Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe
Analysis ID:	1633145
MD5:	baa1353f2955138fe781da218ecfbfec
SHA1:	951164e7150e31d64d1770ec8903a39caddf2009
SHA256:	cfdf1d2768ed773c3f5b2c2a03d7892551ea79b181068c23a765f1e09a8c90b1
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

Salat Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Salat Stealer

Creates multiple autostart registry keys

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: System File Execution Location Anomaly

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Drops PE files

Installs a raw input device (often for capturing keystrokes)

PE file contains sections with non-standard names

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe (PID: 8064 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe" MD5: BAA1353F2955138FE781DA218ECFBFEC)

sppsvc.exe (PID: 5344 cmdline: "C:\Program Files (x86)\reference assemblies\sppsvc.exe" MD5: BAA1353F2955138FE781DA218ECFBFEC)

conhost.exe (PID: 7608 cmdline: "C:\Users\user\AppData\Local\Temp\conhost.exe" MD5: BAA1353F2955138FE781DA218ECFBFEC)

ymrQM6SOnQbFeKt13.exe (PID: 2132 cmdline: "C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe" MD5: BAA1353F2955138FE781DA218ECFBFEC)

sppsvc.exe (PID: 8076 cmdline: "C:\Program Files (x86)\reference assemblies\sppsvc.exe" MD5: BAA1353F2955138FE781DA218ECFBFEC)

conhost.exe (PID: 1016 cmdline: "C:\Users\user\AppData\Local\Temp\conhost.exe" MD5: BAA1353F2955138FE781DA218ECFBFEC)

ymrQM6SOnQbFeKt13.exe (PID: 7764 cmdline: "C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe" MD5: BAA1353F2955138FE781DA218ECFBFEC)

sppsvc.exe (PID: 1076 cmdline: "C:\Program Files (x86)\reference assemblies\sppsvc.exe" MD5: BAA1353F2955138FE781DA218ECFBFEC)

conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.1455657830.0000000000ADF000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
0000000D.00000002.1699277831.0000000000ADF000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
00000009.00000002.2464230710.000000000097F000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
0000000E.00000002.1782238168.0000000000A4F000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
00000002.00000002.1255509308.0000000000A4F000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
0000000C.00000002.1624314483.000000000097F000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
00000000.00000002.1251861814.0000000000EAF000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
0000000B.00000002.1537050960.0000000000A4F000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
0000000C.00000002.1624314483.0000000000181000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1251861814.00000000006B1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1699277831.00000000002E1000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1537050960.0000000000251000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000001.1775363621.0000000000251000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1455657830.00000000002E1000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2464230710.0000000000181000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1255509308.0000000000251000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.1782238168.0000000000251000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe PID: 8064	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe PID: 8064	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
Process Memory Space: sppsvc.exe PID: 5344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: sppsvc.exe PID: 5344	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
Process Memory Space: conhost.exe PID: 7608	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: conhost.exe PID: 7608	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
Process Memory Space: ymrQM6SOnQbFeKt13.exe PID: 2132	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ymrQM6SOnQbFeKt13.exe PID: 2132	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
Process Memory Space: sppsvc.exe PID: 8076	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: sppsvc.exe PID: 8076	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
Process Memory Space: conhost.exe PID: 1016	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: conhost.exe PID: 1016	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
Process Memory Space: ymrQM6SOnQbFeKt13.exe PID: 7764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ymrQM6SOnQbFeKt13.exe PID: 7764	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
Process Memory Space: sppsvc.exe PID: 1076	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: sppsvc.exe PID: 1076	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author
10.2.ymrQM6SOnQbFeKt13.exe.2e0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.ymrQM6SOnQbFeKt13.exe.2e0000.0.unpack	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
9.2.conhost.exe.180000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.conhost.exe.180000.0.unpack	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe.6b0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe.6b0000.0.unpack	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
13.2.ymrQM6SOnQbFeKt13.exe.2e0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.ymrQM6SOnQbFeKt13.exe.2e0000.0.unpack	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
14.2.sppsvc.exe.250000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.sppsvc.exe.250000.0.unpack	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
11.2.sppsvc.exe.250000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.sppsvc.exe.250000.0.unpack	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
12.2.conhost.exe.180000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.conhost.exe.180000.0.unpack	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
2.2.sppsvc.exe.250000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.sppsvc.exe.250000.0.unpack	JoeSecurity_SalatStealer	Yara detected Salat Stealer	Joe Security
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, ProcessId: 8064, TargetFilename: C:\Users\user\AppData\Local\Temp\conhost.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\conhost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, ProcessId: 8064, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Local\Temp\conhost.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\conhost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\conhost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\conhost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\conhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\conhost.exe" , ProcessId: 7608, ProcessName: conhost.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\conhost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, ProcessId: 8064, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://sa1at.ru/sa1at/i32i32i32i32i32i32_vhttps://sa1at.ru/sa1at/text/html;	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/i32i32i32i32i32i32_i32i32i32i32i32i32_i32	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/91de60678b041dcc-EWR	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/OfficeClickToRun.exeRuntimeBroker.exeRuntimeBroker.exe	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html;	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/2i32i32i32i32i64_v	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/d23895dae0ca92abe3274c29https://sa1at.ru/sa1at/	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/2i32i32i32i32i64_vi32i32i64i32i32_i32text/html;	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/2https://sa1at.ru/sa1at/text/ht	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/htm	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/i32i32i32i32i32i32_i32i32i32i32i32i32_vhttps://sa1at.r	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/2https://sa1at.ru/sa1at/	Avira URL Cloud: Label: malware
Source: https://sa1at.ru/sa1at/2https://sa1at.ru/sa1at/i32i32i32i32i32i32i32i32i32i32i32i32i32i32i32i32i32i3	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Virustotal: Detection: 48%			Perma Link
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	ReversingLabs: Detection: 39%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Temp\conhost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.4:53384 -> 162.159.36.2:53

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 172.67.191.102
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000002012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/gsr1.crl
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002366000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000208C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000235C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002008000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002138000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000002012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r4.crl
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000020FA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000235C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002008000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1257922237.0000000002482000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002350000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CA8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/we1/2DqfS24kcdI.crl
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000020FA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000235C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002008000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1257922237.0000000002482000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/we1/2DqfS24kcdI.crl0
Source: conhost.exe, 00000009.00000002.2469112551.0000000001CA8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/we1/2DqfS24kcdI.crlC:
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023F8000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CCA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002384000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E2000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023EE000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023DA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002426000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E8000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CA8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002394000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E2000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023DA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023D4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E8000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CA8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002394000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crthttp://crl3.digicert.com/DigiCertGlobalRootG2.cr
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002140000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F54000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F3A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F54000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D4C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F74000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F70000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D4C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002140000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F54000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F3A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F54000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002014000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001D0C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1456735779.0000000001C14000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1703726051.0000000001C14000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001D0C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002014000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001D0C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1456735779.0000000001C14000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1703726051.0000000001C14000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001D0C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl(c)
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F74000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F76000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D4C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F74000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F70000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D4C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002138000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F3A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D38000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F5C000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F58000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D38000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: sppsvc.exe, 00000002.00000002.1258638799.0000000001D14000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1456735779.0000000001C14000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001D24000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001D24000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1703726051.0000000001C14000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001D14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000204B000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001D3A000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CF6000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1456735779.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1703726051.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001D3A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: sppsvc.exe, 00000002.00000002.1258638799.0000000001D14000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1456735779.0000000001C14000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001D24000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001D24000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1703726051.0000000001C14000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001D14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000206E000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001D2A000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CF6000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1456735779.0000000001C6E000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001D3A000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001D3A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1703726051.0000000001C6E000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001D2A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023F8000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CCA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002384000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E2000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023EE000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023DA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002426000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E8000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CA8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl0H
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023F8000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CCA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crlhttp://crl4.digicert.com/DigiCertG
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002394000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E2000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023DA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023D4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E8000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CA8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023F8000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CCA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002384000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E2000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023EE000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023DA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002426000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E8000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CA8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002394000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E2000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023DA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023D4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E8000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CA8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl00
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000002012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crt
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002366000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000208C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000235C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002008000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002138000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000002012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crl
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000020FA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000235C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002008000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1257922237.0000000002482000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r4.crt0
Source: conhost.exe, 00000009.00000002.2469112551.0000000001CF6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r4.crtGlobalSign
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000002012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000020FA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000235C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002008000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1257922237.0000000002482000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000002012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/Yak
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000020FA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000235C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002008000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1257922237.0000000002482000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/Yak0%
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000002012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/Yakhttp://i.pki.goog/we1.crt
Source: conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E2000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023DA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023D4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E8000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CA8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002384000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E2000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023EE000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023DA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002426000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E8000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CA8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0Q
Source: conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comDigiCert
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002176000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F94000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D7C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F9E000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F9E000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D7C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F94000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002176000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002145000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F88000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D76000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F94000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F94000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D76000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F74000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F76000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002140000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002138000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F54000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F3A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D20000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F56000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001D7C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D20000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F54000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: sppsvc.exe, 0000000E.00000002.1784388098.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.orgChambers
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002384000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E2000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023EE000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023DA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002426000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000023E8000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CA8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F74000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F76000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000212C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F44000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F3A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D2E000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F4E000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D2E000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F44000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1251861814.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, sppsvc.exe, 00000002.00000002.1255509308.0000000000251000.00000040.00000001.01000000.00000008.sdmp, conhost.exe, 00000009.00000002.2464230710.0000000000181000.00000040.00000001.01000000.00000009.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1455657830.00000000002E1000.00000040.00000001.01000000.0000000A.sdmp, sppsvc.exe, 0000000B.00000002.1537050960.0000000000251000.00000040.00000001.01000000.00000008.sdmp, conhost.exe, 0000000C.00000002.1624314483.0000000000181000.00000040.00000001.01000000.00000009.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1699277831.00000000002E1000.00000040.00000001.01000000.0000000A.sdmp, sppsvc.exe, 0000000E.00000001.1775363621.0000000000251000.00000040.00000001.01000000.00000008.sdmp, sppsvc.exe, 0000000E.00000002.1782238168.0000000000251000.00000040.00000001.01000000.00000008.sdmp	String found in binary or memory: https://1.1.1.1/dns-query?name=failed
Source: conhost.exe, 00000009.00000002.2469112551.0000000002048000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://1.1.1.1/dns-query?name=sa1at.ru
Source: conhost.exe, 00000009.00000002.2469112551.0000000002048000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://1.1.1.1/dns-query?name=sa1at.ru9eb46f5c7161eaecb1a84f04bdedfe313a0eeec6
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D4C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F74000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F70000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D4C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F74000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F76000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002176000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F88000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D76000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F94000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F94000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D76000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2485896782.0000000004544000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/
Source: conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/2https://sa1at.ru/sa1at/
Source: conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/2https://sa1at.ru/sa1at/i32i32i32i32i32i32i32i32i32i32i32i32i32i32i32i32i32i3
Source: conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/2i32i32i32i32i64_v
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002094000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/91de60678b041dcc-EWR
Source: conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/d23895dae0ca92abe3274c29https://sa1at.ru/sa1at/
Source: conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/2i32i32i32i32i64_vi32i32i64i32i32_i32text/html;
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002014000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/OfficeClickToRun.exeRuntimeBroker.exeRuntimeBroker.exe
Source: conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/2https://sa1at.ru/sa1at/text/ht
Source: conhost.exe, 00000009.00000002.2469112551.00000000029F4000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2485896782.0000000004544000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://
Source: conhost.exe, 00000009.00000002.2485896782.0000000004544000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/htm
Source: conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/i32i32i32i32i32i32_i32i32i32i32i32i32_vhttps://sa1at.r
Source: conhost.exe, 00000009.00000002.2485896782.0000000004544000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html;
Source: conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/i32i32i32i32i32i32_i32i32i32i32i32i32_i32
Source: conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sa1at.ru/sa1at/i32i32i32i32i32i32_vhttps://sa1at.ru/sa1at/text/html;

Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1251861814.00000000006B1000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine unsafe.Pointerreflect.Value.RCodeNameErrorResourceHeaderunreachable: Accept-CharsetDkim-Signatureneed more dataREQUEST_METHODInstEmptyWidthmax-age=604800NO_VIABLE_PATHpacing limitedsqlite3_errstrsqlite3_errmsggo_commit_hookgo_update_hookgo_vtab_creatego_vtab_updatego_vtab_renamego_vtab_commitunixepoch_fracunixepoch_nano15:04:05Z07:00mime/multipartmutable-globalgo_sector_sizego_shm_barrierf32.demote_f64i32.extend16_si64.extend16_si64.extend32_sv128.load8x8_sv128.load8x8_uv128.bitselecti8x16.all_truei16x8.all_truei32x4.all_truei64x2.all_trueread block: %wfunc[%s.%s] %winvalid %s: %wunknown memoryalready closedI32WrapFromI64read value: %vsection %s: %vglobal[%d]: %wProcess32FirstWDispatchMessageSetWinEventHookHarmonyOutdatedchunk confirmedunzipping file winsta0\defaultgot dExec code:found tg:// urlActive window: Build Version: Browsers\Token_Network\Cookieszipinsecurepathrecord overflowbad certificatePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512ClientAuthType(client finishedserver finishedunknown versionmissing address/etc/mdns.allowunknown networknegative updateaccept-encodingaccept-languagex-forwarded-forAccept-Encodingrecv_rststream_Idempotency-KeyPartial ContentRequest TimeoutLength RequiredNot ImplementedGateway Timeoutunexpected typebad trailer keywrite error: %wGetProcessTimesDuplicateHandlenegative offsetGetMonitorInfoW476837158203125advertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreateHardLinkWDeviceIoControlFlushViewOfFileGetCommandLineWGetStartupInfoWUnmapViewOfFileFailed to load Failed to find : cannot parse ,M3.2.0,M11.1.0general failuredata before FINbad close code ExcludeClipRectGetEnhMetaFileWGetTextMetricsWPlayEnhMetaFileGdiplusShutdownGetThreadLocaleOleUninitializewglGetCurrentDCDragAcceptFilesCallWindowProcWCreatePopupMenuCreateWindowExWDialogBoxParamWGetActiveWindowGetDpiForWindowGetRawInputDataInsertMenuItemWIsWindowEnabledIsWindowVisiblePostQuitMessageSetActiveWindowTrackMouseEventWindowFromPointDrawThemeTextExGetSecurityInfoImpersonateSelfOpenThreadTokenSetSecurityInfoAddDllDirectoryFindNextVolumeWFindVolumeCloseGetCommTimeoutsIsWow64Process2QueryDosDeviceWSetCommTimeoutsSetVolumeLabelWRtlDefaultNpAclCLSIDFromStringStringFromGUID2IsWindowUnicodetimeBeginPeriodNTSTATUS 0x%08xRegCreateKeyExWRegDeleteValueWx509usepoliciesNetworkSettingsRestartIntervalEvery other dayConsole Connectnothing to packIgnoring Retry.invalid boolean0601021504Z0700non-minimal tagunknown Go typeHanifi_RohingyaPsalter_Pahlavireflectlite.Set is unavailableallocmRInternalwrite heap dumpasyncpreemptoffforce gc (idle)sync.Mutex.Lockmalloc deadlockruntime error: elem size wrong with GC prog

memstr_119ff72c-5

Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@10/5@0/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

File created: C:\Program Files (x86)\hqzniwnflpalqojizoevbwfhzeeghwedxchkqfurzubagpitxmpcshn\496159c4-a2df-16a9-fbfd-c5e2c359c4a2

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

File created: C:\Users\user\AppData\Local\Comms\496159c4-a2df-16a9-fbfd-c5e2c359c4a2

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3228:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\WEBR_49C46OPKV4D3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

File created: C:\Users\user\AppData\Local\Temp\496159c4-a2df-16a9-fbfd-c5e2c359c4a2

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1251861814.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, sppsvc.exe, 00000002.00000002.1255509308.0000000000251000.00000040.00000001.01000000.00000008.sdmp, conhost.exe, 00000009.00000002.2469112551.00000000029F4000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2490939531.000000002A7DF000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2491086385.000000002C7DF000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1425310972.00000000307E0000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2464230710.0000000000181000.00000040.00000001.01000000.00000009.sdmp, conhost.exe, 00000009.00000002.2490510614.00000000247DF000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2491374998.000000002E7DF000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2490792764.00000000287DF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1251861814.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, sppsvc.exe, 00000002.00000002.1255509308.0000000000251000.00000040.00000001.01000000.00000008.sdmp, conhost.exe, 00000009.00000002.2469112551.00000000029F4000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2490939531.000000002A7DF000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2491086385.000000002C7DF000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1425310972.00000000307E0000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2464230710.0000000000181000.00000040.00000001.01000000.00000009.sdmp, conhost.exe, 00000009.00000002.2490510614.00000000247DF000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2491374998.000000002E7DF000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2490792764.00000000287DF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: conhost.exe, 00000009.00000002.2490652047.0000000026810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1251861814.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, sppsvc.exe, 00000002.00000002.1255509308.0000000000251000.00000040.00000001.01000000.00000008.sdmp, conhost.exe, 00000009.00000002.2469112551.00000000029F4000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2490939531.000000002A7DF000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2491086385.000000002C7DF000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1425310972.00000000307E0000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2464230710.0000000000181000.00000040.00000001.01000000.00000009.sdmp, conhost.exe, 00000009.00000002.2490510614.00000000247DF000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2491374998.000000002E7DF000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2490792764.00000000287DF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Virustotal: Detection: 48%
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\conhost.exe "C:\Users\user\AppData\Local\Temp\conhost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe "C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe"
Source: unknown	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\conhost.exe "C:\Users\user\AppData\Local\Temp\conhost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe "C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe"
Source: unknown	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe	Section loaded: umpdc.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Static file information: File size 3274240 > 1048576

Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x31f200

Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Static PE information: section name: UPX2
Source: conhost.exe.0.dr	Static PE information: section name: UPX2
Source: ymrQM6SOnQbFeKt13.exe.0.dr	Static PE information: section name: UPX2
Source: sppsvc.exe.0.dr	Static PE information: section name: UPX2

