8B8F725DB
Part of subcall function 00007FF8B8F725B0: MultiByteToWideChar.KERNEL32 ref: 00007FF8B8F72614

CreateFileW.KERNEL32 ref: 00007FF8B8F73AF2
SetFilePointer.KERNEL32 ref: 00007FF8B8F73B16
CloseHandle.KERNEL32 ref: 00007FF8B8F73B91

Part of subcall function 00007FF8B8F75980: GetProcessHeap.KERNEL32(?,?,?,00007FF8B8F767BF), ref: 00007FF8B8F75989

SetFilePointer.KERNEL32 ref: 00007FF8B8F73B44
ReadFile.KERNEL32 ref: 00007FF8B8F73B60

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: File$ByteCharMultiPointerWide$CloseCreateHandleHeapProcessRead
String ID:
API String ID: 1454824168-0
Opcode ID: 19ccafb05b1d58ca20a77fedad7d4d846288eae6ef233b1bf7ffd70703a7a879
Instruction ID: 62225d1dffe55db03cbd5376ae8f5e66bc4605eed7c5c6fa7b977a8c9ce95103
Opcode Fuzzy Hash: 19ccafb05b1d58ca20a77fedad7d4d846288eae6ef233b1bf7ffd70703a7a879
Instruction Fuzzy Hash: F731B335B09A5286FB509B2E641066A76E0FF89BE1F584134DF9D07B95DF3CE4038B48

Function 00007FF8B8F72BA0 Relevance: 7.5, APIs: 5, Instructions: 39networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF8B8F72BB6
gethostname.WS2_32 ref: 00007FF8B8F72BC8
gethostbyname.WS2_32 ref: 00007FF8B8F72BD8
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F72BFB
inet_ntoa.WS2_32 ref: 00007FF8B8F72C03

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: HandleModuleStartupgethostbynamegethostnameinet_ntoa
String ID:
API String ID: 3950597033-0
Opcode ID: 820f33a72edd462d6bbf95b7c83a6fc285ab115bf962e10fae1457ffdc9254b3
Instruction ID: 2ea7ba65745e3bf15ae6ab7dc0203f9954b2a4d00c18f9063c5fdd23891a62e5
Opcode Fuzzy Hash: 820f33a72edd462d6bbf95b7c83a6fc285ab115bf962e10fae1457ffdc9254b3
Instruction Fuzzy Hash: A8115236608B86C3EB119B28E45477977A1FBA8B91F844535C74E43395EF7CD449C704

Function 00007FF8B8F73850 Relevance: 6.1, APIs: 4, Instructions: 61fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B8F725B0: MultiByteToWideChar.KERNEL32 ref: 00007FF8B8F725DB
Part of subcall function 00007FF8B8F725B0: MultiByteToWideChar.KERNEL32 ref: 00007FF8B8F72614

CreateFileW.KERNEL32 ref: 00007FF8B8F738B8
SetFilePointer.KERNEL32 ref: 00007FF8B8F738D2
WriteFile.KERNEL32 ref: 00007FF8B8F738EB
CloseHandle.KERNEL32 ref: 00007FF8B8F73905

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: File$ByteCharMultiWide$CloseCreateHandlePointerWrite
String ID:
API String ID: 2756471129-0
Opcode ID: 5403cfd95db986b316707241514d924a2bc15e613ed6cb99a5253c2fec971d89
Instruction ID: a23dc486d006458ca293356a515af17261438eec021753942c9bbb0841b4ab0c
Opcode Fuzzy Hash: 5403cfd95db986b316707241514d924a2bc15e613ed6cb99a5253c2fec971d89
Instruction Fuzzy Hash: 3611EB35708B4286FB509F2A745572A6AA1FB89BD1F480234EF9E03B95DF3CD4438B44

Function 00007FF8B8F76D90 Relevance: 6.0, APIs: 4, Instructions: 43fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF8B8F76DCC
SetFilePointer.KERNEL32 ref: 00007FF8B8F76DE6
WriteFile.KERNEL32 ref: 00007FF8B8F76E04
CloseHandle.KERNEL32 ref: 00007FF8B8F76E17

Memory Dump Source

Source File: 00000007.00000002.3298122460.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3298063419.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298161564.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298208682.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3298234448.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: b8dd40a9ccc700a02c156772fcb841ebd7cc93f99e9ee328cf72f3f13bff9a5c
Instruction ID: c2d05301c75ca5de116595c5483fddce2f07c6baa6ff6962811d999862386092
Opcode Fuzzy Hash: b8dd40a9ccc700a02c156772fcb841ebd7cc93f99e9ee328cf72f3f13bff9a5c
Instruction Fuzzy Hash: 90018231708B51C3E7108B69B85461AB691FB88BE4F544234EBAD43F98DF3CD4558B44

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49709 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49704 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49708 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49712 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49713 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49715 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49705 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49710 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49706 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49707 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49743 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49736 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49722 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49719 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49778 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49711 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49802 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49760 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49761 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49729 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:57974 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49808 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49772 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49790 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49714 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58002 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58010 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49716 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58031 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:57987 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:57989 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49796 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:57981 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58048 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58066 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58078 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49742 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:57995 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58072 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58037 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58084 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58108 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58025 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58090 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49784 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58043 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58054 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49754 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58153 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58126 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58147 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58120 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58171 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58165 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58096 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58135 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58159 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58179 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58196 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58198 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58114 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58190 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58201 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58202 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58204 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58224 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58199 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58210 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58185 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58220 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58200 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58205 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58213 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58232 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58230 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58217 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58237 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58239 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58221 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58060 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58216 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58019 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58241 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58243 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58223 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58222 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58235 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58229 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58203 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58226 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58215 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58218 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58234 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58233 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58206 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58245 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58246 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58228 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58227 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58208 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58211 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58236 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:57967 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58209 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58238 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58244 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58219 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58240 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58225 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58242 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58212 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58214 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58102 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58141 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58207 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:58231 -> 185.161.251.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Updater.dll.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\SnapMobile\Updater.dll

C:\ProgramData\SnapMobile\Updater.dll:Zone.Identifier

C:\ProgramData\Spiralogics\Updater.dll

C:\ProgramData\Spiralogics\Updater.dll:Zone.Identifier

C:\ProgramData\Talespin\Updater.dll

C:\ProgramData\Talespin\Updater.dll:Zone.Identifier

C:\ProgramData\Ventuso LLC\Updater.dll

C:\ProgramData\Ventuso LLC\Updater.dll:Zone.Identifier

C:\Windows\Tasks\SnapMobile.job

C:\Windows\Tasks\Spiralogics.job

C:\Windows\Tasks\Talespin.job

C:\Windows\Tasks\Ventuso LLC.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Updater.dll.dll

Function 00007FF8B8F71C40 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 320
networklibraryloaderCOMMON

Function 00007FF8B8F745E0 Relevance: 19.7, APIs: 13, Instructions: 228
COMMON

Function 00007FF8B8F75A20 Relevance: 16.7, APIs: 11, Instructions: 178
libraryloaderCOMMON

Function 00007FF8B8F713A0 Relevance: 12.1, APIs: 8, Instructions: 120
libraryloaderfileCOMMON

Function 00007FF8B8F77BB0 Relevance: 10.6, APIs: 7, Instructions: 90
libraryloaderCOMMON

Function 00007FF8B8F74B50 Relevance: 7.7, APIs: 5, Instructions: 156
COMMON