Windows Analysis Report
https://files.catbox.moe/iz3lne.zip

Overview

General Information

Sample URL:https://files.catbox.moe/iz3lne.zip
Analysis ID:1555093
Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Binary is likely a compiled AutoIt script file
Sigma detected: PUA - NSudo Execution
Drops PE files
Enables debug privileges
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Label: mal64.win@9/14@1/1 (score 64 of 100)

Process Tree

  • System is w10x64
  • cmd.exe (PID: 2556 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://files.catbox.moe/iz3lne.zip" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 2520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wget.exe (PID: 3528 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://files.catbox.moe/iz3lne.zip" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • 7za.exe (PID: 6764 cmdline: 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\iz3lne.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
    • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • GenP-3.4.14.1.exe (PID: 6472 cmdline: "C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe" MD5: 5AA73CE6297B35AAC0067529A47B44C5)
    • NSudoLG.exe (PID: 6160 cmdline: C:\Users\user\AppData\Local\Temp\NSudoLG.exe -U:T -P:E -M:S "C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe" MD5: 7AACFD85B8DFF0AA6867BEDE82CFD147)
  • cleanup
No configs have been found
No yara matches

System Summary

Sigma rule: PUA - NSudo Execution (authors: Florian Roth (Nextron Systems), Nasreddine Bencherchali)
  Event: Process started
  Image: C:\Users\user\AppData\Local\Temp\NSudoLG.exe (ProcessId 6160, OriginalFileName: C:\Users\user\AppData\Local\Temp\NSudoLG.exe)
  CommandLine: C:\Users\user\AppData\Local\Temp\NSudoLG.exe -U:T -P:E -M:S "C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe"
  Parent: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe (ParentProcessId 6472), ParentCommandLine: "C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe"
Sigma rule: Usage Of Web Request Commands And Cmdlets (authors: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger)
  Event: Process started
  Image: C:\Windows\SysWOW64\cmd.exe (ProcessId 2556, ParentProcessId 5464; parent image and command line not recorded)
  CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://files.catbox.moe/iz3lne.zip" > cmdline.out 2>&1
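The two Sigma matches above are process-creation rules: the first keys on an NSudo binary launched with NSudo-style switches, the second on a download tool named on a command line. The following is an added example, not the Sigma project's rule text and not part of this report: a small re-implementation of both detections run over events constructed from the process tree, plus a decoder for NSudo's -U:/-P:/-M: switches (per the NSudo documentation, -U:T runs the child as TrustedInstaller, -P:E enables all privileges and -M:S sets System integrity). The token lists are an assumed approximation of the public rules. Note that the web-request hit here is on the analysis harness's own wget download of the submitted URL into Desktop\download, not on anything the sample did.

```python
# Added example (not the Sigma project's rule text, and not part of this report):
# a minimal re-implementation of the two process-creation detections that fired,
# run over constructed events copied from the process tree above.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """The fields of a Sysmon/4688-style process-creation event the rules look at."""
    image: str
    command_line: str
    original_file_name: str = ""
    parent_image: str = ""


# Assumed token lists: an approximation of the public Sigma rules, not their exact content.
NSUDO_NAMES = ("nsudo.exe", "nsudolc.exe", "nsudolg.exe")
NSUDO_ARGS = ("-u:", "-p:", "-m:", "-u ", "-p ", "-m ")
WEB_REQUEST_TOKENS = ("wget ", "curl ", "invoke-webrequest", "iwr ", "net.webclient",
                      "start-bitstransfer", "certutil")
# NSudo switch codes, per the NSudo documentation.
NSUDO_USER = {"T": "TrustedInstaller", "S": "System", "C": "Current User",
              "P": "Current Process", "D": "Current Process (drop rights)"}
NSUDO_PRIV = {"E": "Enable all privileges", "D": "Disable all privileges"}
NSUDO_MIC = {"S": "System", "H": "High", "M": "Medium", "L": "Low"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def rule_nsudo_execution(ev: ProcEvent) -> bool:
    """PUA - NSudo Execution: NSudo image (path or OriginalFileName) AND NSudo-style switches."""
    named = _basename(ev.image) in NSUDO_NAMES or _basename(ev.original_file_name) in NSUDO_NAMES
    cli = ev.command_line.lower()
    return named and any(tok in cli for tok in NSUDO_ARGS)


def rule_web_request_command(ev: ProcEvent) -> bool:
    """Usage Of Web Request Commands And Cmdlets: a download tool or cmdlet on the command line."""
    cli = ev.command_line.lower()
    return any(tok in cli for tok in WEB_REQUEST_TOKENS)


RULES = {
    "PUA - NSudo Execution": rule_nsudo_execution,
    "Usage Of Web Request Commands And Cmdlets": rule_web_request_command,
}


def evaluate(events):
    """Return (rule title, image) for every rule that matches an event."""
    return [(title, ev.image) for ev in events for title, match in RULES.items() if match(ev)]


def describe_nsudo(command_line: str) -> dict:
    """Decode NSudo's -U:/-P:/-M: switches so the alert states what token the child gets."""
    out = {}
    for switch, table, key in (("U", NSUDO_USER, "user"), ("P", NSUDO_PRIV, "privileges"),
                               ("M", NSUDO_MIC, "integrity")):
        m = re.search(rf"-{switch}:([A-Za-z])", command_line, re.IGNORECASE)
        if m:
            out[key] = table.get(m.group(1).upper(), f"unknown ({m.group(1)})")
    return out


WGET_CLI = ('wget -t 2 -v -T 60 -P "C:\\Users\\user\\Desktop\\download" --no-check-certificate '
            '--content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; '
            'AS; rv:11.0) like Gecko" "https://files.catbox.moe/iz3lne.zip"')
NSUDO_CLI = (r'C:\Users\user\AppData\Local\Temp\NSudoLG.exe -U:T -P:E -M:S '
             r'"C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe"')

# Constructed events: the process tree from the report plus one benign control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c " + WGET_CLI + " > cmdline.out 2>&1"),
    ProcEvent(r"C:\Windows\SysWOW64\wget.exe", WGET_CLI, parent_image=r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(r"C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe",
              r'"C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe"'),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\NSudoLG.exe", NSUDO_CLI,
              original_file_name="NSudoLG.exe",
              parent_image=r"C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe C:\\Users\\user\\notes.txt"),
]

if __name__ == "__main__":
    for title, image in evaluate(SAMPLE_EVENTS):
        extra = describe_nsudo(NSUDO_CLI) if "NSudo" in title else ""
        print(f"[{title}] {image} {extra}")
```

Run as a script it prints three hits: the harness cmd.exe and wget.exe under the web-request rule, and NSudoLG.exe under the NSudo rule with the decoded token request (TrustedInstaller, all privileges enabled, System integrity), which is the part of this report an analyst actually needs to escalate on.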
Suricata IDS alerts

Timestamp                        SID      Severity  Classtype                      Source            Destination        Protocol
2024-11-13T12:44:48.851307+0100  2022930  1         A Network Trojan was detected  20.12.23.50:443   192.168.2.5:49705  TCP
2024-11-13T12:45:27.953968+0100  2022930  1         A Network Trojan was detected  4.175.87.197:443  192.168.2.5:49905  TCP

Both alerts are SID 2022930 (ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow) on inbound port-443 traffic from hosts other than the download server files.catbox.moe (108.181.20.35); the signature list above rates them low severity.


AV Detection

Source: https://files.catbox.moe/iz3lne.zip | Avira URL Cloud: detection malicious, Label: malware
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | ReversingLabs: Detection: 34%
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\Desktop\extract\SOURCE\README.txt
Source: unknown | HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: Binary string: D:\Projects\MouriNaruto\NSudoPrivate\Source\Native\Output\Binaries\Release\x64\NSudoLG.pdb | source: GenP-3.4.14.1.exe, 00000007.00000003.2143178547.0000028926FB3000.00000004.00000020.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000003.2142774626.0000028926F84000.00000004.00000020.00020000.00000000.sdmp, NSudoLG.exe, 00000008.00000000.2169712040.00007FF679AC5000.00000002.00000001.01000000.00000007.sdmp, NSudoLG.exe, 00000008.00000002.2209815076.00007FF679AC5000.00000002.00000001.01000000.00000007.sdmp, NSudoLG.exe.7.dr, NSudoLG.exe.4.dr
Source: Binary string: D:\Projects\MouriNaruto\NSudoPrivate\Source\Native\Output\Binaries\Release\x64\NSudoLG.pdbON | source: GenP-3.4.14.1.exe, 00000007.00000003.2143178547.0000028926FB3000.00000004.00000020.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000003.2142774626.0000028926F84000.00000004.00000020.00020000.00000000.sdmp, NSudoLG.exe, 00000008.00000000.2169712040.00007FF679AC5000.00000002.00000001.01000000.00000007.sdmp, NSudoLG.exe, 00000008.00000002.2209815076.00007FF679AC5000.00000002.00000001.01000000.00000007.sdmp, NSudoLG.exe.7.dr, NSudoLG.exe.4.dr
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49705
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49905
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /iz3lne.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Accept: */* | Accept-Encoding: identity | Host: files.catbox.moe | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: files.catbox.moe
Source: COMPILE.txt.4.dr | String found in binary or memory: http://www.fairdell.com/hexcmp/HexCmp2_Setup.zip).
Source: GenP-3.4.14.1.exe, 00000007.00000003.2170298059.0000028926F3F000.00000004.00000020.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000003.2170549783.0000028926F43000.00000004.00000020.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000002.2175195218.0000028926F43000.00000004.00000020.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000003.2170166104.0000028926F34000.00000004.00000020.00020000.00000000.sdmp, GenP-3.4.14.1.au3.4.dr | String found in binary or memory: https://a.dove.isdumb.one/list.txt
Source: wget.exe, 00000002.00000002.2127726835.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2127221457.0000000002B40000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2126809718.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe
Source: wget.exe, 00000002.00000002.2127495029.0000000000A60000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2127682012.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr | String found in binary or memory: https://files.catbox.moe/iz3lne.zip
Source: wget.exe, 00000002.00000003.2127243247.0000000002B0A000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2127682012.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/iz3lne.zipES
Source: wget.exe, 00000002.00000003.2127243247.0000000002B0A000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2127682012.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/iz3lne.zipSS
Source: wget.exe, 00000002.00000002.2127495029.0000000000A60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/iz3lne.zipel
Source: wget.exe, 00000002.00000002.2127495029.0000000000A60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/iz3lne.zippp
Source: wget.exe, 00000002.00000002.2127726835.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2127221457.0000000002B40000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2126809718.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe;
Source: 7za.exe, 00000004.00000003.2129828145.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, README.txt.4.dr | String found in binary or memory: https://github.com/M2TeamArchived/NSudo
Source: NSudoLG.exe.4.dr | String found in binary or memory: https://github.com/Thdub/NSudo_Installer
Source: NSudoLG.exe, 00000008.00000002.2209627865.000001DD8DAA5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://m2team.gi
Source: NSudoLG.exe.4.dr | String found in binary or memory: https://m2team.github.io/NSudo.
Source: NSudoLG.exe, 00000008.00000002.2209627865.000001DD8DAA5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://m2team.github.io/NSudo.64
Source: 7za.exe, 00000004.00000003.2129828145.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000003.2143178547.0000028926FB3000.00000004.00000020.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000003.2142774626.0000028926F84000.00000004.00000020.00020000.00000000.sdmp, NSudoLG.exe, 00000008.00000000.2169746302.00007FF679ACD000.00000002.00000001.01000000.00000007.sdmp, NSudoLG.exe.7.dr, NSudoLG.exe.4.dr | String found in binary or memory: https://m2team.github.io/NSudo/zh-hans
Source: 7za.exe, 00000004.00000003.2129828145.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000003.2143178547.0000028926FB3000.00000004.00000020.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000003.2142774626.0000028926F84000.00000004.00000020.00020000.00000000.sdmp, NSudoLG.exe, 00000008.00000000.2169746302.00007FF679ACD000.00000002.00000001.01000000.00000007.sdmp, NSudoLG.exe.7.dr, NSudoLG.exe.4.dr | String found in binary or memory: https://m2team.github.io/NSudo/zh-hant
Source: COMPILE.txt.4.dr | String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?../autoit3/scite/download/SciTE4AutoIt3.exe)
Source: COMPILE.txt.4.dr | String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.zip)
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704

System Summary

Source: GenP-3.4.14.1.exe, 00000007.00000002.2175487009.00007FF6359C8000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_fcffad1d-5
Source: GenP-3.4.14.1.exe, 00000007.00000002.2175487009.00007FF6359C8000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer@* | memstr_685104dd-6
Source: GenP-3.4.14.1.exe.4.dr | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_310215c4-e
Source: GenP-3.4.14.1.exe.4.dr | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer@* | memstr_95c9b5b4-1
Source: classification engine | Classification label: mal64.win@9/14@1/1
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2520:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Mutant created: \Sessions\1\BaseNamedObjects\GenP v3.4.14.1
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | File created: C:\Users\user\AppData\Local\Temp\aut8F40.tmp
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | File read: C:\Users\user\Desktop\extract\config.ini
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://files.catbox.moe/iz3lne.zip" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://files.catbox.moe/iz3lne.zip"
Source: unknown | Process created: C:\Windows\SysWOW64\7za.exe 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\iz3lne.zip"
Source: C:\Windows\SysWOW64\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe "C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe"
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Process created: C:\Users\user\AppData\Local\Temp\NSudoLG.exe C:\Users\user\AppData\Local\Temp\NSudoLG.exe -U:T -P:E -M:S "C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\7za.exe | Section loaded: 7z.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wget.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: C:\Windows\SysWOW64\7za.exe | File written: C:\Users\user\Desktop\extract\SOURCE\config.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: GenP-3.4.14.1.exe.4.dr | Static PE information: real checksum: 0x13be35 should be: 0x143809
Source: NSudoLG.exe.7.dr | Static PE information: real checksum: 0x0 should be: 0x28106
Source: NSudoLG.exe.4.dr | Static PE information: real checksum: 0x0 should be: 0x28106
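The three "real checksum ... should be" lines come from recomputing IMAGE_OPTIONAL_HEADER.CheckSum over each dropped file; a stored value of 0x0 (as in both NSudoLG.exe copies) just means the linker never filled the field, while a non-zero mismatch (GenP-3.4.14.1.exe) means the file was modified after linking, which is common for both packed and stub-wrapped binaries. The block below is an added example, not Joe Sandbox's code and not part of this report: it implements the PE checksum algorithm (the ones'-complement sum of the file's 16-bit words with the CheckSum field excluded, plus the file length, as computed by imagehlp's CheckSumMappedFile) and also scans for the "This is a third-party compiled AutoIt script." marker quoted in the System Summary above. The 160-byte input is a constructed stand-in with only the MZ and PE signatures set, not a real image.

```python
# Added example (not part of this report and not Joe Sandbox's code): recompute the PE
# header CheckSum the way the "invalid checksum" signature above does, and look for the
# compiled-AutoIt marker string quoted in the System Summary.
import struct

AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same offset for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # PE signature (4) + IMAGE_FILE_HEADER (20) + CheckSum at optional-header offset 0x40
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data: bytes) -> int:
    """Ones'-complement sum of the file's 16-bit words, the CheckSum field itself excluded,
    plus the file length: the value imagehlp's CheckSumMappedFile returns."""
    skip = checksum_field_offset(data)
    padded = data + (b"\0" if len(data) % 2 else b"")   # odd-length files get one pad byte
    total = 0
    for off in range(0, len(padded), 2):
        if off in (skip, skip + 2):                      # the two words of the CheckSum field
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)        # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)


def verify_checksum(data: bytes):
    """Return (stored, computed, ok), the comparison behind the report's checksum lines."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = pe_checksum(data)
    return stored, computed, stored == computed


def set_checksum(data: bytes) -> bytes:
    """Write the correct value into the header, as a linker would."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def has_autoit_marker(data: bytes) -> bool:
    """The stub string the 'compiled AutoIt script' signature above quotes."""
    return AUTOIT_MARKER in data


def describe(name: str, data: bytes) -> str:
    """One line per file in the same wording the report uses."""
    stored, computed, ok = verify_checksum(data)
    status = "checksum ok" if ok else f"real checksum: {stored:#x} should be: {computed:#x}"
    marker = "yes" if has_autoit_marker(data) else "no"
    return f"{name}: {status}; compiled AutoIt marker: {marker}"


def build_minimal_pe() -> bytes:
    """Constructed 160-byte stand-in: MZ header, e_lfanew = 0x40, PE signature, zeroed headers.
    Not a loadable image; it only exercises the header walk and the arithmetic."""
    buf = bytearray(160)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    sample = build_minimal_pe()
    print(describe("sample.exe", sample))                 # stored 0x0, like NSudoLG.exe above
    print(describe("sample-fixed.exe", set_checksum(sample)))
    print(describe("autoit-like.bin", set_checksum(sample + AUTOIT_MARKER)))
```

To triage a real dropped file, read it with `open(path, "rb").read()` and pass the bytes to `describe`; because the CheckSum field is excluded from its own computation, `set_checksum` followed by `verify_checksum` always agrees, which is the property the test below checks. A mismatch is a reason to look closer, not evidence of malice on its own: many legitimate builds ship with the field zeroed, and the kernel only enforces it for drivers.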
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe (dropped file)
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\Desktop\extract\SOURCE\NSudoLG.exe (dropped file)
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | File created: C:\Users\user\AppData\Local\Temp\NSudoLG.exe (dropped file)
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\Desktop\extract\SOURCE\README.txt
Source: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: wget.exe, 00000002.00000002.2127602760.0000000000B28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\NSudoLG.exe | Process token adjusted: Debug
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://files.catbox.moe/iz3lne.zip" > cmdline.out 2>&1
Source: GenP-3.4.14.1.exe, 00000007.00000002.2175487009.00007FF6359C8000.00000002.00000001.01000000.00000004.sdmp, GenP-3.4.14.1.exe.4.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Windows\SysWOW64\wget.exe | Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\SysWOW64\wget.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (techniques with matched signatures; counts as shown on the page)

Execution: Command and Scripting Interpreter (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (2), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Process Injection (2), DLL Side-Loading (1)
Discovery: Security Software Discovery (11), Process Discovery (2), File and Directory Discovery (2), System Information Discovery (12)
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (3), Ingress Tool Transfer (1)

No signatures mapped to Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Collection, Exfiltration or Impact.
Behavior graph (ID 1555093, URL https://files.catbox.moe/iz3lne.zip, start date 13/11/2024, architecture WINDOWS, score 64)
  Sample-level signatures: Antivirus / Scanner detection for submitted sample; Binary is likely a compiled AutoIt script file; Sigma detected: PUA - NSudo Execution
  cmd.exe: started wget.exe and conhost.exe
  wget.exe: contacted files.catbox.moe (108.181.20.35, port 443, local port 49704, ASN852CA Canada)
  7za.exe: dropped C:\Users\user\Desktop\extract\SOURCE\NSudoLG.exe (PE32+) and C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe (PE32+); started conhost.exe
  GenP-3.4.14.1.exe: dropped C:\Users\user\AppData\Local\Temp\NSudoLG.exe (PE32+); started NSudoLG.exe; signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file

Submitted URL
Source                               Detection  Scanner          Label
https://files.catbox.moe/iz3lne.zip  100%       Avira URL Cloud  malware

Dropped files
Source                                            Detection  Scanner        Label
C:\Users\user\AppData\Local\Temp\NSudoLG.exe      0%         ReversingLabs
C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe   34%        ReversingLabs  Win32.Trojan.Generic
C:\Users\user\Desktop\extract\SOURCE\NSudoLG.exe  0%         ReversingLabs

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs found in memory and binary strings
Source                                             Detection  Scanner          Label
https://files.catbox.moe;                          0%         Avira URL Cloud  safe
https://m2team.github.io/NSudo/zh-hans             0%         Avira URL Cloud  safe
https://m2team.github.io/NSudo.                    0%         Avira URL Cloud  safe
https://m2team.github.io/NSudo.64                  0%         Avira URL Cloud  safe
https://m2team.github.io/NSudo/zh-hant             0%         Avira URL Cloud  safe
https://a.dove.isdumb.one/list.txt                 0%         Avira URL Cloud  safe
http://www.fairdell.com/hexcmp/HexCmp2_Setup.zip). 0%         Avira URL Cloud  safe
https://m2team.gi                                  0%         Avira URL Cloud  safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
files.catbox.moe | 108.181.20.35 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://files.catbox.moe/iz3lne.zip | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://files.catbox.moe; | wget.exe, 00000002.00000002.2127726835.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2127221457.0000000002B40000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2126809718.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/M2TeamArchived/NSudo | 7za.exe, 00000004.00000003.2129828145.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, README.txt.4.dr | false | | high
https://m2team.github.io/NSudo. | NSudoLG.exe.4.dr | false | Avira URL Cloud: safe | unknown
https://files.catbox.moe/iz3lne.zipel | wget.exe, 00000002.00000002.2127495029.0000000000A60000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://a.dove.isdumb.one/list.txt | GenP-3.4.14.1.exe, 00000007.00000003.2170298059.0000028926F3F000.00000004.00000020.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000003.2170549783.0000028926F43000.00000004.00000020.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000002.2175195218.0000028926F43000.00000004.00000020.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000003.2170166104.0000028926F34000.00000004.00000020.00020000.00000000.sdmp, GenP-3.4.14.1.au3.4.dr | false | Avira URL Cloud: safe | unknown
https://m2team.gi | NSudoLG.exe, 00000008.00000002.2209627865.000001DD8DAA5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.autoitscript.com/cgi-bin/getfile.pl?../autoit3/scite/download/SciTE4AutoIt3.exe) | COMPILE.txt.4.dr | false | | high
https://files.catbox.moe/iz3lne.zipSS | wget.exe, 00000002.00000003.2127243247.0000000002B0A000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2127682012.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://files.catbox.moe/iz3lne.zippp | wget.exe, 00000002.00000002.2127495029.0000000000A60000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://m2team.github.io/NSudo.64 | NSudoLG.exe, 00000008.00000002.2209627865.000001DD8DAA5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Thdub/NSudo_Installer | NSudoLG.exe.4.dr | false | | high
http://www.fairdell.com/hexcmp/HexCmp2_Setup.zip). | COMPILE.txt.4.dr | false | Avira URL Cloud: safe | unknown
https://files.catbox.moe | wget.exe, 00000002.00000002.2127726835.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2127221457.0000000002B40000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.2126809718.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://m2team.github.io/NSudo/zh-hans | 7za.exe, 00000004.00000003.2129828145.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000003.2143178547.0000028926FB3000.00000004.00000020.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000003.2142774626.0000028926F84000.00000004.00000020.00020000.00000000.sdmp, NSudoLG.exe, 00000008.00000000.2169746302.00007FF679ACD000.00000002.00000001.01000000.00000007.sdmp, NSudoLG.exe.7.dr, NSudoLG.exe.4.dr | false | Avira URL Cloud: safe | unknown
https://m2team.github.io/NSudo/zh-hant | 7za.exe, 00000004.00000003.2129828145.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000003.2143178547.0000028926FB3000.00000004.00000020.00020000.00000000.sdmp, GenP-3.4.14.1.exe, 00000007.00000003.2142774626.0000028926F84000.00000004.00000020.00020000.00000000.sdmp, NSudoLG.exe, 00000008.00000000.2169746302.00007FF679ACD000.00000002.00000001.01000000.00000007.sdmp, NSudoLG.exe.7.dr, NSudoLG.exe.4.dr | false | Avira URL Cloud: safe | unknown
https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.zip) | COMPILE.txt.4.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
108.181.20.35 | files.catbox.moe | Canada | 852 | ASN852CA | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1555093
Start date and time: 2024-11-13 12:43:40 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: urldownload.jbs
Sample URL: https://files.catbox.moe/iz3lne.zip
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.win@9/14@1/1
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: https://files.catbox.moe/iz3lne.zip
                        No simulations
Input: URL: https://files.catbox.moe
Model: claude-3-5-sonnet-latest
Output:
{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": true,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": false,
    "third_party_hosting": true
}
                        No context
                        Process:C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe
                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):160256
                        Entropy (8bit):6.423018385520545
                        Encrypted:false
                        SSDEEP:3072:uwEUNZLRS8gLI7qwnKE6Cv/89RvD7c5Q9a88QuA6337p:/NBRS8AzdC3Qvr9aDQuA6b
                        MD5:7AACFD85B8DFF0AA6867BEDE82CFD147
                        SHA1:E783F6D4B754EA8424699203B8831BDC9CBDD4E6
                        SHA-256:871E4F28FE39BCAD8D295AE46E148BE458778C0195ED660B7DB18EB595D00BD8
                        SHA-512:59CCE358C125368DC5735A28960DDB7EE49835CA19F44255A7AE858DDD8A2DB68C72C3F6818ECA3678D989041043876E339F9FAFE1D81D26001286494A8014F0
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Reputation:low
                        Process:C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):2872
                        Entropy (8bit):7.428113748336493
                        Encrypted:false
                        SSDEEP:48:uL7Erg+msYcQ4fgPnlSjLBeER3A2vhwut+HGx53EJzrxVZ9iumc7sPQu:aEUZsYaYvqBbSOx53EhRQub7sV
                        MD5:C8974BCA42D238986F542ECE4EBA859A
                        SHA1:A25578C15F8B341178CBC34AC80D668B614E0E29
                        SHA-256:1AE68F2E79AA2072FFD717E58B162CABF31785D341A398FBF3D9C67BB07332F1
                        SHA-512:431E196A2BE14608343347812E5936AC7721B8CADD6BD2A6DCB7E7B6B45F7254E714DD40573B0C7F677DA5AF768230A78A304D107433EE18A0C36F13EBE69229
                        Malicious:false
                        Reputation:low
                        Process:C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):79468
                        Entropy (8bit):7.704698254494593
                        Encrypted:false
                        SSDEEP:1536:aWpEsrtKhZ+pTjIY7ExhmNawJyxMEEWLZlG3Ft+Xn+dgslRFT:aWpEpqpTjIdxoawJyxg0ZAFgX0gizT
                        MD5:6F040B192B47D1D0860045AA30C102A0
                        SHA1:55D3F78EB8C09EDF77760BAC0DA2706F1EFAA90E
                        SHA-256:A85D89E380CBF4929EE5B6E7D91BE71AF1C3A727A91CF30AFFB414B98E912180
                        SHA-512:8FD8BB6E860569C1CF884C9ABA664B570E708A2665B236051CA7FFD8E8F723E80B192660B7FAC34F330BA99B47351D06A0F8B3881F1E5D7ABA9FAF3BBA9BE59A
                        Malicious:false
                        Reputation:low
                        Process:C:\Windows\SysWOW64\cmd.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):1853
                        Entropy (8bit):3.329556677294334
                        Encrypted:false
                        SSDEEP:24:xiiImAW6xePgT6PbjEej8U2zhqdhnF2tcAQPbjb:emAW6Fobrj8TzhOhF2Fybn
                        MD5:D13461320DCE3D8E4CA35CED03EDE43B
                        SHA1:A0EE8EE542002F6CACBA865979EE03461341AF24
                        SHA-256:E047CD405143C926BE46EA84C01FB7E1338C531AA3B3A7F8DB80ADFF52C79E1B
                        SHA-512:2B6E0601AFAE4FB7D4F9AC524180F01C00B4FE33127FDF5221712D0AD4854FC6C801CB7D94B8C0EB80B829FC34A725DA5E2D2AEA3AE37F243198E1B99A4381B5
                        Malicious:false
                        Reputation:low
                        Preview:--2024-11-13 06:44:29-- https://files.catbox.moe/iz3lne.zip..Resolving files.catbox.moe (files.catbox.moe)... 108.181.20.35..Connecting to files.catbox.moe (files.catbox.moe)|108.181.20.35|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 903270 (882K) [application/zip]..Saving to: 'C:/Users/user/Desktop/download/iz3lne.zip'.... 0K .......... .......... .......... .......... .......... 5% 103K 8s.. 50K .......... .......... .......... .......... .......... 11% 79.5K 9s.. 100K .......... .......... .......... .......... .......... 17% 96.6K 8s.. 150K .......... .......... .......... .......... .......... 22% 105K 7s.. 200K .......... .......... .......... .......... .......... 28% 138K 6s.. 250K .......... .......... .......... .......... .......... 34% 97.1K 6s.. 300K .......... .......... .......... .......... .......... 39% 112K 5s.. 350K .......... .......... .......... .......... .......... 45% 104K 5s.. 400K .......... ......
                        Process:C:\Windows\SysWOW64\wget.exe
                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                        Category:dropped
                        Size (bytes):903270
                        Entropy (8bit):7.998228311206749
                        Encrypted:true
                        SSDEEP:24576:5hQFuAEOVU1lerCPl2AWo44sBMG468LDnm:5hQFFQerCPl3jeh4Lnm
                        MD5:6B104BA9DEB749A6B6CE88B9C6997DAE
                        SHA1:19D9B52477606B78BDCE568235C0ACB9321C1BC4
                        SHA-256:14CE93AE01D50B9D2FF3C36C3EDD574A9F8BCEC56451F3A865FCC210C617A77B
                        SHA-512:26C804CCA16E78016BEAD5FB43B5C2BCA279BEAF7EDC062F756B43788DBA89C49B9054028A271FE70BB1657AC61C704C0DDEC38595B885CBD0D94CEC1AEDD885
                        Malicious:false
                        Reputation:low
                        Process:C:\Windows\SysWOW64\7za.exe
                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):1285632
                        Entropy (8bit):6.792852922923721
                        Encrypted:false
                        SSDEEP:24576:orORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9Tvarx8mfm0G:o2EYTb8atv1orq+pEiSDTj1VyvBarxpl
                        MD5:5AA73CE6297B35AAC0067529A47B44C5
                        SHA1:48238C0C52990AB1F64CA8FAA7FC310FD729AF49
                        SHA-256:3BDDB83344219A07A43E53F68A0F6920FDD51B7412540D0DAAEAC353B6AB11A2
                        SHA-512:CEB9D4C9F364B0C2411623A911A02A491364BE5E8A35A7823A7FE8FF71B34BA29FA54963A2BE32EFD6DF763AF09F3EB66019D8778B4D49C70133B81BD5397FF7
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 34%
                        Reputation:low
                        Process:C:\Windows\SysWOW64\7za.exe
                        File Type:ASCII text, with very long lines (303), with CRLF line terminators
                        Category:dropped
                        Size (bytes):2334
                        Entropy (8bit):4.766836600204075
                        Encrypted:false
                        SSDEEP:48:TIZxrwouohhV7/A8niW/W7rK3gi6a87mm3Iu9bkChJX:TQxTLhhVzA8iWe74qa+3Iuxv
                        MD5:B089647B4BFE6964655CB784D4F1AE38
                        SHA1:160EC868808BAF17425BCF360E47DF0DDE099C2A
                        SHA-256:87B24B13BAA368A62E7F5E377BFA1551CCE0BB2224AA350309F571C24452AC30
                        SHA-512:71ED6552CDD1343D57BC0186BA86443721AD74216D4D3FB864A80186D146D00A5FBC718DB9885834EB53125D3C52A51ECC69D906BF447B30368A500FB021DC1F
                        Malicious:false
                        Reputation:low
                        Preview:To compile GenP.......Confirm your compilation directory listing looks something like this:..```..| config.ini..| GenP-3.4.14.1.au3..| NSudoLG.exe..|..\---ICONS.. Logo.ico..```....Then, follow these steps carefully to set-up your development environment:..- Download [AutoIt](https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.zip).. - Run the downloaded installer and follow the instructions...- Download [AutoIt Script Editor](https://www.autoitscript.com/cgi-bin/getfile.pl?../autoit3/scite/download/SciTE4AutoIt3.exe).. - Run the downloaded installer and follow the instructions...- Restart your computer.....Afterwards, you should see a 'Compile with Options' selection within your context menu when right-clicking GenP's AutoIt v3 Script file...Select this option whenever you wish to compile GenP, and press 'Compile Script' within the interface that appears to generate the executable file.....If the interface just disappears without generating an executabl
                        Process:C:\Windows\SysWOW64\7za.exe
                        File Type:C source, ASCII text, with very long lines (1345), with CRLF line terminators
                        Category:dropped
                        Size (bytes):62886
                        Entropy (8bit):5.559159101436193
                        Encrypted:false
                        SSDEEP:1536:7BCU9jEpJPMumCgMbKFLoGPbbsYWugo9y6NmA71:9FLHPbbsYWugo9DmA71
                        MD5:42C434F0A040132E37EDDB5B1D886F8E
                        SHA1:3E94D309D3C1DBD4DD9077082E9CAF5926BC0FDE
                        SHA-256:3DD6CF96E38768110C8F0E64AE8C698E43931FF9FB57B4A1476B63F4E5D45554
                        SHA-512:8757867044D2AF20B5C68213A17F5D75CDBB361FE0CE2ABC0FFBC16DFE2D1266A12F5DCFE3D68F457FE23EA85F0CF378834680CB2D8F7FEEA87BADD37A35AD72
                        Malicious:false
                        Reputation:low
                        Preview:#NoTrayIcon..#RequireAdmin..#Region ;**** Directives created by AutoIt3Wrapper_GUI ****..#AutoIt3Wrapper_Icon=ICONS/Logo.ico..#AutoIt3Wrapper_Outfile_x64=GenP-3.4.14.1.exe..#AutoIt3Wrapper_Res_Comment=GenP v3.4.14.1..#AutoIt3Wrapper_Res_Description=GenP v3.4.14.1..#AutoIt3Wrapper_Res_Fileversion=3.4.14.1..#AutoIt3Wrapper_Res_ProductName=GenP v3.4.14.1..#AutoIt3Wrapper_Res_ProductVersion=3.4.14.1..#AutoIt3Wrapper_Res_CompanyName=GenP..#AutoIt3Wrapper_Res_LegalCopyright=GenP..#AutoIt3Wrapper_Res_LegalTradeMarks=GenP..#AutoIt3Wrapper_Res_requestedExecutionLevel=asInvoker..#AutoIt3Wrapper_Run_Au3Stripper=y..#Au3Stripper_Parameters=/pe /sf /sv /rm..#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****....#include <ProgressConstants.au3>..#include <WindowsConstants.au3>..#include <GUIConstantsEx.au3>..#include <EditConstants.au3>..#include <GuiListView.au3>..#include <WinAPIProc.au3>..#include <Constants.au3>..#include <String.au3>..#include <WinAPI.au3>..#include <Misc.au3>....Auto
                        Process:C:\Windows\SysWOW64\7za.exe
                        File Type:MS Windows icon resource - 6 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
                        Category:dropped
                        Size (bytes):159999
                        Entropy (8bit):7.2082351230518675
                        Encrypted:false
                        SSDEEP:3072:bXKRZnDsdyWfB4uZfJybGkbr81fCMGfKCnQY/LWEwIqoqE7U4ubpLEO6uim:bXSZnx8muZ04FPEO9VkHy
                        MD5:C383035A57C2E7A39803F71096011CA6
                        SHA1:28EB06AF5B03DE330423E40275CFC251EE324D6F
                        SHA-256:71DE01801146E8DBE1EA5771A80B5F8E39693A58AD12987022DDE335B9D7CA86
                        SHA-512:62F3243857CD4A03F094209DA3990C2BBE4F92AE2A4D945F2715CC0D95DAF0BC6B821BC0A1E06DDCD86CBF409D9EF2F530116B1E155D2E2F98A5D855342E4796
                        Malicious:false
                        Reputation:low
                        Process:C:\Windows\SysWOW64\7za.exe
                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):160256
                        Entropy (8bit):6.423018385520545
                        Encrypted:false
                        SSDEEP:3072:uwEUNZLRS8gLI7qwnKE6Cv/89RvD7c5Q9a88QuA6337p:/NBRS8AzdC3Qvr9aDQuA6b
                        MD5:7AACFD85B8DFF0AA6867BEDE82CFD147
                        SHA1:E783F6D4B754EA8424699203B8831BDC9CBDD4E6
                        SHA-256:871E4F28FE39BCAD8D295AE46E148BE458778C0195ED660B7DB18EB595D00BD8
                        SHA-512:59CCE358C125368DC5735A28960DDB7EE49835CA19F44255A7AE858DDD8A2DB68C72C3F6818ECA3678D989041043876E339F9FAFE1D81D26001286494A8014F0
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Reputation:low
                        Process:C:\Windows\SysWOW64\7za.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):463
                        Entropy (8bit):4.800053988278318
                        Encrypted:false
                        SSDEEP:6:tDCIB/ag6/hWFkmvywoiZtR14jNgrkWB5j0DI/cDQQDKtRLz7Z+JAseg20DwmFeN:tDHQ/AFRZoBKrkWPj0D4bQwz7ZU6g9eN
                        MD5:7C8C065A6D1563CCE7A73C3D3FA66FAE
                        SHA1:9C4017613DF68ED8802B07175339812FFE5669C8
                        SHA-256:4AE4BC30641801C603C0EB36B2DDFC06081B91CF2E614E6565F489187EF1B027
                        SHA-512:7A1AF1932893B791163A4FB9E1677CD9ABCCB306CF8A35CD74DFC1C55BC3E1194066B7B0E4DAC380019204436732C9B831FC6408AB058CCDD3088F81F794EC64
                        Malicious:false
                        Reputation:low
                        Preview:NSudo is a system management tool for advanced users to launch programs with full privileges.....It was created by the M2Team, and it is fully (open source)[https://github.com/M2TeamArchived/NSudo]...Without it, XD and other UWP apps cannot be cured.....However, you can remove it and re-compile the source code of GenP to not require it.....For instructions on how to compile GenP and validate it's safety/authenticity, please check the 'COMPILE.txt' document...
                        Process:C:\Windows\SysWOW64\7za.exe
                        File Type:Generic INItialization configuration [TargetFiles]
                        Category:dropped
                        Size (bytes):7420
                        Entropy (8bit):4.966126840588047
                        Encrypted:false
                        SSDEEP:192:ByNwQDxO8vcgBPcJvcgBvF0VBotrjTZv2ctKpm8hJ3bK:ByNwaxO8vcgVevcgoIl2ctKpm8hJLK
                        MD5:ADD427035968BC6F8BCDF0C5D7580495
                        SHA1:7C1D13771B0546C31B87B36D1F158665BA9F793B
                        SHA-256:66232A4D8677CD50612EAEBC664B2F2F3556B497D5BF8657967C259EF4723B68
                        SHA-512:085C3F314F556FE2667DF998EEC6114F017849746A6691EA2E0BFFD6FC8DDC5A1C00E0BD25CACA233CBF4B3DB59072CCE212681C29A480220F1584FF26E1EE3C
                        Malicious:false
                        Reputation:low
                        Preview:[Default]..Path=C:\Program Files\Adobe....[TargetFiles]..1="acrobat.dll"..2="acrodistdll.dll"..3="acrotray.exe"..4="aero.exe"..5="afterfxlib.dll"..6="animate.exe"..7="animator.exe"..8="animator (beta).exe"..9="auui.dll"..10="adobe bridge.exe"..11="designer.exe"..12="dreamweaver.exe"..13="dvaappsupport.dll"..14="encoder.exe"..15="encoder (beta).exe"..16="euclid-core"..17="gemini_uwp_bridge.dll"..18="illustrator.exe"..19="lightroom.exe"..20="lightroomcc.exe"..21="modeler.exe"..22="modeler beta.exe"..23="ngl-lib.dll"..24="painter.exe"..25="photoshop.exe"..26="public.dll"..27="registration.dll"..28="sampler.exe"..29="sampler beta.exe"..30="stager.exe"..31="sweetpeasupport.dll"..32="xd.exe"..33="appframework.rpln"..34="objectmodel.dll"..35="4.js"..36="manifest.json"....[DefaultPatterns]..Values="ProfileExpired1","ProfileExpired3","ProfileExpired4","ProfileExpired5","ProfileExpired6","ValidateLicense1","ValidateLicense2","ValidateLicense3","CmpEax61","CmpEax62","CmpEax63","CmpEax64","Profile
                        Process:C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe
                        File Type:Generic INItialization configuration [TargetFiles]
                        Category:dropped
                        Size (bytes):7420
                        Entropy (8bit):4.966126840588047
                        Encrypted:false
                        SSDEEP:192:ByNwQDxO8vcgBPcJvcgBvF0VBotrjTZv2ctKpm8hJ3bK:ByNwaxO8vcgVevcgoIl2ctKpm8hJLK
                        MD5:ADD427035968BC6F8BCDF0C5D7580495
                        SHA1:7C1D13771B0546C31B87B36D1F158665BA9F793B
                        SHA-256:66232A4D8677CD50612EAEBC664B2F2F3556B497D5BF8657967C259EF4723B68
                        SHA-512:085C3F314F556FE2667DF998EEC6114F017849746A6691EA2E0BFFD6FC8DDC5A1C00E0BD25CACA233CBF4B3DB59072CCE212681C29A480220F1584FF26E1EE3C
                        Malicious:false
                        Reputation:low
                        Preview:[Default]..Path=C:\Program Files\Adobe....[TargetFiles]..1="acrobat.dll"..2="acrodistdll.dll"..3="acrotray.exe"..4="aero.exe"..5="afterfxlib.dll"..6="animate.exe"..7="animator.exe"..8="animator (beta).exe"..9="auui.dll"..10="adobe bridge.exe"..11="designer.exe"..12="dreamweaver.exe"..13="dvaappsupport.dll"..14="encoder.exe"..15="encoder (beta).exe"..16="euclid-core"..17="gemini_uwp_bridge.dll"..18="illustrator.exe"..19="lightroom.exe"..20="lightroomcc.exe"..21="modeler.exe"..22="modeler beta.exe"..23="ngl-lib.dll"..24="painter.exe"..25="photoshop.exe"..26="public.dll"..27="registration.dll"..28="sampler.exe"..29="sampler beta.exe"..30="stager.exe"..31="sweetpeasupport.dll"..32="xd.exe"..33="appframework.rpln"..34="objectmodel.dll"..35="4.js"..36="manifest.json"....[DefaultPatterns]..Values="ProfileExpired1","ProfileExpired3","ProfileExpired4","ProfileExpired5","ProfileExpired6","ValidateLicense1","ValidateLicense2","ValidateLicense3","CmpEax61","CmpEax62","CmpEax63","CmpEax64","Profile
                        Process:C:\Windows\SysWOW64\7za.exe
                        File Type:ASCII text, with CRLF, CR line terminators
                        Category:dropped
                        Size (bytes):482
                        Entropy (8bit):5.005460961215096
                        Encrypted:false
                        SSDEEP:12:pMd1DiIiRwTAEhQpyT3ArFyPANxJAIkz1GNJ:piWI4wTAEipyT3ArCANxJAIFz
                        MD5:29199162EF7268DA0A66BB2D2659B19D
                        SHA1:80D376343F45BCFFB34B03C508C63238E7234594
                        SHA-256:997A034015EF0AF6B197B1DEDA5CB2630F4D47A7703BE498B5C2EF30299FB53F
                        SHA-512:3030FD8A60028625B349CA1CFB2F6F6AB950A3E171691294F22788463E6484F94CD445DD99FE73BB0904866A9BB7A4A9B9775A664FAF048ED96AFCCC545A7E20
                        Malicious:false
                        Reputation:low
                        Preview:..7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30....Scanning the drive for archives:.. 0M Scan C:\Users\user\Desktop\download\. .1 file, 903270 bytes (883 KiB)....Extracting archive: C:\Users\user\Desktop\download\iz3lne.zip..--..Path = C:\Users\user\Desktop\download\iz3lne.zip..Type = zip..Physical Size = 903270.... 0%. .Everything is Ok....Folders: 2..Files: 7..Size: 1678990..Compressed: 903270..
                        No static file info


                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2024-11-13T12:44:48.851307+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.5 | 49705 | TCP
                        2024-11-13T12:45:27.953968+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.175.87.197 | 443 | 192.168.2.5 | 49905 | TCP
                        • Total Packets: 149
                        • 443 (HTTPS)
                        • 53 (DNS)
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 13, 2024 12:44:31.314841986 CET | 60371 | 53 | 192.168.2.5 | 1.1.1.1
                        Nov 13, 2024 12:44:31.322555065 CET | 53 | 60371 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 13, 2024 12:44:31.314841986 CET | 192.168.2.5 | 1.1.1.1 | 0xfc6a | Standard query (0) | files.catbox.moe | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 13, 2024 12:44:31.322555065 CET | 1.1.1.1 | 192.168.2.5 | 0xfc6a | No error (0) | files.catbox.moe | | 108.181.20.35 | A (IP address) | IN (0x0001) | false
                        • files.catbox.moe
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 108.181.20.35 | 443 | 3528 | C:\Windows\SysWOW64\wget.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-13 11:44:32 UTC | 202 | OUT | GET /iz3lne.zip HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
                        Accept: */*
                        Accept-Encoding: identity
                        Host: files.catbox.moe
                        Connection: Keep-Alive
2024-11-13 11:44:33 UTC | 542 | IN | HTTP/1.1 200 OK
                        Server: nginx
                        Date: Wed, 13 Nov 2024 11:44:32 GMT
                        Content-Type: application/zip
                        Content-Length: 903270
                        Last-Modified: Thu, 05 Sep 2024 05:22:08 GMT
                        Connection: close
                        ETag: "66d94000-dc866"
                        X-Content-Type-Options: nosniff
                        Content-Security-Policy: default-src 'self' https://files.catbox.moe; style-src https://files.catbox.moe 'unsafe-inline'; img-src 'self' data:; font-src 'self'; media-src 'self'; object-src 'self';
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Methods: GET, HEAD
                        Accept-Ranges: bytes



Target ID: 0
Start time: 06:44:29
Start date: 13/11/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://files.catbox.moe/iz3lne.zip" > cmdline.out 2>&1
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 06:44:29
Start date: 13/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 06:44:29
Start date: 13/11/2024
Path: C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit): true
Commandline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://files.catbox.moe/iz3lne.zip"
Imagebase: 0x400000
File size: 3'895'184 bytes
MD5 hash: 3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 4
Start time: 06:44:38
Start date: 13/11/2024
Path: C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit): true
Commandline: 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\iz3lne.zip"
Imagebase: 0x8a0000
File size: 289'792 bytes
MD5 hash: 77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 5
Start time: 06:44:38
Start date: 13/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 7
Start time: 06:44:39
Start date: 13/11/2024
Path: C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe"
Imagebase: 0x7ff6358f0000
File size: 1'285'632 bytes
MD5 hash: 5AA73CE6297B35AAC0067529A47B44C5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 34%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 8
Start time: 06:44:42
Start date: 13/11/2024
Path: C:\Users\user\AppData\Local\Temp\NSudoLG.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\NSudoLG.exe -U:T -P:E -M:S "C:\Users\user\Desktop\extract\GenP-3.4.14.1.exe"
Imagebase: 0x7ff679ab0000
File size: 160'256 bytes
MD5 hash: 7AACFD85B8DFF0AA6867BEDE82CFD147
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: true

                        No disassembly