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	File created: C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	File created: C:\Users\user\AppData\Local\Temp\conhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	File created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sppsvc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ymrQM6SOnQbFeKt13	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ymrQM6SOnQbFeKt13	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ymrQM6SOnQbFeKt13	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sppsvc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sppsvc	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select TotalPhysicalMemory from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select TotalPhysicalMemory from Win32_ComputerSystem

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Temp\conhost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: conhost.exe, 0000000C.00000002.1626228129.00000000014CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: conhost.exe, 00000009.00000002.2468155235.000000000134A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: sppsvc.exe, 00000002.00000002.1257322616.000000000149B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: sppsvc.exe, 0000000B.00000002.1540748579.000000000141C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1253716541.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: conhost.exe, 00000009.00000002.2468155235.000000000131E000.00000004.00000020.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1456521424.000000000142E000.00000004.00000020.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1703246160.000000000125C000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1783169874.000000000138C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Process created: C:\Program Files (x86)\Reference Assemblies\sppsvc.exe "C:\Program Files (x86)\reference assemblies\sppsvc.exe"

Jump to behavior

Source: conhost.exe, 00000009.00000002.2469112551.000000000374E000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2485896782.00000000044FC000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.000000000435C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager'
Source: conhost.exe, 00000009.00000002.2469112551.000000000374E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: BgProgram Manager
Source: conhost.exe, 00000009.00000002.2485896782.00000000044FC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Managerf
Source: conhost.exe, 00000009.00000002.2469112551.000000000434C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerProgram ManagerProgram ManagerProgram ManagerSun, 09 Mar 2025 23:34:16 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 09 Mar 2025 23:34:48 GMTProgram ManagerProgram ManagerSun, 09 Mar 2025 23:34:56 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 09 Mar 2025 23:35:05 GMTProgram ManagerProgram ManagerSun, 09 Mar 2025 23:35:08 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 09 Mar 2025 23:35:20 GMTProgram ManagerSun, 09 Mar 2025 23:35:21 GMT
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000238C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: GetWindowTextWProgram Manager"uname"333'
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000238C000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.000000000374E000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2485896782.00000000044FC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: conhost.exe, 00000009.00000002.2485896782.00000000044FC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerX/P
Source: conhost.exe, 00000009.00000002.2485896782.0000000004482000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: o>Program ManagerSun, 09 Mar 2025 23:33:39 GMTSun, 09 Mar 2025 23:33:41 GMTSun, 09 Mar 2025 23:33:42 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 09 Mar 2025 23:34:00 GMTProgram ManagerProgram ManagerSun, 09 Mar 2025 23:34:06 GMTSun, 09 Mar 2025 23:34:07 GMTProgram ManagerProgram ManagerProgram ManagerSun, 09 Mar 2025 23:34:15 GMTProgram ManagerProgram ManagerSun, 09 Mar 2025 23:34:34 GMTProgram ManagerProgram ManagerSun, 09 Mar 2025 23:34:48 GMTSun, 09 Mar 2025 23:34:50 GMTProgram ManagerProgram ManagerProgram Manager
Source: conhost.exe, 00000009.00000002.2485896782.00000000044FC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Sun, 09 Mar 2025 23:34:15 GMTProgram ManagerProgram ManagerProgram ManagerSun, 09 Mar 2025 23:34:23 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 09 Mar 2025 23:34:32 GMTProgram ManagerSun, 09 Mar 2025 23:34:36 GMTProgram ManagerProgram ManagerProgram ManagerSun, 09 Mar 2025 23:34:40 GMTProgram ManagerProgram ManagerSun, 09 Mar 2025 23:34:47 GMTSun, 09 Mar 2025 23:34:52 GMTProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerProgram ManagerSun, 09 Mar 2025 23:35:10 GMTProgram ManagerProgram ManagerSun, 09 Mar 2025 23:35:13 GMT
Source: conhost.exe, 00000009.00000002.2469112551.000000000435C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: BnProgram Manager
Source: conhost.exe, 00000009.00000002.2469112551.000000000435C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: BjProgram Managerj
Source: conhost.exe, 00000009.00000002.2485896782.00000000044FC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Sun, 09 Mar 2025 23:33:39 GMTProgram ManagerSun, 09 Mar 2025 23:33:50 GMTProgram ManagerProgram ManagerSun, 09 Mar 2025 23:33:57 GMTProgram ManagerProgram ManagerSun, 09 Mar 2025 23:34:07 GMT
Source: conhost.exe, 00000009.00000002.2485896782.00000000044FC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: BjProgram Manager
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: *struct { Name string }ConnectServerProgram Manager2.5.29.192.5.29.152.5.29.14GlobalSign ECC Root CA - R5GlobalSign ECC Root CA - R5
Source: conhost.exe, 00000009.00000002.2469112551.0000000004180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerSun, 09 Mar 2025 23:33:42 GMTProgram ManagerProgram ManagerSun, 09 Mar 2025 23:33:50 GMTSun, 09 Mar 2025 23:33:54 GMTSun, 09 Mar 2025 23:33:58 GMTProgram Manager
Source: conhost.exe, 00000009.00000002.2469112551.0000000001FA2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DEProgram ManagerOEUPUSUSQGBSalfordRi32_i32i32i64i32i64_i32i32i32i32_i32i32i32_i32i32i32i32i32_i32i32i32i32i64_i32SUSUSi32_vi32i32i32i32i32_vi32i32i32i32_vTV4
Source: conhost.exe, 00000009.00000002.2485896782.0000000004544000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: "Program Manager"
Source: conhost.exe, 00000009.00000002.2485896782.00000000044FC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager(/P
Source: conhost.exe, 00000009.00000002.2469112551.000000000374E000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2485896782.00000000044FC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: BiProgram Manager
Source: conhost.exe, 00000009.00000002.2485896782.0000000004544000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 91de612d98895e60-EWRh3=":443"; ma=86400"Program Manager"https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html; charset=UTF-891de615a197b5e60-EWRh3=":443"; ma=86400https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html; charset=UTF-891de61991f3a5e60-EWRh3=":443"; ma=86400https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html; charset=UTF-891de61c95d4e5e60-EWRh3=":443"; ma=86400text/html; charset=UTF-891de61fd2cbb5e60-EWRh3=":443"; ma=86400text/html; charset=UTF-891de62310f905e60-EWRh3=":443"; ma=86400https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html; charset=UTF-891de624b5f915e60-EWRh3=":443"; ma=86400text/html; charset=UTF-891de6264ff355e60-EWRh3=":443"; ma=86400text/html; charset=UTF-891de629239445e60-EWRh3=":443"; ma=86400https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html; charset=UTF-891de62b0ad945e60-EWRh3=":443"; ma=86400https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html; charset=UTF-891de631eecee5e60-EWRh3=":443"; ma=86400text/html; charset=UTF-891de6334a9295e60-EWRh3=":443"; ma=86400

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\RecoveryImproved VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\WidevineCdm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Last Browser VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\conhost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AmountExtractionHeuristicRegexes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FileTypePolicies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FirstPartySetsPreloaded VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\PrivacySandboxAttestationsPreloaded VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\RecoveryImproved VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Salat Stealer

Source: Yara match	File source: 10.2.ymrQM6SOnQbFeKt13.exe.2e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.conhost.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ymrQM6SOnQbFeKt13.exe.2e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.sppsvc.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.sppsvc.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.conhost.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.sppsvc.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1455657830.0000000000ADF000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1699277831.0000000000ADF000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2464230710.000000000097F000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1782238168.0000000000A4F000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1255509308.0000000000A4F000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1624314483.000000000097F000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1251861814.0000000000EAF000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1537050960.0000000000A4F000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sppsvc.exe PID: 5344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ymrQM6SOnQbFeKt13.exe PID: 2132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sppsvc.exe PID: 8076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 1016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ymrQM6SOnQbFeKt13.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sppsvc.exe PID: 1076, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1251861814.00000000006B1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type avx512finvaliduintptrChanDir using , type= Value>Convert::ffff:answersExpiresSubjectCONOUT$charsetInstAltInstNopalt -> nop -> any -> (empty)Not-ECTOPTIONSoptionsalt-svcpurpose%v: %#x2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9%s (%s)%s %#vquic ivquic hpquic kugo_funcgo_stepos/execruntime#interngo_opengo_readgo_syncgo_lockamxtileamxint8amxbf16osxsaveavxifmaavxvnnii32.eqzi64.eqzi32.clzi32.ctzi32.addi32.subi32.muli32.andi32.xori32.shli64.clzi64.ctzi64.addi64.subi64.muli64.andi64.xori64.shlf32.absf32.negf32.addf32.subf32.mulf32.divf32.minf32.maxf64.absf64.negf64.addf64.subf64.mulf64.divf64.minf64.maxv128.orfuncrefelementsuccessBrTableStore16Store32NearestRefFuncV128AddV128SubV128AndV128NotV128XorV128ShlV128ShrV128CmpV128MulV128DivV128NegV128AbsV128MinV128MaxV128Dot.returnWSAPolltelegramBytecoinbytecoinEthereumElectrumMyMoneroCoinbaseCrocobitMetamaskStarcoinWaterfoxK-MeleonCyberfoxBlackHawChromiumElementsCatalinaQIP Surfbinpath=${TEMP}/chunking-nostatsCapsLockPageDowncheckDOHatoi: %s$appdata
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1251861814.00000000006B1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: : ` %#xPUT103503/302403421425getackanyenvneti32i64f32f64nopu32u64s32s64EqzAddSubMulClzCtzDivRemAndXorShlShrAbsNegMinMaxBUG:%dstrJaxxCoreEverMathNamiTronUranEdgesent.zip-q:vtrue%s%cLAltRAltLWinRWinAppsDownLeftHomeNum0Num1Num2Num3Num4Num5Num6Num7Num8Num9Num*Num+Num-Num.Num/bibawinv.exedataOS: IP: .jpg.txtTRUEopen/PIDwmiccallPATH:443readnullbooljson'\''eEpPRGBAGrayCMYKjpeg
Source: conhost.exe, 00000009.00000003.1420572108.000000000135E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: conhost.exe, 00000009.00000003.1420572108.000000000135E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystoreog
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1251861814.00000000006B1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: max=scav ptr ] = (usageinit ms, fault and tab= top=[...], fp:sse41sse42ssse3int16int32int64uint8slicekind= (at ClassRetryparseutf-8%s*%dtext/bad nmatchrune 0-RTT1-RTTclear15:04tableblockbr_if%d Ki%d Mi%d Gi%d TilabelLoad8StoreFloorTrunc%s %d%s %s%s.%s%s %fI8x16I16x8I32x4I64x2F32x4F64x2stdin%#x: Attr(ArmoryExodusGuardaBitappCoin98FewchaFinnieIconexKaikasOxygenPontemSaturnSolletWombatXMR.PTXinPayChromeChedotKometaFenrirCoowonLiebaoDragonCocCocYandexsc.execreatedeletestart $temp\chunk!audio=video=LShiftRShiftPageUpInsertDelete[AFK] 0.22.3 (x86)acceptAnswer GB
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1251861814.00000000006B1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type avx512finvaliduintptrChanDir using , type= Value>Convert::ffff:answersExpiresSubjectCONOUT$charsetInstAltInstNopalt -> nop -> any -> (empty)Not-ECTOPTIONSoptionsalt-svcpurpose%v: %#x2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9%s (%s)%s %#vquic ivquic hpquic kugo_funcgo_stepos/execruntime#interngo_opengo_readgo_syncgo_lockamxtileamxint8amxbf16osxsaveavxifmaavxvnnii32.eqzi64.eqzi32.clzi32.ctzi32.addi32.subi32.muli32.andi32.xori32.shli64.clzi64.ctzi64.addi64.subi64.muli64.andi64.xori64.shlf32.absf32.negf32.addf32.subf32.mulf32.divf32.minf32.maxf64.absf64.negf64.addf64.subf64.mulf64.divf64.minf64.maxv128.orfuncrefelementsuccessBrTableStore16Store32NearestRefFuncV128AddV128SubV128AndV128NotV128XorV128ShlV128ShrV128CmpV128MulV128DivV128NegV128AbsV128MinV128MaxV128Dot.returnWSAPolltelegramBytecoinbytecoinEthereumElectrumMyMoneroCoinbaseCrocobitMetamaskStarcoinWaterfoxK-MeleonCyberfoxBlackHawChromiumElementsCatalinaQIP Surfbinpath=${TEMP}/chunking-nostatsCapsLockPageDowncheckDOHatoi: %s$appdata
Source: conhost.exe, 00000009.00000003.1420572108.000000000135E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets4
Source: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1251861814.00000000006B1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: go_full_pathnameavx512vpclmulqdqi64.extend_i32_si64.extend_i32_uf32.convert_i64uv128.load8_splatv128.load32_zerov128.load64_zerov128.load16_lanev128.load32_lanev128.load64_lanev128.store8_lanei32.atomic.storei64.atomic.store%s invalid as %vinvalid drop: %vdecode int33: %wkind != func: %sresult too largeF32DemoteFromF64V128FloatPromoteargs invalid: %wread element: %wunaligned atomictoo many waitersWTSQueryUserTokenSetWindowsHookExAGetKeyboardLayoutD877F783D5D3EF8CsA7FDF864FBC10B77sF8806DD0C461824FsC2B05980D9127787s0CA814316818D8F6sCoSetProxyBlanketEthereum\keystoreinvalid file path\Telegram DesktopBrowsers\Cookies_taskkill /F /PID Write after Closedecryption failedhandshake failureillegal parametermissing extensionunrecognized namereflect.Value.Intin string literal0123456789ABCDEFX0123456789abcdefxillegal hex digitcan't scan type: invalid stream IDTransfer-EncodingHEADER_TABLE_SIZECOMPRESSION_ERRORENHANCE_YOUR_CALMHTTP_1_1_REQUIREDIf-Modified-Sinceframe_ping_lengthtruncated headersif-modified-sincetransfer-encodingx-forwarded-protoX-Idempotency-KeyMoved PermanentlyFailed DependencyToo Many Requests

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pocmplpaccanhmnllbbkpgfliimjljgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bocpokimicclpaiekenaeelehdjllofo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cmndjbecilbocjfkibfbifhngkdmjgog	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcckkdbjnoikooededlapcalpionmalo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfgccjchihfkkindfppnaooecgfneiii	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfhbebgoclkghebffdldpobeajmbecfk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jblndlipeogpafnldhgmapagcccfchpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eigblbgjknlfbajkfhopmcojidlgcehm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlfjmlcjdjgkddecgincndfgegkecke	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior

Source: Yara match	File source: 10.2.ymrQM6SOnQbFeKt13.exe.2e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.conhost.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ymrQM6SOnQbFeKt13.exe.2e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.sppsvc.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.sppsvc.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.conhost.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.sppsvc.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1624314483.0000000000181000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1251861814.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1699277831.00000000002E1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1537050960.0000000000251000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.1775363621.0000000000251000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1455657830.00000000002E1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2464230710.0000000000181000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1255509308.0000000000251000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1782238168.0000000000251000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sppsvc.exe PID: 5344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ymrQM6SOnQbFeKt13.exe PID: 2132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sppsvc.exe PID: 8076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 1016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ymrQM6SOnQbFeKt13.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sppsvc.exe PID: 1076, type: MEMORYSTR

Remote Access Functionality

Yara detected Salat Stealer

Source: Yara match	File source: 10.2.ymrQM6SOnQbFeKt13.exe.2e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.conhost.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ymrQM6SOnQbFeKt13.exe.2e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.sppsvc.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.sppsvc.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.conhost.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.sppsvc.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1455657830.0000000000ADF000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1699277831.0000000000ADF000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2464230710.000000000097F000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1782238168.0000000000A4F000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1255509308.0000000000A4F000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1624314483.000000000097F000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1251861814.0000000000EAF000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1537050960.0000000000A4F000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sppsvc.exe PID: 5344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ymrQM6SOnQbFeKt13.exe PID: 2132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sppsvc.exe PID: 8076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 1016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ymrQM6SOnQbFeKt13.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sppsvc.exe PID: 1076, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	11 Registry Run Keys / Startup Folder	12 Process Injection	2 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	11 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Registry Run Keys / Startup Folder	2 Virtualization/Sandbox Evasion	11 Input Capture	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	3 Data from Local System	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	49%	Virustotal		Browse
SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	39%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe	100%	Avira	TR/Crypt.XPACK.Gen

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\conhost.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Program Files (x86)\Reference Assemblies\sppsvc.exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\conhost.exe	39%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://cps.chambersign.org/cps/chambersroot.html0	0%	Avira URL Cloud	safe
https://sa1at.ru/sa1at/i32i32i32i32i32i32_vhttps://sa1at.ru/sa1at/text/html;	100%	Avira URL Cloud	malware
http://crl.chambersign.org/chambersroot.crl0	0%	Avira URL Cloud	safe
https://sa1at.ru/sa1at/i32i32i32i32i32i32_i32i32i32i32i32i32_i32	100%	Avira URL Cloud	malware
http://www.chambersign.org1	0%	Avira URL Cloud	safe
http://www.chambersign.orgChambers	0%	Avira URL Cloud	safe
https://repository.luxtrust.lu0	0%	Avira URL Cloud	safe
https://sa1at.ru/sa1at/91de60678b041dcc-EWR	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/OfficeClickToRun.exeRuntimeBroker.exeRuntimeBroker.exe	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html;	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/2i32i32i32i32i64_v	100%	Avira URL Cloud	malware
https://1.1.1.1/dns-query?name=sa1at.ru	0%	Avira URL Cloud	safe
https://1.1.1.1/dns-query?name=failed	0%	Avira URL Cloud	safe
https://sa1at.ru/sa1at/d23895dae0ca92abe3274c29https://sa1at.ru/sa1at/	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/2i32i32i32i32i64_vi32i32i64i32i32_i32text/html;	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/2https://sa1at.ru/sa1at/text/ht	100%	Avira URL Cloud	malware
https://1.1.1.1/dns-query?name=sa1at.ru9eb46f5c7161eaecb1a84f04bdedfe313a0eeec6	0%	Avira URL Cloud	safe
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/htm	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/i32i32i32i32i32i32_i32i32i32i32i32i32_vhttps://sa1at.r	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/2https://sa1at.ru/sa1at/	100%	Avira URL Cloud	malware
https://sa1at.ru/sa1at/2https://sa1at.ru/sa1at/i32i32i32i32i32i32i32i32i32i32i32i32i32i32i32i32i32i3	100%	Avira URL Cloud	malware

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.chambersign.org/chambersroot.crl0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002140000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F54000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F3A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F54000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://repository.luxtrust.lu0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002176000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F88000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D76000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F94000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F94000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D76000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F88000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sa1at.ru/sa1at/i32i32i32i32i32i32_i32i32i32i32i32i32_i32	conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://cps.chambersign.org/cps/chambersroot.html0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002140000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F54000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F3A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F54000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sa1at.ru/sa1at/i32i32i32i32i32i32_vhttps://sa1at.ru/sa1at/text/html;	conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.chambersign.org1	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002140000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002138000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F54000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F3A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D20000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F56000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001D7C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D20000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F54000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sa1at.ru/sa1at/	conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2485896782.0000000004544000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://c.pki.goog/r/r4.crl	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000002012000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.chambersign.orgChambers	sppsvc.exe, 0000000E.00000002.1784388098.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002176000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002145000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F88000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D76000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F94000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F94000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D40000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D76000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F88000.00000004.00001000.00020000.00000000.sdmp	false		high
http://c.pki.goog/we1/2DqfS24kcdI.crl	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002350000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CA8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/OfficeClickToRun.exeRuntimeBroker.exeRuntimeBroker.exe	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002014000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sa1at.ru/sa1at/91de60678b041dcc-EWR	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002094000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ocsp.quovadisoffshore.com	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D4C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F74000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F70000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D4C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000204B000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001D3A000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CF6000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1456735779.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1703726051.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001D3A000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/html;	conhost.exe, 00000009.00000002.2485896782.0000000004544000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://1.1.1.1/dns-query?name=sa1at.ru	conhost.exe, 00000009.00000002.2469112551.0000000002048000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sa1at.ru/sa1at/d23895dae0ca92abe3274c29https://sa1at.ru/sa1at/	conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.quovadisglobal.com/cps0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000212C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F44000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F3A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D2E000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F4E000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D2E000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F44000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/2i32i32i32i32i64_vi32i32i64i32i32_i32text/html;	conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://c.pki.goog/r/r4.crl0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000020FA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000235C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002008000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1257922237.0000000002482000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp	false		high
http://i.pki.goog/r4.crt0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000020FA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000235C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002008000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1257922237.0000000002482000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp	false		high
http://c.pki.goog/r/gsr1.crl	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000002012000.00000004.00001000.00020000.00000000.sdmp	false		high
http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crl	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000002012000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F74000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F76000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp	false		high
http://o.pki.goog/s/we1/Yak	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000002012000.00000004.00001000.00020000.00000000.sdmp	false		high
http://c.pki.goog/we1/2DqfS24kcdI.crl0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000020FA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000235C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002008000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1257922237.0000000002482000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.chambersign.org	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F74000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F76000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp	false		high
http://i.pki.goog/we1.crt	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000002012000.00000004.00001000.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002176000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F94000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D7C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F9E000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F9E000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D7C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F94000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl	sppsvc.exe, 00000002.00000002.1258638799.0000000001D14000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1456735779.0000000001C14000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001D24000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001D24000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1703726051.0000000001C14000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001D14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://1.1.1.1/dns-query?name=failed	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1251861814.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, sppsvc.exe, 00000002.00000002.1255509308.0000000000251000.00000040.00000001.01000000.00000008.sdmp, conhost.exe, 00000009.00000002.2464230710.0000000000181000.00000040.00000001.01000000.00000009.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1455657830.00000000002E1000.00000040.00000001.01000000.0000000A.sdmp, sppsvc.exe, 0000000B.00000002.1537050960.0000000000251000.00000040.00000001.01000000.00000008.sdmp, conhost.exe, 0000000C.00000002.1624314483.0000000000181000.00000040.00000001.01000000.00000009.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1699277831.00000000002E1000.00000040.00000001.01000000.0000000A.sdmp, sppsvc.exe, 0000000E.00000001.1775363621.0000000000251000.00000040.00000001.01000000.00000008.sdmp, sppsvc.exe, 0000000E.00000002.1782238168.0000000000251000.00000040.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://o.pki.goog/s/we1/Yak0%	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000020FA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000235C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002008000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1257922237.0000000002482000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/2i32i32i32i32i64_v	conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/r4.crtGlobalSign	conhost.exe, 00000009.00000002.2469112551.0000000001CF6000.00000004.00001000.00020000.00000000.sdmp	false		high
http://i.pki.goog/we1.crt0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002362000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.00000000020FA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000235C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002008000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1257922237.0000000002482000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/2https://sa1at.ru/sa1at/text/ht	conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://c.pki.goog/r/gsr1.crl0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002366000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000208C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000235C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002008000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002138000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp	false		high
https://1.1.1.1/dns-query?name=sa1at.ru9eb46f5c7161eaecb1a84f04bdedfe313a0eeec6	conhost.exe, 00000009.00000002.2469112551.0000000002048000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/text/htm	conhost.exe, 00000009.00000002.2485896782.0000000004544000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/i32i32i32i32i32i32_i32i32i32i32i32i32_vhttps://sa1at.r	conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/gsr1.crt	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000002012000.00000004.00001000.00020000.00000000.sdmp	false		high
http://c.pki.goog/we1/2DqfS24kcdI.crlC:	conhost.exe, 00000009.00000002.2469112551.0000000001CA8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://sa1at.ru/sa1at/https://	conhost.exe, 00000009.00000002.2469112551.00000000029F4000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2485896782.0000000004544000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sa1at.ru/sa1at/2https://sa1at.ru/sa1at/	conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.securetrust.com/STCA.crl	sppsvc.exe, 00000002.00000002.1258638799.0000000001D14000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1456735779.0000000001C14000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001D24000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001D24000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1703726051.0000000001C14000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001D14000.00000004.00001000.00020000.00000000.sdmp	false		high
http://i.pki.goog/gsr1.crt0-	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002366000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000208C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000235C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002008000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002138000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001C4B000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001D52000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000206E000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001D2A000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001CF6000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1456735779.0000000001C6E000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001D3A000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001D3A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1703726051.0000000001C6E000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001D2A000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000001F6C000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F74000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F76000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D52000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.chambersign.org/chambersroot.crl	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.000000000214C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 00000002.00000002.1258638799.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000A.00000002.1457092103.0000000001D4C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000B.00000002.1542107393.0000000001F74000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 0000000C.00000002.1627207089.0000000001F70000.00000004.00001000.00020000.00000000.sdmp, ymrQM6SOnQbFeKt13.exe, 0000000D.00000002.1704362312.0000000001D4C000.00000004.00001000.00020000.00000000.sdmp, sppsvc.exe, 0000000E.00000002.1784388098.0000000001F6A000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sa1at.ru/sa1at/2https://sa1at.ru/sa1at/i32i32i32i32i32i32i32i32i32i32i32i32i32i32i32i32i32i3	conhost.exe, 00000009.00000002.2469112551.0000000001C9E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://o.pki.goog/s/we1/Yakhttp://i.pki.goog/we1.crt	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe, 00000000.00000002.1254461794.0000000002354000.00000004.00001000.00020000.00000000.sdmp, conhost.exe, 00000009.00000002.2469112551.0000000002012000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.84.111	unknown	United States		13335	CLOUDFLARENETUS	false
172.67.191.102	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1633145
Start date and time:	2025-03-10 00:32:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@10/5@0/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10, 52.149.20.212
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:33:18	API Interceptor	4x Sleep call for process: SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe modified
19:33:35	API Interceptor	4x Sleep call for process: conhost.exe modified
23:33:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run conhost C:\Users\user\AppData\Local\Temp\conhost.exe
23:33:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ymrQM6SOnQbFeKt13 C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe
23:33:40	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sppsvc C:\Program Files (x86)\reference assemblies\sppsvc.exe
23:33:48	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run conhost C:\Users\user\AppData\Local\Temp\conhost.exe
23:33:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ymrQM6SOnQbFeKt13 C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe
23:34:04	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sppsvc C:\Program Files (x86)\reference assemblies\sppsvc.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.84.111	SecuriteInfo.com.Variant.Lazy.407549.28690.28181.exe	Get hash	malicious	Salat Stealer	Browse
	cRfulDypny.exe	Get hash	malicious	Salat Stealer	Browse
	noytjhjsefsae.exe	Get hash	malicious	Unknown	Browse
	flilphbvd.exe	Get hash	malicious	Unknown	Browse
172.67.191.102	hf9tYzF.exe	Get hash	malicious	Salat Stealer	Browse
	noytjhjsefsae.exe	Get hash	malicious	Unknown	Browse
	flilphbvd.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://ln.run/a1FLK/#c3BhbUBoeXVuZGFpbW92ZXguY29t	Get hash	malicious	HTMLPhisher	Browse	104.18.24.163
	https://ipfs.io/ipfs/QmfCLiDeCZJwQBA54eiqv1EKXuiCXRAXy4V1yNEeCL5A4B	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739	Get hash	malicious	Remcos, DBatLoader	Browse	1.1.1.1
	https://get.activated.win	Get hash	malicious	Unknown	Browse	104.21.24.156
	https://get.activated.win	Get hash	malicious	Unknown	Browse	104.21.24.156
	http://47musk.com	Get hash	malicious	Unknown	Browse	104.22.44.142
	https://pegas.sizablethursdaychive.shop/MKU8U.mp3	Get hash	malicious	Unknown	Browse	104.21.32.1
	apep.m68k.elf	Get hash	malicious	Unknown	Browse	172.65.156.166
	EasyWay.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
CLOUDFLARENETUS	https://ln.run/a1FLK/#c3BhbUBoeXVuZGFpbW92ZXguY29t	Get hash	malicious	HTMLPhisher	Browse	104.18.24.163
	https://ipfs.io/ipfs/QmfCLiDeCZJwQBA54eiqv1EKXuiCXRAXy4V1yNEeCL5A4B	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739	Get hash	malicious	Remcos, DBatLoader	Browse	1.1.1.1
	https://get.activated.win	Get hash	malicious	Unknown	Browse	104.21.24.156
	https://get.activated.win	Get hash	malicious	Unknown	Browse	104.21.24.156
	http://47musk.com	Get hash	malicious	Unknown	Browse	104.22.44.142
	https://pegas.sizablethursdaychive.shop/MKU8U.mp3	Get hash	malicious	Unknown	Browse	104.21.32.1
	apep.m68k.elf	Get hash	malicious	Unknown	Browse	172.65.156.166
	EasyWay.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	3274240
Entropy (8bit):	7.999918772918032
Encrypted:	true
SSDEEP:	98304:VFRopLT6zpNrQePFVACFD0MCqjub5uWij5nMyP8O:8LT6tNcODFYMgBitnfk
MD5:	BAA1353F2955138FE781DA218ECFBFEC
SHA1:	951164E7150E31D64D1770EC8903A39CADDF2009
SHA-256:	CFDF1D2768ED773C3F5B2C2A03D7892551EA79B181068C23A765F1E09A8C90B1
SHA-512:	CE1FB896C9D2CCAEABB04BC0D0D84665D6E312CBA388A4360E636FA2EF7907905AF6AA4E1826053D0DBECD99DB206C017604849C482A10CD1AA1C6F1B3A47B76
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................2.......................@......................................@.........................................................................................................................................................UPX0....................................UPX1......2.......1.................@...UPX2..................1.............@...4.10.UPX!....g....b.......1.....&$.e...E..g..58.y..<]7{=. ......QE@.1E....6....N...~.I>a....(z.`.9.`c...N..u.H...::J.B..n~.l..:^...!(j.%........c.o...^...k.....rk+Ft.[.....{-.4.Uw.$.n<.S.7..J.M...^/.P'..;................[80:...>.xH..rHK".. D...%s..+.xo]J:.I...9.9...ep.ax:.W...#].n.5,..?4...o.....:W..R.'-.m....YBpJ.>vZI...S.....S$.e.k..rNC....'1..gd.FI.>.......,...Q..7(.?......W....2....... .4K..*iyszHQw....y;...7..[.G...Qv...F.]W[......[.n.d..2..;.P..I7q4....e.ob..d4yO.

C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	3274240
Entropy (8bit):	7.999918772918032
Encrypted:	true
SSDEEP:	98304:VFRopLT6zpNrQePFVACFD0MCqjub5uWij5nMyP8O:8LT6tNcODFYMgBitnfk
MD5:	BAA1353F2955138FE781DA218ECFBFEC
SHA1:	951164E7150E31D64D1770EC8903A39CADDF2009
SHA-256:	CFDF1D2768ED773C3F5B2C2A03D7892551EA79B181068C23A765F1E09A8C90B1
SHA-512:	CE1FB896C9D2CCAEABB04BC0D0D84665D6E312CBA388A4360E636FA2EF7907905AF6AA4E1826053D0DBECD99DB206C017604849C482A10CD1AA1C6F1B3A47B76
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................2.......................@......................................@.........................................................................................................................................................UPX0....................................UPX1......2.......1.................@...UPX2..................1.............@...4.10.UPX!....g....b.......1.....&$.e...E..g..58.y..<]7{=. ......QE@.1E....6....N...~.I>a....(z.`.9.`c...N..u.H...::J.B..n~.l..:^...!(j.%........c.o...^...k.....rk+Ft.[.....{-.4.Uw.$.n<.S.7..J.M...^/.P'..;................[80:...>.xH..rHK".. D...%s..+.xo]J:.I...9.9...ep.ax:.W...#].n.5,..?4...o.....:W..R.'-.m....YBpJ.>vZI...S.....S$.e.k..rNC....'1..gd.FI.>.......,...Q..7(.?......W....2....... .4K..*iyszHQw....y;...7..[.G...Qv...F.]W[......[.n.d..2..;.P..I7q4....e.ob..d4yO.

C:\Users\user\AppData\Local\Temp\conhost.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	3274240
Entropy (8bit):	7.999918772918032
Encrypted:	true
SSDEEP:	98304:VFRopLT6zpNrQePFVACFD0MCqjub5uWij5nMyP8O:8LT6tNcODFYMgBitnfk
MD5:	BAA1353F2955138FE781DA218ECFBFEC
SHA1:	951164E7150E31D64D1770EC8903A39CADDF2009
SHA-256:	CFDF1D2768ED773C3F5B2C2A03D7892551EA79B181068C23A765F1E09A8C90B1
SHA-512:	CE1FB896C9D2CCAEABB04BC0D0D84665D6E312CBA388A4360E636FA2EF7907905AF6AA4E1826053D0DBECD99DB206C017604849C482A10CD1AA1C6F1B3A47B76
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................2.......................@......................................@.........................................................................................................................................................UPX0....................................UPX1......2.......1.................@...UPX2..................1.............@...4.10.UPX!....g....b.......1.....&$.e...E..g..58.y..<]7{=. ......QE@.1E....6....N...~.I>a....(z.`.9.`c...N..u.H...::J.B..n~.l..:^...!(j.%........c.o...^...k.....rk+Ft.[.....{-.4.Uw.$.n<.S.7..J.M...^/.P'..;................[80:...>.xH..rHK".. D...%s..+.xo]J:.I...9.9...ep.ax:.W...#].n.5,..?4...o.....:W..R.'-.m....YBpJ.>vZI...S.....S$.e.k..rNC....'1..gd.FI.>.......,...Q..7(.?......W....2....... .4K..*iyszHQw....y;...7..[.G...Qv...F.]W[......[.n.d..2..;.P..I7q4....e.ob..d4yO.

\Device\Mup\user-PC\PIPE\samr

Download File

Process:	C:\Users\user\AppData\Local\Temp\conhost.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.053374040827532
Encrypted:	false
SSDEEP:	3:rmHD/tH//lllLGlA1yqGlgZty:rmH2oty
MD5:	080E701E8B8E2E9C68203C150AC7C6B7
SHA1:	4EF041621388B805758AE1D3B122F9D364705223
SHA-256:	FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
SHA-512:	C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........t.......................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......,..l..@E............

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.999918772918032
TrID:	Win32 Executable (generic) a (10002005/4) 99.66% UPX compressed Win32 Executable (30571/9) 0.30% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe
File size:	3'274'240 bytes
MD5:	baa1353f2955138fe781da218ecfbfec
SHA1:	951164e7150e31d64d1770ec8903a39caddf2009
SHA256:	cfdf1d2768ed773c3f5b2c2a03d7892551ea79b181068c23a765f1e09a8c90b1
SHA512:	ce1fb896c9d2ccaeabb04bc0d0d84665d6e312cba388a4360e636fa2ef7907905af6aa4e1826053d0dbecd99db206c017604849c482a10cd1aa1c6f1b3a47b76
SSDEEP:	98304:VFRopLT6zpNrQePFVACFD0MCqjub5uWij5nMyP8O:8LT6tNcODFYMgBitnfk
TLSH:	75E5332D2B7B8116C36265748A58A027D3FC8B96E29B470D9AD1D08DFE0FFD720C8785
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................2.......................@.......................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0xf7a5b0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	6ed4f5f04d62b18d96b26d6db7c18840

Entrypoint Preview

Instruction
pushad
mov esi, 00C5C015h
lea edi, dword ptr [esi-0085B015h]
push edi
mov ebp, esp
lea ebx, dword ptr [esp-00003E80h]
xor eax, eax
push eax
cmp esp, ebx
jne 00007F00AC92725Dh
inc esi
inc esi
push ebx
push 00B78908h
push edi
add ebx, 04h
push ebx
push 0031E592h
push esi
add ebx, 04h
push ebx
push eax
mov dword ptr [ebx], 00020003h
push ebp
push edi
push esi
push ebx
sub esp, 7Ch
mov edx, dword ptr [esp+00000090h]
mov dword ptr [esp+74h], 00000000h
mov byte ptr [esp+73h], 00000000h
mov ebp, dword ptr [esp+0000009Ch]
lea eax, dword ptr [edx+04h]
mov dword ptr [esp+78h], eax
mov eax, 00000001h
movzx ecx, byte ptr [edx+02h]
mov ebx, eax
shl ebx, cl
mov ecx, ebx
dec ecx
mov dword ptr [esp+6Ch], ecx
movzx ecx, byte ptr [edx+01h]
shl eax, cl
dec eax
mov dword ptr [esp+68h], eax
mov eax, dword ptr [esp+000000A8h]
movzx esi, byte ptr [edx]
mov dword ptr [ebp+00h], 00000000h
mov dword ptr [esp+60h], 00000000h
mov dword ptr [eax], 00000000h
mov eax, 00000300h
mov dword ptr [esp+64h], esi
mov dword ptr [esp+5Ch], 00000001h
mov dword ptr [esp+58h], 00000001h
mov dword ptr [esp+54h], 00000001h
mov dword ptr [esp+50h], 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7c000	0x88	UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb7c088	0xc	UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x85b000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x85c000	0x320000	0x31f200	6dae184a0e3e9a478dcd2ee0e5768bd7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2	0xb7c000	0x1000	0x200	3672b7a56e556c12eb4ccbc8b518b1bd	False	0.21484375	data	1.4735397498218852	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 326
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 00:34:00.047132015 CET	53384	53	192.168.2.4	162.159.36.2
Mar 10, 2025 00:34:00.052339077 CET	53	53384	162.159.36.2	192.168.2.4
Mar 10, 2025 00:34:00.052527905 CET	53384	53	192.168.2.4	162.159.36.2
Mar 10, 2025 00:34:00.057658911 CET	53	53384	162.159.36.2	192.168.2.4
Mar 10, 2025 00:34:00.537077904 CET	53384	53	192.168.2.4	162.159.36.2
Mar 10, 2025 00:34:00.542458057 CET	53	53384	162.159.36.2	192.168.2.4
Mar 10, 2025 00:34:00.542509079 CET	53384	53	192.168.2.4	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 00:33:16.641252995 CET	58586	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:16.844808102 CET	58586	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:16.847068071 CET	58586	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.104871988 CET	443	58586	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.104897976 CET	443	58586	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.116493940 CET	443	58586	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.116792917 CET	443	58586	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.116808891 CET	443	58586	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.116827965 CET	443	58586	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.117760897 CET	58586	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.131839037 CET	58586	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.131874084 CET	58586	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.131982088 CET	58586	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.132055998 CET	58586	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.232636929 CET	443	58586	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.232671022 CET	443	58586	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.234662056 CET	443	58586	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.234690905 CET	443	58586	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.237545013 CET	443	58586	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.239248991 CET	58586	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.239361048 CET	58586	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.240505934 CET	58587	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.340406895 CET	443	58586	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.435839891 CET	58587	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.435910940 CET	58587	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.717637062 CET	443	58587	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.718755007 CET	443	58587	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.719274998 CET	443	58587	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.719293118 CET	443	58587	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.719353914 CET	443	58587	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.719822884 CET	58587	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.722081900 CET	58587	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.722124100 CET	58587	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.722125053 CET	58587	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.722125053 CET	58587	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.822700977 CET	443	58587	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.822740078 CET	443	58587	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.822767973 CET	443	58587	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.822796106 CET	443	58587	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:17.823574066 CET	58587	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.823646069 CET	58587	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:17.923054934 CET	443	58587	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:18.079986095 CET	443	58587	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:18.081319094 CET	58588	443	192.168.2.4	172.67.191.102
Mar 10, 2025 00:33:18.113086939 CET	58587	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:18.270159960 CET	58588	443	192.168.2.4	172.67.191.102
Mar 10, 2025 00:33:18.270224094 CET	58588	443	192.168.2.4	172.67.191.102
Mar 10, 2025 00:33:18.544554949 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:18.544578075 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:18.546266079 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:18.546629906 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:18.546648026 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:18.546665907 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:18.547267914 CET	58588	443	192.168.2.4	172.67.191.102
Mar 10, 2025 00:33:18.569166899 CET	58588	443	192.168.2.4	172.67.191.102
Mar 10, 2025 00:33:18.593091965 CET	58588	443	192.168.2.4	172.67.191.102
Mar 10, 2025 00:33:18.593163967 CET	58588	443	192.168.2.4	172.67.191.102
Mar 10, 2025 00:33:18.692831039 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:18.692871094 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:18.692928076 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:18.692958117 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:18.693097115 CET	58588	443	192.168.2.4	172.67.191.102
Mar 10, 2025 00:33:18.693147898 CET	58588	443	192.168.2.4	172.67.191.102
Mar 10, 2025 00:33:18.693175077 CET	58588	443	192.168.2.4	172.67.191.102
Mar 10, 2025 00:33:18.793344975 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:18.981108904 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:18.996747017 CET	58588	443	192.168.2.4	172.67.191.102
Mar 10, 2025 00:33:19.797060013 CET	58588	443	192.168.2.4	172.67.191.102
Mar 10, 2025 00:33:19.896658897 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:19.896883965 CET	58588	443	192.168.2.4	172.67.191.102
Mar 10, 2025 00:33:19.996424913 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:20.109404087 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:20.109591961 CET	443	58588	172.67.191.102	192.168.2.4
Mar 10, 2025 00:33:20.109997034 CET	58588	443	192.168.2.4	172.67.191.102
Mar 10, 2025 00:33:33.588778019 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:33.814454079 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:33.814528942 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.076236010 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.076283932 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.076488018 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.077246904 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.077282906 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.077318907 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.078238964 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.078238964 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.084964037 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.084964991 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.084964991 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.184159040 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.184200048 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.184228897 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.184257984 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.184509993 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.184585094 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.184921980 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.184921980 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.185436964 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.188705921 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.221142054 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.283900023 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.394262075 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.394342899 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.667306900 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.667371035 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.677611113 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.678612947 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.680495977 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.680531025 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.680788994 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.682442904 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.685112000 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.685210943 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.685245991 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.779994011 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.780044079 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.780075073 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.780103922 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:34.780344009 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.780394077 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:34.874381065 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:35.004185915 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:35.005392075 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:35.037614107 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:35.210413933 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:35.210413933 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:35.472511053 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:35.472629070 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:35.474915028 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:35.475269079 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:35.475334883 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:35.475374937 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:35.514559031 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:35.514559984 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:35.520929098 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:35.520929098 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:35.620661974 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:35.620887995 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:35.620932102 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:35.620959997 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:35.621093988 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:35.621227980 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:35.719659090 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:35.753247976 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:35.890067101 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:35.910103083 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:37.427546978 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:37.427546978 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:37.526351929 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:37.747242928 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:37.782392979 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.463705063 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.463799000 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.463834047 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.463834047 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.463916063 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.463937998 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.463958025 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.463999033 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.463999033 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.464118004 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.464145899 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.464145899 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.481010914 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.481010914 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.481050968 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.481189013 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.481229067 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.481229067 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.481254101 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.497148991 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.497266054 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.497298956 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.513416052 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.513453960 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.513453960 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.513487101 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.513488054 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.532567978 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.532567978 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.532610893 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.564321995 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.566636086 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.578413963 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.578488111 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.578488111 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.578519106 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.578536987 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.578557014 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.578577995 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.578644991 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.578644991 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.578738928 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.578772068 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.578831911 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.579231977 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.579261065 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.579310894 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.579336882 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.579363108 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.582897902 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.582942009 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.582942009 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.582971096 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.582998991 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.583019972 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.583064079 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.583064079 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.595273018 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.595299959 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.595343113 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.611577034 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.611603975 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.611654043 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.612050056 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.612137079 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.612165928 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.612195015 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.612215042 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.612234116 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.612262011 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.612262011 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.612298965 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.612298965 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.612360001 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.628303051 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.628303051 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.628303051 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.628463030 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.628463030 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.628463030 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.628463984 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.628463984 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.628463984 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.628463984 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.628463984 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.628535032 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.628560066 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.632778883 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.633759022 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.633784056 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.650473118 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.650473118 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.650473118 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.650474072 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.650474072 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.650474072 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.650474072 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.650474072 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.650597095 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.650597095 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.650597095 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.666434050 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.666434050 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.666547060 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.666547060 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.666548014 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.666548014 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.666548014 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.676929951 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.677123070 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.677172899 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.677201033 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.677227020 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.677284002 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.677284002 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.677294970 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.677284002 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.677284002 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.677284002 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.677321911 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.677350044 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.677371979 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.681376934 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.681483984 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.681514978 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.682059050 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.682059050 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.682059050 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.682059050 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.682059050 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.682059050 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.682059050 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.682060003 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.682148933 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.682148933 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.682148933 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.682156086 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.682183981 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.698663950 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.698663950 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.698704958 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.698729992 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.698803902 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.698803902 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.698945999 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.698981047 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.699003935 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.699017048 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.699032068 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.699104071 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.699104071 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.710175037 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.710189104 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.710798025 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.726778030 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.726836920 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.726861954 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.726934910 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.726947069 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.727019072 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.727030993 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.727102995 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.727118969 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.727133036 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.727190018 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.727257013 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.727294922 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.727294922 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.727391958 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.727427006 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.727447033 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.727483034 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.727483034 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.727550983 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.743166924 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.743168116 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.743207932 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.748672009 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.748699903 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.748789072 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.748816013 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.749281883 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.749444008 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.764817953 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.764894009 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.765558958 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.775702953 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.775789976 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.780179024 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.780227900 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.780363083 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.780920982 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.780961037 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.796746969 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.796843052 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.796870947 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.796897888 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.796924114 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.796957016 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.797117949 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.797209024 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:38.825367928 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.825402021 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.825412989 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.825436115 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.825448036 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.825460911 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.841748953 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:38.864161015 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:39.132603884 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:39.136236906 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:39.171350002 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:39.234549046 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:39.887166023 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:39.887590885 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:39.919441938 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:39.985790014 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:41.147147894 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:41.245934963 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:41.441304922 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:41.495074987 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:41.974072933 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:42.073781013 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:42.272346020 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:42.288923979 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:42.446124077 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:42.551805019 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:42.736849070 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:42.753631115 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:44.271197081 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:44.271197081 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:44.370251894 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:45.001851082 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:45.001950979 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:45.096568108 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:49.802850008 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:49.901520014 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:50.090253115 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:50.122385025 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:50.279453993 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:50.378541946 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:50.580826998 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:50.613039970 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:54.100545883 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:54.200216055 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:54.373859882 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:54.373859882 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:54.394452095 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:54.426702023 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:54.472887039 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:54.472933054 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:55.123755932 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:55.123910904 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:33:55.217924118 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:33:57.405958891 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:57.504393101 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:57.702657938 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:57.795208931 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:58.593163013 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:33:58.691570997 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:58.880584955 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:33:58.912709951 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:00.046668053 CET	53	59604	162.159.36.2	192.168.2.4
Mar 10, 2025 00:34:00.726831913 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:00.783123016 CET	53	57203	1.1.1.1	192.168.2.4
Mar 10, 2025 00:34:00.825824022 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:01.026551962 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:01.058634043 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:04.468849897 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:04.468991995 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:04.567764997 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:34:05.226378918 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:05.226378918 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:05.320707083 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:34:06.189856052 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:06.288589001 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:06.492355108 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:06.525298119 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:06.900866985 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:06.900919914 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:07.001034975 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:07.198187113 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:07.230596066 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:07.481441021 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:07.580435038 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:07.767271042 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:07.799488068 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:14.563680887 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:14.563680887 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:14.662605047 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:34:14.963469028 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:15.062052965 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:15.204258919 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:15.204374075 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:15.256052017 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:15.288134098 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:15.303029060 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:15.350929022 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:15.350929022 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:15.446548939 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:34:15.502861977 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:15.535295010 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:16.260838032 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:16.359198093 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:16.555332899 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:16.680777073 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:16.739965916 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:16.772069931 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:23.496448040 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:23.599392891 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:23.788712025 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:23.788732052 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:23.789036036 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:24.680572987 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:24.780113935 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:34:25.453735113 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:25.547761917 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:34:31.788286924 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:31.788288116 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:31.886992931 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:32.101109028 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:32.133361101 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:34.702352047 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:34.780879021 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:34.801037073 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:34.879909992 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:34:34.998987913 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:35.015626907 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:35.557384968 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:35.651406050 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:34:36.000778913 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:36.000778913 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:36.000853062 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:36.099464893 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:36.297894001 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:36.330454111 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:40.102967978 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:40.201869965 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:40.398930073 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:40.431649923 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:44.876017094 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:44.975070000 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:34:45.648927927 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:45.742784977 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:34:47.341644049 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:47.440490007 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:47.643589020 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:47.660623074 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:48.438601017 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:48.537256956 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:48.632776976 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:48.726980925 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:48.731277943 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:48.763417959 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:48.915554047 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:48.948132992 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:49.918034077 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:49.918034077 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:50.016952038 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:50.209496975 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:50.243230104 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:52.213203907 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:52.213284016 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:52.312522888 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:52.522938967 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:52.555695057 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:54.980345011 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:55.087987900 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:34:55.731132984 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:34:55.825237989 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:34:56.734498024 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:56.734569073 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:34:56.833254099 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:57.017129898 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:34:57.049478054 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:05.031990051 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:05.032186031 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:05.079874992 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:35:05.130832911 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:05.178855896 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:35:05.324343920 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:05.356587887 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:05.826601028 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:35:05.920881987 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:35:08.584598064 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:08.584641933 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:08.683223963 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:08.868736982 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:08.886785984 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:09.857198954 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:09.857299089 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:09.955856085 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:10.137005091 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:10.169785976 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:13.335805893 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:13.434238911 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:13.633227110 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:13.633268118 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:13.634008884 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:13.732093096 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:13.764682055 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:15.179976940 CET	51250	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:35:15.279762030 CET	443	51250	1.1.1.1	192.168.2.4
Mar 10, 2025 00:35:15.922307014 CET	51251	443	192.168.2.4	1.1.1.1
Mar 10, 2025 00:35:16.016228914 CET	443	51251	1.1.1.1	192.168.2.4
Mar 10, 2025 00:35:19.966845989 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:20.066082954 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:20.250303030 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:20.283109903 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:21.252727985 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:21.252727985 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:21.351267099 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:21.538239002 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:21.554968119 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:21.634104013 CET	57228	443	192.168.2.4	104.21.84.111
Mar 10, 2025 00:35:21.732311964 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:21.928544998 CET	443	57228	104.21.84.111	192.168.2.4
Mar 10, 2025 00:35:21.964401007 CET	57228	443	192.168.2.4	104.21.84.111

Statistics

CPU Usage

• SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe
• sppsvc.exe
• conhost.exe
• ymrQM6SOnQbFeKt13.exe
• sppsvc.exe
• conhost.exe
• ymrQM6SOnQbFeKt13.exe
• sppsvc.exe
• conhost.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe
• sppsvc.exe
• conhost.exe
• ymrQM6SOnQbFeKt13.exe
• sppsvc.exe
• conhost.exe
• ymrQM6SOnQbFeKt13.exe
• sppsvc.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe
• sppsvc.exe
• conhost.exe
• ymrQM6SOnQbFeKt13.exe
• sppsvc.exe
• conhost.exe
• ymrQM6SOnQbFeKt13.exe
• sppsvc.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	19:33:15
Start date:	09/03/2025
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe"
Imagebase:	0x6b0000
File size:	3'274'240 bytes
MD5 hash:	BAA1353F2955138FE781DA218ECFBFEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SalatStealer, Description: Yara detected Salat Stealer, Source: 00000000.00000002.1251861814.0000000000EAF000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1251861814.00000000006B1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:33:20
Start date:	09/03/2025
Path:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Imagebase:	0x250000
File size:	3'274'240 bytes
MD5 hash:	BAA1353F2955138FE781DA218ECFBFEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SalatStealer, Description: Yara detected Salat Stealer, Source: 00000002.00000002.1255509308.0000000000A4F000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1255509308.0000000000251000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:33:32
Start date:	09/03/2025
Path:	C:\Users\user\AppData\Local\Temp\conhost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\conhost.exe"
Imagebase:	0x180000
File size:	3'274'240 bytes
MD5 hash:	BAA1353F2955138FE781DA218ECFBFEC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SalatStealer, Description: Yara detected Salat Stealer, Source: 00000009.00000002.2464230710.000000000097F000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2464230710.0000000000181000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	19:33:40
Start date:	09/03/2025
Path:	C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe"
Imagebase:	0x2e0000
File size:	3'274'240 bytes
MD5 hash:	BAA1353F2955138FE781DA218ECFBFEC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SalatStealer, Description: Yara detected Salat Stealer, Source: 0000000A.00000002.1455657830.0000000000ADF000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1455657830.00000000002E1000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:33:48
Start date:	09/03/2025
Path:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Imagebase:	0x250000
File size:	3'274'240 bytes
MD5 hash:	BAA1353F2955138FE781DA218ECFBFEC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SalatStealer, Description: Yara detected Salat Stealer, Source: 0000000B.00000002.1537050960.0000000000A4F000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1537050960.0000000000251000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:33:56
Start date:	09/03/2025
Path:	C:\Users\user\AppData\Local\Temp\conhost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\conhost.exe"
Imagebase:	0x180000
File size:	3'274'240 bytes
MD5 hash:	BAA1353F2955138FE781DA218ECFBFEC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SalatStealer, Description: Yara detected Salat Stealer, Source: 0000000C.00000002.1624314483.000000000097F000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.1624314483.0000000000181000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:34:04
Start date:	09/03/2025
Path:	C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe"
Imagebase:	0x2e0000
File size:	3'274'240 bytes
MD5 hash:	BAA1353F2955138FE781DA218ECFBFEC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SalatStealer, Description: Yara detected Salat Stealer, Source: 0000000D.00000002.1699277831.0000000000ADF000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1699277831.00000000002E1000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:34:12
Start date:	09/03/2025
Path:	C:\Program Files (x86)\Reference Assemblies\sppsvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\reference assemblies\sppsvc.exe"
Imagebase:	0x250000
File size:	3'274'240 bytes
MD5 hash:	BAA1353F2955138FE781DA218ECFBFEC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SalatStealer, Description: Yara detected Salat Stealer, Source: 0000000E.00000002.1782238168.0000000000A4F000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000001.1775363621.0000000000251000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.1782238168.0000000000251000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	19:34:22
Start date:	09/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Reference Assemblies\sppsvc.exe

C:\Users\user\AppData\Local\Comms\ymrQM6SOnQbFeKt13.exe

C:\Users\user\AppData\Local\Temp\conhost.exe

\Device\Mup\user-PC\PIPE\samr

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.3212.25037.exe